The message in code: Why banks must step up their user authentication game
Even though there’s no gun present, banks and their customers are being silently robbed. The reason? The mechanisms used to identify, authenticate and authorize users are rife with weaknesses.
While banks value convenience in the race to secure customer satisfaction, they must balance it with security. With an estimated 265.9 mobile phone users in the United States, banks that ramp up their mobile offerings must also tighten security or risk leaving the vault wide open for cyber criminals.
These criminals continuously probe mobile applications and online-banking business logic for vulnerabilities, and many find holes in critical functions such as user identification, authentication and authorization. Banks often rely on just one or two layers of customer validation, and this invites disaster. Institutions need to add layers that use technologies such as:
- Anomaly detection
- Multi-factor authentication
- Passive biometrics
- Behavioral analytics
Using these layers, banks can identify the true customer—and detect the impostor before they reach critical account functions.
The password is ‘vulnerable’
The code problem is not limited to a select few organizations. A recent report by Positive Technologies finds that two-thirds of remote banking applications remain vulnerable to some form of brute-force attack. Such flaws could result in the theft of funds, along with unauthorized access to client data and other sensitive bank and consumer information.
The report also states that banking apps developed by third-party vendors had on average twice as many vulnerabilities as those made by in-house technology teams. This means that every piece of code must be tested for function and logic vulnerabilities, then approved in-house before implementation to ensure the banking application’s integrity.
Passwords that open accounts have become a dime a dozen on the Dark Web. Two-factor authentication and physical biometrics such as fingerprints, iris scans and selfies have a place in the security and authentication stack. But attackers can subvert each of these solutions when they only have to defeat one at a time.
A boost from better biometrics
Solutions based on consumer behavior and interactional signals now lead the way in providing more customer safety with less friction in the experience and less fraud in the marketplace. An excellent example of balancing security and user experience is the layering of behavioral biometrics with solutions such as Mastercard’s Identity Check Mobile or fingerprint sensors.
Passive biometrics can track the angle at which a handheld device is held while in use, the pressure applied to the keys or screen, and the length of the gaps between typing and swiping. These signals separate good users from bad, and they are virtually impossible for a non-human interface to replicate. Anomalous behavior can be identified by analyzing these signals—even in large data sets—and comparing the patterns of known human users with unusual ones.
Technology solutions can now tell machines from humans; then separate good machines from bad; select known humans from unknown humans; and finally sort unknown humans showing low-risk signals from unknowns with high-risk signals. This process lets organizations fast-track known and low-risk users for an optimal experience—and reserves the friction of traditional authentication methods for the highest-risk users.
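One way to implement the four-stage sort just described, using the passive signals named above (device angle, touch pressure, gaps between inputs), as an added Python example that is not code from the article or from NuData; the baselines, thresholds and the `synthetic-monitor` account are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    user_id: Optional[str]   # None when the login is not tied to a known customer
    tilt_deg: float          # angle of the handheld device while typing
    pressure: float          # mean touch pressure, 0..1
    gap_ms: float            # mean gap between keystrokes/swipes
    gap_stdev_ms: float      # spread of those gaps; humans are never metronomic

# Constructed baselines: (mean, stdev) per signal, as learned from past sessions.
KNOWN_USERS = {
    "alice": {"tilt_deg": (35.0, 4.0), "pressure": (0.55, 0.08), "gap_ms": (180.0, 40.0)},
}
# Constructed population-wide ranges, used when there is no per-user baseline.
POPULATION = {"tilt_deg": (30.0, 15.0), "pressure": (0.5, 0.2), "gap_ms": (200.0, 120.0)}
# The bank's own "good machines" (assumed account name), e.g. uptime probes.
TRUSTED_AUTOMATION = {"synthetic-monitor"}

def is_machine(s: Session) -> bool:
    # Scripted input shows no jitter between events; a human always does.
    return s.gap_stdev_ms < 1.0

def anomaly_score(s: Session, baseline: dict) -> float:
    # Mean absolute z-score of the session's signals against a baseline.
    zs = [abs(getattr(s, k) - m) / sd for k, (m, sd) in baseline.items()]
    return sum(zs) / len(zs)

def triage(s: Session, step_up_threshold: float = 2.0) -> str:
    """Four-stage sort: machine/human, good/bad machine, known/unknown human,
    low/high-risk unknown. Returns 'allow', 'block', 'fast-track' or 'step-up',
    where 'step-up' means falling back to traditional authentication."""
    if is_machine(s):
        return "allow" if s.user_id in TRUSTED_AUTOMATION else "block"
    if s.user_id in KNOWN_USERS:
        # Known human: does this session look like the account's real owner?
        score = anomaly_score(s, KNOWN_USERS[s.user_id])
        return "fast-track" if score < step_up_threshold else "step-up"
    # Unknown human: sort on risk signals against the population instead.
    return "fast-track" if anomaly_score(s, POPULATION) < step_up_threshold else "step-up"

if __name__ == "__main__":
    # Constructed sessions: the account owner, then someone else using her password.
    print(triage(Session("alice", 37.0, 0.6, 190.0, 35.0)))   # fast-track
    print(triage(Session("alice", 10.0, 0.9, 60.0, 20.0)))    # step-up
```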
Integrated authentication that begins with physical biometrics (such as facial recognition or a fingerprint) needs behavioral analytics and risk decisioning to help create robust offerings.
It also gives banks and financial institutions a unique and powerful ability to secure transactions and improve the reliability of verification.
Until banks move to a multi-modal approach, their remote banking app will remain vulnerable. Unfortunately, so too will be the trust of their most loyal customers.
Robert Capps is authentication strategist and vice president at NuData Security. He is a recognized technologist, thought leader and advisor with more than 20 years of experience in the design, management and protection of complex information systems to counter cyber risks.