The quest to secure payments security

When Darouny Bounsengsa bought her mobile phone at 17, she wasted little time diving into the digital payments world. “I use it primarily for checking my balance at a moment’s notice, but I have used it to deposit checks, locate branches and ATMs, and transfer funds between my accounts,” says the 21-year-old theater manager from Clearwater, Fla.

You might think there is safety in numbers, as Bounsengsa is part of a growing demographic. The number of Americans who use mobile banking has jumped from 33 percent of those with bank accounts in 2013 to 43 percent in 2015, according to a study by the Federal Reserve.

Yet where consumers with money congregate, so do hackers and thieves. And like virtual pickpockets, they can work a crowd with ease … except that they’re impossible to spot by face. They don’t even leave so much as a fingerprint behind.   

But in the quest for safer payments, some banks are turning to those very features—faces and fingerprints—to add a layer of hack-proof security for their customers. And while it’s too soon to report any stockpile of statistics, experts believe the new measures in play hold promise for consumers who send and access money digitally. 

Citi, for instance, has just introduced a mobile app that protects transactions by requiring the user to establish biometric data; this includes not just fingerprints and facial recognition but also voice authentication—something a fraudster could only conceivably defeat by recording you the moment you log on.

That’s because no generic voice prompt, such as “Hey Siri,” will pick the lock. To gain access to your Citi accounts, you must speak the phrase: “My identity is secure because my voice is my passport, verify me.” (It doubles as a subtle plug, too.)

The Citi app is just one example of the tremendous investment banks are making into mobile security, says Rick Borden, who specializes in cybersecurity law for Robinson & Cole. And ultimately, banks may be trying to protect consumers from themselves.

“I don’t believe I’ve actually heard of a mobile banking app being compromised,” says Borden, who formerly served as senior vice president and assistant general counsel at Bank of America, where he was responsible for cybersecurity and technology. The biggest risks, he notes, come from mobile devices themselves, along with people “who give their credentials through phishing campaigns or something else.”

So while some may unwittingly share passwords or other data that allow passage into their payments stream, a recognized face is impossible to share, barring a makeup trick straight out of a James Bond flick.

That said, logging in to mobile payments requires WiFi, which means problems can still arise, says Chris Vickery, a white hat cybersecurity researcher. “There’s a certain level of risk anytime you are broadcasting information to a wireless network. This is especially true for people who are willing to connect to any available WiFi access point.”

Researchers at the University of Erlangen-Nuremberg in Germany also contend that hackers no longer have to work on multiple fronts, because apps do not utilize an internet security measure known as two-factor authentication. “It is sufficient to compromise the mobile device, which automatically compromises all authentication factors running on the smartphone,” writes Vincent Haupert, a research associate at the university’s Security Research Group.

Thus what is user friendly may be hacker friendly as well. “The current trend that massively favors usability over security is the wrong way to go,” Haupert writes. “Therefore, legislative regulation is required that precisely frames the limits of authentication schemes used in digital banking. Particularly mobile banking currently lacks clear standards that have to be addressed.”

For now, mobile malware does not yet target mobile banking due in large part to limited customer acceptance. But as payments via wallets and apps become more widespread, criminals are looking for new ways in.

Consumers could also take a lesson from the likes of Bounsengsa, who practices what’s known as good cyber hygiene. “My main security concern is someone being able to take my information as I use the app and hack it as I am using it or shortly after,” she says. “I don’t open the app if I’m using public WiFi and switch to using data if I am not at home.”

How else can banks protect customers?

  • Encourage and promote cyber hygiene. This also includes the frequent changing of mobile passwords, as well as keeping separate passwords for different accounts (including non-bank portals such as Venmo or PayPal). Without variation, one hacked password can lead to a flood of trouble.
  • Thoroughly test new consumer-facing payments technology. This consists of a security architecture review; threat modeling; secure coding training; secure code reviews; app integrity protection design; static analysis; and dynamic testing.
  • Look outside headquarters. As players in the FinTech sphere develop breakthroughs in payments security, consider partnering with them or undertaking a joint venture to create something new.   

Bounsengsa, the Clearwater theater manager, still feels safe using mobile banking apps to send and receive payments. “I haven’t been hacked or anything of the sort,” she says. “So far the app has kept my information secure and I feel comfortable using it.”

But there’s no telling how long that will last. For even as payments move faster and smartphones get speedier, so too will the cyber criminals rush to keep pace.

Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.