5 Critical Strategies for Mobile Banking Security
The tactics used by cyber-criminals to target sensitive financial data are sophisticated and constantly changing. So, too, must the security controls financial institutions have in place to stop the next cyber-threat. But as technological innovation brings promise and excitement to the financial services industry, it also brings new opportunities for fraudsters and hackers. Here are five trends we can expect to see in the future of cybersecurity.
1. Risk-Based Authentication in the Cloud
Financial institutions find it much easier to defend against known malware attacks than against unknown attack vectors or zero-day vulnerabilities. That’s why one promising approach to security for the industry is the concept of outsourced protection. “We may see ID and fraud management being outsourced or moved into the cloud,” suggests Andras Cser, principal analyst for security and risk at Forrester Research. “The cloud providers can provide you with a lot more background intelligence about attacks and issues that may not have hit you, but have hit other people.”
By working with multiple institutions on a real-time basis, cloud security providers can muster a more comprehensive defense. “They’ll be amassing information as to what it means to be normal from a user or a peer group perspective, and then alerting on deviations from that normalcy,” says Cser. “That’s probably going to be another layer of defense.”
2. Biometric-Powered Bank Applications
The big problem with passwords is that they’re difficult to remember and easy to store in an unprotected area. Even if an application goes to extreme lengths to avoid storing usernames and passwords within its protected data area, it’s hard to stop users from pasting their passwords into an unencrypted notebook page or draft email for quick reference.
Biometrics promises an authentication technique that’s easier than remembering (or copying and pasting) a password. One approach to biometrics is voiceprint ID, in which the user is asked to repeat a phrase or a series of digits. The phrase might be the user’s home phone number or mobile number; or, to eliminate the “replay attack” risk that an attacker has recorded the real user’s voice, the requested phrase could also be a random series of digits, or one of several random phrases.
One of the potential drawbacks of voiceprint IDs is that the user may not be in a quiet area conducive to providing a clean sound sample. In such situations, another promising technique is facial recognition.
Facial recognition, like voiceprint ID, might also be vulnerable to “replay attacks” at the current level of the technology, notes Forrester’s Andras Cser.
To counteract that attack vector, one idea is to register facial biometrics as a movie. “You’d rotate your head to the left, and then do a 180-degree rotation to the right,” explains Cser. “At registration, the system would build a three-dimensional model based on that. Then, when you authenticate, you can compare two 3-D images of a head instead of just two 2-D images.”
Biometric approaches work best in defined niches, suggests Forrester’s Eve Maler. “For mobile devices, the quality is still suspect, it’s tricky to do, and it potentially compromises privacy,” Maler says. “If you do biometrics right, that’s great, but it could be more trouble than it’s worth.”
3. Credit Cards with Token Generators
One of the main problems with token-generating devices is that they’re bulky and unwieldy. But what if you could get your one-time password from the credit card in your wallet?
An interesting contender for the out-of-band authentication challenge is having a token generator embedded in the form factor of an ordinary credit card. “You can integrate a PIN-protected one-time password circuit on the same device, along with the EMV chip and magnetic stripe,” says Forrester’s Cser. “You can use it to swipe, or at an ATM, or to read off a one-time password.”
It’s the same size as a credit card, and the batteries last about two years, adds Cser. If deployed at scale, the production costs could be reduced significantly while offering strong protection against fraud.
4. Polling the Device
The raw technologies involved with mobile computing give it certain advantages when it comes to authentication. “In some ways, mobile is better than a PC for authentication, because you can factor in things such as location,” says ABI Research’s John Devlin. “Combinations of transactions can get flagged very quickly, and then blocked and challenged.” For example, if successive mobile logins were to occur thousands of miles apart, using verifiable location data based on cell phone towers, the bank may infer that one of the two logins has to be a fake.
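The location check described above, written out as an added example that is not part of the original article: each new login is compared with the same user’s previous login, and the speed the user would have needed to cover the distance in the elapsed time is tested against a plausibility ceiling. The coordinates, the 1000 km/h threshold and the sample logins are all assumptions constructed for the example.

```python
"""Impossible-travel check for successive mobile banking logins (example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed policy threshold: anything faster than airline travel is treated as infeasible.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime    # time of the login event, UTC
    lat: float      # coarse position, e.g. derived from cell-tower data (assumed input)
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to travel between the two logins."""
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:                      # same instant: any distance is impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def flag_logins(logins, max_speed=MAX_PLAUSIBLE_SPEED_KMH):
    """Walk logins in time order; return those that imply impossible travel for their user."""
    flagged, last_by_user = [], {}
    for login in sorted(logins, key=lambda l: l.ts):
        prev = last_by_user.get(login.user)
        if prev is not None and implied_speed_kmh(prev, login) > max_speed:
            flagged.append(login)
        last_by_user[login.user] = login
    return flagged


# Constructed sample: alice logs in from New York, then 90 minutes later from London.
_t = lambda h, m: datetime(2024, 1, 15, h, m, tzinfo=timezone.utc)
SAMPLE_LOGINS = [
    Login("alice", _t(9, 0), 40.71, -74.01),   # New York
    Login("alice", _t(10, 30), 51.51, -0.13),  # London, 1.5 h later -> flagged
    Login("bob", _t(10, 45), 48.86, 2.35),     # Paris, different user -> ignored
    Login("alice", _t(12, 0), 51.51, -0.13),   # London again, plausible -> not flagged
]
```

In practice the flagged login would be challenged (step-up authentication) rather than silently blocked, since coarse tower-based positions carry their own error.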
Ordinarily, downloaded apps can be granted permission to access the location data associated with a device. Beyond location, there’s a big opportunity for banks to strengthen their authentication practices by tapping into the full complement of data and services available on mobile devices.
For example, suppose a bank makes a copy of a user’s contact database and then, before authorizing a transaction, checks to see whether those same contacts are present on someone’s phone. That way, someone who just steals the user ID and password for a bank account would be unable to log in; the thief would have to steal the person’s actual phone, or somehow copy that person’s entire address book along with the bank credentials.
Another approach is examining the physical behavior of how people use their smartphones. “When looking up phone numbers, some people always search the contacts list, while others type the number first,” says Forrester’s Cser. “There are several ways to do the same things, and if you observe someone’s behavior over a long period of time, you’re going to see repetitive patterns that are different, person by person.”
“You can argue that this is biometric information, and there would be a huge set of concerns around privacy,” Cser adds. Whether it would ever be possible to realize some of these enhanced OS-based techniques in Apple iOS remains an open question. Nevertheless, the possibilities afforded through digging deeply into the phone’s data store are sure to make such ideas hard to rule out entirely.
5. Device-Based Authentication
If security at the device level becomes enough of a differentiator in the market, we may see the industry shift to entirely new business models that place device manufacturers and network operators in the driver’s seat.
Mobile operators and device manufacturers were caught flat-footed with the rapid success of Apple iOS, and they’d surely relish the opportunity to figure out some new way to differentiate themselves with a more advantageous bargaining position relative to the operating system companies.
Devlin sketches out the possibilities involved with making the secure area on a smartphone available, for an annual fee, to financial institutions and other payment, e-wallet, and loyalty application providers. “The network operators want to be in charge of that,” says Devlin. “Part of the delay of NFC coming to market is who controls the secure market, who’s paying for it, and who makes revenue from it.” Device-based authentication could be embedded into the handset by the device manufacturer or network operator, or located on a removable SIM card or microSD card provided by a bank or other player.
With these considerations in mind, banks should keep a sharp lookout and maintain a nimble footing when evaluating the evolving possibilities in the mobile ecosystems emerging within their respective geographic markets.