[5 Critical Strategies for Mobile Banking Security.]
The tactics used by cyber-criminals to target sensitive financial data are sophisticated and constantly changing. So, too, must the security controls financial institutions have in place to stop the next cyber-threat. But as technological innovation brings promise and excitement to the financial services industry, it also brings new opportunities for fraudsters and hackers. Here are five trends we can expect to see in the future of cybersecurity.
1. Risk-Based Authentication in the CloudFinancial institutions find it much easier to respond against known malware attacks than they do against unknown attack vectors or zero-day vulnerabilities. That’s why one promising approache to security for the industry is the concept of outsourced protection. “We may see ID and fraud management being outsourced or moved into the cloud,” suggests Andras Cser, principal analyst for security and risk at Forrester Research. “The cloud providers can provide you with a lot more background intelligence about attacks and issues that may not have hit you, but have hit other people.”
By working with multiple institutions on a real-time basis, cloud security providers can muster a more comprehensive defense. “They’ll be amassing information as to what it means to be normal from a user or a peer group perspective, and then alerting on deviations from that normalcy,” says Cser. “That’s probably going to be another layer of defense.”
2. Biometric-Powered Bank Applications
The big problem with passwords is that they’re difficult to remember and easy to store in an unprotected area. Even if an application goes to extreme lengths to avoid storing usernames and passwords within its protected data area, it’s hard to stop users from pasting their passwords into an unencrypted notebook page or draft email for quick reference.
Biometrics promises an authentication technique that’s easier than remembering (or copying and pasting) a password. One approach to biometrics is voiceprint ID, in which the user is asked to repeat a phrase or a series of digits. The phrase might be the user’s home phone number or mobile number; or, to eliminate the “replay attack” risk that an attacker has recorded the real user’s voice, the requested phrase could also be a random series of digits, or one of several random phrases.
One of the potential drawbacks of voiceprint IDs is that the user may not be in a quiet area conducive to providing a clean sound sample. In such situations, another promising technique is facial recognition.
Facial recognition, as with voiceprint IDs, might also be vulnerable to “replay attacks” with the current level of the technology, notes Forrester’s Andras Cser.
To counteract that attack vector, one idea is to register facial biometrics as a movie. “You’d rotate your head to the left, and then do a 180-degree rotation to the right,” explains Cser. “At registration, the system would build a three-dimensional model based on that. Then, when you authenticate, you can compare two 3-D images of a head instead of just two 2-D images.”
Biometric approaches work best in defined niches, suggests Forrester’s Eve Maler. “For mobile devices, the quality is still suspect, it’s tricky to do, and it potentially compromises privacy,” Maler says. “If you do biometrics right, that’s great, but it could be more trouble than it’s worth.”
3. Credit Cards with Token GeneratorsOne of the main problems with token-generating devices is that they’re bulky and unwieldy. But what if you could get your one-time password from the credit card in your wallet?
An interesting contender for the out-of-band authentication challenge is having a token generator embedded in the form factor of an ordinary credit card. “You can integrate a PIN-protected one-time password circuit on the same device, along with the EMV chip and magnetic stripe,” says Forrester’s Cser. “You can use it to swipe, or at an ATM, or to read off a one-time password.”
It’s the same size as a credit card, and the batteries last about two years, adds Cser. If deployed at scale, the production costs could be reduced significantly while offering strong protection against fraud.