Achieving Strong Authentication for Online Banking

SDO Marketing Staff | November 28, 2017

When it comes to targets for cyber criminals, financial institutions are the holy grail.

Understandably, banks and other similar organizations hold the most promise for hackers, and successful attacks tend to be highly lucrative.

This reality has turned cyber security and regulation for these institutions into major issues for the industry to address. The fact that the average corporate bank experiences some 85 direct hack attempts a year highlights the need for bank managers as well as customers to stay one step ahead of the cyber threats facing the banking sector.

Flaws in the System

First things first:

What are the weakest links in the chain of security keeping accounts safe?

One vulnerability lies in the methods prevalent in the banking world for customer authentication. Some of the most devastating hacks of financial institutions in recent years have been accomplished via flaws in the customer authentication protocols needed to access accounts, including the infamous Equifax breach of last September.

There are several trends that have made customer authentication a weak point in banks’ security posture. First has been the advent of third-party providers (TPPs), an industry of middlemen that interface between the account holder and his or her financial institution. While these programs offer convenience and other practical benefits, the introduction of TPPs has opened a whole new area of security risk. Banks were once the only bodies capable of interacting with customers when commanding and executing account actions. TPPs now give hackers a third party that they can impersonate or compromise in order to gain illicit access.

Vulnerabilities to banks also exist within systems used by the international community to transfer funds from one location to another.

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is the network that keeps the worldwide economy moving. Some 25 million messages pass through the SWIFT system daily, consisting of some $5 trillion worth of monetary movement.

Over the past several years, security incidents have shown that SWIFT, even when working, is vulnerable to manipulation by criminals. One of the most telling cases to demonstrate this fact was the cyber heist of the Bangladesh Central Bank in 2016. Investigations revealed that the perpetrators were able to simply access the SWIFT system using stolen credentials, likely obtained in a phishing scam. The fact that SWIFT's security updates after the theft were still based on login credentials highlights the lingering vulnerability of the system. As long as authentication is based on password logins, it leaves something for hackers to steal and utilize.

The Weaknesses of Regulation

Legal protocols governing the banking system also often create security vulnerabilities.

Recently, an international trend has been growing amongst legislative bodies mandating transparency standards for account holder information.

The European Union Payment Services Directive 2, or PSD2, has codified the requirement for banks to share information on account holders with certain third-party services. While the intention of this legislation was to help open the banking service market to more competition, PSD2 created a continent-wide risk of information compromise. While financial institutions are expected to vet service providers for security, banks have no control over the connections created between customers and the providers themselves. Additionally, the security protocols that many of these companies use to guard personal information are often not up to par when compared with those of established banks.

And the trend continues.

Similar rules have been in the making in other countries as well. In the UK, the new “Open Banking” protocols will require banks to disclose customer details to companies providing application programming interface (API) services such as e-wallets and prepaid cards. Experts have stated that cyber criminals will seek new opportunities with Open Banking that will give rise to a host of new scams and hacking methods.

Circumventing the Threats

The ideal solution for strong online banking authentication is one that circumvents all of the above vulnerabilities tied to credential-based login. The keyless authentication of the Octopus Authenticator brings flexibility and seamless authentication, along with excellent user experience. It even enables the complete removal of passwords if needed.

With a keyless authentication scheme, users can take advantage of the convenience that emerging services in the industry provide and operate within otherwise compromising banking protocols, all without compromising their own account security.