How banks are strengthening their cybersecurity posture [Q&A]
Cyberattacks and data breaches affect all kinds of organizations, but banks and financial services firms are at particular risk.
The shift to carrying out financial transactions on mobile devices has also changed the threat landscape in recent years. We spoke to Will LaSala, director of security solutions and security evangelist at OneSpan, to find out more about what banks can do to bolster their security.
BN: Has the pandemic boosted the shift to using mobile devices?
WL: People were already slowly migrating towards mobile. Before the beginning of last year, we saw that people were putting in place technologies like SMS one-time passwords, and maybe starting to roll out a mobile authenticator. But really it was still testing the waters; they weren't necessarily going full bore into it, and the bigger the bank, the more services they were offering to their mobile clients. But once the pandemic hit, mobile was the way to go, and we certainly saw that in terms of our adoption and how we're securing that side of things.
In terms of threats, you had a different style of attacks in mobile, but they were very similar. So they were things like account takeover and new account opening fraud; those types of attacks all log on to the mobile platform. IBM's threat intelligence index says about a quarter of attacks are focused on financial institutions, just trying to get into these financial applications.
BN: What technologies are emerging to guard against these threats?
WL: There's something called mobile app shielding, which basically puts a hardened shell around the application. This prevents other code or viruses from being injected into it. It also guards against apps like rogue keyboards that might be trying to log keystrokes, as well as SIM swapping.
Another technology to focus on is data aggregation. This relies on AI and machine learning to analyze data to pick out patterns of attack and protect against them, and to determine that consumers are really who they say they are. It can fully automate workflows driven by accurate risk scores, which enables fraud teams to be nimbler and identify fraud more quickly.
A third technology is the idea of 'self-sovereign identities'. These are kind of the Holy Grail, and they mean that the user controls their own identity. So the user is able to give that identity to whom they want and control who has access to it. They can bring that identity to a bank and say, okay, you have access to this identity for this period of time and this is what you're allowed to see. Now, the bank can request to see more information or require more information, but it's still under the control of the user. The technology that enables this is blockchain. This idea is still in its infancy, but it enables banks to trust those self-sovereign identities, so a user can verify that they are who they say they are. This becomes more important as you move into digital payments and digital wallets. It makes signing up new customers easier too, because you don't need to rely on things like copies of driver's licenses or passports.
BN: In terms of accessing financial and banking systems is mobile inherently less secure than desktop?
WL: When mobile first came out, people knew of the problems on desktop, so they were trying to design a format that was more secure. Many of the issues that we had were with the fact that the operating system was not hardened, was not componentized, so you had a big problem with viruses. You don't see that on a mobile phone, because the whole device has been architected in a different way.
That said, there are still a lot of security holes out there, and one of the things that we hear from our customers very frequently is that they put false trust in the platform providers: they look at Google, they look at Apple, and they think it must be okay. But that's not true. Even with the best coders and the best organizations there are still security holes, so it's really important to protect against them and make certain that they're looking at those holes and applying technology that will help plug them.
BN: Where do biometrics fit into all this?
WL: Fingerprints are great, but usually for an iOS device or an Android device your fingerprint data never leaves the device, and rightly so, which means you can't really use that to prove the identity of the user.
Instead you can use data from the phone to identify how the transaction took place. So you go back to how the user is holding their phone, how they're performing transactions, where they're performing transactions. There's a lot of data on a mobile device, and all of this data is usually gathered by the bank's mobile app and sent to the back-end processing. When the data comes into that back end, we can apply artificial intelligence to say, okay, the user was just here. It's about looking at all of the data that the mobile has about you and using the AI to pick up those patterns.
BN: Blockchain has mostly been associated with cryptocurrencies, but are we going to see it assume a bigger role in conventional banking?
WL: Yes, I think you're going to see more blockchain, though we still have a little bit of time before it's fully ready for mainstream. There are a lot of clients working on blockchain to really reduce that footprint and make it more palatable for organizations, and we're starting to see that there are some great use cases for blockchain. Besides self-sovereign identity, there are some blockchain use cases for authentication. I think over the next few years or so blockchain will be used for more and will enable us to push out some of this technology to the zero trust area. Technologies like quantum computing that can vastly speed up processing will make adoption easier too.