Banking Security Trends for 2018
By Shirley O’Sullivan
Banks everywhere are pushing more and more of their customers towards online and mobile banking services. While these offer customers greater ease of use and access to a whole host of features, a greater reliance on online and mobile banking brings with it some major banking security concerns, particularly for the CISO. Banks experienced a variety of attacks in 2017, from simple DDoS attacks to Trojans built specifically for mobile banking. How are CISOs and digital banking mediums reacting to the evolving threat landscape, and where should they be looking in 2018 to ensure that their security continues to be effective?
Most major international banks have been experimenting with blockchain, the implementation of digital ledgers that increase transparency and make online banking processes much more efficient. Bank-backed blockchain projects may be able to secure the global currency exchange rate speeds as well as increase transaction security. With more of the major banks turning to and backing blockchain providers such as IBM’s Hyperledger Fabric, Unity Settlement Coin, and R3, we can expect to see this implementation trickle down to smaller financial organisations. The addition of specific identity to ledger records and further credentials will be able to keep records anonymous while still ensuring the faster processing of online transactions in the growing market of online and cryptocurrencies.
Machine Learning/Artificial Intelligence
The software’s own ability to recognise and adapt to specific attacks is becoming more and more critical. Malware is starting to use AI of its own to adopt dynamic attack patterns that target weak points in the application layer. Meanwhile, there is a greater volume of automated attacks and intelligent phishing campaigns that aim to expedite the exposure of software vulnerabilities. Banking software must also learn to make use of artificial intelligence. One proposed method of using machine learning is the development of “risk profiles”. By using AI to determine the variable security risk parameters of the various types of banking transactions, security can be applied dynamically. The simplest example of this is requesting more forms of verification depending on the risk profile, but there is of course greater scope for exploiting AI technology to achieve more sophisticated risk management.
As more user devices now come with biometric functionality, from thumbprints to ocular scans, we expect an increased reliance on these methods. It’s expected that banks will continue to expand the reliance on biometrics to voice and face recognition software. Not only will sophisticated biometrics be able to ensure greater levels of authenticity, but they will do so at no added effort from the customer. Provided the tools are developed well, they will prove even more efficient and easier to use than having to remember passwords and other credentials. With the growing need for deeper multi-factor authentication, biometrics are sure to come to the forefront of new security developments in 2018.
The Payment Services Directive (PSD2) regulations have an impact across all banking platforms in the UK and the EU. Banks will be required to open their payments structure and customer data assets to new regulatory bodies. While the new regulations are designed to open the online ecosystem and offer banks of all sizes access to infrastructure services that improve their software, this new level of data sharing brings with it new banking security risks. With the implementation of the new Payment Services Directive in existing apps will come a need for even tighter platform security. This may include Runtime Application Self-Protection and new applications of the fast-growing biometrics field of authentication.
With increasing numbers of agreements and larger transactions being made entirely in the digital world, our dependence on electronic signatures will continue to rise. The authentication of more advanced electronic signatures could make customers much less susceptible to fraud than current simple electronic signatures. eIDAS, the EU regulation on electronic signatures, lays out a fuller explanation of what constitutes an advanced electronic signature, and more banks are starting to use these to ensure greater levels of authenticity and reduced chances of fraud. Furthermore, banks are looking to extra levels of authentication like biometrics that can provide greater peace of mind for users without making their services any less convenient to use.
Mobile App Security
Late last year, several of the UK’s top banks had one of their greatest vulnerabilities exposed. Apps from some major high street banks were all found to have a weakness that left their software exposed to “man-in-the-middle” attacks. An error in certificate pinning methods, used to ensure the validity of encryption certificates, could allow hackers to redirect users to webhosts with fraudulent certificates, leaving them open to easy data theft. While this exploit was found and stopped, we expect mobile banking apps to become one of the most frequent battlefields for CISOs, with attacks likely to become more common as threats such as overlay attacks make their way to the EU and perhaps the UK for the first time.
Mobile apps also tend to present a new problem in the form of fraud. Studies show that consumers who use mobile apps are more susceptible to being tricked by cybercriminals. Copycat apps have always been an issue in the mobile space, but the growing popularity of banking apps only makes them more prevalent. Education of the consumer base is key. While mobile banking app users must look further into their own device authentication methods, online banking services will probably look to machine learning and dynamic multi-factor authentication technology to ensure that extra levels of protection are added to transactions that have greater weight. By applying a “risk score”, mobile and online banking software could scale the demands for authenticity.
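The “risk profile” and “risk score” ideas described above can be sketched as risk-based step-up authentication. This is an added example, not code from any bank or vendor; the signals, weights, thresholds and factor names are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed weights and thresholds (assumptions for illustration); a real
# deployment would derive them from fraud data or a trained model.
WEIGHTS = {"new_payee": 30, "unknown_device": 25,
           "unusual_country": 25, "high_value": 20}
HIGH_VALUE = 1000.00        # assumed amount at which value adds risk
STEP_UP, STRONG = 30, 60    # assumed score thresholds

@dataclass
class Transaction:
    amount: float
    new_payee: bool
    device_known: Optional[bool]   # None means the signal is unavailable
    country: str
    usual_country: str

def risk_score(tx: Transaction) -> int:
    """Sum the weights of the risk signals present on a transaction."""
    score = 0
    if tx.new_payee:
        score += WEIGHTS["new_payee"]
    # Fail closed: a missing device signal is scored as an unknown device.
    if tx.device_known is not True:
        score += WEIGHTS["unknown_device"]
    if tx.country != tx.usual_country:
        score += WEIGHTS["unusual_country"]
    if tx.amount >= HIGH_VALUE:
        score += WEIGHTS["high_value"]
    return score

def required_factors(tx: Transaction) -> List[str]:
    """Scale the verification demanded with the transaction's risk score."""
    score = risk_score(tx)
    factors = ["password"]                          # baseline for every request
    if score >= STEP_UP:
        factors.append("biometric")                 # second factor on medium risk
    if score >= STRONG:
        factors.append("out_of_band_confirmation")  # third check on high risk
    return factors

if __name__ == "__main__":
    # Constructed sample transactions
    for tx in (Transaction(25.0, False, True, "GB", "GB"),
               Transaction(50.0, True, True, "GB", "GB"),
               Transaction(5000.0, True, None, "FR", "GB")):
        print(risk_score(tx), required_factors(tx))
```

Scoring a missing device signal as risky matters: if an attacker can suppress a signal, the decision should become stricter, not more lenient.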