Keeping customers safe when banking online

By Nic Sarginson, Principal Solutions Engineer at Yubico

This year, consumers have turned to technology in their droves to work, shop, and manage their finances. While online access has always offered convenience, this year it has become close to a necessity as people retreated to their computers and phones, instead of the high street, to access banking services. The significant shift in the way consumers transact and manage money highlights just how much we have all come to depend on our digital identities. Protecting those identities is essential, and that means taking steps for effective and secure authentication.

There has been such an increase in demand for online and mobile banking, that 88% of banking executives reported their organisation has become completely overwhelmed, according to this European survey. This reveals an interesting truth for the banking industry: many former telephone or in-person banking customers will now have to become more familiar and comfortable with their banking service operating online. The benefits they gain, including immediate access to account status and other banking services, are likely going to be the contributing factors that get these new habits of operating online to stick.

The growing shift toward online banking can prove to be positive for financial institutions with a digital agenda, as well as for consumers. However, the move is not necessarily worry-free. For example, while two-thirds of TSB’s mobile banking users say they benefit from the convenience and 24/7 access to their accounts, security is still a concern among older age groups. Despite the rate of mobile banking registrations almost tripling in the three months following lockdown, TSB discovered that 39 percent of people over the age of 55 worry about fraud and 37 percent of them fear losing their phone and as a result, their bank details being compromised.

Lines of defence

The first line of defence in online security is generally a username and password, supplemented with additional measures to help safeguard against a range of threats including:

• Credential stuffing – this is when stolen details are tried against a range of digital services, with the goal of gaining access to as many accounts as possible. This type of attack takes advantage of the ill-advised practice of password reuse, which unfortunately is a common occurrence because it’s challenging to manage a large number of passwords on a day-to-day basis. Therefore, people often reuse the passwords they can remember across several services, leaving many accounts susceptible to being breached. Once a cyberattack has succeeded at gaining access to a password, multiple account takeovers become possible, simply by trying the same password across different accounts through the use of an automated system or program.
• Phishing – involves luring and tricking people into revealing personal information such as their login credentials. This could be through an email from an illegitimate sender disguised as a legitimate service provider, such as their banking service. The illegitimate sender will often include a link in their email that will then take the user to a fake site where the user is asked to enter in their credentials, leaving the illegitimate sender the ability to use those newly phished credentials on the real site and gain access to the user’s account.
• Man-in-the-middle (MiTM) attacks – occur when attackers secretly relay, and possibly alter, communications between two parties who believe they are communicating with each other. Recognising this type of attack is hard, even for those who are very cyber aware, with attackers creating highly personalised messages relevant to targets. Routes in for them can include unprotected Wi-Fi networks and manipulated URLs to look like legitimate sites. Again, the end result is to gain the necessary credential to access an account.
  

  Nic Sarginson

Multi or two-factor authentication (MFA/2FA) boosts traditional username/password authentication, by adding a second layer to help mitigate these common security threats, as well as others. It’s important to note that not all MFA is completely resistant to security threats – for example, mobile-based MFA using one-time codes increases account security but can still be vulnerable to modern MitM and phishing attacks. Additionally, it may not be the most convenient solution, as it relies on your mobile device, which may not be accessible when in locations that are mobile-restricted or do not have cellular reception to receive codes.

Financial service providers can and should take steps to help customers increase their online account protection. This, along with increasing education to help reduce the digital divide for the less security aware, is important in any organisation’s digital transformation. Strong authentication protecting online banking accounts should:

1. Prevent account takeovers from phishing and MiTM attacks – by circumventing weak security measures and tricking users via fake links and altered communication methods, cybercriminals have the ability to instigate transactions, gain access to important PII and other activities that can wreak serious havoc on finances.
2. Provide a convenient user experience – frictionless security should be simple, seamless, and quick. Typing passcodes can be prone to error and adds time to the process of logging in.
3. Integrate into existing systems – enabling strong authentication for customers shouldn’t require a huge overhaul of existing systems or workflows. Instead, it should be simple to integrate for both existing and future products and services.

Strong authentication, through tools such as hardware security keys, bolsters security without inconveniencing customers. By leveraging global authentication standards supported by the leading platforms and browsers, like WebAuthn and FIDO2, developers can integrate a strong authentication solution into their products and services, which provides users with the ability to secure their accounts and devices. Now that we recognise that legacy authentication methods are not always the most secure, online service providers should go beyond basic MFA to provide strong standards-based authentication to stop account takeovers.

Indeed, for financial services organisations, using such technologies as FIDO increases user security and ease of use. It also adds more flexibility to the security options available, from increased user identity assurance, to being able to implement hardware backed Root of Trust procedures, and even transaction signing solutions.

As consumers increasingly go online to manage more aspects of their daily activities, they will seek confidence in the security measures designed to keep their accounts safe. Basic security measures can be vulnerable to a range of security threats and should be enhanced through strong authentication that is simple to deploy and use. Now is the time to meet customer expectations when accessing financial services online by providing the highest level of protection, combined with a seamless user experience.