The Holy Grail of Mobile Channel Security Is Here!
In their third quarter 2016 earnings report, Bank of America said that 20 percent of its total sales were digital and 27 percent of those sales were over mobile devices. The bank reported that it now has over 21 million mobile customers. And similar growth is being seen across the banking industry, so there’s no doubt that the mobile channel is a strong contributor to bank growth. As the proverb says, however, “You have to take the bad with the good.” And in this case, the downside is a dramatic increase in fraud attacks designed to exploit vulnerabilities in the mobile channel and a wave of new mobile banking customer targets.
Mobile banking makes a lot of sense: customers can do their banking wherever and whenever. They can scan checks from their dining room table, without having to leave the comfort of their own home. They don’t have to make use of the bank’s website or their laptop. This is why more banking has been moving to mobile apps. The Federal Reserve reports that more than half of Millennials use mobile banking, and overall usage is close to half across all ages (see the infographic below).
Despite this popularity, the dirty secret of mobile banking apps is that they haven’t succeeded in satisfying the twin goals of usability and security. Often, banks favor one or the other in their app design, and the easier an app is to use, the less secure it usually is. One reason is that mobile app developers have limited resources and often choose usability over security: they are driven to make their apps more consumer-friendly, and this often comes at the expense of building a more secure app. The net result is that attackers are flocking to mobile banking apps, which these security weaknesses turn into a target-rich environment with numerous fraud opportunities.
This serious problem demands action. Mobile apps can be both usable and secure; all it takes is to consider both when building the apps and to understand that the choice is not mutually exclusive. What is needed is to incorporate usability and security in a way that makes them mutually supportive, enhancing both goals equally, to the benefit of customers and bank IT departments alike.
Steps towards a solution
Serving both masters, security and usability, is of course harder. It requires understanding several key issues and elements:
First, there is the implementation of the mobile application code itself. One way to address security issues is a new kind of protection mechanism called runtime application self-protection (RASP), which, as its name implies, builds firewall-like capabilities into the development environment itself. We have written a white paper on this topic that goes into the details.
Second, more attention needs to be paid to the security of the device environment itself. This means frequent mobile OS upgrades to stay on top of new threats, as well as protecting devices from rooting attacks, keyloggers and other compromises. A number of mobile device and endpoint management tools offer these protective features.
Third, banks have to build better and more usable mobile apps. Part of the issue is that the bar is getting a lot higher: a number of startups and competitors, such as Venmo, Alipay, Square and numerous Bitcoin startups, offer solutions that make mobile payments frictionless.
Finally, better biometrics are required, along with an understanding of how they work in the authentication process. In the past, biometrics were treated as just another authentication factor, like a one-time password. But this technology represents much more. Biometrics have many subtleties, and verifying voices, fingerprints and other biological factors isn’t a simple binary yes/no decision; it involves more observations of human behavior. To be useful, biometrics will require more effort to obtain large samples of a user’s data points and to sift through these data in a meaningful fashion.
The key word here is meaningful, because the sampling process can often be flawed. For example, a voiceprint recorded in a noisy room is less useful than one recorded in isolation from other sounds, and non-native speakers of a language may have thick accents that prevent a solid match.
The real secret of incorporating biometrics is being able to sense the end user’s behavior, not just judging whether their eyeballs or fingerprints match a particular recorded template or model. This is a relatively new field, but there are products that can take advantage of the huge collection of sensors now found in the average smartphone, such as gyroscopes, Touch ID, geo-location positioning and the way people swipe their phone screens with their fingers. This can be as unique as a fingerprint, so it isn’t what you type but how you type it. For example, a researcher in Israel has been able to determine from this finger-swiping activity, within a few seconds, whether the legitimate owner of the phone is in control or a thief is using it.
The best and most effective approach is to integrate biometrics into the authentication and app development process, so that users experience no interruptions in their banking activities.
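The points above, that a biometric match is a graded score rather than a yes/no, that it is built from many samples, and that a poor-quality sample (the noisy voiceprint) should lower confidence rather than force a decision, can be shown in a small scorer. The following is an added example written for this article; it is not code from the original post or from VASCO. The feature names, enrollment values, quality weights and thresholds are all constructed assumptions.

```python
"""Graded behavioral-biometric matching from swipe and hold features.

Added example, not code from the original article or from VASCO. Feature names,
enrollment values, quality weights and thresholds are constructed assumptions.
"""
import math

# Features assumed to be derived from the phone's touch screen and motion sensors.
FEATURES = ("swipe_speed", "swipe_pressure", "swipe_length", "hold_time")

# Constructed enrollment samples: (feature vector, capture quality in [0, 1]).
# Quality below 1.0 models a sample taken under poor conditions (cf. the noisy
# voiceprint in the text); such samples count for less in the template.
ENROLLMENT = [
    ({"swipe_speed": 1.20, "swipe_pressure": 0.55, "swipe_length": 310, "hold_time": 0.12}, 1.0),
    ({"swipe_speed": 1.25, "swipe_pressure": 0.52, "swipe_length": 300, "hold_time": 0.11}, 1.0),
    ({"swipe_speed": 1.15, "swipe_pressure": 0.58, "swipe_length": 320, "hold_time": 0.13}, 0.9),
    ({"swipe_speed": 1.30, "swipe_pressure": 0.50, "swipe_length": 295, "hold_time": 0.10}, 0.8),
    ({"swipe_speed": 1.22, "swipe_pressure": 0.54, "swipe_length": 305, "hold_time": 0.12}, 1.0),
    ({"swipe_speed": 1.18, "swipe_pressure": 0.56, "swipe_length": 315, "hold_time": 0.12}, 0.9),
]


def build_template(samples, min_spread=0.05):
    """Quality-weighted mean and standard deviation per feature.

    The spread is floored at a fraction of the mean so that a feature that
    happened to be near-constant during enrollment does not turn harmless
    day-to-day variation into a huge deviation.
    """
    total_w = sum(q for _, q in samples)
    template = {}
    for f in FEATURES:
        mu = sum(s[f] * q for s, q in samples) / total_w
        var = sum(q * (s[f] - mu) ** 2 for s, q in samples) / total_w
        sigma = max(math.sqrt(var), min_spread * abs(mu))
        template[f] = (mu, sigma)
    return template


def similarity(template, probe):
    """Mean absolute z-score over all features, mapped to (0, 1].

    1.0 means the probe sits exactly on the template; values near 0 mean
    the behaviour looks nothing like the enrolled user.
    """
    z = sum(abs(probe[f] - mu) / sigma for f, (mu, sigma) in template.items())
    return math.exp(-z / len(template))


def evaluate(template, n_enrolled, probe, probe_quality):
    """Return (score, confidence, decision) for one authentication attempt.

    The decision is three-valued: a poor-quality probe, or a template built
    from too few samples, justifies neither accepting nor rejecting the user.
    """
    score = similarity(template, probe)
    confidence = probe_quality * min(1.0, n_enrolled / 5)
    if confidence < 0.5:
        return score, confidence, "uncertain"
    if score >= 0.7:
        return score, confidence, "match"
    if score <= 0.3:
        return score, confidence, "mismatch"
    return score, confidence, "uncertain"


TEMPLATE = build_template(ENROLLMENT)


def demo():
    """Three constructed probes: the owner on a clean capture, the owner on a
    noisy capture, and a different person holding the phone."""
    owner = {"swipe_speed": 1.21, "swipe_pressure": 0.55, "swipe_length": 308, "hold_time": 0.12}
    thief = {"swipe_speed": 0.70, "swipe_pressure": 0.85, "swipe_length": 180, "hold_time": 0.30}
    n = len(ENROLLMENT)
    return {
        "owner_clean": evaluate(TEMPLATE, n, owner, 1.0),
        "owner_noisy": evaluate(TEMPLATE, n, owner, 0.3),
        "thief": evaluate(TEMPLATE, n, thief, 1.0),
    }


if __name__ == "__main__":
    for name, (score, conf, decision) in demo().items():
        print(f"{name:12s} score={score:.2f} confidence={conf:.2f} -> {decision}")
```

The design point is that the output feeds a downstream risk decision rather than gating access by itself: a "match" with high confidence lets the bank skip a visible factor, a "mismatch" raises risk, and "uncertain" (low capture quality or too few enrollment samples) simply means the behavioral signal carries no weight for this attempt.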
Let’s consider what happens once behavioral biometrics and other authentication technologies have been applied to an action requested by a banking customer. The first step is to consider the context of the particular transaction and gather data including biometrics, device condition, and whether any malicious activity has been observed on the device itself. This information is then analyzed for relative risk: not every action by a user has the same impact in terms of balancing security and risk. An account balance inquiry doesn’t carry the same risk as setting up a new payee in your account, for example. Any account access decision is therefore based on a dynamic set of circumstances that may require multiple authentication factors to be satisfied.
Instead of relying on individual security measures (e.g., a one-time password), the solution becomes one of layered security that dynamically throttles up and down depending on the type of risk involved in each scenario. Each transaction effectively goes through a series of trust hurdles, with riskier ones requiring stepped-up security measures (e.g., an additional biometric factor such as face recognition) to balance out the risk. Lower-risk transactions, in contrast, are fast-tracked based on sophisticated risk-analysis scoring and rules, so the user is completely unaware of the level of scrutiny taking place; it is invisible to them.
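The flow just described (gather context, score relative risk, then raise or lower the trust hurdle) can be written out as a small decision engine. This is an added example for this article, not the original post's code and not the logic of VASCO's IDENTIKEY Risk Manager; the action names, signal weights and thresholds are constructed assumptions chosen only to illustrate how layered, risk-based step-up works.

```python
"""Risk-based, layered authentication for mobile banking actions.

Added example, not code from the original article and not the logic of VASCO's
IDENTIKEY Risk Manager. Action names, signal weights and thresholds are
constructed assumptions chosen to illustrate the idea.
"""
from dataclasses import dataclass

# Base risk of each action (0 = harmless, 1 = maximum). Assumed values: a
# balance inquiry is near-harmless, adding a payee is a classic fraud step.
ACTION_RISK = {
    "balance_inquiry": 0.05,
    "view_statement": 0.10,
    "transfer_own_accounts": 0.25,
    "pay_known_payee": 0.40,
    "add_payee": 0.70,
    "change_contact_details": 0.75,
}


@dataclass
class TransactionContext:
    """Everything gathered before the risk decision is made."""
    action: str
    amount: float = 0.0            # monetary amount, 0 for non-payment actions
    biometric_score: float = 1.0   # behavioral similarity in [0, 1], 1 = owner
    device_rooted: bool = False
    os_outdated: bool = False
    new_device: bool = False
    unusual_location: bool = False
    malware_detected: bool = False


def risk_score(ctx):
    """Fold the context into one risk value in [0, 1].

    Each adverse signal adds to the base risk of the action; a weak behavioral
    match raises risk in proportion to how far it is from a perfect match.
    """
    score = ACTION_RISK.get(ctx.action, 0.80)   # unknown actions are treated as risky
    if ctx.amount > 1000:
        score += 0.15
    if ctx.amount > 10000:
        score += 0.15
    score += (1.0 - ctx.biometric_score) * 0.5
    if ctx.device_rooted:
        score += 0.25
    if ctx.os_outdated:
        score += 0.10
    if ctx.new_device:
        score += 0.20
    if ctx.unusual_location:
        score += 0.15
    return min(score, 1.0)


def decide(ctx):
    """Map risk to the trust hurdle the user must clear.

    Returns (risk, outcome, factors). An empty factor list means the action is
    fast-tracked and the scrutiny stays invisible to the user.
    """
    if ctx.malware_detected:
        # Active malware on the device: no factor entered there is trustworthy.
        return 1.0, "deny", []
    risk = risk_score(ctx)
    if risk < 0.30:
        return risk, "allow", []
    if risk < 0.60:
        return risk, "step_up", ["one_time_password"]
    if risk < 0.85:
        return risk, "step_up", ["one_time_password", "face_recognition"]
    return risk, "step_up", ["one_time_password", "face_recognition", "call_back"]


def demo():
    """Constructed scenarios showing the hurdle rising and falling with context."""
    cases = {
        "balance_clean": TransactionContext("balance_inquiry"),
        "balance_stolen_phone": TransactionContext("balance_inquiry", biometric_score=0.2, device_rooted=True),
        "add_payee_clean": TransactionContext("add_payee", biometric_score=0.95),
        "big_payment_new_device": TransactionContext("pay_known_payee", amount=15000, new_device=True),
        "malware": TransactionContext("view_statement", malware_detected=True),
    }
    return {name: decide(ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, (risk, outcome, factors) in demo().items():
        print(f"{name:24s} risk={risk:.2f} {outcome:8s} {factors}")
```

Note how the same low-risk action gets a different hurdle depending on context: a balance inquiry from the owner's clean phone is allowed silently, while the same inquiry on a rooted device with a weak behavioral match is pushed through two extra factors. The weights and thresholds are the part a bank would tune from its own fraud data; the structure (context, score, tiered factors, hard deny on a compromised device) is what the text describes.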
VASCO’s IDENTIKEY Risk Manager is one example of a comprehensive fraud analysis platform that leverages complete device, user, authentication and other data points to accurately prevent fraud in real-time.