Security has long been a primordial need for mankind, usually defined as the condition of being protected from, or not exposed to, danger. While the elements that make up this feeling of safety have evolved continuously throughout history, until now they remained mostly tied to the physical or material dimension. As technology reshapes modern and future societies through the widespread inclusion of digital elements in our daily lives, the concept of security as we knew it has been undergoing considerable change.
In a highly digitalized age, when information is not only the most valuable asset but also easily accessible at any time, from any place or device, new security concerns arise, namely around the safeguarding and protection of digital data, networks and systems. Cybersecurity has become the watchword for any business or company with digital channels, and even more so for those whose offerings are developed and deployed entirely in virtual environments. With so much sensitive information, both private and corporate, circulating in the digital space, there has been an increase in cyberattacks intended to access, alter or destroy data, but also to disrupt essential services and infrastructures.
Are banks prepared for the New Wave of digital threats?
As prime targets for cybercriminals, banks have been at the forefront of cybersecurity for years, aiming to protect the vast amount of sensitive information, both personal and corporate, entrusted to them by their clients. However, variables such as the increasing number of user-operated devices, the high adoption of digitization to create unique customer experiences, and innovative hacking strategies have drastically raised the threat level, further heightened by the disruptive regulatory landscape of the banking industry.
In fact, the requirements for PSD2 compliance and Open Banking implementation, despite being a major step for consumer rights and banking transparency, pose major threats as third-party providers gain access to consumers’ banking information. These API infrastructures provide prime targets for cyberattacks, as most traditional security systems have proven inadequate at keeping them secure and inaccessible.
Other major trends in banking security for 2019, as predicted by BitSight, include:
- Mobile Apps and Web Portals – As the go-to choice for clients to process payments and transfers, apps and internet banking interfaces still present major security flaws. So much so that a report from Positive Technologies ranked the financial sector as “the most vulnerable to attack”. Similarly, in a 2018 study conducted by Accenture, security risks were found in 30 major banking applications.
- Third Parties – While most banks invested in protecting their own systems and networks, they were unable to successfully monitor those of the third-party vendors they have come to rely on daily. Monitoring vendors for security vulnerabilities is mandatory going forward.
- Cryptocurrency Hacks – With many banks aiming to start trading cryptocurrency in 2019, questions regarding the security of digital currency have arisen. Taking into account recent events where financial institutions have been hacked and robbed of millions of dollars’ worth of cryptocurrencies, a new approach to security is in order.
The truth is that there seems to be a wide gap between awareness and active preventive measures when it comes to cybersecurity. Studies show that although 82% of companies report their board members being concerned or very concerned about cybersecurity, active implementation of security protocols is underwhelming at several levels: the company’s internal security structures have not matured, security teams get involved in digital transformation projects too late or not at all, and, last but not least, only 43% of said board members lead by example and follow good security practices (source: ISACA).
“97% of companies have been a victim of digital attacks and yet only 22% are prepared to deal with incidents in the future” – source: i-scoop.eu
So… can a Digital Transformation process be secure?
As the financial landscape is reshaped to adapt to both client and regulatory demands, going digital is no longer a choice. As such, the question banks and credit unions face is not whether they can take the risk associated with digital processes, but rather how they can prepare in advance and minimize vulnerabilities. Besides the change in internal culture and processes needed to implement security measures in-house, the same or even stricter demands must be made of all third parties and vendors involved in the Digital Transformation of traditional banks.
As a prime Digital Transformation enabler, ebankIT has been addressing privacy and security from the start, improving with each new release of its Digital Banking Platform. In the latest version we have addressed the most pressing current cybersecurity concerns by continuously improving our architecture and gathering feedback from our clients. Below is a brief breakdown of how our platform is prepared to face each risk-heavy aspect:
A greater amount of sensitive digital information circulating between providers
Looking at the threats associated with sensitive digital information, there are 3 key moments to consider: when we move it (in transit), when we use it, and when we store it (at rest). For data in transit, our solution encrypts all sensitive information exchanged between our apps and services at the application layer. This provides an extra layer of protection, managed by us, even if the transport layer is partially compromised.
When sensitive data is accessed in an authenticated omnichannel session, it is protected not only by the authentication itself but also by the fact that it is volatile: it is stored only temporarily on the bank’s internal systems, which periodically purge information from previous sessions.
Lastly, our platform allows financial institutions to meet PSD2 legal requirements which translate into higher encryption capabilities on stored information.
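The "in transit" point above is that sensitive fields get their own encryption layer, independent of TLS, so a partially compromised transport does not expose them. The following Go program is an added illustration of that idea and is not ebankIT's code; it assumes AES-256-GCM as the authenticated cipher and uses a session identifier as associated data, so that an envelope captured on one session cannot be replayed under another. The key and sample values are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// demoKey is a constructed 32-byte key (AES-256) for this example only.
// A real deployment would fetch the key from a KMS or HSM, never embed it.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// Envelope is the wire form of one protected field: a fresh random nonce
// plus the AES-GCM ciphertext, which already carries its authentication tag.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts a sensitive field. context (for example a session or
// channel identifier) is passed as associated data: it is authenticated but
// not encrypted, so the envelope cannot be replayed under a different context.
func sealField(key, plaintext []byte, context string) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(context)),
	}, nil
}

// openField decrypts and verifies an envelope. Any change to the nonce,
// ciphertext, tag or context makes GCM reject the message before any
// plaintext is returned.
func openField(key []byte, env Envelope, context string) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, []byte(context))
	if err != nil {
		return nil, errors.New("envelope rejected: tampered, replayed or wrong context")
	}
	return pt, nil
}

func main() {
	// Constructed sample: an account identifier bound to one session.
	env, err := sealField(demoKey, []byte("ACCOUNT-0001-SAMPLE"), "session:demo-1")
	if err != nil {
		panic(err)
	}
	if pt, err := openField(demoKey, env, "session:demo-1"); err == nil {
		fmt.Println("same session:", string(pt))
	}
	// The same envelope presented under another session fails verification.
	if _, err := openField(demoKey, env, "session:demo-2"); err != nil {
		fmt.Println("other session:", err)
	}
	// A flipped ciphertext bit is detected, not silently decrypted.
	env.Ciphertext[0] ^= 0x01
	if _, err := openField(demoKey, env, "session:demo-1"); err != nil {
		fmt.Println("tampered:", err)
	}
}
```

The design point is that confidentiality alone is not enough for this layer: the GCM tag gives integrity, and binding the session identifier as associated data turns a captured envelope into something useless outside the session it was issued for, which is exactly the property you want when the transport underneath can no longer be trusted.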
Higher than ever number of user-operated devices (several per user)
With so many digital devices operating at once, it is critical to receive accurate real-time information about each one and to be able to monitor any potential anomalies. Our platform integrates with highly specialized fraud detection systems, allowing for adaptive authentication. Based on this external information, certain operations may be classified as high-risk, in which case we require a second-level authentication to complete the operation. This can be provided by us or integrated with a third-party provider.
Additionally, users can monitor all mobile devices that have used their access and immediately block them in the event of a security fault. They can also activate access-related alerts, receiving a notification whenever someone tries to authenticate with their credentials.
Cybercriminals are becoming increasingly sophisticated and innovative
To face the growing cybersecurity threats, we must stay one step ahead of the game. Innovation is key, and the ability to integrate with external systems allows us to improve continuously by adopting the latest developments of specialized systems. Through those systems, our platform can use machine learning to validate behavioural patterns and use their feedback to determine which authentication actions to take at each moment.
We also work closely with cybersecurity experts and consultants whose sole purpose is to keep up with the latest developments in digital security. Not only do they provide us with valuable insights, but they also conduct sophisticated vulnerability tests on our platform. Finally, we coordinate continuously with our clients’ security teams (both internal and external) to gather additional feedback and recommendations.
PSD2 Compliance and Open Banking will make API infrastructures prime targets
While exposed APIs may become a target, these regulations already impose stricter security criteria than before. A prime example is the obligation of Strong Customer Authentication (SCA), which consists of multi-factor authentication drawing on 3 categories: knowledge – “something only the user knows” (passwords, etc.), possession – “something only the user owns” (an OTP sent to the client’s mobile) and inherence – “something only the user is” (such as biometrics).
These standard security requirements will not only force service vendors to implement them in their solutions, but also make financial institutions more aware of the need to invest in specialized fraud detection systems to prevent the exploitation of APIs.
From the client’s standpoint, it is also worth mentioning that third parties can only access their information with their explicit consent. Our platform allows that consent to be validated through standard security protocols.
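Two passages on this page describe the same decision: the adaptive-authentication paragraph (a fraud system's risk verdict decides whether a second-level authentication is required) and the SCA paragraph (the second element must come from a different one of the three categories). The Go program below is an added example of such a step-up policy; it is not ebankIT's code. The risk-score fields, the 0.7 step-up threshold, the 0.95 deny ceiling and the operation names are assumptions made for the example; the rule that payment initiation always needs two categories follows the SCA description in the text.

```go
package main

import "fmt"

// Category is one of the three SCA element categories named in the text.
type Category string

const (
	Knowledge  Category = "knowledge"  // something only the user knows
	Possession Category = "possession" // something only the user owns
	Inherence  Category = "inherence"  // something only the user is
)

// Factor is one authentication element the user has presented in this session.
type Factor struct {
	Category Category
	Verified bool
}

// Operation is the action the user is asking the platform to perform.
type Operation struct {
	Kind   string // "view_balance", "transfer", ... (constructed names)
	Amount float64
}

// RiskSignal stands in for the verdict an external fraud-detection system
// returns; its fields and the thresholds below are assumptions for this example.
type RiskSignal struct {
	Score     float64 // 0.0 (benign) .. 1.0 (almost certainly fraud)
	NewDevice bool    // first time this device is seen for the user
}

// Decision is the policy outcome handed back to the channel.
type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step_up" // ask for another factor from a different category
	Deny   Decision = "deny"
)

// requiredCategories decides how many distinct SCA categories must be
// satisfied: payment initiation always needs two, a low-risk read-only
// action is allowed on one, and anything the fraud system flags is raised to two.
func requiredCategories(op Operation, risk RiskSignal) int {
	if op.Kind == "transfer" {
		return 2
	}
	if risk.Score >= 0.7 || risk.NewDevice {
		return 2
	}
	return 1
}

// distinctVerified counts categories, not factors: two passwords are still
// only "knowledge" and do not make the session multi-factor.
func distinctVerified(factors []Factor) int {
	seen := map[Category]bool{}
	for _, f := range factors {
		if f.Verified {
			seen[f.Category] = true
		}
	}
	return len(seen)
}

// evaluate applies the policy: deny outright above the (assumed) hard ceiling,
// allow if enough independent categories are already verified, else step up.
func evaluate(op Operation, risk RiskSignal, factors []Factor) Decision {
	if risk.Score >= 0.95 {
		return Deny
	}
	if distinctVerified(factors) >= requiredCategories(op, risk) {
		return Allow
	}
	return StepUp
}

func main() {
	pw := Factor{Category: Knowledge, Verified: true}
	otp := Factor{Category: Possession, Verified: true}
	low := RiskSignal{Score: 0.1}
	flagged := RiskSignal{Score: 0.8}
	transfer := Operation{Kind: "transfer", Amount: 250}
	view := Operation{Kind: "view_balance"}

	fmt.Println(evaluate(view, low, []Factor{pw}))          // allow
	fmt.Println(evaluate(view, flagged, []Factor{pw}))      // step_up
	fmt.Println(evaluate(transfer, low, []Factor{pw}))      // step_up
	fmt.Println(evaluate(transfer, low, []Factor{pw, pw}))  // step_up: same category twice
	fmt.Println(evaluate(transfer, low, []Factor{pw, otp})) // allow
}
```

The detail worth noticing is `distinctVerified`: a policy that merely counts verified factors would accept a password plus a second password, or a password plus a memorable question, as "multi-factor". Counting categories instead is what makes the second element independent of the first, which is the whole point of the knowledge/possession/inherence split.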