In a time of new online attacks, security should be treated as a service. If you get it right, and promote it appropriately, security can be a key factor in your bank achieving above normal performance, argues Michael Nuciforo
The very foundations of banking are based on the concepts of money and security. If you look back at the history of banking, from the very first coins, through loans and the advent of cash, the purpose of banking has always been to be a secure store of value. Yet even though customers expect their money to be secure, they rarely get excited about it. Because of this, many banks invest heavily in new innovations while cutting expenditure on security. A change in mind-set is required.
With more and more threats emerging every day, it is becoming clear that having a secure and robust security platform is going to be a key enabler to achieving competitive differentiation in the banking industry. In a recent US study, the primary reason given for not using new forms of digital and mobile banking was security. Four in ten respondents had concerns that prevented them from using these services. Security also closely relates to how quickly a bank can bring new services to market.
One of the longest lead times on any project is security approval. With security assessments and penetration testing on the critical path, the more robust your security platform is, the less time you need to spend debating whether your feature is going to create additional security loopholes.
The key to a successful security strategy is to reduce risk without making the customer work. The security solution needs to be integrated and consistent with the form factor of the device, and if that means setting up a tailored approach, go for it. Giving customers the flexibility to customise their security controls to suit their own personal preferences is vital. Specific rules, limits and treatments based on the customer’s location, direction or situation should all be available. Finally, simple, clear and accessible guidance for customers on safe and secure banking while on the move is becoming increasingly important. Customers want to be told what best practice is.
With new banking technology, most banks have an excellent opportunity to maintain control of their environment. Banks can use the latest device, behavioural, location and transaction profiling techniques to protect their ground. Organisations such as Trusteer offer banks advanced malware and jailbreak detection APIs which can be updated without a subsequent client release. These can be coded into native app builds using standard code libraries. Finally, banks can use firms like Melbourne IT for rapid identification, takedown and analysis of fake apps and websites targeting mobile products and services.
As more and more people start to use mobile and online banking, fraudsters will follow. In its ‘2014 Threat Predictions’ report, McAfee forecasts that over the next 18 months attackers will improve their skill set and are likely to bypass PCs and go straight after mobile banking apps.
So always keep one eye open through effective identification and assessment of the emerging security threat landscape, from both closed and open sources. Don’t assume that because you have strong measures in place today, they will still be strong in the future.
Most product, strategy and marketing teams have extensive roadmaps outlining the features they aim to launch over the next few years. Have you ever seen something similar for security? Rarely. Banks must set a clear mobile security strategy that links together with the channel’s product backlog. Remember what your potential customers are telling you: the number one reason they are not adopting your new online services is that they have security fears.
One of the main reasons security is not a primary scope candidate is that fraud losses are generally tracked at group level, not at an initiative level. This is also linked to how security initiatives are structured: they are generally managed as group initiatives and their benefits are not tracked accurately.
By treating security as a service, you can start tracking its impact on hard benefits such as improved customer acquisition and, most importantly, a reduction in fraud. If the product manager for your mobile project felt accountable for these benefit areas, security would automatically get a higher priority.
Do you know that all major UK banks offer a fraud guarantee? They guarantee to refund customers who suffer legitimate acts of fraud via their online and mobile channels. I firmly believe that banks need to start promoting this service. They should develop an icon that is consistently presented across digital channels at all relevant opportunities, especially login. Banks also need to ensure that the design of their mobile service gives an immediate impression of strength and safety. Use icons, colours, gradients and tone of voice to improve the perception; customers will subconsciously notice. Banks should also provide simple, clear and accessible guidance for customers on safe and secure banking while on the move.
One of the great advantages of mobile banking is that it’s with your customers all of the time. It is the greatest communications tool ever invented. Mobile should not just be treated as a vertical channel but as a horizontal capability that can be leveraged across the bank. From a security perspective it can be used as a delivery channel for services such as card fraud alerts, or to validate card-not-present transactions. It can also be used to validate overseas transactions: customers can be notified when their card is used, or, by confirming that they are overseas, they can ensure transactions are not blocked by the bank’s fraud systems.
The security landscape is constantly moving: as soon as you think you are one step ahead, you are one step behind. Banks need to be ready to act, so they should establish a dedicated mobile security team that is empowered, funded and resourced to deliver tactical changes in response to evolving mobile security threats.
The last thing you want to be doing when an incident occurs is haggling over budgets and resources. By having funding and resources allocated at the start of the year, small changes, minor enhancements and tactical fixes can be deployed rapidly.
Biometric technology such as iris scans, face recognition or fingerprint scanning has been touted for years. Australian bank ANZ recently announced that it is looking to deploy fingerprint-based ATMs. In the UK we have seen excellent traction in schools with WisePay, who are deploying fingerprint scanning technology that allows children to purchase goods in school canteens around the country. Why aren’t banks doing this yet? Not sure. There has been a significant improvement in biometric security over the last few years, and of all the options available, biometrics is the one most likely to convert the unconverted.
Mobile applications present many security challenges, but also opportunities. By augmenting the built-in platform controls provided by Android and Apple, and innovatively exploiting native mobile capabilities, we can improve our customers’ security and provide a more frictionless user experience. The "3-way trust" that is established during app enrolment can be used as a transparent second factor of authentication (something the user has).
This provides a more frictionless experience for customer logon and payment journeys (cf. the online web channel). Three related principles follow:
Leverage and augment existing platform data protection controls to protect confidential and highly confidential information.
Implement authentication controls that leverage existing mechanisms and exploit the new opportunities that mobile presents, improving customer experience and advocacy wherever possible.
Protect inbound and outbound communications between the application and our server-side components or third-party sites or components.
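As an added illustration of the "something the user has" factor described above (example code written for this edit, not the bank's, Apple's or Android's implementation; the class and function names are hypothetical): a device secret is issued once at enrolment and kept in the platform keystore, and every later logon answers a one-time server challenge with an HMAC, so the second factor is proven without the customer typing anything.

```python
import hashlib
import hmac
import secrets
import time


class EnrolmentServer:
    """Hypothetical server side of app enrolment and challenge-response logon."""

    def __init__(self):
        self.devices = {}   # device_id -> (customer_id, device_secret)
        self.pending = {}   # nonce -> (device_id, issued_at); each nonce is single-use

    def enrol(self, customer_id):
        # Called once, after the customer has proven identity in-app by other means.
        # The secret travels over TLS and must be stored in the device keystore.
        device_id = secrets.token_hex(8)
        device_secret = secrets.token_bytes(32)
        self.devices[device_id] = (customer_id, device_secret)
        return device_id, device_secret

    def challenge(self, device_id):
        # Issue a fresh random nonce bound to this enrolled device.
        if device_id not in self.devices:
            return None
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, time.time())
        return nonce

    def verify(self, device_id, nonce, tag, max_age=60):
        # pop() consumes the nonce, so a replayed (device_id, nonce, tag) fails.
        entry = self.pending.pop(nonce, None)
        if entry is None or entry[0] != device_id:
            return False
        if time.time() - entry[1] > max_age:   # stale challenge
            return False
        _, secret = self.devices[device_id]
        expected = hmac.new(secret, f"{device_id}:{nonce}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)   # constant-time comparison


def device_sign(device_id, device_secret, nonce):
    # Runs inside the app; the secret never leaves the keystore and the user types nothing.
    return hmac.new(device_secret, f"{device_id}:{nonce}".encode(), hashlib.sha256).digest()
```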
Proactive monitoring of digital storefronts for unauthorised applications is a domain that is becoming increasingly important. With this in mind, there is increasing demand for security specialists to review site and application source code and perform custom tests to detect security vulnerabilities. Having these assessments done by a third party also adds a layer of protection, as a significant amount of bank fraud is performed internally.
During the development lifecycle it is important to set standards with our developers and testers about the appropriate protocol. One step you can take is to publish a set of guidelines and rules to assist developers in building websites and applications that are free of security vulnerabilities.
Static and dynamic automated code review tools can detect security vulnerabilities during the development and testing phases of a project. This, coupled with penetration testing and code obfuscation, should be enough to protect your systems and render the code unreadable to a hacker attempting to understand how it works.
Recent advancements in the market, such as Apple’s launch of Apple Pay and Touch ID, also shift the game in terms of security and convenience. As part of Apple’s iOS 8 preview, it was announced that the Touch ID fingerprint capability would be opened up to developers to allow apps to use it as a method of user authentication.
This technology is unique because it scans sub-epidermal skin layers in the finger, making it less susceptible to false readings and rejections than the optical solutions in the market. Because it reads multiple skin layers, it is harder for a hacker to spoof than an optical reader; it is almost impossible. Apple insists it does not store the fingerprint itself, which implies it is stored as a non-reversible one-way hash for comparison against subsequent scans.
If you treat security as a service, rather than something that you just have to do, you change the mind-set of your organisation. If you think of security as a service, you will also ensure the customer experience is better. With the risk of a major cyber-attack ever more prevalent, it’s time for banks to start working together to deliver a cross-competitor solution. The good news is that technology is improving all the time and also reducing the load on the customer. Ultimately, security is becoming the most important aspect of banking services; customers demand and expect their money to be safe, so what are you going to do?