Security and convenience are two things nobody in the banking sector can escape, and the constant tension between them is a significant challenge for financial organizations trying to balance the two. Adding accessibility so customers can do their banking anytime, anywhere, on new devices adds yet another layer of complexity.
With almost 5 billion people estimated to be using mobile phones globally, the banking sector is embracing the mobile option wholeheartedly (there’s your convenience), but the industry is also beginning to understand the additional security required to make this convenience a reality.
While mobile banking applications have become a must-have for customers, they have also become a new attack vector for cybercriminals. This new avenue of the financial industry opens up opportunities for hackers to exploit vulnerabilities through customer-facing applications, including their authorization, identification and authentication functions. Banks often make the mistake of relying on a one- or two-stage authentication process, which is easily defeated using relatively simple tactics (and not helped by the customer’s proclivity to re-use passwords across multiple accounts). Institutions need to incorporate multiple layers of positive consumer validation using layered technologies that include automation and anomaly detection, multi-factor authentication, passive biometrics and behavioral analytics, so that the true customer can be identified and the impostor detected before they can access critical account functions.
Slipping through the code
The vulnerabilities in the authentication, authorization and identification process allow cybercriminals to pass through a system virtually undetected. A recent report by Positive Technologies has discovered the startling reality that two-thirds of remote banking applications are vulnerable to some form of brute force attack, so it’s not hyperbolic to suggest this is an industry-wide problem. Bank and customer funds, along with client data and customer information, are therefore all up for grabs, and could all end up for sale on the dark web, creating a pipeline for further cybercrime.
Even outsourcing can’t save banking organizations: applications developed by third-party vendors had on average twice as many vulnerabilities as applications developed by in-house technology teams. That means every piece of code must be tested for such vulnerabilities in function and logic, and then approved by an in-house security team, to ensure the integrity of the banking application.
The data on the dark web
The theft and sale of ‘open’ passwords is a thriving industry on the dark web, where customer details brush up alongside drugs, weapons and worse. While some progress has been made in halting the stream of passwords revealed through vulnerabilities by using two-factor authentication, this is not a complete fix. Combining two-factor authentication with physical biometrics (fingerprints, iris scans, selfies) strengthens the security solution, but each of these components can be individually subverted by bad actors.
The really groundbreaking solutions are in mapping consumer behavior, and the interactional signal from every individual as they use their mobile devices. Passive biometrics can track such things as the angle of a handheld device when in use, the pressure applied to the keys or screen, and the length of gaps between typing and swiping. All this information can be used to distinguish good users from bad. These subtleties are virtually impossible for a non-human interface to replicate. When passive and physical biometric solutions are combined and used in conjunction with traditional two-factor authentication solutions, customers are protected to a much greater degree, and anomalous behavior is identified using the established patterns in the data to track outliers.
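The outlier tracking described above, reduced to a runnable sketch, as an added example that is not from the article or any vendor product. It takes the three signals the paragraph names (device tilt angle, touch pressure, gap between typing and swiping events), builds a per-customer baseline from enrolled sessions, and scores a new session two ways: does its mean drift too far from the owner's established pattern (a different human), and does it lack the jitter a real hand produces (a scripted or replayed interface). All sessions, thresholds and the allow/step-up/block policy are constructed assumptions for illustration.

```python
"""Behavioral anomaly scoring over passive-biometric signals.

Added example, not code from the original article. Every session below is
constructed sample telemetry; signal names, thresholds and the decision
policy are assumptions chosen for illustration.
"""
from statistics import mean, pstdev

# Constructed enrolment sessions for one customer. Each session maps a
# signal name to the per-event samples recorded while they typed and swiped.
ENROLLED_SESSIONS = [
    {"tilt_deg": [38, 41, 40, 39, 42],
     "pressure": [0.52, 0.55, 0.49, 0.53, 0.51],
     "gap_ms": [180, 230, 205, 260, 195]},
    {"tilt_deg": [37, 40, 42, 39, 41],
     "pressure": [0.50, 0.54, 0.52, 0.48, 0.53],
     "gap_ms": [210, 190, 240, 220, 200]},
    {"tilt_deg": [40, 39, 41, 38, 40],
     "pressure": [0.51, 0.53, 0.50, 0.54, 0.52],
     "gap_ms": [195, 225, 215, 250, 185]},
]


def build_profile(sessions):
    """Pool every sample of each signal across the enrolled sessions and
    keep its mean and standard deviation: {signal: (mu, sigma)}."""
    profile = {}
    for signal in sessions[0]:
        pooled = [x for s in sessions for x in s[signal]]
        sigma = pstdev(pooled) or 1e-9  # guard a degenerate zero-spread baseline
        profile[signal] = (mean(pooled), sigma)
    return profile


def score_session(profile, session, z_threshold=3.0, min_cv=0.01):
    """Return (decision, reasons) for one new session.

    Two checks per signal:
      * outlier: the session mean sits more than z_threshold standard
        deviations from the customer's baseline (looks like another human);
      * uniformity: the within-session coefficient of variation is below
        min_cv, i.e. the samples lack the jitter a real hand produces
        (looks like a scripted or replayed interface).
    """
    reasons = []
    for signal, (mu, sigma) in profile.items():
        samples = session[signal]
        m = mean(samples)
        z = abs(m - mu) / sigma
        if z > z_threshold:
            reasons.append(f"{signal}: mean {m:.2f} is {z:.1f} sigma from baseline {mu:.2f}")
        cv = pstdev(samples) / m if m else 0.0
        if cv < min_cv:
            reasons.append(f"{signal}: samples too uniform (cv={cv:.3f})")
    if not reasons:
        decision = "allow"
    elif len(reasons) == 1:
        decision = "step_up"  # one weak signal: ask for an additional factor
    else:
        decision = "block"    # several independent signals disagree with the owner
    return decision, reasons


# Constructed sessions to score against the baseline.
LEGIT_SESSION = {"tilt_deg": [39, 41, 40, 38, 42],
                 "pressure": [0.50, 0.53, 0.52, 0.54, 0.49],
                 "gap_ms": [190, 235, 210, 255, 200]}
SLOWER_SESSION = {"tilt_deg": [39, 41, 40, 38, 42],      # same owner, only the typing rhythm changed
                  "pressure": [0.50, 0.53, 0.52, 0.54, 0.49],
                  "gap_ms": [400, 450, 420, 480, 410]}
IMPOSTOR_SESSION = {"tilt_deg": [12, 15, 14, 13, 16],    # a different human holding the phone
                    "pressure": [0.80, 0.85, 0.82, 0.78, 0.84],
                    "gap_ms": [90, 110, 95, 120, 100]}
SCRIPTED_SESSION = {"tilt_deg": [40, 40, 40, 40, 40],    # replays the averages with no jitter
                    "pressure": [0.52, 0.52, 0.52, 0.52, 0.52],
                    "gap_ms": [213, 213, 213, 213, 213]}

if __name__ == "__main__":
    profile = build_profile(ENROLLED_SESSIONS)
    for name, s in [("legit", LEGIT_SESSION), ("slower", SLOWER_SESSION),
                    ("impostor", IMPOSTOR_SESSION), ("scripted", SCRIPTED_SESSION)]:
        decision, reasons = score_session(profile, s)
        print(name, decision, *reasons, sep="\n  ")
```

The scripted session is the interesting case: its means match the owner almost perfectly, so a plain distance check would pass it, and only the missing jitter gives it away. In a real deployment the baseline would be updated over time and the decision would feed a risk engine alongside the other factors rather than acting alone.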
Financial institutions stand at a fascinating crossroads in the often-tenuous relationship between technology and the customers who use it. Technology can now be used to separate machines from humans, known humans from unknown ones, and, among unknown users, those demonstrating high-risk signals.
Deploying integrated authentication, which combines physical biometrics, such as facial recognition or a fingerprint, with behavioral analytics and risk decisioning within robust offerings, gives banks and financial institutions a unique and powerful ability to secure transactions, and improve verification authenticity. At the same time, it ensures convenience for the customer who is not required to go through endless steps to complete their transactions. Until banks move to this type of multi-faceted approach, their remote banking apps will continue to be vulnerable, raising the risk of their customers looking for someone else to trust with their finances.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official policy or position of Banking.com or NCR Corporation.