Banks and financial institutions have long been one of the primary targets for cybercriminals, due largely to the amount of sensitive information and financial assets they hold.
Over the years, malware and attack vectors have evolved significantly, overwhelming organisations with monetary and reputational loss across the globe. This is particularly resonant for banks and financial institutions where valuable data and money reap a high reward for hackers.
Phishing and identity theft remain an effective weapon for cybercriminals attacking banks and financial institutions, because they prey on the psychology of banking customers. Customers at one Singaporean bank lost nearly S$8.5 million after being tricked into surrendering their account details through a smishing campaign. Meanwhile, the Scamwatch team of the Australian Competition and Consumer Commission (ACCC) reported a 106 per cent increase in SMS scams in 2022.
There are methodologies and solutions that can help banks and financial institutions mitigate the risks of phishing and identity theft. One is a multi-layered strategy that treats authentication as part of a comprehensive risk management ecosystem, using artificial intelligence (AI) and behavioural biometrics to identify threats and minimise exposure, so that customer assets and online identities are defended proactively.
Strong customer authentication (SCA) based on secure mobile push notifications, such as that offered by HID Approve, is effective in protecting customers against phishing and identity theft. Let us examine how a comprehensive risk management solution can help protect financial organisations against the rising tide of cyber threats.
Determining who’s really behind the transaction request
A more secure and user-friendly way of protecting customer logins and financial transactions is push authentication – one of the delivery channels that enables the use of a mobile phone to perform multi-factor authentication (MFA).
Biometrics can link a specific device to its owner’s presence, which makes it difficult for cybercriminals to impersonate someone without physically gaining access to the device. This can be combined with password-less verification using secure mobile push notifications. When a notification appears on the user’s phone, the user must first authenticate with their enrolled biometric before approving or declining the request, instead of manually typing in an OTP received via SMS. Because the authentication request is delivered through push, the exchange is protected by a secure channel, which mitigates man-in-the-middle attacks and malware reading the SMS OTP in the background.
The most flexible push authentication solutions can even allow banks to enable device biometric capabilities to minimise the threat of compromised credentials.
Linking actions with identities and verifying intent
Critical data, such as customer device threat detection and customer payment transactions, can be collected and incorporated as adjacent data alongside behavioural biometrics. Behavioural biometrics captures users’ habitual behavioural patterns, including how they type, swipe and interact with their devices, enabling banks and financial institutions to flag anomalous logins and transaction attempts that simple authentication solutions might otherwise miss. The key principle is supplementing point-in-time data (credentials based on what we know, what we have and who we are) with data collected over time to help mitigate bank fraud.
Evaluating the entire customer journey in real-time
Another crucial approach is leveraging information that seems insignificant on its own, but when combined with other data or information, paints a complete picture of the customer journey. This can be done by implementing a comprehensive risk management solution that detects, records and analyses users’ behavioural biometrics.
This information includes: the type of operating system in use; whether the user is connecting through a VPN or from a device that has been compromised by malware; the IP address and geolocation of each login attempt; a unique device fingerprint, from the languages and fonts installed to how many contacts are stored in the directory; and flags on payment transactions that may be fraudulent.
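As an added illustration (not HID's code, and not part of the original article), the following risk engine combines the signals listed above into a score and an action: allow, step-up to a biometric-gated push approval, or deny. The device profile, attempt records, weights and thresholds are constructed assumptions for the example; a real deployment would tune them from observed fraud data.

```python
from math import radians, sin, cos, asin, sqrt

# Constructed device profile, as a bank's risk engine might hold it after enrolment.
ENROLLED = {
    "fingerprint": "ios17|en-GB,fr-FR|fonts:42|contacts:311",  # hypothetical
    "usual_os": "ios17",
    "last_login": {"lat": 1.35, "lon": 103.82, "ts": 0},        # Singapore, constructed
}


def haversine_km(a, b):
    """Great-circle distance between two {"lat", "lon"} points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def score_login(attempt, profile=ENROLLED):
    """Combine OS, VPN, malware, fingerprint, geo-velocity and transaction signals.

    Returns (action, score, reasons). Weights and thresholds are illustrative.
    """
    reasons, score = [], 0
    if attempt["malware_detected"]:            # compromised device: never trust it
        reasons.append("compromised device"); score += 100
    if attempt["fingerprint"] != profile["fingerprint"]:
        reasons.append("fingerprint mismatch"); score += 40
    if attempt["os"] != profile["usual_os"]:
        reasons.append("os change"); score += 15
    if attempt["vpn"]:
        reasons.append("vpn"); score += 10
    # Geo-velocity: distance from the last login divided by elapsed hours.
    hours = max((attempt["geo"]["ts"] - profile["last_login"]["ts"]) / 3600, 1 / 60)
    speed = haversine_km(attempt["geo"], profile["last_login"]) / hours
    if speed > 1000:
        reasons.append(f"impossible travel ({speed:.0f} km/h)"); score += 50
    if attempt["txn_amount"] > 5000:
        reasons.append("high-value transaction"); score += 20
    if score >= 80:
        action = "deny"
    elif score >= 20:
        action = "step-up"   # push notification, approved only after device biometrics
    else:
        action = "allow"
    return action, score, reasons
```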
Battling cyber threats is an ongoing undertaking, as cybercriminals will unfortunately always be part of the digital banking landscape. Notwithstanding this, banks and financial institutions must adopt a proactive, in-depth strategy to mitigate risks and combat external threats directed at the organisation.
It is therefore paramount for banks and financial institutions to put in place effective fraud prevention elements, including identity verification, risk management with behavioural analytics and a highly scalable authentication platform, in order to not just protect customers but also uphold the reputation and integrity of the organisation in the long term.
Edwardcher Monreal is Principal Solutions Architect, IAM Consumer Authentication Solutions, HID