The following article, authored by Giovanni Verhaeghe, Director Market and Product Strategy, VASCO, first appeared 2/4/2018 in the Financial IT.net blog.
Mobile banking apps and the devices they run on are increasingly at risk for compromise by cybercriminals. New, sophisticated methods of attack have rendered the classic username-password scheme outright obsolete. Even the more secure but still basic two-factor authentication seems insufficient, as hackers have found ways to dupe users into entering passcodes into fake user interfaces.
The main challenge has always been to devise a security scheme that is dynamic enough to thwart hackers – without impeding usability. From a user perspective, constantly having to add new credentials like strong passwords and unique usernames is a hassle and may be a reason to switch to a different service provider. It also provokes shortcuts in behavior, for example by using the same password for multiple platforms or using simple passwords that are easy to recall. That in itself undermines security, as it makes it easier for criminals to find weaknesses to exploit. Mobile devices are especially vulnerable as users tend to be less mindful of security than they would be on desktops or laptops.
Layers Erected, Layers Collapse
As mentioned on FinancialIT.net, newly added security layers are also compromised by buggy implementations or the inherent weaknesses of mobile devices and their operating systems. Cybercriminals are constantly at work to find new ways to exploit these vulnerabilities. Each successful hack means developers need to either improve existing layers of security, or add a new layer that contributes to overall complexity. Technology is not the only element targeted by cybercriminals though. They are trying to exploit users’ lack of knowledge. Just picture overlay malware, where the user is presented with a fake login screen. The customer types in their credentials and any authentication code sent by SMS, while the malware secretly changes the target account number, for example.
For these reasons, financial institutions have rightly added more discreet security to their apps – security that does not interfere with usability. For example, by taking into account time and place where users log in to their mobile banking apps, banks can quickly detect potentially suspicious login attempts. If someone tries to do a large transaction in the middle of the night from halfway across the world, something usually isn’t right. Blocking the transaction until there has been some additional verification is the best course of action. But financial institutions can add more behavioral elements to the mix beside time and place. Examples include finger pressure when tapping or swiping the touchscreen of the smartphone, or typing speed. If something is off, it might be that a device has been stolen or that the user is unknowingly using an overlay put in place by cybercriminals instead of the actual banking app.
Behavior as an Added Factor
This type of security has become known as behavioral biometrics and can be added as an additional layer to security solutions. By capturing the way the user typically uses the device over a period of time, behavioral biometrics algorithms can define a sort of ‘fingerprint’. If the user’s actions match that fingerprint, there is a higher probability they are legitimate and there is no need to interfere and possibly compromise the user experience. However, a sudden change in behavior might indicate something suspicious. The bank can then step in and request additional verification.
As mentioned on FinancialIT.net, because behavioral biometrics is a discreet way to verify transactions, the burden of security shifts away from the user. Users normally won’t notice the layer as it does not demand additional action from them. That in turn means that the time spent authenticating a user is minimalized, so the user spends more time using the actual application. All the while, the session is secured to the level that users would expect.
Behavioral biometrics reduces fraud while minimizing the occurrence of false positives. Also, it does not nearly intrude into the privacy of users as do traditional biometrics, like databases of fingerprints, iris scans or voice prints. A user’s behavioral pattern is stored as a mathematical equation that is useless for criminals looking for personal data.
Behavioral biometrics offers security on a transaction-to-transaction basis. It does not secure only one avenue. This makes it very hard for criminals to overcome, as there is no single weakness that can be exploited. At the same time, the user is not burdened with the discomforts additional security layers normally bring with them.
For more information on biometrics, download: