Soft tokens, hard security: the best way to beat online banking threats

Banks must earn their customers' trust

There is a mobile transformation underway for today's financial institutions. Major elements of this transformation include mobile authentication for online banking, and the deployment of mobile platforms that enable customers to conduct banking transactions anytime, anywhere.

Key challenges include optimising the user experience while ensuring that all transactions are secure and customer privacy is protected. There are also increased regulatory requirements to consider, and an evolving threat environment as cybercriminals move to target specific vulnerabilities of the mobile platform.

With 1.75 billion users worldwide in 2014, the smartphone is becoming popular as a multifunctional device that can be used for mobile identities. Security best practice dictates that banks and other financial institutions must secure online access with multi-factor authentication. With the growing threat landscape, they must also increase fraud controls, yet avoid interrupting the online user experience. This requires strong, dynamic authentication that is more secure than passwords yet convenient and cost-effective.

Online and mobile banking challenges

Banks face many challenges, including ensuring trust and confidence with mobile and other online services as adoption increases. Institutions must deliver multi-channel support while maintaining confidence in digital banking, upholding transaction efficiency, and safeguarding confidential data.

A growing concern is preventing account takeovers by protecting against advanced malware and other growing online threats, which is accomplished by adding security defences in a layered approach.

Finally, banks must also increase operating efficiency, by minimising the problems of disparate processes, legacy systems and applications while doing everything as cost-effectively as possible. In short, banks face a dramatically changing environment, in which a growing percentage of IT budget is focused on maintaining their digital infrastructure.

As online and mobile channels converge, customers also want to bank anywhere, anytime. Multi-channel integration becomes more important, and the industry is already shifting to an omni-channel model that raises the bar for customer-centricity and for meeting increasingly demanding service expectations. Fraudsters, who are adopting more sophisticated and dangerous tactics with an increasing focus on credential theft, pose the biggest threat to the growth of digital banking.

Defending against mobile-based threats requires a more effective approach to identity assurance, as most authentication controls have documented vulnerabilities and malware specific to mobile is increasing. Simple passwords are already widely known to be compromised. Fraudsters have also effectively overcome other traditional authentication methods. They unleash advanced threats such as phishing, keystroke logging, system resource manipulation, screen capture and chosen-plaintext brute-force attacks to hijack account access and compromise transactions.

As fraudsters continue to introduce more sophisticated attacks, the adoption of advanced authentication methods has become a matter of protecting both the bank's brand reputation and its bottom line.

Financial institutions seeking to implement multi-factor authentication (MFA) have historically been able to choose from a number of different methods and form factors, including OTP tokens, OTP challenge/response calculators, smart cards with readers, numeric grids printed on cards or sheets of paper, and various combinations of the above.

Most banks have implemented strong hardware-based authentication for their commercial customers but fewer on the consumer side, thinking it costly and complicated to deploy and manage, and inconvenient for users. This all changes, however, with the advent of advanced mobile security that fosters a convenient banking experience with out-of-band strong authentication.

Evolution of mobile authentication

The most basic mobile authentication option is delivering an OTP via SMS. An online banking customer logging in to the bank's website with a username and password triggers a request to send an OTP to his or her registered mobile phone. Upon receipt of a text message with the OTP, the customer enters it into an additional field on the banking site's login page to complete the login process.
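The server side of the two-step flow just described, written here as an added illustration (not code from the article or any vendor product): the bank issues a code after the password check, hands the plaintext to the SMS channel, and later checks the value typed into the extra login field. The lifetime, attempt budget and in-memory store are assumptions chosen for the example; they show the properties a practitioner expects of an SMS OTP: time-bound, single-use, and bounded against guessing.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120     # assumed code lifetime; the article gives no figure
MAX_ATTEMPTS = 3          # assumed cap on wrong guesses per issued code

# Constructed in-memory store, one pending code per login session.
# A real deployment would keep this in a shared, expiring cache.
_pending = {}


def issue_otp(session_id, now=None):
    """Step 1: after the password check passes, mint a fresh OTP for this login.
    Returns the plaintext to pass to the SMS gateway; only its hash is stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    _pending[session_id] = {
        "digest": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_otp(session_id, submitted, now=None):
    """Step 2: check the code entered in the extra login field.
    A code is accepted at most once, only before expiry, and only within the
    attempt budget; every terminal outcome discards the record, so a code that
    was accepted, expired or locked cannot be replayed."""
    now = time.time() if now is None else now
    record = _pending.get(session_id)
    if record is None:
        return "no_pending_otp"
    if now > record["expires"]:
        del _pending[session_id]
        return "expired"
    record["attempts"] += 1
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if hmac.compare_digest(digest, record["digest"]):   # constant-time compare
        del _pending[session_id]                        # single use
        return "ok"
    if record["attempts"] >= MAX_ATTEMPTS:
        del _pending[session_id]                        # force a new code
        return "locked"
    return "wrong_code"
```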