In recent years, the banking industry has tracked the development of increasingly sophisticated fraud patterns, coordinated by groups across the Internet searching for bank systems with security weaknesses. Once a vulnerable institution is identified, the group typically plans a large-scale attack for when defenses are at their lowest.

The Federal Financial Institutions Examination Council (FFIEC) updated its guidance on “Authentication in an Internet Banking Environment” in 2012. The guidance calls for a layered approach to online banking security, but the standards it puts forward will not protect banks and their customers entirely, leading experts to predict a continued rise in fraud losses. 

With the threat mounting, the immediate reaction is to impose new barriers to mitigate the risks. Banks have widely adopted security measures based on two-factor authentication. Here, online customers first identify themselves by entering something they know: their log-in details. They then use something they have in their possession – a USB token, key fob, chip card, or mobile phone – to provide a unique one-time password (OTP). Emerging approaches also feature biometric scans and voice recognition. 

Whatever the method of generating the OTP or other unique identifier, the flaw these approaches to two-factor authentication all share is that they remain reliant on browser-based communications back to the bank. So, if a phishing site mimics the bank’s online banking or the browser is otherwise compromised, the customer’s credentials and the OTP can be harvested by fraudsters and immediately used to gain access to accounts and authenticate fraudulent transactions.

This is happening with alarming regularity. Verifying transactions through browser communications is, quite simply, a security dead-end. The future, the industry is realizing, lies in two-way, out-of-band transaction authentication. 

Banks in Europe and Asia have already adopted security standards that use advanced cryptography to verify their customers’ identities and authenticate transactions in real time and entirely out of band. In doing so, they have benefited from vastly more reliable means of combating fraud, without negatively impacting the end-user experience.

Unlike OTPs and expensive hardware tokens, a digital certificate-based authentication system, coupled with transaction signing, can eliminate virtually all types of man-in-the-middle attacks. Securely encrypted private keys are deployed to online banking customers’ mobile phones, transforming them into personal transaction authentication devices that can meet the highest levels of security a bank deems necessary. Transactions are individually signed before they are confirmed in a one-touch verification process so simple and intuitive it requires virtually no customer education. 
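The contrast the preceding paragraphs draw, worked through as an added example that is not Entersekt's code and does not describe its product: an OTP proves possession of a token but is not tied to any transaction, so a harvested code approves whatever transaction arrives with it, whereas a signature computed on the phone over the transaction's own details fails the moment those details are changed. The signature scheme (Ed25519), the HMAC-counter OTP model and the transaction encoding are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is what the customer confirms on the phone; Nonce is server-issued and single use (no replay).
type Transaction struct{ Payee string; Amount, Nonce uint64 } // Amount in minor currency units
// encode fixes the exact bytes that are signed and verified; payee last so the numeric fields stay unambiguous.
func (t Transaction) encode() []byte {
	return []byte(fmt.Sprintf("%d|%d|%s", t.Amount, t.Nonce, t.Payee))
}
// otp models a token code (HMAC of a shared secret and a counter): it proves possession, not which transaction.
func otp(secret []byte, counter uint64) []byte {
	m := hmac.New(sha256.New, secret)
	fmt.Fprint(m, counter)
	return m.Sum(nil)
}
// OTPApproves is the browser-channel check: the code matches, so any transaction sent with it is accepted.
func OTPApproves(secret []byte, counter uint64, code []byte, _ Transaction) bool {
	return hmac.Equal(otp(secret, counter), code)
}
// SignTransaction runs on the phone, out of band, with the enrolled private key (assumed Ed25519).
func SignTransaction(priv ed25519.PrivateKey, tx Transaction) []byte {
	return ed25519.Sign(priv, tx.encode())
}
// SignatureApproves runs at the bank: the signature is bound to payee, amount and nonce, so altered details fail.
func SignatureApproves(pub ed25519.PublicKey, tx Transaction, sig []byte) bool {
	return ed25519.Verify(pub, tx.encode(), sig)
}
// Demo returns: OTP approves the altered tx; signature approves the original; signature approves the altered.
func Demo() (otpAltered, sigOriginal, sigAltered bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	secret := []byte("constructed-shared-secret") // every value here is a constructed sample
	original := Transaction{"Electric Co", 12000, 1}
	altered := Transaction{"Attacker-chosen payee", 9900000, 1}
	code := otp(secret, 1) // the code a phishing page would have harvested from the customer
	sig := SignTransaction(priv, original)
	return OTPApproves(secret, 1, code, altered), SignatureApproves(pub, original, sig), SignatureApproves(pub, altered, sig)
}

func main() {
	a, b, c := Demo()
	fmt.Println("OTP approves altered:", a, "| signature approves original:", b, "| altered:", c)
}
```

Running it prints `true`, `true`, `false`: the unbound OTP accepts the altered transfer, while the transaction signature only verifies over the details the customer actually saw.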

Financial institutions that choose to maintain the status quo of two-factor authentication should expect a sustained increase in successful online account takeover attacks as fraudsters target them with rising frequency. To avoid declining profits and the loss of customers to competitors that inspire greater confidence, institutions must move early and fast in adopting the new baseline for online banking and payments security – digital certificate-based authentication performed entirely out of band on the mobile phone.

For more information on how to protect your customers, visit Entersekt’s customer authentication solution.

Entersekt editor

An avid scowler and violent sharpener of pencils, Editor’s bark is worse than her bite. Every scrap of writing that crosses her desk she treats with the same care she would her own privately published comic verse. Any orphans and misfits, she takes under her wing. After hours, she practices amateur type design and represents her local library in extreme kerning competitions.


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.