Are digital banking security technologies foolproof?
Posted on 10.10.2019 at 12:14
By Pavel Melnichenko, CTO
When was the last time you walked into a bank to withdraw some cash or deposit a cheque? The rise of digital banking has proved to be a revolutionary approach to financial management, even to the extent of reducing the need for brick and mortar banking branches. Be it managing your own finances, working with a corporate account, or wanting to access a new financial service in the dead of night at any location around the globe, digital banking has allowed access to financial services at the comfort of the customer’s fingertips.
However, while the main objectives of digitalization are to make the bank-to-customer experience convenient, fast and accessible, the multiple layers of security procedures within the system are often at odds with providing a seamless user experience. In the following paragraphs, I will explore the security techniques employed by various banking institutions worldwide and the impact they have on banking users.
Having to abide by strict central bank regulations, which vary from country to country, modern digital banking systems include security mechanisms that are built to withstand cyber intrusions by unauthorized third parties. As such, it is difficult for these systems to be compromised.
Nevertheless, it would be complacent to assume that cybersecurity threats are not prevalent within the digital realm, as virtual dangers are always lurking behind the always-on digital gates.
On the other end of the bank-to-customer interaction, customers are often seen as the weakest link of the digital banking security ecosystem. With the ability to make transactions seamlessly without the need for physical identification, it is easy for malefactors to make digital transactions on behalf of customers to their own personal accounts. Therefore, a majority of cyberattacks are targeted at customers of digital banking services.
To counter such problems, banks have employed a variety of technologies. While some of these technologies favor the user experience and others provide stronger security, it has been difficult to find one that is both secure and user-friendly.
Your SMS one-time-passwords are not as personal as you think they are
Most banks assume that a user-friendly and secure approach to authorizing transactions can be delegated to the short message service (SMS). Acting as a second authentication factor – beyond the initial login-password within the remote banking login process – banks send an SMS with an OTP to the customer’s mobile phone whenever the customer makes a transaction. The OTP is subsequently keyed into the digital banking interface – either on a computer or in a mobile application – to confirm the transaction.
Despite its seemingly secure functionality, the SMS system has loopholes that can be exploited by unauthorized third-party individuals.
Firstly, the SMS code is known by the bank, the SMS aggregator (the company that sends the SMS codes for digital banking transactions), and mobile operators.
Secondly, the SMS protocol was designed in the year 1970. This makes it vulnerable to modern security exploits as cyber security attacks become more advanced. For example, a Signaling System 7 (SS7) attack can be carried out using equipment and software that amount to about USD$1500 to read messages for any mobile number in the world.
Thirdly, there have been widespread cases of smartphone malware with the ability to control your phone, which includes reading text messages. Similarly, such malware allows malefactors to gain access to the messaging application on your smartphone to receive SMS codes from your bank.
Often, a ‘technical’ attack from a malefactor includes infecting your smart device with malware. This can be done via messages with a hyperlink to a dummy site, or via an email that appears to come from a friend. By infecting your device, the malefactor can gain access to your digital banking account to make transactions while receiving the SMS OTP codes to authorize them.
Push notifications as a cheaper alternative
Beyond their security loopholes, however, SMS OTP systems are also very expensive. Hence, there are banks that prefer to send one-time-passwords using push messages, which are not without their drawbacks.
Firstly, smartphone software manufacturers, such as Apple and Google, restrict sending ‘sensitive information’ (including bank passwords) via push channels. This is because the content of a push message is known by both the push aggregator and the push service provider. Therefore, if there is a digital fraud incident, these manufacturers will be implicated, a scenario they wish to avoid.
Secondly, there is a standard software interface to read push notification content for the Android operating system. This standard interface makes it easy for malefactors to infect an Android system with malware that subsequently allows them to read and receive your push notifications on their end.
Thirdly, push messages are not a reliable communication channel. With incidents of transactions not being confirmed despite receiving a push message, the intermittent reliability of push messages may prove to be a cause for poor user experience.
One-time-password generator as a more secure tool?
Another method of generating an OTP is to use a dedicated device or generator. The device generates different codes based on time, or has a small touchpad where users can input transaction details to generate a password. While this is a more secure method of protecting your bank account, it can similarly be a pain point from a user experience point of view. With demands to create a seamless digital banking experience for customers, the last thing customers would want is to input twenty digits on a device only to retype the provided code in another system for their banking transactions.
From a security point of view, the generated codes are not linked with any transaction detail. As such, the codes can be used with any transaction. This makes them exploitable by malefactors, who can confirm their malicious transactions in the event they come across the code.
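The weakness described above, shown as an added example (not code from the article or from any bank's or vendor's product): a standard RFC 6238 time-based code verifies for whichever transaction it is submitted with, while a code computed over the transaction fields verifies only for the transaction the customer saw. The `txn_code` construction, the key, the timestamp and both transactions are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation of an HMAC value to a decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the only input besides the key is the clock."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest(), digits)

def txn_code(key: bytes, unix_time: int, txn: tuple, digits: int = 6, step: int = 30) -> str:
    """Illustrative bound code: HMAC-SHA256 over time step + length-prefixed fields."""
    msg = struct.pack(">Q", unix_time // step)
    for field in txn:
        raw = field.encode("utf-8")
        msg += struct.pack(">H", len(raw)) + raw  # prefix stops field-boundary shifts
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest(), digits)

def bank_accepts_totp(key, submitted, now, txn):
    # txn is ignored: nothing in a time-only code identifies the transaction.
    return hmac.compare_digest(submitted, totp(key, now))

def bank_accepts_txn_code(key, submitted, now, txn):
    return hmac.compare_digest(submitted, txn_code(key, now, txn))

# Constructed sample data (not from the article).
KEY = b"12345678901234567890"                      # RFC 6238 test key
NOW = 1570709640                                   # constructed timestamp
INTENDED = ("ACME-UTILITIES", "50.00", "USD")      # what the customer approved
SUBSTITUTED = ("UNKNOWN-PAYEE", "9500.00", "USD")  # a different transaction

def demo() -> dict:
    """Generate each code for INTENDED, then check it against both transactions."""
    time_only = totp(KEY, NOW)
    bound = txn_code(KEY, NOW, INTENDED)
    return {
        "totp_intended": bank_accepts_totp(KEY, time_only, NOW, INTENDED),
        "totp_substituted": bank_accepts_totp(KEY, time_only, NOW, SUBSTITUTED),
        "bound_intended": bank_accepts_txn_code(KEY, bound, NOW, INTENDED),
        "bound_substituted": bank_accepts_txn_code(KEY, bound, NOW, SUBSTITUTED),
    }

if __name__ == "__main__":
    print(demo())
```

Binding the code to the transaction only helps if the customer is shown the same payee and amount that went into the computation before approving.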
Another important point to note is that malefactors can gather these OTPs from customers, be it through SMS systems, push messaging, or an OTP generator device, using a tactic termed ‘social engineering’: a manipulative tactic of getting users to divulge confidential information using influence and persuasion. Social engineering attacks tend to be constructed using professional, psychological techniques.
Consequently, victims of these attacks often provide much needed sensitive and confidential information to malefactors which opens them up to the risks of digital fraud. Hence, it is important for us as end users of digital banking systems to be aware and wary of the various cybersecurity threats that seek to undermine these security systems.
The relationship between cybersecurity and user experience may be strained, yet this does not necessarily have to be the case. With our cybersecurity solution, PayConfirm, we provide a fast, easy and secure method for you to authorize your transactions while ensuring that the process remains user-friendly. Utilizing a combination of components that include transaction details and timestamps, unique smartphone characteristics (the so-called “device fingerprint”), and a unique user security key, PayConfirm guarantees that confirmation codes are safeguarded. Additionally, this user-friendly solution ensures that you are one tap away from approving any of your banking transactions.