Following Mobey Forum’s recent quarterly member meeting in Edinburgh, Executive Director, Maikki Frisk, caught up with Douglas Kinloch, VP Software Protection & HCE and host member, Inside Secure, to get his take on the future of digital security in today’s banks.
Everyone is talking about the digital user experience. For banks, is a security trade-off necessary to deliver the optimal UX?
No. With the right approach, security doesn’t have to take a back seat to user experience, nor should it. As banks reshape their digital services for the mobile app environment, they can place the same emphasis on security as they do on the user experience by including security across the whole lifecycle of the service. Security then becomes a core benefit of the overall UX, not just an inconvenient afterthought. Customers respond well to and appreciate security reassurances as well as their overall experience with the service. Banks’ digital services should be designed at the beginning with security as part of the user experience in mind.
Should securing the customer interface dominate the security debate?
Fraud, together with device and customer account hacks, grabs the most headlines, but compromising a bank’s back-end, server-side systems could be far more damaging. Obviously, a single account hack is never good, but in most instances the bank can manage the situation. A ‘class break’, however, where a piece of malware, or some other form of attack, gets control of the systems that operate hundreds of thousands of accounts, is something entirely different. More attention needs to be given to the full spectrum of banks’ digital vulnerabilities. Only by blending a mixture of security measures like application hardening, multifactor authentication, encryption etc., and applying them throughout the bank’s infrastructure, can they effectively defend themselves against the threats they face.
What role can biometrics play in security?
Biometrics support the marriage of UX and security, but only under the right circumstances. Higher end phones from Apple and Samsung, for example, do a great job of separating their fingerprint readers from the rest of the OS to boost biometrics data security. That said, fingerprint readers are now appearing on lower end phones too, and without the same degree of separation. Banks must tread carefully here; these readers are far more vulnerable to malware and hacking. This is a good example of how banks must be vigilant about the detail: as new security technologies come to the fore it is important to understand how they are applied, as well as how they function.
Any other tips for banks on device security?
Yes, look beyond your own service; much depends on the individual security setup of each device. Some parameters are specified in the OS, some by the device manufacturer, some by the service provider/bank and some by the end user.
When planning, banks should prepare for the worst and consider how to protect their services even when their customers’ device security has been completely overridden. Given time, a hacker can bypass a locked device, and while remote data wiping and remote shutdown facilities are useful, they only function if the device remains connected, via Wi-Fi or the GSM network for example. It hasn’t taken hackers long to spot that on most smart phones, all connectivity can be disabled by activating flight mode without even unlocking the device. This convenience-oriented feature means that the hacker can take the device off the grid and make it immune to its own remote security measures immediately, giving them all the time in the world to concentrate on breaking in.
How will the digital banking security scene develop in the next two years?
Banks will increasingly realise that they must take a holistic approach to digital service security. Too many still treat it as a feature of each product or service. Malware will become central to the dialogue. Part of the problem here is that malware is only knowable once it has been successfully identified and, given current banks’ vulnerabilities, the chances are high that somewhere, malware is busily syphoning off customer data for future exploitation.
How important is cross industry collaboration on digital security in banking?
Very important. Having commercially neutral forums for collaboration is critical, particularly because there are no established industry standards for mobile banking and payments. Know your customer (KYC) processes are useful, but the digital enrolment process remains a key area of vulnerability; a bank cannot know whether a new customer’s device is already infected with malware, which could be skimming or screen scraping confidential data in real time, as the customer is enrolling.
While banks are not typically mobile security experts, they have the most to lose from a security breach. With this in mind, providing the opportunity for banks to meet in a neutral environment where experiences and best practices can be shared is undoubtedly beneficial. The security industry moves with such speed that associations like Mobey Forum also act as awareness platforms. Banks have a lot to contend with at the moment, so for vendors like Inside Secure, helping banks understand and navigate the ever-changing security landscape is beneficial to the whole ecosystem.
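The device-security answer above makes a point that is easy to state and easy to get wrong in practice: remote wipe and remote shutdown only work while the bank can still reach the device, and flight mode takes that away without unlocking anything. The defensive consequence is that the protection has to live on the server side, where the bank decides how long a session token stays trusted regardless of whether the device ever reconnects. The following is an added example, not code from Mobey Forum or Inside Secure, of such a server-side policy: a session that goes quiet is first downgraded to require fresh authentication, then revoked outright, and a customer’s lost-device report kills it immediately. The class and function names, the thresholds and the constructed timestamps are all assumptions made for the example.

```python
"""Server-side session ageing that does not depend on reaching the device.

Added example. SessionPolicy, DeviceSession, State and report_lost are
hypothetical names; the thresholds below are constructed illustrative values,
not any bank's actual policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ACTIVE = "active"      # device checked in recently; normal operations allowed
    STEP_UP = "step_up"    # device went quiet; fresh authentication required
    REVOKED = "revoked"    # token is dead; the device must re-enrol


@dataclass
class DeviceSession:
    device_id: str
    last_checkin: datetime         # last heartbeat or authenticated request seen
    lost_reported: bool = False    # customer reported the device lost/stolen


class SessionPolicy:
    def __init__(self, step_up_after: timedelta, revoke_after: timedelta):
        if step_up_after >= revoke_after:
            raise ValueError("step_up_after must be shorter than revoke_after")
        self.step_up_after = step_up_after
        self.revoke_after = revoke_after

    def evaluate(self, session: DeviceSession, now: datetime) -> State:
        # A lost/stolen report wins over everything else: the session dies
        # whether or not the device is ever reachable again (flight mode or not).
        if session.lost_reported:
            return State.REVOKED
        silence = now - session.last_checkin
        if silence >= self.revoke_after:
            return State.REVOKED
        if silence >= self.step_up_after:
            return State.STEP_UP
        return State.ACTIVE

    def record_checkin(self, session: DeviceSession, now: datetime,
                       fresh_auth: bool = False) -> bool:
        """Accept a device heartbeat. A silent device that reappears in STEP_UP
        cannot refresh its session with a bare heartbeat; it needs fresh
        authentication first. Returns True if the check-in was accepted."""
        state = self.evaluate(session, now)
        if state is State.REVOKED:
            return False
        if state is State.STEP_UP and not fresh_auth:
            return False
        session.last_checkin = now
        return True

    def authorize(self, session: DeviceSession, now: datetime,
                  fresh_auth: bool = False) -> bool:
        """Decide whether a sensitive operation (e.g. a payment) may proceed."""
        state = self.evaluate(session, now)
        if state is State.ACTIVE:
            return True
        if state is State.STEP_UP:
            return fresh_auth
        return False


def report_lost(session: DeviceSession) -> None:
    """Customer-initiated kill switch that needs no contact with the device."""
    session.lost_reported = True


def demo() -> dict:
    """Walk one constructed device through quiet, step-up, recovery and revocation."""
    policy = SessionPolicy(step_up_after=timedelta(minutes=15),
                           revoke_after=timedelta(hours=4))
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    dev = DeviceSession("dev-A", last_checkin=t0)
    out = {}
    out["fresh"] = policy.evaluate(dev, t0 + timedelta(minutes=5)).value
    out["quiet"] = policy.evaluate(dev, t0 + timedelta(minutes=30)).value
    out["pay_without_auth"] = policy.authorize(dev, t0 + timedelta(minutes=30))
    out["pay_with_auth"] = policy.authorize(dev, t0 + timedelta(minutes=30), fresh_auth=True)
    out["bare_heartbeat_accepted"] = policy.record_checkin(dev, t0 + timedelta(minutes=30))
    out["auth_checkin_accepted"] = policy.record_checkin(dev, t0 + timedelta(minutes=30), fresh_auth=True)
    out["after_recovery"] = policy.evaluate(dev, t0 + timedelta(minutes=35)).value
    out["long_silence"] = policy.evaluate(dev, t0 + timedelta(hours=6)).value
    out["late_checkin_accepted"] = policy.record_checkin(dev, t0 + timedelta(hours=6), fresh_auth=True)
    stolen = DeviceSession("dev-B", last_checkin=t0)
    report_lost(stolen)
    out["lost_device"] = policy.evaluate(stolen, t0).value
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the design is that nothing here waits for a command to arrive at the handset: the bank’s own clock ages the token, a reappearing device cannot silently regain full trust, and the customer can revoke from another channel. Remote wipe remains a useful extra, but the service no longer depends on it.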