Written by James Stickland, CEO of Veridium (FinovateEurope 2017). Originally published in FinTech Futures.
Consider this terrible dichotomy: while the average person’s application count has gone up significantly, corresponding end user cyber-security measures have gone up little, if at all. Between the app store, social channels, and the multitude of devices in use, a person’s threat landscape – the number of points from which a hacker could target them – has increased dramatically. As a result, the end-user is enormously reliant on enterprise and application providers to keep their data secure when they use these apps.
Cifas recently reported that cyber-enabled identity fraud has hit record levels in the U.K. – with younger users amongst the top targets. This seems counter-intuitive, as this demographic is certainly more tech-savvy. However, someone aged 18-21 may not be as protective of their finances as someone in their mid-40s. The younger generation doesn’t have distinguished user behavior (i.e., they haven’t opened or closed credit cards or taken loans) so it’s difficult for banks to determine what’s normal for them.
Banks have an endless amount of sensitive customer data in their possession and are under pressure to generate increased revenue per user, which means multiple touch points with single clients. This is proliferating the problem by creating increasingly complex client maps and insertion points where hackers can find their way in. Companies are working furiously to thwart attacks, but there are some very straight forward approaches that institutions should be taking to stop the attacks before they occur.
Why aren’t banks doing anything about it?
The cybersecurity problems are clear and the news headlines tell the story. In fact, in 2016, the five biggest data breaches all involved compromised, weak or reused passwords. So why isn’t anyone doing anything about this? One of the key drivers is a risk aversion to putting off customers, or complicating employee access. Anytime you require a change in behavior you can expect a backlash. For example, what would you do if suddenly your expectation of what was required to use an online account changed? Institutions think they are making passwords safer by requiring them to be more complex. In the end, this approach is self-defeating and delusional. It’s not making us safer, it’s putting us at a higher risk and defeating the original plan.
What can we do in the finance industry?
Financial companies are filled with high-value assets and have been making the attack landscape more complex through better and more intelligent firewalls, managed rules, and policies. There has also been a segregation of the data, isolating high value content and adding end-point and data-specific security. Yet, security is never a finished project; it is an ever-evolving beast and hackers have an incentive to keep getting smarter. So how can we stay alert and act?
1. Take away the easy entry points
Passwords are an easy entry point. Enterprises set rules and requirements in an attempt to maintain security: increase the number of times a user needs to change their password, set guidelines that say the password can’t have been used before, or it must include seven characters. Yet, adding rules doesn’t change the issue behind the password.
2. Update security questions
Previously, companies didn’t have to consider the social aspect. It wasn’t a concern that someone could find out your mother’s maiden name or your high school mascot just by checking your Facebook; personal details were less accessible. This is not the case today. Consider how simple it is for hackers to research and uncover those answers.
3. Kill the password
Weak and compromised passwords continue to be a major attack point for hackers, and the costs for maintaining them are high. Even with these issues and if your password policy hasn’t been compromised, passwords don’t prove you are you – they just prove you know something about who you say you are.
Biometric authentication allows you to prove you are who you are through a variety of methods – face recognition, iris recognition, fingerprint scanning, and behavioral authentication. It offers your customers the ability to quickly and conveniently access their accounts, avoid forgotten and misplaced passwords, while increasing security and a fit for the digital age.
At 