This post first appeared on the recently acquired Fortress Identity blog:
In my role as an advisor to financial institutions on mobile biometric authentication, I meet bankers from all over the world. Most are technologically literate and leverage technology effectively in their operations, marketing, sales, communications, etc. However, many share a blind spot when it comes to their vulnerability to internal and external threats. They are insufficiently aware of:
- The scale and nature of the dangers they face, internally as well as externally.
- The latest security solutions available to financial institutions.
- The ease and economy with which voice biometric authentication can be implemented for mobile devices.
Below, I list nine things all bankers should know about protecting themselves. My goal is to motivate you to avoid the half-measure security that criminals now exploit so easily. It’s time to turn your institution into a biometric fortress. The tools and expertise you need to accomplish this are ready right now.
1. Passwords are a hacker’s best friend.
Like screen doors on a submarine, passwords are functional in name only. They are easy to steal, guess, misplace and lend to friends. More than half of all data attacks exploit passwords, even those bolstered by a security question or an OTP PIN. Astoundingly, many banks still rely on passwords to one degree or another. Why? Is it complacency? Fear of change? Whatever the reason, hackers love passwords.
2. Most attacks on banks are unreported.
As I wrote in my last post dealing with the Metro Bank attack, bad news travels slowly, if at all. Similar attacks in Germany became widely known only after Metro Bank was hit. Is it any wonder many bankers believe their security measures are good enough? If attacks seem to be rare, more a question of bad luck than weak security, why invest in something stronger? Ask yourself, could you be underestimating the threats your bank is facing? If your assessment is based on the fact that you are not hearing about attacks on other banks, you could be more vulnerable than you realize.
3. Mobile transactions amplify your vulnerability.
Instead of having only your own institution to secure, you now have merchants, point-of-sale systems, telecommunication networks, and the mobile devices themselves to worry about. Fraudsters can find entry points anywhere in a distributed mobile payment ecosystem, and their methods are increasingly sophisticated: distributed denial of service attacks, “low and slow” application-layer attacks, botnet attacks, and more.
4. Multi-factor, multimodal biometric security is indispensable.
To stop hackers today, your security must be exceedingly difficult to exploit and deployed in layers. The best way to achieve this protection-in-depth is with active and passive biometrics. Everyone’s biometric profile is unique, from your fingerprints and voice to how you type. Spoofing one biometric is very difficult. Spoofing several at once is exponentially harder. Multi-factor mobile authentication makes you a very hard target.
5. Multi-factor, multimodal biometric security doesn’t annoy customers.
Many financial institutions have been slow to adopt biometric security in the mistaken belief that customers, especially those on mobile devices, won’t like it. The fact is, the biometric process is frictionless. For example, one of our own solutions asks a person to recite a random 10-digit number, which is then compared to a voiceprint on file. At the same time, the person’s passive biometric data is being analyzed against benchmarks in the account holder’s profile. To gain entry, not just one but many biometric measurements must match. And it all happens in a few seconds. Your customer experiences zero hassle, but your institution is heavily protected against even the most high-tech attacks.
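The decision logic behind items 4 and 5, as an added example that is not Fortress Identity's code or SDK: a fresh random 10-digit challenge is issued per attempt and consumed on first use (so a captured recording cannot be replayed), the recited digits must match the challenge, the voice must match the enrolled voiceprint, and every required passive modality must be present and above threshold. The modality names (`typing_rhythm`, `device_handling`), the thresholds, and the score values are assumptions constructed for this example; the speech recognition and voiceprint comparison that would produce those scores are represented here as inputs.

```python
import secrets

# Constructed policy values for this example; a real deployment tunes each
# threshold per modality from its own false-accept / false-reject data.
CHALLENGE_DIGITS = 10
VOICE_THRESHOLD = 0.85
PASSIVE_THRESHOLD = 0.70
REQUIRED_PASSIVE = ("typing_rhythm", "device_handling")  # hypothetical modality names

# Outstanding challenges, keyed by account. A challenge is single-use: it is
# removed the first time it is checked, so a recording captured from one
# attempt cannot be replayed against a later one.
_outstanding: dict[str, str] = {}


def issue_challenge(account: str) -> str:
    """Generate a fresh random 10-digit number for the caller to recite."""
    digits = "".join(str(secrets.randbelow(10)) for _ in range(CHALLENGE_DIGITS))
    _outstanding[account] = digits
    return digits


def verify(account: str, spoken_digits: str, voice_match: float,
           passive_scores: dict[str, float]) -> tuple[bool, list[str]]:
    """Decide an authentication attempt.

    spoken_digits  - digits recognised from the audio (output of a hypothetical ASR step)
    voice_match    - similarity of the audio to the enrolled voiceprint, 0..1
    passive_scores - similarity of each passive modality to the enrolled profile, 0..1

    Every check must pass. The returned list names each failed check so the
    decision can be logged and tuned server-side; the caller should only be
    told that the attempt failed, not which factor failed.
    """
    failures: list[str] = []

    # 1. Liveness / anti-replay: the recited digits must equal the challenge
    #    issued for this attempt. The challenge is consumed whether or not
    #    the attempt succeeds.
    expected = _outstanding.pop(account, None)
    if expected is None:
        failures.append("no_outstanding_challenge")
    elif spoken_digits != expected:
        failures.append("challenge_mismatch")

    # 2. Active biometric: the voice must match the stored voiceprint.
    if voice_match < VOICE_THRESHOLD:
        failures.append("voice_below_threshold")

    # 3. Passive biometrics: every required modality must be present and
    #    above threshold. A missing modality counts as a failure, so an
    #    attempt cannot pass by omitting a signal that would have flagged it.
    for name in REQUIRED_PASSIVE:
        score = passive_scores.get(name)
        if score is None:
            failures.append(f"{name}_missing")
        elif score < PASSIVE_THRESHOLD:
            failures.append(f"{name}_below_threshold")

    return (not failures, failures)


if __name__ == "__main__":
    # Constructed walk-through: a genuine attempt, then a replay of an old
    # recording that recites the wrong digits despite a strong voice match.
    genuine = {"typing_rhythm": 0.88, "device_handling": 0.81}
    challenge = issue_challenge("acct-demo")
    print("genuine:", verify("acct-demo", challenge, 0.93, genuine))
    challenge = issue_challenge("acct-demo")
    old_recording = str((int(challenge) + 1) % 10**CHALLENGE_DIGITS).zfill(CHALLENGE_DIGITS)
    print("replay:", verify("acct-demo", old_recording, 0.97, genuine))
```

The all-must-pass rule is deliberate: averaging scores would let a very strong voice match (which a high-quality recording or synthesized voice can produce) compensate for a weak or absent behavioural signal, which is exactly the combination the layered design is meant to reject.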
6. Adding multi-factor biometric security isn’t expensive or time-consuming.
You can’t blame a non-technologist for thinking that the biometric security solutions described above would be a major undertaking. But the truth is, this kind of massive security upgrade can be accomplished by adding a minimal amount of code. That’s all. And you won’t have to worry about educating customers or adding more support staff. Everything about our biometric security solutions is transparent, voice-based and easy to do on a mobile device.
7. A successful attack on your bank will hurt you more than you realize.
Financial institutions are built on a foundation of trust. Once lost, it is difficult or impossible to regain. A bank that has been successfully attacked also loses brand equity and the confidence of its business partners. The arrival of mobile payments has increased almost every bank’s vulnerability by orders of magnitude. And until you take measures to secure your institution against these new threats, the advantage lies with a new, more relentless generation of fraudsters and hackers.
8. Valuable security advisors are probably sitting in your building right now.
Black hats and white hats have a lot in common. Chances are high that your own developers can brief you on the specific threats your institution is facing and your options for dealing with them. I recommend you draw on their insights as soon as you can. They may even be evaluating our mobile biometric authentication SDK right now. We offer an SDK for iOS and an SDK for Android.
9. Hackers never sleep.
There’s too much money at stake—yours. They want it. And they’re using extraordinary ingenuity in their attempts to steal it. But you can stop them cold by turning your institution into a biometric fortress.