Financial organisations require a new cybersecurity “playbook” for the post-pandemic era
If history has taught us anything, it’s that hackers like to make money – and lots of it. In fact, 86% of breaches are financially motivated, according to the 2020 Verizon Data Breach Investigations Report (DBIR).
In its report, Verizon reveals that the financial sector ranks fourth among all sectors by number of incidents (1,509) and second by number of breaches (448), just behind healthcare, in its analysis of more than 32,000 security incidents and 3,950 breaches. In addition, financial organisations suffer the third-highest average cost per breach at $5.85 million, nearly $2 million higher than the global average across all industries, according to the Ponemon and IBM 2020 Cost of a Data Breach Report.
Unfortunately, because criminals seek to steal as quickly and easily as possible and go where the money is, the current pandemic has only elevated the sector’s risks. According to the VMware Carbon Black Global Incident Response Threat Report, as much as 51% of post-COVID-19 attacks target the financial industry, compared with 35% for the second-highest sector, healthcare.
As a result, notable incidents and developments are making headlines. For example, in April 2020, the Small Business Association disclosed that a data breach of its online application portal may have compromised personally identifiable information (PII) – including Social Security numbers, income amounts, names, addresses and contact information – of an estimated 8,000 businesses applying for Economic Injury Disaster Loans.
Then in May, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and other agencies issued a joint alert for “all Americans to be on the lookout” for fraud attempts using “coronavirus lures to steal personal and financial information” or trying to steal payments from initiatives such as the $2 trillion Coronavirus Aid, Relief and Economic Security (CARES) Act. And as recently as June, the FBI issued yet another warning about cyber criminals accessing the credentials of mobile banking customers through bogus, malicious programs disguised as banking apps.
Clearly, financial institutions, their transactions and their accounts continue to present large opportunities and targets during the global pandemic. More than ever, fintech leaders need better ways to secure systems, data and, most importantly, access to them, or they risk their businesses and, very publicly, their customers’ trust.
Despite the risks, we’re still seeing too many financial institutions rely solely on familiar, but flawed, “knowledge-based” or “possession-based” authentication controls – and then encounter significant issues because they depend on those controls exclusively. Knowledge-based authentication is familiar to most users and requires them to input something only they should know, like a password, a PIN or answers to challenges like “where did you go to elementary school?”. Possession-based authentication controls require something users physically have, like tokens.
From our vantage, the finance sector needs a new “playbook.” People lose tokens. Hackers easily steal passwords via email phishing scams, for example by tricking the user into logging into a phony banking site that then captures their real banking credentials, or by using keylogging (malware that records keystrokes) or credential stuffing (replaying massive numbers of username and password pairs taken from a compromised database against many accounts) techniques. And as for answers to those “elementary school” questions? Cyber adversaries already follow the social media posts of their targeted victims to find this openly shared information.
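Credential stuffing, as described above, leaves a trace that a defender can look for: a single source failing logins against many different usernames in a short window, which looks nothing like a customer mistyping their own password. The following is an added example, not code from the article or from any product it mentions; the log format, the five-minute window and the five-username threshold are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Detecting a credential-stuffing pattern in authentication logs.

Added example (not from the article). Assumed log format per line:
"<ISO timestamp> <source ip> <username> <OK|FAIL>". A source that fails
against many distinct usernames inside a short window is flagged, and
any account that source then logs into successfully is reported as a
likely hit that should be locked and have its credentials reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2020-06-01T10:00:00 203.0.113.5 alice FAIL
2020-06-01T10:00:01 203.0.113.5 bob FAIL
2020-06-01T10:00:02 203.0.113.5 carol FAIL
2020-06-01T10:00:03 203.0.113.5 dave FAIL
2020-06-01T10:00:04 203.0.113.5 erin FAIL
2020-06-01T10:00:05 203.0.113.5 frank OK
2020-06-01T10:00:10 198.51.100.7 alice FAIL
2020-06-01T10:00:20 198.51.100.7 alice FAIL
2020-06-01T10:00:30 198.51.100.7 alice OK
2020-06-01T10:05:00 192.0.2.9 grace OK
"""


def parse_log(text):
    """Turn the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_usernames} for sources whose failed logins cover at
    least `min_users` distinct usernames within any span of length `window`."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        # Sliding window over this source's failures, ordered by time.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts a flagged source eventually logged into successfully: the
    likely hits of the stuffing run, i.e. the accounts to lock and reset."""
    hits = set()
    for ts, ip, user, result in events:
        if ip in flagged and result == "OK":
            hits.add(user)
    return hits


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    flagged = find_credential_stuffing(ev)
    print(flagged)                          # {'203.0.113.5': {...five names...}}
    print(compromised_accounts(ev, flagged))  # {'frank'}
```

The second source in the sample fails twice against the same account and then succeeds, which is ordinary user behaviour and is not flagged; the distinguishing signal is breadth of usernames per source, not the raw failure count.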
What’s worse, these weak authentication controls also create unwanted friction for users and prove problematic for digital transformation projects that are trying to prioritise customer experience (CX). To illustrate, if a banking site demands that all customers enter their case-sensitive passwords, complete CAPTCHAs, receive SMS codes and answer tedious challenges every time they log in, these account holders are likely to lose patience and opt to visit a competitor.
That’s why it is critical for financial organisations to consider replacing and/or augmenting their current authentication practices with an emerging approach that both increases security and reduces customer friction – behavioral biometrics.
Unlike possession- or knowledge-based controls, behavioral biometrics used for authentication is about “inherence,” or the unique attributes of an individual. Whether eating an apple, signing a receipt, gripping a steering wheel, etc., everyone interacts with “things” in a unique manner. Our personal style, preferences and experiences, and the way they are reflected in the speed, pressure, dexterity, etc. of our movements, determine how we interact with computers and mobile devices.
Through a process of continually profiling how each individual uniquely holds their smartphone, types on a keyboard, moves their mouse or gestures on a touchscreen, behavioral biometrics technology leverages this uniquely human set of attributes to enable security teams to invisibly and unobtrusively verify authentic users and block would-be intruders.
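To make the profiling idea concrete, here is an added example of one behavioral-biometric signal, keystroke dynamics, in working code; it is not code from the article or from any vendor. For a fixed passphrase it records key-down and key-up timestamps, derives dwell times (how long each key is held) and flight times (the gap between releasing one key and pressing the next), builds a per-user profile of means and spreads, scores a new typing session by its distance from that profile, and folds accepted sessions back into the profile so it keeps tracking the user. The passphrase length, the standard-deviation floor, the acceptance threshold and all timing data are constructed assumptions; real systems use far more features and samples and tune the threshold against measured error rates.

```python
"""Keystroke-dynamics verification: a minimal behavioral-biometric check.

Added example (not from the article). Profiles how a person types a
fixed passphrase and decides whether a new session matches the profile.
All timings, thresholds and the "typists" below are constructed.
"""
import random
import statistics

KEYS = 5                # length of the fixed passphrase (assumption)
STD_FLOOR = 0.02        # seconds; avoids over-confident profiles from few samples
ACCEPT_THRESHOLD = 2.0  # mean |z-score| above this is rejected (assumption)


def make_session(base_dwell, base_flight, rng, jitter=0.01):
    """Construct (key_down, key_up) timestamps for one typing of the
    passphrase around a typist's characteristic timings, plus jitter."""
    t, events = 0.0, []
    for i in range(KEYS):
        down = t
        up = down + base_dwell[i] + rng.uniform(-jitter, jitter)
        events.append((down, up))
        if i < KEYS - 1:
            t = up + base_flight[i] + rng.uniform(-jitter, jitter)
    return events


def extract_features(events):
    """Dwell time per key, followed by flight time between consecutive keys."""
    dwell = [up - down for down, up in events]
    flight = [events[i + 1][0] - events[i][1] for i in range(len(events) - 1)]
    return dwell + flight


def build_profile(sessions):
    """Per-feature mean and (floored) standard deviation over enrolment sessions."""
    vectors = [extract_features(s) for s in sessions]
    columns = list(zip(*vectors))
    means = [statistics.fmean(c) for c in columns]
    stds = [max(statistics.pstdev(c), STD_FLOOR) for c in columns]
    return {"means": means, "stds": stds, "sessions": list(sessions)}


def score_session(profile, events):
    """Mean absolute z-score of the session against the profile (lower = closer)."""
    feats = extract_features(events)
    zs = [abs(f - m) / s for f, m, s in zip(feats, profile["means"], profile["stds"])]
    return sum(zs) / len(zs)


def verify(profile, events, threshold=ACCEPT_THRESHOLD):
    """Accept if the session is close to the profile; on acceptance, fold it
    into the profile so the model continues to track the genuine user."""
    accepted = score_session(profile, events) <= threshold
    if accepted:
        profile["sessions"].append(events)
        profile.update(build_profile(profile["sessions"]))
    return accepted


# Constructed typists: the genuine user, and an impostor who knows the
# passphrase (e.g. via phishing) but types it with a different rhythm.
GENUINE_DWELL, GENUINE_FLIGHT = [0.10, 0.12, 0.09, 0.11, 0.10], [0.20, 0.25, 0.18, 0.22]
IMPOSTOR_DWELL, IMPOSTOR_FLIGHT = [0.18, 0.20, 0.17, 0.19, 0.18], [0.40, 0.45, 0.38, 0.42]


def demo(seed=0):
    """Enrol the genuine user with four sessions, then test one genuine and
    one impostor session. Returns (genuine_accepted, impostor_accepted,
    sessions_in_profile_afterwards)."""
    rng = random.Random(seed)
    enrol = [make_session(GENUINE_DWELL, GENUINE_FLIGHT, rng) for _ in range(4)]
    profile = build_profile(enrol)
    genuine_ok = verify(profile, make_session(GENUINE_DWELL, GENUINE_FLIGHT, rng))
    impostor_ok = verify(profile, make_session(IMPOSTOR_DWELL, IMPOSTOR_FLIGHT, rng))
    return genuine_ok, impostor_ok, len(profile["sessions"])


if __name__ == "__main__":
    print(demo())  # expected: (True, False, 5)
```

The impostor holds a valid passphrase, which is exactly the case the article describes for stolen credentials, and is still rejected because the rhythm, not the secret, is what the profile encodes. The standard-deviation floor matters in practice: with only a handful of enrolment samples the measured spread can be tiny, and without a floor the genuine user would be locked out by normal variation.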
Yes – financial institutions realise that they’re wearing a large bull’s eye these days, and that this will likely continue during the pandemic and in a post-COVID-19 world. But at the same time, they can take the opportunity to improve customer experience and digital transformation by removing cumbersome, friction-laden steps while still definitively confirming user identities and reducing risk and fraud. And now, with behavioral biometrics as part of the new playbook, they can achieve unambiguous accuracy, ensuring secure and frictionless engagement with consumers instead of driving them away.