E-banking is very popular with customers. Using the platform provided by the bank, they can order transfers or apply for a loan. However, the problem of security remains. What solutions do banks use today, and are they sufficiently secure?
Online banking security software — legal requirements
Security is of key importance in the banking sector. Whether the money that customers deposit in their bank accounts, and their personal data, remain out of reach of unauthorised parties depends on the solutions adopted. Because the financial sector is particularly exposed to cybercrime, security is not governed by the banks alone; recommendations are issued by state supervisory bodies. Decisions on online banking security are also made at EU level, as shown by the PSD2 Directive (Payment Services Directive) and the less well-known Commission Delegated Regulation (EU) 2018/389 (the RTS, which supplements PSD2).
The PSD2 Directive brought significant changes both for banks offering online banking services and for their customers. The most important aspect in terms of security is so-called “strong customer authentication”. According to the definition in the directive (Article 4), banks must require users to authenticate with at least two elements (so-called two-factor authentication) belonging to the following categories:
- knowledge — something only the user knows (e.g. a password),
- possession (holding) — something only the user holds (e.g. an identity document, or a payment card when money is withdrawn from an ATM),
- inherence (the customer’s properties) — something the user is (e.g. a fingerprint).
The elements must be independent of one another, so that the breach of one does not compromise the reliability of the others.
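As an added illustration that is not part of the article, the following Python check encodes the definition above: an authentication attempt passes only if it presents elements from at least two distinct categories, and those elements are independent in the sense of not relying on the same device or channel. The element names, the `channel` attribute and this encoding of the independence rule are the example's own assumptions, not the directive's wording.

```python
# Added example modelled on the PSD2 strong customer authentication definition.
# Element names, the "channel" attribute and the independence rule are this
# example's own assumptions, not the directive's text.
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Element:
    name: str       # what the user presented, e.g. "password"
    category: str   # KNOWLEDGE, POSSESSION or INHERENCE
    channel: str    # device/channel that produced it, e.g. "browser", "hw_token"


def independent_pair(elements):
    """Return two elements of different categories produced on different
    channels, or None. Two elements that share a channel are not treated as
    independent: malware on that one device could capture both at once."""
    for a in elements:
        for b in elements:
            if a.category != b.category and a.channel != b.channel:
                return a, b
    return None


def sca_satisfied(elements):
    """Evaluate a login or payment authorisation attempt.
    Returns (ok, reason) so the caller can log why an attempt was refused."""
    categories = {e.category for e in elements}
    unknown = categories - {KNOWLEDGE, POSSESSION, INHERENCE}
    if unknown:
        return False, f"unknown category: {sorted(unknown)}"
    if len(categories) < 2:
        return False, "fewer than two distinct categories"
    if independent_pair(elements) is None:
        return False, "elements are not independent (same channel)"
    return True, "ok"
```

A password plus a code from a separate hardware token passes; a password plus a PIN (both knowledge) or a password plus an OTP generated by an app on the same phone does not.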
Good news for customers is that online banking security is also examined in the context of reducing their liability for unauthorised transactions. Once the loss, theft, misappropriation or unauthorised use of a payment instrument is detected, the customer is obliged to report it to the payment service provider (Article 69 PSD2). They are not held liable if they were unable to detect the loss, theft, misappropriation or unauthorised use of the payment instrument before the payment was made (Article 74 PSD2). However, this still means the bank should make every effort to prevent security breaches.
PSD2 is not the only regulation banks must consider with respect to online banking security. The EU General Data Protection Regulation (GDPR) is equally important, as it contains detailed guidelines on how bank employees must act in the event of a hacking attack or the accidental disclosure of customer data to a third party.
Banking security software — what do the banks use?
A bank offering e-banking services must ensure the security of the software it uses. The threats to online banking users include phishing, Man-in-the-Middle and Man-in-the-Browser attacks, and remote attacks. Online banking security software should minimise the success rate of these attack types.
For online banking, authentication of the user’s identity is of key importance. Online banking security depends largely on whether that authentication is strong enough to keep the user’s account out of cybercriminals’ reach. What solutions do banks use? One frequently used piece of online banking security software is the token.
Having entered the login and password, the user must also provide an additional code generated by the token, i.e. a one-time password generator. Tokens come in two versions: hardware tokens and mobile solutions. At Comarch, we use two different tokens for banking:
- tPro ECC is a hardware token using elliptic curve cryptography. A further advantage of this solution is the HPD (Human Presence Detection) mechanism: the user authorises every transaction by pressing a button on the device housing. This token is impervious to remote attacks;
- tPro Mobile is an advanced mobile tool. This solution meets the recommendations of the PSD2 directive and, thanks to its structure and design, it can be integrated with an operating system and used as an additional authentication factor.
In addition, banks use PUSH notifications and biometrics. Among biometrics, the most popular solutions are FaceID and fingerprint recognition. It should be kept in mind, however, that because of the controversy surrounding it, some countries do not use the latter method (e.g. Japan, which uses finger vein biometrics instead).
For security reasons, some banks rely not only on the 2FA tool (the two-factor authentication described above); the online banking security software itself is equally important. It works, for example, by limiting session duration (reducing the time the customer can use the account after logging in).
How will the online banking security develop?
The methods used by cybercriminals keep evolving. This means that online banking security software must also provide increasingly effective protection to keep customers’ money and data secure and out of hackers’ reach. Which direction are banks heading in, and what can online banking customers expect in the years to come?
Biometric technologies have recently been gaining popularity. Finger vein biometrics may be of particular interest to banks. As the studies carried out so far have shown, this method is reliable (unlike, for example, iris biometrics) and can be used for all people regardless of their racial origin or age. Some banks already offer this authentication technology; for example, the English Barclays Bank introduced it in 2014. In Poland, a pilot programme was launched in 2015 by Bank BZ WBK. The Planet Cash ATM network also offers this method of authenticating transactions.
Online banking security software may also use artificial intelligence (AI) to prevent fraud. As the technology develops, AI will make it possible to monitor customers’ behaviour in terms of their location, devices and authentication methods. Based on the observed behaviour, the software will provide analysts with recommendations and reliable risk assessments.
Although online banking security keeps improving, it should be kept in mind that the user remains the weakest link in the system. While implementing cutting-edge solutions, banks should also promote customer education. Only then will combating cybercrime make sense.