Don’t mistake activity for achievement.
Financial institutions (FIs) aren’t safe either: Global Payments (processor for Visa and MasterCard), Bank of America, Citibank, JP Morgan, and Fidelity National Information Services all suffered data breaches recently. Hundreds of millions of dollars stolen and boatloads of personal data exposed to criminals.
EMV (Eurocard, MasterCard, Visa) (covered on this blog) would be a step in the right direction, erecting additional layers of protection between FIs and hackers. EMV has been adopted by most of the world, but not in the U.S.
EMV replaces the magnetic stripe on cards with a microchip used for authentication and encrypts the transaction data, making it more difficult for thieves and card skimmers to steal. Security is further bolstered when the chip is used with a PIN or signature. However, it is by no means a panacea.
Retina scans and fingerprints could also thwart criminals, but those systems require expensive investment in hardware and in new software to support them.
Dual-factor authentication (2FA) is another, more feasible, option. It adds a second step to the standard password login: the FI sends a code via text message to the customer’s mobile phone, and the user enters that code to execute the transaction.
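The text-message flow just described, as an added server-side example (not code from the original post): the code is issued once, held only as a keyed hash, expires after a few minutes, tolerates only a few wrong guesses, and cannot be reused. The class and function names, the SMS sender callback and the server key are all assumptions.

```python
import hmac
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is good for five minutes
MAX_ATTEMPTS = 3         # then the code is discarded and must be re-issued

class SmsOtpService:
    """Issues and checks single-use SMS codes (hypothetical names, constructed example)."""

    def __init__(self, server_key: bytes, send_sms, clock=time.time):
        self._key = server_key          # stays server-side; never sent to the user
        self._send_sms = send_sms       # callable(phone, message), e.g. an SMS gateway
        self._clock = clock             # injectable so expiry can be tested
        self._pending = {}              # user_id -> [code_mac, expires_at, attempts_left]

    def _mac(self, code: str) -> bytes:
        # Keyed hash: a leaked store alone does not reveal live codes
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, phone: str) -> None:
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[user_id] = [self._mac(code), self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your verification code is {code}. It expires in 5 minutes.")

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False                 # nothing outstanding: never issued, used up, or locked
        code_mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user_id]   # expired codes are never accepted
            return False
        if not hmac.compare_digest(code_mac, self._mac(submitted)):
            entry[2] -= 1                # wrong guess: burn an attempt
            if entry[2] <= 0:
                del self._pending[user_id]   # too many guesses: force a fresh code
            return False
        del self._pending[user_id]       # correct: single use, cannot be replayed
        return True
```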
Ninety-one percent of Americans already have a mobile phone, according to Pew Research. Convenience alone makes 2FA via text message a logical solution.
Sending out text message codes would require investment in software, but the cost is meager compared to implementing a scanner or other hardware solution. Twitter, Google and Facebook already support 2FA as an option at login. It should be made mandatory.
2FA has been around for decades but never took hold. If a mobile phone were compromised, it would carry frightening ramifications. Transactions are also susceptible to Trojan horses, man-in-the-middle attacks, and other malware. In fact, all computers are vulnerable to these types of attacks.
Tokens like RSA’s SecurID, 1Password, Toopher, YubiKey and the like that provide one-time passwords have weak points as well, which can serve as gateways for criminals. If breached, they could expose every one of the user’s passwords, all at once. Not good and hardly safe.
So what’s the answer?
Disappointingly, there isn’t one that ensures total protection in all situations. Hackers are clever and will continue to exploit weaknesses in any, and every, system.
2FA is easy to implement with current technology and is a formidable additional security layer.
Coach Wooden said, “Do not let what you cannot do interfere with what you can do.” FIs need to heed this advice.
Which security features do you think will be the norm in the future? Which security considerations and solutions are top-of-mind for your financial institution?
Post a comment or question now to get input from your peers or Cassio Goldschmidt, principal information security leader at Digital Insight.