Wake-up Call for Financial Institutions: Seven stories about why financial institutions, their employees and their customers are at risk when using PINs or passwords on smartphones

A tech-industry insider sees his digital life upended by hackers on a lark. Bank customers lose $47 million in a sophisticated scam with an easy fix. Customers and corporate officers juggle dozens of passwords and PINs every day.

Meanwhile, half of smartphone users are banking on their mobile devices, corporate treasurers are moving billions by mobile and scammers are cooking up the next big, scary thing.

A Fed report from earlier this year shows that getting a smartphone is how most people start using mobile banking and mobile payments. And something like 50 million people now carry such a device.

But a little more than half of smartphone users access no financial services on mobile, the report says. Why? Nearly half of those non-users say it's because they're worried about security. They fear that hackers are going to get into their phones remotely, or that their devices are going to be lost or stolen.

If mobile financial services change the way they secure accounts and customers see that improvement, then users will see the removal of a barrier to investing in that service. And financial services firms stand to gain from such big changes, EyeVerify CEO Toby Rush told Silicon Prairie News.

"We are impressed by the desire of firms in the banking and financial services industry to replace complex, vulnerable pin and password schemes with a safe, simple, secure alternative," he said.

Mobile represents an enormous opportunity, but only if financial services institutions are willing to keep up with the security services customers want.

Passwords are vulnerable, and banking customers know it.

Entering supposedly secure codes is at the center of hacks like the Eurograbber swindle and an attack on a writer for Wired. Even a hulking offensive lineman has been shown on national TV figuring out his teammate's password and spoofing the rookie's social media accounts.

All this may account for why people are losing confidence in the security of mobile financial services, according to the Fed. The way to help people feel better about financial services on mobile is via information and better technology.

"Consumers need to be provided with reliable and accurate information on the level of security associated with the various means of accessing mobile banking," the Fed report says.

Financial services firms and institutions have to alleviate customer concerns by facilitating new types of authentication, writes Matt Davies, an outreach officer of the Dallas Fed.

Biometrics offer just that kind of assurance: a superior, additional and better level of security and confidence.

Bungled passwords mean lost time.

If security were the only consideration, we would just delete our mobile apps and go home. Or we'd load them down with so much protection they’d become unusable. A door covered in locks may make your belongings safer, but it means you've got to carry around a janitor-size ring of keys.

Accessibility matters. And the provider that combines security and access makes its services better. The average person juggles at least 25 passwords. They are a pain to remember, and people who have a lot on their minds (who doesn’t?) can forget them.

Corporate officers might be relieved to have one less code to remember, especially for matters that involve a lot of money. In the last two years, some 12,000 senior treasurers have authorized more than $20 billion in payments on mobile with one bank, the Financial News reports.

Now imagine a financial officer at the airport, planning to finish some transfers before his flight. He's using a standard mobile app and muffs his credentials a few times. Security measures kick in, and his account gets locked.

That time-saving mobile app just became a headache that requires a call to a support center. The officer has to put the phone down for a few minutes to get through security; then, as he’s putting his shoes back on, he can call the support line, and maybe by the time he has reached the gate, his password has been reset. As he's boarding, he's getting back to the transfers, sweating it out to get them done before the cabin door closes.

Meanwhile, anyone nearby in Terminal A heard him answering his security questions, and he didn’t have time to get a coffee. Phone conversations are not only less secure — they're inconvenient. And for the service provider, that call is costly.

Put a biometric into that app and the senior treasurer could be unlocking his information with a few glances. Just adding Eyeprint to the service would virtually eliminate calls for password resets.

Verification information can be stolen.

All that available info leads to horror stories like the one Wired editor Mat Honan lived. Honan, a savvy user if ever there was one, was the victim of an attack that is not just a cautionary tale, but practically a roadmap away from passwords and knowledge-based security toward biometrics.

Last August, Honan found a year of his digital life deleted when some recreational hackers liked the look of his three-letter Twitter handle. With some simple — albeit clever — manipulation of current verification systems, the hackers bricked Honan's iPhone, remotely wiped the data from his laptop and went to town on his Twitter account.

The hackers guessed one of Honan's email addresses, added a fake credit card number to his account, and then used that same number as a secure identifier on a password reset phone call.

The hackers did not even try to plunder Honan's finances. It’s not because they couldn't have, Honan explained; his money was just not what they were after.

"My digital life was laid waste. Yet still I was actually quite fortunate. They could have easily used my e-mail accounts to gain access to my online banking or financial services."

If the systems Honan was using had employed Eyeprint, the hackers wouldn't even have bothered calling Apple or Amazon begging for new passwords. The verification tech at the service center would just tell the caller to go look into the camera on his smartphone and wait for the unlock.

With Eyeprint in the picture, a writer would miss out on a big story, but he would keep the pictures of his daughter's first year of life. As it is, months after the fact, the hackers could still decide to try to get into Honan’s financial accounts. But with Eyeprint, he wouldn’t have to worry and could avoid waiting for the other shoe to drop.

The eyes leave no fingerprints.

More and more services are turning to two-factor authentication (not to be confused with two-step authentication). In this paradigm, the system takes advantage of two of these three: something the user knows (like a PIN), something the user has (like a keycard), or something the user is (like a pair of eyes).

Things the user knows can be forgotten or leak out, and things the user has can be lost or stolen. The most reliable factor is something the user is. And that includes the user’s voice, face, hands and eyes.

Voices aren't very discreet (imagine giving away your biometric to anyone in line with you at the coffee shop just because you want to check your account balance).

Human faces look so similar that the brain treats them as something special. But they are still way too hard for software to distinguish securely. Imaging the retina (the back part of the eye) requires a long capture and is impractical for mobile. Both iris and fingerprint scanning demand special hardware not found on any smartphone but one.

It's true that most of us are used to fingerprints. We've long heard that there are no two alike. Many of us may have submitted fingerprints for a job or for security clearance. And maybe there's something comforting about the thing that identifies crooks becoming part of the front end of security.

But the reason fingerprints are so handy in catching thieves is that we tend to leave them all over the place. Are people going to start wearing gloves until the moment they want to make a mobile payment? Are we going to wipe down a trail of tempting duplicates: on the steering wheel, that coffee cup in the garbage, the restaurant table, the door handle, the ATM, the elliptical, and on and on?

Your eyes leave nothing behind.

Eyeprints are the most reliable factor.

For broad adoption of fingerprint scanning, most mobile devices would need the same top-of-the-line goods that are on the highest-end iPhone (remember, fingerprint scanning is not even on Apple's second-level phone right now).

By contrast, capturing an Eyeprint just takes a camera with 1.2 MP resolution. Those have been delivered with smartphones since 2010. And pretty much every smartphone released in the past two years has a sufficient camera.

Eyeprint verifies the pattern of the small blood vessels in the whites of the eyes.

Each of us has four pattern areas: one on each side of each eye, and every person's pattern is different. According to an independent assessment by the Biometric Standards, Performance & Assurance Lab at Purdue University, the EyePrint is more accurate than iris scanning and close to fingerprint scanning. Technically, EyeVerify doesn’t claim perfection, but after 50,850 attempts, the rate of false acceptance was 0%.

To capture the images of your Eyeprint, you hold your device about a hand’s width away from your face. No one else is going to get a camera that close to your open eyes without you knowing it.

But even if a hacker somehow got images of your eyes, EyeVerify's software can detect live scenes versus printed images or video.

By contrast, Apple's fingerprint scanner was hacked less than 48 hours after its public release — so quickly that it surprised even the security researcher who managed the spoof.

Road warriors can look like hackers.

Many of us allow sites we trust to set cookies in our browsers. But picture a freelance consultant who spends most of his time traveling and therefore frequently changes IP addresses and even geo-location.

Every time he tries to manage his fees or pay his assistant from the road, the server thinks his account is being accessed from a new device. He is hassled by requests for passwords, PINs and security questions. His legitimate activity appears suspicious, and it's another opportunity for his accounts to get hacked.

And security questions are often not so secure, according to the Federal Financial Institutions Examination Council, which doesn't think much of challenge questions.

"These questions can often be easily answered by an impostor who knows the customer or has used an Internet search engine to get information," reads a report from the council.

The road warrior in question would catch a real break with biometrics. He might still see an identity challenge when he logs in after a day of travel, but it would arrive as an EyeVerify message via SMS or through an app. And with two eye movements, he gets himself bona fide and back to work.

A closed loop allows a big loss.

Consider one of the most successful and sophisticated banking hacks to involve mobile. Dubbed Eurograbber, this 2012 trojan relied on customer behavior and some slick manipulation of two-step authentication (again, not two-factor).

Customers got duped by a phishing come-on and installed a trojan onto their PCs.

When they accessed their bank accounts, the malware tricked victims into giving up mobile phone info. A link sent to the phone looked like it was from the bank, but it actually installed malware on the mobile. Then, every time a customer accessed his account online, the trojan transferred money from the customer account to the hacker’s mule account.

For security on each transaction, the bank sent an authentication SMS to the mobile so the customer could approve or decline the transaction. But customers never even got the chance to stop the fraudulent activity. The phone trojan was programmed to read the message with the code and send the authentication right back to the bank.

The customers never knew.

Hacker thieves made off with €36 million ($47 million) from about 30,000 corporate and retail accounts across Europe in the scam.

But when we turn that second step (the SMS sent to the phone) into a second factor — from something the customer has (her mobile phone, which is hackable) to a factor that is something she is — her Eyeprint pattern — then the trojan couldn't bounce back a simple code. The customer would realize something is up right away, and not even one dollar of hers would be stolen.

The solution is here.

Remember all those smartphone users who are using mobile financial services?

According to consulting firm Frost and Sullivan, more than 60 percent of them leave their devices unprotected: They don’t even require a PIN to unlock the phone.

Protecting vulnerable devices with biometrics is the first step toward making mobile secure, says Jean-Noel Georges, the firm's head of ICT in Financial Services.

"The time is now right for biometric technology to emerge as a secure solution for mobile applications that require high levels of security, particularly payment," he said in a company report in August.

Mobile is already big for consumer banking and payments, but it could be so much bigger if people felt safer. Customers may grow confident in time, but businesses will take longer and will be more cautious. Increased security and more certainty would put this sector in a position to take off.

Eyeprint Verification from EyeVerify doubles the verification factors of most mobile applications. The technology is reliable, secure and can be implemented now on most existing mobile devices.

These security scenarios are not maybes; they are certainties. We've seen them happen. But we can prevent them from happening again. We can set our own minds at ease. We can set the minds of customers at ease. And then we can get on with our work.

EyePrint Verification is ready today. It’s not down the road; it’s not in development.

It is available now. Forward-thinking banks and financial services institutions are already using it. Firms that adopt now won’t be the first to adopt this technology; the goal now is not to be the last — and especially not to come in behind the other guy. That’s the sort of thing that gets noticed by customers — and hackers.

To learn more, contact us at sales@eyeverify.com

Sources

http://news.cnet.com/8301-1009_3-57604255-83/touch-id-hack-verified-as-legit/
http://www.federalreserve.gov/econresdata/consumers-and-mobile-financialservices-report-201303.pdf
http://www.dallasfed.org/assets/documents/banking/firm/fi/fi1303.pdf
http://passwordresearch.com/stats/statistic305.html
https://www.sans.org/reading-room/whitepapers/ecommerce/security-mobilebanking-payments-34062
http://nypost.com/2013/11/09/booze-beefs-and-brawls-incognitos-history-ofviolence/
http://www.efinancialnews.com/story/2013-10-31/corporate-banking-goesmobile?ea9c8a2de0ee111045601ab04d673622
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honanhacking/all/
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard
http://files.ctia.org/pdf/CTIA_MFS_Guidelines_BP_Final_1_14_09.pdf
http://www.bankinfosecurity.com/eurograbber-smart-trojan-attack-a-5359/op-1
http://ithandbook.ffiec.gov/media/153051/04-27-12_fdic_combined_fil-6-28-11auth.pdf
http://www.smartpaymentassociation.com/en?t=/documentManager/sfdoc.file.supply&fileID=1384779310282
http://www.frost.com/prod/servlet/press-release.pag?docid=282684855
http://eyeverify.com/wp-content/uploads/2013/08/White-Paper-Third-Party-Verification-of-Eyeprint-Accuracy.pdf