Keep your digital banking safe: Tips for consumers and banks
In this interview for Help Net Security, Reza Zaheri, CSO at Quantum Metric, talks about digital banking security and what can banks, as well as consumers, do to protect their assets and data in today’s digital payment world.
Digital banking has been a reality for quite a while now, particularly pushed forward in these last few years. Is security keeping up the pace?
Online banking and mobile banking apps have made great security strides in recent years. In fact, some of today’s most well-respected banks are improving security measures by offering SMS or email alerts for financial transactions, multi-factor authentication, fraud monitoring and alerts, and two-step verification for large money transfers. When these features are set up correctly, they exponentially increase the security for personal banking accounts.
Unfortunately, not all consumers use these critical safeguards on their accounts. Our recent Retail Banking Survey found that 30% of those relying on a password only change it one to two times a year, and 23% admit to never changing their password. Despite banks working to improve online security protocols, consumers must also do their part in taking advantage of enhanced security features to keep their accounts safe.
What makes digital banking vulnerable the most?
Instead of physically walking into a bank to manage finances, consumers can now access their account effortlessly on a banking website or mobile app. However, since banks strive to make the digital banking experience as intuitive and frictionless as possible for users, this can also present an opportunity for hackers to access unwitting consumers’ bank accounts.
Since authenticating a consumer’s true identity is so important to the online banking experience, if a bank does not offer strong identity verification, or if consumers are not practicing proper cyber hygiene on their mobile devices and computers, they can be socially engineered into giving up access to their bank account. Considering the majority (45%) of bank customers continue to use traditional username and password to log in, as opposed to more secure methods like thumbprint (20%), facial recognition (17%) or two-factor authentication (16%), consumer’s financial information is more vulnerable than they may realize.
What are the common mistakes consumers make when using digital banking?
The biggest mistake is that many customers still use the same username and password combination to access their online bank account, as they would for other websites. Since websites are constantly being breached (and then their entire password databases are bought and sold on hacker forums), today’s fraudsters are well-versed in testing stolen credentials to log into as many other sensitive websites (like emails, bank accounts and cloud storage accounts) as possible. This is why consumers must use a lengthy and unique password for their online banking accounts, one that can also easily be created and managed through a password manager.
Another common mistake is when consumers don’t set up secure multi-factor authentication, which is necessary in protecting oneself in today’s online world, because simple credentials can be stolen or guessed by a hacker at any time. This protocol is easy to set up and makes it exponentially more difficult for hackers to gain access to a banking account, as it requires additional security measures like FaceID and TouchID, coupled with the consumer’s login credentials, to authenticate to the online bank.
Finally, banking customers should take advantage of security alerts to keep their financial information secure. Many banks allow customers to set up monitoring and security alerts in their banking profiles, so they know when someone is either accessing their account or performing any financial transactions with their funds. This can help them take action much quicker against potential hacks, as well as keep a closer eye on their financial information.
How aware are consumers of the possible threats to their bank accounts and data and how proactive have they become in protecting them?
Many people are still not aware of how easily a fraudster can convince the average person to unknowingly give up their bank account details. Furthermore, many don’t know that poor cyber hygiene on their computers and mobile devices can lead to them inadvertently exposing their personal information.
Some good cyber hygiene practices include keeping devices and all automatically installed apps up to update, installing only trusted apps from the App Store, running anti-virus software and being suspicious of unsolicited calls, texts and emails from banks.
Hackers are using fake emails, texts and phone calls to trick people into thinking their bank is directly contacting them to take some kind of ‘urgent action,’ by coaxing them to verify fake fraudulent activity, or their personal details. Furthermore, there have been cases of fake banking apps distributed on the Google Play Store that look identical to legitimate Android banking apps, but were actually designed to steal victims’ banking credentials.
Banks also educate their customers about the dangers of online banking, as well as actively encourage them to set up features such as multi-factor authentication and security alerts on their accounts.
Consumers should be routinely checking their bank accounts for fraudulent activity, and according to our survey, 41% people check their bank accounts almost every day. Security is a team sport, and it involves active participation by everyone involved to ensure that bank accounts remain safe. In addition to monitoring their accounts, consumers can do their part by making sure they turn on the various security features in their bank account profile.
What can banks do to strengthen their cyber resiliency while offering a satisfactory customer experience?
Banks should continue to communicate to customers how easy it is to enable multi-factor authentication and security alerts for their accounts. This will mitigate many security issues, even if the consumer decides to continue using the same credentials on their banking site, as they do on other websites.
Additionally, banks can strengthen their cyber resiliency using a superior digital insights platform, to ensure that the process and flow for setting up online banking security controls, such as multi-factor authentication and alerts, are seamless and easy to activate. This allows banks to monitor visitors’ digital banking experience, identify and resolve specific pain points consumers face when trying to set up better security controls on their profile, either due to technical errors or confusing UX designs.
If they have any setup issues, and back out of turning features on, banks can pinpoint exactly where that occurred so they can address it, and people are more encouraged in the future to finish the setup process. Real-time monitoring of web and mobile banking applications can also help flag fraudulent activity, so that action can be taken against it and prevent it in the future.