Security as an engine of remote services. New level of convenience and mobility with reduced client risks
Posted on 15.01.2017 at 12:00
The development of remote banking services is a complex and multifaceted process in which both the bank's business units and the IT/InfoSec departments are equally deeply involved. On the one hand, business units formulate their preferences and set tasks for technical experts, which are then discussed jointly by the project team. On the other hand, IT and InfoSec departments often find and offer to implement new solutions that remove previously existing "obstacles" and dramatically improve banking services, making them more user-friendly and profit-generating.
What technologies are in focus now? What benefits can IT and security experts offer their business units now?
Convenience, simplicity, and security. What does the business need?
It is quite natural that business units, when initiating projects to develop remote banking services, usually think in terms of the number of customer transactions and the profit the bank gets from them. Nevertheless, IT security often becomes a key factor in implementing the plan. Consider:
High ROI on remote services. As a rule, this expectation of a business unit can be met by reducing customer risks and, as a result, by increasing limits on payment and money transfers.
The ability for a customer to make as many transactions as possible. This is a reasonable need of the business unit. With a bigger customer turnover in remote banking, the services become more efficient and cost-effective. Here, too, IT and security departments are able to help: the customer's ability to work both on a desktop and on a mobile device, together with convenient authorization of operations, will accustom the customer to remote services and help increase the number of operations.
Communicating with customers only on “pleasant” and easy-to-understand topics. Of course, business units would like to simplify communication with users and, if possible, avoid such topics as installing and using data encryption tools, drivers, third-party applications, etc. In this case, IT and InfoSec departments should choose such solutions that do not require special knowledge and skills from customers. The simpler and clearer the remote services will be, the more customers will choose them.
Safety of the Bank’s money. This is the key expectation of the bank’s business unit. In this regard, the business expects that, on the one hand, the remote banking system itself will be resistant to attacks, and on the other hand, the bank would not lose lawsuits and would not lose its own money in the event of incidents. Thus, for the safety of bank’s money, remote services must comply with the IT security regulations.
Additional non-interest income. As a rule, a bank's business expects that security will not incur costs in customer service, but rather that it can be sold to the user to generate profit. In this sense, the bank's IT and security experts can create separate "advanced" security products that attract customers' attention, turn out to be in demand, and are actively cross-sold with the remote services.
The listed expectations of business units and the capabilities of the security and IT departments are quite reasonable and real. The main issue is to opt for those solutions and technologies that will allow these requirements to be fulfilled.
Current risks of online and mobile banking
Currently, the risks generally remain the same: the possibility of stealing money from user accounts. This risk existed in online banking as well, but because customers actively use smartphones and tablets, combining the channels for creating and authorizing documents on a single mobile device, fraudsters have gained many more opportunities for attack.
In addition, the standard authorization of operations via SMS is traditionally criticized. Why? The SMS channel was never intended to transmit sensitive information. A message can be intercepted both in the telecom operator's channel and on the smartphone itself. And fraudsters have learned how to do this well! For a long time SMS was the cheapest channel to reach a customer, and banks used it actively. Now a user-friendly and secure alternative for remote services needs to be implemented.
To drastically reduce the risks of stealing money from user accounts, two main conditions must be met:
Do not transmit transaction authorization codes via insecure communication channels, but generate them on the client side;
Generate authorization codes from the details of each transaction, so that if fraudsters somehow intercept the code, it cannot be used to authorize another document.
This can be done with the help of hardware tools (MAC tokens), but this option is quite costly and requires complex logistics. The second way is to use banking transaction signing software that can be installed on a smartphone or even integrated into a mobile banking application. Ideally, this should be an advanced digital signature or even a qualified digital signature.
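The two conditions above, as an added illustration that is not code from the original article or from any vendor mentioned in it: the authorization code is computed on the client from a per-device secret and the canonical transaction details, and the server recomputes it over the details it is about to execute, so a code captured for one payment fails verification for any other. A symmetric HMAC is used here for brevity; a digital signature, as the article prefers, binds the code to the transaction in the same way with a private key. The device secret, account numbers and transaction fields are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample: a per-device secret shared at enrollment between the
# customer's signing app and the bank's server (in practice, never SMS'd).
DEVICE_SECRET = b"constructed-per-device-secret-0001"
CODE_DIGITS = 8


def canonical(tx: dict) -> bytes:
    # Deterministic serialization so client and server MAC identical bytes.
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def make_auth_code(secret: bytes, tx: dict) -> str:
    # Client side: the code is derived from the transaction itself, so nothing
    # reusable ever travels over the channel to the customer.
    mac = hmac.new(secret, canonical(tx), hashlib.sha256).digest()
    num = int.from_bytes(mac[:8], "big") % 10**CODE_DIGITS
    return f"{num:0{CODE_DIGITS}d}"


def verify_auth_code(secret: bytes, tx: dict, code: str) -> bool:
    # Server side: reject malformed codes, then recompute over the details the
    # bank is about to execute and compare in constant time.
    if len(code) != CODE_DIGITS or not code.isdigit():
        return False
    return hmac.compare_digest(make_auth_code(secret, tx), code)


def demo() -> tuple:
    # Constructed sample payment document.
    tx = {"id": "doc-0001", "from": "40817810000000000001",
          "to": "40817810000000000002", "amount": "1500.00", "currency": "RUB"}
    code = make_auth_code(DEVICE_SECRET, tx)
    genuine_ok = verify_auth_code(DEVICE_SECRET, tx, code)

    # The same code presented for a document with a changed payee: the server's
    # recomputation no longer matches, so an intercepted code cannot be replayed.
    altered = dict(tx, to="40817810000000000009")
    replay_ok = verify_auth_code(DEVICE_SECRET, altered, code)
    return genuine_ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```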
“Classics” and “Contemporaries” in remote banking. What do they need?
Among the remote banking users, one can distinguish “classics”—relatively conservative customers who have been using traditional services with the corresponding security tools for many years, as well as “contemporaries”—customers who seek to use the most advanced technologies and services on newly released devices. In their initiatives for developing remote banking services, bank business units are interested in reaching both “classics” and “contemporaries”.
The "trusted screen" technology used to authorize transactions is well suited to "classic" customers (consider the well-proven SafeTech SafeTouch solution). This technology protects against modern remote attacks because the customer visually checks the data transferred to the token, and signature operations stay blocked until the confirmation button is pressed.
"Contemporary" clients are best served by solutions that replace SMS passwords with secure and user-friendly authentication, visualization of payment details, and authorization of transactions on mobile devices (consider the SafeTech PayControl solution). The solution combines the convenience of a smartphone with the security of a MAC token: the user automatically receives the payment data (and even the PDF document) on the smartphone screen, checks the details, and authorizes the transaction with a digital signature.
Back to the future. Using crypto services in the clouds and on mobile devices
In our opinion, the synergy between mobile and cloud technologies for authentication and transaction signing stimulates the development of remote banking (and not only banking) services. A good example is a bundle solution based on PayControl and the cloud-based digital signature service CryptoPro DSS.
The joint solution allows users to authorize payment documents with a qualified digital signature directly on their smartphones. We believe the solution is ideally suited to corporate mobile banking systems and have already submitted it for certification to the FSB of Russia. Banks are now able to implement cost-efficient authorization of payment documents on mobile devices with a qualified signature; the new integrated PayControl and CryptoPro DSS solution makes this real. The solution does not require hardware keys, which dramatically lowers the threshold for customers to use a qualified digital signature, significantly reduces costs, and provides the desired "complete mobility" while maintaining the legal effect of electronic document management.