How banks can retain their digital customers
Posted on 19.11.2019 at 09:48
Denis Kalemberg, CEO of SafeTech, a resident company of the Skolkovo Innovation Center
“Man of Business”, November 2019, Minsk
In recent years, we have seen very intensive digitalization of the interactions between citizens, business, and the state. The banking industry shows a relatively higher level of innovation: customers can now perform almost any operation remotely, literally with a swipe of a finger across the smartphone’s screen, and thereby save significant time.
However, there is a flip side to that coin. New technologies carry new threats, and remote banking is no exception. Recently, the number of thefts from customer accounts has sharply increased, as attackers infect computers and smartphones with malware, intercept SMS codes, or trick customers into handing them over. Banks have to balance the convenience, mobility, and security of their digital channels so that customers neither go to competitors because the “system is inconvenient” nor lose their money. After all, in that case it is the bank that provided the poor-quality service that will be held responsible.
At the same time, there is no single silver bullet to solve the problem. It is better to divide the customer base into several categories, analyze their main operational scenarios, the channels used, the necessary level of mobility, and offer a set of protection tools that will minimize the customer’s risks without changing their workflows.
I would call the simplest segmentation option a breakdown of customers into two groups. The first is traditional online banking users: medium and large companies with a dedicated accountant working on a desktop computer (let’s call them “classics”). The second is modern young entrepreneurs and individuals who are used to all their communications taking place “on the run”, via a smartphone, and therefore prefer to interact with the bank through a mobile banking application (we will call them “contemporaries”).
In this case, the main risk for the “classics” is malware infection, which allows an attacker to remotely control the victim’s computer and sign payments in the online bank if the electronic signature keys are stored on a USB flash drive or a USB token connected to the computer. Fraudsters may also replace the details and amounts of signed payment orders with pre-installed templates. Currently, the most adequate protection against such attacks is the use of so-called Trusted Screen hardware solutions, which display the payment details on the device itself (for example, on a USB token) and do not authorize the payment until the user presses the button on the device.
As for the “contemporaries” and their active use of mobile solutions, banks send them SMS or push codes to confirm payments, and these codes fall short of digital payment security requirements. They can simply be intercepted at any stage of their life cycle: on the communication channel, on a phishing site, or on the mobile device. Fraudsters can also easily obtain them directly from customers by introducing themselves as a bank security officer and asking for the code “to cancel” an allegedly fraudulent payment.
For this category of customers, banks have begun to apply a more advanced confirmation technology: a mobile digital signature, which is generated directly on the customer’s smartphone and allows customers to sign their transactions in any digital channel, guaranteeing the transaction’s authorship and integrity. This type of solution improves both the security level and the customer experience at the same time, because customers no longer have to wait for an SMS with a code and enter it manually. The document immediately appears on the smartphone screen, and the customer only needs to press the Confirm button. Thus, today banks that care about the security and convenience of their customers can choose solutions suited to any category of users.
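The property both the Trusted Screen and the mobile signature rely on is that the signature covers the exact payment details the customer saw, so a payment order whose payee or amount was swapped afterwards fails verification at the bank. The following is an added illustration of that principle, not code from the article or from SafeTech; it assumes Ed25519 as the signature scheme, a JSON canonical form of the order, and constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentOrder holds the fields shown to the customer before confirming.
// Nonce prevents a captured signature from being replayed for a second payment.
type PaymentOrder struct {
	Nonce   string `json:"nonce"`
	Payee   string `json:"payee"`
	Account string `json:"account"`
	Amount  string `json:"amount"`
}

// canonical serializes the order deterministically (struct field order is fixed),
// so the device signs and the bank verifies exactly the same bytes.
func canonical(o PaymentOrder) []byte {
	b, _ := json.Marshal(o) // cannot fail for a struct of plain strings
	return b
}

// SignOrder runs on the customer's device; the private key never leaves it.
func SignOrder(priv ed25519.PrivateKey, o PaymentOrder) []byte {
	return ed25519.Sign(priv, canonical(o))
}

// VerifyOrder runs at the bank over the details it is about to execute.
func VerifyOrder(pub ed25519.PublicKey, o PaymentOrder, sig []byte) bool {
	return ed25519.Verify(pub, canonical(o), sig)
}

// Demo signs a constructed order, then checks the original and a copy whose
// amount was altered after signing. Returns (originalOK, tamperedOK, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	order := PaymentOrder{"n-0001", "ACME Ltd", "ACCOUNT-PLACEHOLDER", "1500.00"} // constructed
	sig := SignOrder(priv, order)
	tampered := order
	tampered.Amount = "15000.00" // substituted by malware after the customer confirmed
	return VerifyOrder(pub, order, sig), VerifyOrder(pub, tampered, sig), nil
}

func main() {
	ok, tam, err := Demo()
	fmt.Println("original verifies:", ok, "tampered verifies:", tam, "err:", err)
}
```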