New developments in online banking security
Most banks (especially the larger ones) have been regarded as pretty safe, for all intents and purposes, since the middle of the previous century. But once banks started maintaining our balances in secure data centers at various locations (instead of holding our savings in safes and vaults in their local branches), a bank's records of what is yours and mine became increasingly visible, not only to people within the banks but also to some on the outside with malicious intent.
In the never-ending game of cat and mouse, each time a bank improved their security measures, bank robbers improved their methods to attack those centrally located files. At first, stealing money in the electronic age became an exercise in simply transferring the money in your account to their account. Call it “Phase I of electronic banks and robbers,” but those initial efforts were only focused on getting inside the banks' now-electronic vaults … where the “money” is.
The advent of electronic identity theft
Then thieves discovered another vault: our identity information. Instead of making a massive frontal attack on a bank in an attempt to get at the bank's customer accounts, they began to launch a million stealthy small attacks, using a million individuals' account credentials, on a few thousand banks, spread over time. It required a few more computer clicks, but the result was the same.
Identity theft replaced outright bank theft as the number one financial crime, in large part because criminals perfected the art of identity theft before institutions could respond. When institutions did respond, they looked a bit like the proverbial herd of wild animals under pursuit: the diligent, strong banks pulled ahead, while the others lagged behind.
Passive and active online security strategies
The strongest banks developed a two-pronged defense against identity theft. Their first line of defense was passive identification protocols, like passwords and PINs, which are geared to verify that it's you making the request, not some unauthorized rogue. The advantages: it's simple, and it's unique for every customer. Banks store those PINs and passwords separately from our account information, even on different networks with separate encryption, to make it harder for thieves to extract the codes and use them to impersonate you.
To circumvent any deficiencies with passive protocols, banks added departments devoted to active online security. These experts analyze your buying patterns and react to anything out of the ordinary by reaching out to you to confirm any transaction that doesn't fit your pattern. My bank called me two weeks ago to ask if I was buying gas in Mexico. I wasn't, and their alert limited their damage to one purchase and mine to waiting four days for a new card. The downside of active online security is it's expensive and still not foolproof.
New online security measures are being developed around biometrics
As banks sought a simpler solution that would also be more affordable and criminal-proof, the search pointed to a passive system rather than staff-intensive active systems. The area showing the most promise in this regard is what's called biometric identification. “Biometric,” in this instance, refers to identifiers based on one or more unique parts or surfaces of the human body.
Fingerprints are well known as an accurate means of identifying an individual, because, as we all know, no two people have identical fingerprints. The same applies to other body parts, such as the iris of an eye. Something else that's unique to every person is the vein patterns inside our fingers. Hitachi developed a scanner which shines light through a person's finger and digitizes the unique pattern of veins inside the finger.
The benefit of the vein scanner is that, unlike a fingerprint, a vein pattern can't be lifted from a glass or counter, and, unlike an iris pattern, it can't be captured from a photograph. Your vein pattern can't be captured by anything other than a scanner.
The downside of biometric identifiers is they all still get translated to zeroes and ones in a computer file — and, if that file resides on a central computer, it's vulnerable to being copied and used by cyber thieves.
However, two recent developments may constitute a breakthrough in online bank security by addressing this vulnerability in a unique way.
Barclays Bank, the 300-year-old bank headquartered in Britain, is again starting to raise the bar for online security. Their latest online banking innovation, using a finger vein scanner, is being offered for a fee to their British corporate clients with desktop devices so that they can identify authorized users by scanning the unique vein patterns inside their fingers.
But the interesting and unique breakthrough in the Barclays application is that the personal biometric identification information stays in the scanner, not in the bank's central computer. That means hackers can't get access to their depositors' codes like they could with passwords or PINs, because the information is simply not at the bank — it resides on their client's desk. The scanner generates a code with each transaction, which the bank checks. It doesn't matter if a crook gets hold of the verification code: The crook would still need both the finger pattern and the scanner's unique translation code for that pattern before they could impersonate a patron and access their banking records.
These scanners are still expensive. It makes sense, therefore, for Barclays to test the new technology with its larger corporate clients first, since they move enormous sums around and can easily justify the expense as a necessity to protect their capital.
If this works, it's reasonable to expect other tech companies, and banks, to develop this technology to the point that everybody can afford to have a personal vein scanner, or some other biometric device, in their home to protect against identity theft.
Apple Pay was part of the new Apple iPhone 6 product launch. Using a fingerprint sensor, their latest smartphone lets you make retail purchases by simply tapping your phone to a payment terminal on the retailer's counter. The tap allows the retailer to deduct the correct amount from your bank account, but without the retailer knowing anything about you: no personal information ever gets transferred.
What retailers don't have can't be stolen. To quote Apple: “With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone… These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number alongside a transaction-specific dynamic security code is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment.”
Several major financial institutions — like American Express, Bank of America, Capital One, JP Morgan Chase, Citibank, and Wells Fargo — are already on board with Apple Pay, and Apple says several others, notably Barclaycard, Navy Federal Credit Union, PNC Bank, USAA and US Bank are in process.
What the Barclays Bank and Apple Pay technology-driven security initiatives have in common is that both embrace biometric identifiers and move that identification data out of centralized locations and into the user's own equipment.
Decentralized identification information is difficult to hack, on two levels:
- It's a moving target because, in both cases, the biometric data generates dynamic codes. That's like setting up a new password for every transaction: even if you deciphered one, it's useless for any other transaction.
- The cost/benefit ratio for cyber attackers increases exponentially, because the potential gain for a successful hack goes from hundreds of millions of dollars to hundreds of dollars. In other words, crime stops paying.
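As an added illustration (not Barclays' or Apple's actual protocol, and not code from the original post), the following Python sketch models the per-transaction code scheme described above: the biometric template and device secret stay inside the scanner object, the bank issues a fresh challenge for every transaction and consumes it on first use, and a captured code is therefore useless for a replay or for a different transaction. It assumes a shared per-device key for brevity; a production design would keep a private signing key on the device and give the bank only the public key.

```python
import hashlib
import hmac
import secrets

def transaction_code(key, nonce, amount, payee):
    # Bound to the bank's one-time challenge and to the transaction details
    return hmac.new(key, f"{nonce}|{amount}|{payee}".encode(), hashlib.sha256).hexdigest()

class Scanner:  # device side: enrolled template and device secret never leave this object
    def __init__(self, enrolled_template):
        self._secret = secrets.token_bytes(32)
        self._template = enrolled_template  # constructed stand-in for a vein pattern

    def verification_key(self):
        # Given to the bank once at enrollment (assumption: shared symmetric key)
        return hmac.new(self._secret, self._template, hashlib.sha256).digest()

    def authorize(self, presented_template, nonce, amount, payee):
        # Real scanners match fuzzily; exact comparison stands in for that here
        if not hmac.compare_digest(presented_template, self._template):
            return None
        return transaction_code(self.verification_key(), nonce, amount, payee)

class Bank:  # bank side: verification keys and open challenges only, no biometric data
    def __init__(self):
        self.device_keys = {}  # device_id -> verification key
        self.challenges = {}   # nonce -> device_id it was issued to

    def enroll(self, device_id, verification_key):
        self.device_keys[device_id] = verification_key

    def issue_challenge(self, device_id):
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = device_id
        return nonce

    def verify(self, device_id, nonce, amount, payee, code):
        issued_to = self.challenges.pop(nonce, None)  # single use: spent on first attempt
        if code is None or issued_to != device_id:
            return False
        expected = transaction_code(self.device_keys[device_id], nonce, amount, payee)
        return hmac.compare_digest(expected, code)

def demo():
    scanner, bank = Scanner(b"constructed-vein-template"), Bank()
    bank.enroll("dev-001", scanner.verification_key())
    nonce = bank.issue_challenge("dev-001")
    code = scanner.authorize(b"constructed-vein-template", nonce, "250.00", "ACME Ltd")
    accepted = bank.verify("dev-001", nonce, "250.00", "ACME Ltd", code)
    replayed = bank.verify("dev-001", nonce, "250.00", "ACME Ltd", code)  # nonce spent
    nonce2 = bank.issue_challenge("dev-001")
    diverted = bank.verify("dev-001", nonce2, "9999.00", "Mule Acct", code)  # wrong tx
    return accepted, replayed, diverted
```

Running `demo()` returns `(True, False, False)`: the genuine transaction is accepted, the replay of the same code is rejected because its challenge was already spent, and the code cannot be redirected to a different amount or payee.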
Time will tell how these developments play out, but I find it encouraging that practical, joint measures are being taken by banks and hardware manufacturers to further strengthen online security. How does your bank protect your information? Do you think biometrics will keep your accounts safe?