New developments in online banking security

Most banks (especially the larger ones) have been regarded as pretty safe, for all intents and purposes, since the middle of the previous century. But since banks started maintaining our balances in secure data centers at various locations (instead of holding our savings in safes and vaults in their local branches), a bank's records of what is yours and mine became increasingly visible to people within the banks, and also to some on the outside with malicious intent.

In the never-ending game of cat and mouse, each time a bank improved its security measures, bank robbers improved their methods for attacking those centrally located files. At first, stealing money in the electronic age became an exercise in simply transferring the money in your account to their account. Call it “Phase I of electronic banks and robbers”: those initial efforts were focused solely on getting inside the banks' now-electronic vaults … where the “money” is.

The advent of electronic identity theft

Then thieves discovered another vault: our identity information. Instead of making a massive frontal attack on a bank in an attempt to get at the bank's customer accounts, they began to launch a million stealthy small attacks, using a million individuals' account credentials, on a few thousand banks, spread over time. It required a few more computer clicks, but the result was the same.

Identity theft replaced outright bank theft as the number one financial crime, in large part because criminals perfected the art of identity theft before institutions could respond. When they did, their response looked a bit like the proverbial herd of wild animals: a gap opened between the diligent and strong banks on one side and the banks that lag behind on the other.

Passive and active online security strategies

The strongest banks developed a two-pronged defense against identity theft. The first line is passive identification protocols, such as passwords and PINs, which are designed to verify that it's you making the request and not some unauthorized rogue. Their advantage is that they are simple and unique to every customer. Banks store those PINs and passwords separately from our account information, even on different networks with separate encryption, to make it harder for thieves to extract the codes and use them to impersonate you.

To cover the deficiencies of passive protocols, banks added departments devoted to active online security. These experts analyze your buying patterns and react to anything out of the ordinary by reaching out to you to confirm any transaction that doesn't fit your pattern. My bank called me two weeks ago to ask if I was buying gas in Mexico. I wasn't, and their alert limited their damage to one purchase and mine to waiting four days for a new card. The downside of active online security is that it's expensive and still not foolproof.

New online security measures are being developed around biometrics

As banks sought a simpler solution that would also be more affordable and criminal-proof, the search pointed toward a passive system rather than the staff-heavy active ones. The area showing the most promise in this regard is what's called biometric identification. “Biometric,” in this instance, refers to identifiers based on one or more unique parts or surfaces of the human body.

Fingerprints are well known as an accurate means of identifying an individual because, as we all know, no two people have identical fingerprints. The same applies to other body parts, such as the iris of an eye. Something else that's unique to every person is the pattern of veins inside our fingers. Hitachi developed a scanner that shines light through a person's finger and digitizes the unique pattern of veins inside it.

The benefit of the vein scanner is that nobody can capture a vein pattern the way fingerprints can be lifted from a glass or counter, or an iris pattern taken from a photograph. Your vein pattern is impossible to capture, other than by a scanner.

The downside of biometric identifiers is that they all still get translated to zeroes and ones in a computer file — and, if that file resides on a central computer, it's vulnerable to being copied and used by cyber thieves.

However, two recent developments may constitute a breakthrough in online bank security by addressing this vulnerability in a unique way.

Barclays Bank, the 300-year-old bank headquartered in Britain, is again raising the bar for online security. Its latest online banking innovation, a finger vein scanner, is being offered for a fee to its British corporate clients: a desktop device identifies authorized users by scanning the unique vein patterns inside their fingers.

image: Barclays

But the interesting and unique breakthrough in the Barclays application is that the personal biometric identification information stays in the scanner, not in the bank's central computer. That means hackers can't get at depositors' codes the way they could with passwords or PINs, because the information is simply not at the bank — it resides on the client's desk. The scanner generates a code with each transaction, which the bank checks. It doesn't matter if a crook gets hold of the verification code: the crook would still need both the finger pattern and the scanner's unique translation code for that pattern before they could impersonate a patron and access their banking records.

These scanners are still expensive. It makes sense, therefore, for Barclays to test the new technology with its larger corporate clients first, since they move enormous sums around and can easily justify the expense as a necessity to protect their capital.

If this works, it's reasonable to expect other tech companies, and banks, to develop this technology to the point that everybody can afford to have a personal vein scanner, or some other biometric device, in their home to protect against identity theft.

Apple Pay was part of the Apple iPhone 6 product launch. Using a fingerprint sensor, the latest iPhone lets you make retail purchases by simply tapping your phone against a payment terminal on the retailer's counter. The tap lets the retailer deduct the correct amount from your bank account without the retailer learning anything about you: no personal information is ever transferred.

What retailers don't have can't be stolen. To quote Apple: “With Apple Pay, instead of using your actual credit and debit card numbers when you add your card, a unique Device Account Number is assigned, encrypted and securely stored in the Secure Element, a dedicated chip in iPhone… These numbers are never stored on Apple servers. And when you make a purchase, the Device Account Number alongside a transaction-specific dynamic security code is used to process your payment. So your actual credit or debit card numbers are never shared by Apple with merchants or transmitted with payment.”

Several major financial institutions — like American Express, Bank of America, Capital One, JP Morgan Chase, Citibank, and Wells Fargo — are already on board with Apple Pay, and Apple says several others, notably Barclaycard, Navy Federal Credit Union, PNC Bank, USAA and US Bank are in process.

What the Barclays Bank and Apple Pay security initiatives have in common is that both embrace biometric identifiers and move that identification data out of centralized locations and into the user's own equipment.

Decentralized identification information is difficult to hack, on two levels:

  • It's a moving target because, in both cases, the biometric data generates dynamic codes. That's like setting up a new password for every transaction: even if you deciphered one, it's useless for any other transaction.
  • The cost/benefit ratio for cyber attackers increases exponentially, because the potential gain from a successful hack drops from hundreds of millions of dollars to hundreds of dollars. In other words, crime stops paying.
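As an added illustration, not code from this post, from Barclays or from Apple, the Go program below models the pattern the two points above share with the Barclays and Apple Pay descriptions. The Device type stands in for the vein scanner or the phone's Secure Element and holds the only copy of the biometric template and a private key; the Bank holds a token (playing the role of Apple's "Device Account Number") and a public key, never the card number or the template; each transaction produces a one-off code (here an ECDSA signature over the token, merchant, amount and a counter) that the bank checks and refuses to accept twice. The type names, the use of ECDSA P-256, the counter-based replay check and all sample values are this example's own assumptions, not a description of either company's actual protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models the user-side hardware (vein scanner or phone Secure Element); it holds the only copy of the biometric template and the private key.
type Device struct {
	deviceAccountNumber string            // token the bank maps to the real account
	template            [32]byte          // hashed biometric template (constructed stand-in)
	key                 *ecdsa.PrivateKey // generated on the device, never exported
	counter             uint64            // monotonic, makes every code transaction-specific
}

// Authorisation is all that leaves the device: a token, the transaction details and a one-off "dynamic security code" (an ECDSA signature). No card number, no biometric.
type Authorisation struct {
	DeviceAccountNumber string
	Merchant            string
	AmountCents         int64
	Counter             uint64
	Code                []byte
}

// transactionDigest binds the code to this token, merchant, amount and counter, so a
// code captured from one purchase is useless for any other.
func transactionDigest(dan, merchant string, amountCents int64, counter uint64) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d|%d", dan, merchant, amountCents, counter)))
}

// Authorise matches the presented scan locally (exact equality here; real matchers compare fuzzily) and signs only on a match.
func (d *Device) Authorise(presented [32]byte, merchant string, amountCents int64) (*Authorisation, error) {
	if presented != d.template {
		return nil, errors.New("biometric mismatch: device refuses to sign")
	}
	d.counter++
	digest := transactionDigest(d.deviceAccountNumber, merchant, amountCents, d.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Authorisation{DeviceAccountNumber: d.deviceAccountNumber, Merchant: merchant,
		AmountCents: amountCents, Counter: d.counter, Code: sig}, nil
}

// tokenRecord is all the bank keeps per device; a stolen copy lets an attacker verify codes, not forge them.
type tokenRecord struct {
	realAccount string
	pub         *ecdsa.PublicKey
	lastCounter uint64
}

type Bank struct{ tokens map[string]*tokenRecord }
func NewBank() *Bank { return &Bank{tokens: map[string]*tokenRecord{}} }

// Enrol provisions a device for a real account; the bank records only a random token
// and the public half of the key pair.
func (b *Bank) Enrol(realAccount string, template [32]byte) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	var tok [8]byte
	if _, err := rand.Read(tok[:]); err != nil {
		return nil, err
	}
	dan := fmt.Sprintf("DAN-%x", tok)
	b.tokens[dan] = &tokenRecord{realAccount: realAccount, pub: &key.PublicKey}
	return &Device{deviceAccountNumber: dan, template: template, key: key}, nil
}

// Verify accepts a code only for a known token, with a counter that has advanced (no replay) and a signature over exactly these details (no tampering).
func (b *Bank) Verify(a *Authorisation) error {
	rec, ok := b.tokens[a.DeviceAccountNumber]
	if !ok {
		return errors.New("unknown token")
	}
	if a.Counter <= rec.lastCounter {
		return errors.New("replayed or stale code")
	}
	digest := transactionDigest(a.DeviceAccountNumber, a.Merchant, a.AmountCents, a.Counter)
	if !ecdsa.VerifyASN1(rec.pub, digest[:], a.Code) {
		return errors.New("code does not match this transaction")
	}
	rec.lastCounter = a.Counter
	return nil
}

func main() {
	bank := NewBank()
	finger := sha256.Sum256([]byte("constructed sample vein pattern")) // stand-in for a scan
	dev, _ := bank.Enrol("real-account-0001", finger)
	auth, _ := dev.Authorise(finger, "merchant-42", 1999)
	fmt.Println("genuine code:", bank.Verify(auth), "| replayed:", bank.Verify(auth))
}
```

Running it, the first Verify returns nil and the replay of the same code returns an error; a tampered amount, a scan that does not match the enrolled template and an unknown token are rejected the same way. Note what a breach of the bank's table would yield here: tokens and public keys, which can check codes but cannot produce them. That is the concrete meaning of "the information is simply not at the bank".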

Time will tell how these developments play out, but I find it encouraging that practical, joint measures are being taken by banks and hardware manufacturers to further strengthen online security. How does your bank protect your information? Do you think biometrics will keep your accounts safe?

13 Comments
Kayla @ Femme Frugality
5 years ago

New security measures are needed all the time as the “bad guys” get smarter with enhanced hacking skills all the time too. Sometimes I’m worried that technology will not be able to keep up and thus the “bad guys” will win…

MoneyAhoy
5 years ago

All this kinda stuff just keeps honest people honest. It’s only a matter of time before “bad guys” find a way around it. But hey, the security companies will make a bundle in the process!

DonB
5 years ago

I would just settle for good 2-factor authentication via OpenAuth. Google does it. Facebook does it. Microsoft does it.

So basically all the data in the world I don’t care about is protected with 2-factor authentication, all with a compatible standard.

My banks? Treasury Direct? Anywhere I actually keep money? No.

J
5 years ago

The problem isn’t the number of factors the security has. The problem is weak passwords. From a technology perspective, a fingerprint or vein pattern is just another password. If a criminal somehow gets your fingerprint, they’ve stolen your password, and you can’t change it. On the flip side, if you make it too “secure” (i.e. inconvenient), nobody except identity thieves will use online banking, as it will be easier for people to just drive to the bank. I don’t believe people who use weak passwords “deserve” to have their identity stolen, but there are MANY simple things that can be… Read more »

FindX
5 years ago

Since there aren’t many comments I decided to unlurk today to say I always enjoy your posts. I always learn something new. It’s fascinating to know they can scan the pattern of our veins in our fingers. Also that they are unique like fingerprints. Love your work. 🙂

CheapMom@SimpleCheapMom
5 years ago

What a great post! I’d never really heard of vein scanners before and it seems like an exciting new way to keep our information safe. I think anything new will keep us safer, but only until the thieves catch up. At least if movies have taught me anything.

Laura
5 years ago

Well, all this security is great. But another reason all of the credit card companies are jumping onto the ApplePay bandwagon is because with ApplePay, people will spend more. I remember Dave Ramsey talking about pain – there’s pain spending cash; a bit less writing a check; no pain swiping a credit card. And just passing your phone over something? Is there something called “reverse pain”? Yep – just one more way to more easily separate us from our money.

Marie
5 years ago

I’m fascinated by the science behind this vein scanning. I wonder how age, blood pressure, weight changes, and other health issues affect your vein patterns. Since this involves shining light through your finger, does it work on very dark skin? What kind of light is it, and could frequent use cause skin cancer concerns?

In general, those of us who refuse to jump on the smart phone bandwagon are eventually going to be left in the dust when it comes to account security. It’s frustrating that so much of daily life is becoming centered around one piece of equipment.

Leslie H Tayne
5 years ago

A really informative article here, William. Online banking is such a great convenience and can be an amazing tool for people, but it’s important for everyone to stay vigilant until greater security can be assured. It will be interesting to see how effective Apple Pay is as it moves forward.

Nathan
5 years ago

The problem with improvements like this is that it doesn’t mitigate the largest threat: social engineering. As an example, a few months ago I received a phone call from someone claiming to be from my cellphone provider; the number even appeared as coming from the provider’s customer support number — #000# (not the real number). I was told that in exchange for participating in a survey, I would be given a $20 credit on my next bill. I was suspicious as I started to answer questions, but the questions were innocuous (e.g. How would you rate the service? etc.). Then… Read more »

James Salmons
5 years ago

Sometimes it is the user who has the problems as much as the thief.

If the success I have with my image reader and fingerprint log-in means anything, they are not foolproof by any means. I often have to know my user name and password anyway since the machines just don’t recognize me.

The most certain word in the post was that no matter what the good guys do to provide more protection, the bad guys keep finding something new to try. As the old poem says, “Life gets tedious don’t it.”

Chris
5 years ago
Reply to James Salmons

It does seem that the bad guys are always 2 steps ahead of the new technology meant to keep us safe. Nothing seems to be foolproof.

BrentABQ
5 years ago

I work in Biometrics (mostly fingerprints) so hopefully I can shed even more light. In some places like Brazil, it is becoming increasingly common to use biometrics in ATMs and branches. It’s almost always paired with additional information like a card and pin. So it’s only making it more secure. If the implementation of these is done right your fingerprint is validated to be a live finger and not some fake while it’s validating that it matches and the entire process is encrypted. This means that it doesn’t matter if someone lifts it off some glass because they still can’t… Read more »
