Security Buyer takes a look at whether online banking in today’s society is as safe as it could be, and identifies where the security gaps are most concerning
Banking and finance have changed markedly in recent years, with many banks making online banking their primary channel. Covid-19 has accelerated this transition and has now even led to online portals for mortgage applications and business loans, in addition to everyday online banking. The shift is evident in the closure of many physical branches, the reduction of opening hours and the necessity for online secure card readers. Business banking functions such as payroll have also moved online. So, with this digital shift, how can we ensure that online banking and finance is just as secure as physical banking?
How do we test online banking security?
Which? recently released new data analysing which banks had the most secure online banking systems and stated: “All providers have processes that aren’t visible in the type of testing we carried out – we can only analyse security features available to the customer – but our tests compared banks on the following:
Encryption: We looked at whether banks support outdated versions of ‘Transport Layer Security’ (TLS), where data is scrambled so that only you and your bank can read it – or whether they have weak ciphers. We also checked if best-practice security headers are in place to protect against a wide range of attacks. We also noted where scripts were loaded from external sources.
Login: We rated banks on the information required to access accounts and how easy it is to recover usernames or passwords. We specifically looked at whether banks offered secure card readers upon login to an app in addition to one-time passwords via text, despite this being the least secure way to authenticate customers.
Account management: Setting up a new payee and editing account details should require additional checks to verify identity. We want banks to send notifications when details are altered to alert you of a potential risk. We marked them down if messages included a phone number or web link, as scammers often replicate these.
Navigation and logout: Banks were penalised if they let us log in from multiple browsers or computer networks at the same time – this should be flagged as a potential attack. Banks should auto-log you out after five minutes of inactivity.”
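Two of the Which? criteria above (refusing and flagging concurrent logins from another browser or network, auto-logout after five idle minutes, and alert messages that carry no phone number or link) can be expressed as simple server-side policy. The following is an added illustration, not code from Which? or from any bank; the session store, the `client` label and the sample alert texts are constructed for the example.

```python
import re
from dataclasses import dataclass

INACTIVITY_LIMIT = 5 * 60  # seconds; Which? expects auto-logout after five idle minutes


@dataclass
class Session:
    user: str
    client: str      # constructed label for the browser/network the login came from
    last_seen: float


class SessionPolicy:
    """One live session per user; a second live login is refused and flagged."""

    def __init__(self):
        self.active = {}     # user -> Session
        self.alerts = []     # what the fraud team would be told

    def login(self, user, client, now):
        current = self.active.get(user)
        if current and now - current.last_seen < INACTIVITY_LIMIT and current.client != client:
            # A second session from another browser/network while the first is still
            # live: the Which? test says this should be treated as a potential attack.
            self.alerts.append(f"{user}: login from {client} while active on {current.client}")
            return False
        self.active[user] = Session(user, client, now)
        return True

    def touch(self, user, now):
        """Record activity; returns False (and logs the user out) once idle too long."""
        session = self.active.get(user)
        if session is None:
            return False
        if now - session.last_seen >= INACTIVITY_LIMIT:
            del self.active[user]        # auto-logout after five minutes of inactivity
            return False
        session.last_seen = now
        return True


# Alerts about changed details must not carry a phone number or link, because
# scammers copy that pattern; this lint rejects anything that looks like either.
CONTACT_PATTERN = re.compile(r"https?://|www\.|\+?\d[\d\s().-]{7,}\d", re.IGNORECASE)


def alert_is_safe(message):
    return CONTACT_PATTERN.search(message) is None
```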
Is mobile banking safe?
The biggest threat to banking security comes from using a compromised device, and this applies whether you’re using a computer or a smartphone. Although phones are more easily lost or stolen, apps are in some ways safer than using a computer to log in to your bank account. This is because apps in the official app stores are vetted by Apple and Google, whereas PCs can run software from any source.
It’s also more difficult to plant a keylogger (software used to track every key you press and potentially steal usernames and passwords) on an Android or iOS device. Smartphones can be located, locked and even wiped of data remotely if they are lost or stolen (by registering for Google ‘Find My Device’ and Apple ‘Find My iPhone’). Of course, mobile banking isn’t risk-free – fakes can turn up in app stores and malware does exist that specifically targets mobile phones.
Citi mobile banking study
Apps for mobile banking have become some of the most widely used by Americans, according to Citi’s 2018 Mobile Banking Study. The survey of 2,000 US adults found that, measured by top two ranked responses, 31% of consumers use their mobile banking app the most, behind only apps for social media (55%) and the weather (33%).
“Mobile banking usage is skyrocketing as more consumers experience the benefits of greater convenience, speed and financial insights driven by new app features and upgrades,” said Alice Milligan, Chief Digital Client Experience Officer, US Consumer Bank, Citi. “Over the past year we’ve witnessed this increase in engagement first-hand, with mobile usage in North America increasing by almost 25%, and we don’t see this trend slowing down any time soon.”
According to the study, almost half of consumers (46%) – including nearly two thirds of millennials (62%) – have increased their mobile banking usage in the last year. Eight out of 10 consumers (81%) are now using mobile banking nine days a month, on average, while nearly a third (31%) mobile bank 10 or more times per month.
As consumers increasingly adopt the technology, they are rethinking more traditional banking tools, so much so that 91% of mobile banking users prefer using their app over going to a physical branch, and 68% of millennials who use mobile banking see their smartphones replacing their physical wallets.
Mobile banking users are also experiencing convenience-related benefits offered by the technology. On average, respondents estimate that they save 45 minutes a month because of mobile banking (equivalent to nine hours a year), logging in while at home on the couch (75%), in bed (47%) or at work at their desk (36%). In fact, 19% of millennials are even mobile banking while on a date. See accompanying infographic with additional statistics on when and where Americans are mobile banking.
Trusted choice
When it comes to handling their financial information, 87% of Americans would still trust traditional banks more than non-bank financial institutions.
And this high degree of trust in banks is largely driven by security offerings. According to Citi’s Mobile Banking Study, when it relates to personal information on their phones, 45% of consumers would feel most uncomfortable about others seeing their banking information, far ahead of their photos (24%) and texts (21%), illustrating the importance of rigorous security protocols to help keep this information private.
Milligan added: “At Citi, we launched over 1,000 digital features in the US in 2017, a nearly 500% increase over the previous year, and we continue to reimagine the client experience through innovative capabilities that deliver ease and simplicity for our cardmembers. In recent months, we have introduced a number of features to further enhance protection and security, such as face ID sign-on for the Citi Mobile App on iPhone X and email notifications when we detect unknown attempts to access customers’ accounts.”
Knowledge is power
Mobile banking customers are more confident that they know the exact balance of their bank account right now (95%) than non-mobile banking users (85%). Nine out of ten (91%) have experienced additional positive outcomes from mobile banking, including greater awareness of their financial situation (62%), fewer concerns about managing their finances (41%) and a better understanding of the services offered by their bank (38%).
These ultimately drive a more optimistic view that banks can help to better understand their financial situation, with 82% of mobile banking users feeling confident that a bank can truly help improve their state of financial wellness, compared to 62% of non-users. See accompanying second infographic with additional statistics on mobile banking and financial confidence.
Recently, Citi announced it will be introducing new mobile capabilities on the Citi Mobile App for iPhone to serve the full spectrum of clients’ banking needs nationwide. The new features, launching in the weeks ahead, include seamless in-app account opening, a 360-degree view across financial accounts and spending insights to enhance financial wellness. In a first-of-its-kind move among banks, non-Citi clients can create a profile and connect their accounts across financial services providers.
Payroll
Steve Cox, Chief Evangelist at IRIS FMP, discusses exclusively for Security Buyer why payroll security should be a top priority in light of Covid-19. With over 18 years’ experience in the IT and software market, Steve is a technologist and chartered accountant (FCCA) who looks at how technology can simplify the modern working environment.
Handling payroll data is a highly sensitive topic that requires not only integrity but reliability and trust. The specifics of the nature of data that payroll includes mean that it is valuable to hackers and fraudsters.
When dealing with such data, it’s important to ensure that your data is held securely and accessed in a manner that creates as much difficulty as possible for an unverified attempt. Cyber threats are very real and in payroll can have huge implications for your company’s trust from employees and clients. There are some basic steps you can take, but in light of the trend towards homeworking, these can be harder to achieve.
Hacking can come in many forms, from Facebook’s payroll data in 2019 being discovered after a car was broken into and a hard drive stolen, or in May 2020 when Interserve, a MoD contractor, was hacked and over 100,000 employee details stolen.
Education amongst staff
While the obvious things such as strong passwords may be most effective, staff education surrounding cybersecurity is actually the best guard as an initial preventative measure.
Cybersecurity should be a regular training topic, covering everything from the latest hacks and scams to regular reminders.
18% of executives surveyed by MalwareBytes said that for their employees, cybersecurity wasn’t a priority. While a lower number than other studies, it’s a large proportion of vulnerable companies.
Processing special categories of data, as defined in GDPR, such as payroll-relevant data, means that education around handling such data is especially important. As well as education on handling such data, staff should be made aware of phishing techniques so they avoid downloading viruses from various sources.
Enforcing regular password changes
Unsecure passwords, repeated passwords and passwords that never get changed leave you open to vulnerability, cross system hacking and at serious risk from dark web exposure.
This all may sound scary, and that’s because it is. If your password is left unchanged for years, and then a database is hacked and sold on the dark web, those credentials can be matched to other databases and used to access any account those are matched with.
As well as regularly changing passwords, making them unique and strong, longer than 8 characters and a combination of various characters, can all help to reduce the risk of penetration.
Secure transfer of files
When working with payroll data, a password secured file isn’t the best. Emails can be easily accessed and without full encryption, your files are out there for the world to use.
Ideally, for sensitive data, you need to be using end-to-end encrypted software. All this means is that the two end users, i.e. client and business owner, are the only two people who see the unencrypted messages. One popular example of this is WhatsApp, where each chat is end-to-end encrypted.
Services such as DocuSign, Signal and SpiderOak are all end-to-end encrypted services that are good for file sharing and can be easily set up. With homeworking becoming more common, secure file sharing has never been more important due to the use of unsecured internet networks.
Creating protected servers and internet access
When home working, on the road or even in the office, having internet that is protected by firewalls and accessed from the user device in a secure way is of paramount importance.
Having appropriate firewalls or VPNs set up to anonymise the computer in question can help from a remote worker perspective. Ideally, sensitive data should never be handled over a public network such as a coffee shop or airport, however if it has to be, and there is no alternative, then procedures must be put in place.
For home networks, making sure they have the highest encryption possible, all unnecessary devices are removed or even having a separate network access point can all help to guarantee the safety of the data.
While all of these procedures can help to secure your devices, your data and your company, sadly this sometimes isn’t enough. Showing you’re doing everything possible will instil trust in your customers and employees, and that is the best you can do.
Commentary: Joerg Borchert, President of Trusted Computing Group
The biggest challenges we have at the moment when it comes to securing the financial services industry are the legacy systems at play and the lack of communication on how enterprises can adopt new technologies in a manner that is protected against an attack.
With mobile transactions projected to grow by 121% over the next year, this is fast becoming a new area of concern for security experts, where essential transactions must be kept safe and secure. Goldman Sachs is one of the few pioneers engaging with the unlimited possibilities FinTech has to offer. With Goldman Sachs joining TCG in a recent partnership, TCG will play a pivotal role in defining and shaping the security measures needed specifically for the banking and financial services sector.
At a time when FinTech is of increasing importance, we want to encourage others within the financial services industry to follow Goldman Sachs’s lead, and join us in innovating and defining solutions for the future security of the FinTech sector.
Case Study: Gallagher and AUB
Ahli United Bank is a leading financial institution providing banking, investment, and wealth management services from 147 branches in 8 countries. Utilizing Gallagher’s business and security solutions in Bahrain since 2008, Ahli United Bank (AUB) decided in 2017 to undertake a full upgrade of the systems at its headquarters.
As part of upgrading the full product suite at its Bahrain Headquarters – which included all controlled doors and software – AUB also took the opportunity for a complete re-design of the set-up and locations of its security system. While researching their options, AUB management saw a demonstration of Gallagher’s Mobile Connect technology and were immediately convinced that this was the ideal product for the bank’s upgrade.
From an administrative and site management perspective, Gallagher Mobile Connect provides AUB with significant flexibility. Easy provisioning means that authorized staff can remotely allocate temporary access in advance and can also schedule when a user’s access can begin and end – ideal for visitors and contractors who come to the bank’s headquarters.
Beyond Mobile Connect, readers and controllers, AUB uses Gallagher’s security software platform, Command Centre, to manage alarms and access for its headquarters and all branches, all from a centralized location. “The power of Command Centre is enormous,” said AUB’s Management. “It integrates with our CCTV equipment and gives excellent oversight of our operations.”