Last updated: 23 April 2015
Cyber security has never been more high profile, particularly when it comes to banking. As a result of numerous data breaches across a range of industries in the past year, banks and customers alike now regard online and mobile banking security as being of the utmost importance. This, unsurprisingly, has translated into political pressure as a new ‘Cybersecurity Bill’ approaches legislative approval in the US Senate. The movement for better and more secure banking for everyone is also backed by the American Banking Association (ABA), which recently released a statement supporting the legislative move. Furthermore, according to Senator Tom Carper, the bill should “ensure that we have common sense measures in places to safeguard the transactions we conduct every day in person and online”.
You could argue that the ‘measures’ described in the bill, which you can read here, reflect the growing number of measures and options now available across the different types and categories of security. But, with so many options available, do you bet on one? Or do you rely on several different options? For example, do you opt for hardware-token-based authentication, HCE or software tokens to authenticate third parties? And where do you encrypt information and data stores? Instead of just one approach, we’d recommend a layered approach. To help explain this, I’ll give you my new favorite analogy for security systems, involving cake.
In my opinion, the best type of cake is the layered kind; layered cakes can have a variety of flavors, brilliant texture and normally guarantee a good serving size. The only drawback is they can be difficult to slice through at times as they are much thicker than a normal cake. This, however, is a good thing when it comes to security; you want lots of layers that prevent anyone slicing through, rather than one layer that can be cut easily.
We’ve never blogged about cake with regard to security before, but we have covered multi-factor authentication, in great detail. In fact, we’ve even discussed how the Galactic Empire from Star Wars could learn from this form of cyber security. However, the key lesson to be learned here is not what Darth Vader should do with his passwords; it’s that integrated and layered security for online banking systems is the key for more trustworthy payments and banking transactions. Layered systems for eBanking and eCommerce have been created with the knowledge that an efficient security policy cannot rely on a single technique, but has to integrate several complementary layers.
Currently, there are four key layers of security for this approach to be effective:
- End point protection
- Authentication and transaction signing
- Fraud management
Through this layered approach, digital banking can become as secure as, if not more secure than, physical/high street banking. For example, a high street bank would usually have four layers of protection as well – secured premises, customer identification, hand signatures and an audit or rules to follow. These four layers, traditionally, have worked very well in the physical banking world; it’s now time to make sure we have as many layers in the digital world, particularly those which are more secure – for example, digital authentication and transaction signing are less susceptible to fraud than hand signatures, which can be copied easily.
A multi-layered approach like this also has other benefits – our Ezio Suite, for example (pictured below), allows banks to choose which business goals to aim for, the appropriate security level, which segments to target and which channels to provide, and to select the most suitable back-end system, form factor and authentication solution. So, in many ways, banks will get a chance to design the recipe of their cake as well.