– David Vergara, Senior Director of Product Marketing, OneSpan
Digital banking has soared in popularity during the last few years, and it is showing no indications of slowing down. A report looking at the UK finance landscape in 2021 found that only 7.7% of UK banking customers prefer in-branch visits, with the vast majority preferring to use online or mobile channels. As a result, bank branches across the United Kingdom have been closing down, with Which? estimating that the UK's bank branch network has shrunk by a third in the past five years. This year alone, 247 branch closures are due in the United Kingdom.
This trend towards digital has been fuelled by the customer-centric, digital-only challenger banks such as Monzo, Revolut and Starling, which together claim close to 20 million customers. In recent months, the global coronavirus pandemic has additionally forced many consumers to adopt digital banking platforms they were not using before, as stay-at-home measures have prevented quick access to bank branches.
While digital banking has improved the overall customer experience, it has also widened the attack surface available to cybercriminals, with threats such as man-in-the-browser or man-in-the-middle attacks becoming more common and having serious consequences for customers. Fortunately, there is a range of technologies banks can implement to help defend against such threats without compromising the user experience of digital banking.
Man-in-the-middle attacks
These attacks occur when a cybercriminal is able to intercept communications between a customer's device and the banking server. The criminal is then able to alter the details of the transaction, such as the amount and the destination account, without the customer noticing. Consequently, a standard £100 transaction could become a £10,000 transaction that is wired into the criminal's bank account.
There are several ways criminals can intercept communications, but one common example is when a customer is using a public WiFi hotspot. These are often insecure and easy for cybercriminals to infiltrate. So when a person makes a transaction over a public WiFi network, they may unknowingly be sending sensitive financial transaction data through a network controlled by a cybercriminal.
Combatting man in the middle attacks through regulation
In Europe, the Revised Payment Services Directive (PSD2) has pushed banks and financial institutions to evolve their online and mobile banking offerings, introducing a range of security requirements designed to counter man-in-the-middle attacks.
For example, PSD2 has set out requirements for Strong Customer Authentication (SCA) along with dynamic linking, which is also referred to as transaction data signing. The dynamic linking requirement protects a transaction in three parts. First, it requires that the payer authenticate the transaction data they have entered, such as the amount and the payee, and confirm that it is correct. An authentication code is then generated that is cryptographically linked to that transaction data, so that any alteration of the transaction details (in particular the amount or the payee) would invalidate the code.
Second, the confidentiality and integrity of the transaction data must be protected throughout the authentication process, so that a bad actor cannot intercept and modify the details. This ensures the authentication code is generated over authentic transaction details.
Finally, the customer needs to be aware of the transaction data they are being asked to authenticate. This means that the transaction data must be presented to the customer, on a channel the attacker cannot alter, at the time of authorisation.
Combatting man in the middle attacks through technology
Cronto technology is one way banks can verify transactions and protect customers against man-in-the-middle attacks. Cronto is available through a mobile app and secures the communication channel between the customer and the bank, protecting the transaction data from being altered in transit. The data is then presented in plain text on the customer's device so the user can confirm it corresponds with their intended transaction before the app generates an authentication code bound to the transaction's details.
Only the bank is able to generate this encrypted image, and only the user's enrolled mobile device can decrypt it. This approach to transaction verification simplifies the experience because it reduces the user interaction needed to authenticate a transaction: customers simply point their phone at the screen to scan the image (essentially a colour QR-like code) and enter the resulting response code into the browser. This allows the encrypted transaction details to be communicated between the bank and the customer without an attacker on the network path being able to read or tamper with them. The check still depends on the customer actually reading the amount and payee shown on the phone before entering the code: if the details on the device do not match what they intended, they should abandon the transaction.
As a result, banks can offer a quick, user-friendly security solution that protects customers, ensures compliance and ultimately improves the user experience.
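The following is an added, self-contained illustration of the two ideas above (the three-part dynamic linking requirement and the scan-and-respond flow), written for this page; it is not OneSpan's code and does not reproduce Cronto's actual protocol or image format. It assumes a per-device secret shared between the bank and the app, uses a stdlib-only encrypt-then-MAC construction in place of AES (an assumption, chosen so the example runs without third-party libraries), and derives an 8-digit response code from an HMAC over a canonical serialisation of the transaction, so that changing the amount or payee changes the code. The transaction values are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed demo key. In a real deployment the per-device secret is
# provisioned at enrolment and lives in the bank's HSM and the app's keystore.
DEVICE_KEY = hashlib.sha256(b"demo-device-secret").digest()


def subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption, MAC and signing keys from the device secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def canonical(tx: dict) -> bytes:
    """Fixed serialisation so bank and device MAC exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR, see lead-in)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = subkey(key, b"enc"), subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Reject anything not produced for this device key before decrypting."""
    enc_key, mac_key = subkey(key, b"enc"), subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("challenge was tampered with or is not for this device")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


def response_code(device_key: bytes, tx: dict) -> str:
    """8-digit code bound to the transaction data (HOTP-style truncation, RFC 4226)."""
    mac = hmac.new(subkey(device_key, b"sign"), canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


# --- bank side ---------------------------------------------------------------
def bank_issue_challenge(device_key: bytes, tx: dict) -> bytes:
    """The bank seals the transaction as *it* received it; this blob is what a
    Cronto-style system would render as the colour image on the web page."""
    return seal(device_key, canonical(tx))


def bank_verify(device_key: bytes, tx_stored: dict, code: str) -> bool:
    """Recompute the code over the bank's stored transaction and compare."""
    return hmac.compare_digest(response_code(device_key, tx_stored), code)


# --- device side -------------------------------------------------------------
def device_decode(device_key: bytes, blob: bytes) -> dict:
    """Only the enrolled device can read the challenge; the result is the
    plain text the app shows the user before they approve anything."""
    return json.loads(unseal(device_key, blob))


def demo() -> dict:
    """Honest transfer versus a man-in-the-middle that rewrites the request."""
    intended = {"amount": "100.00", "currency": "GBP",
                "payee": "GB00DEMO00000000000001", "reference": "Rent"}  # constructed
    altered = dict(intended, amount="10000.00", payee="GB00DEMO00000000000099")

    # Honest path: what the phone shows equals what the bank holds; code verifies.
    shown = device_decode(DEVICE_KEY, bank_issue_challenge(DEVICE_KEY, intended))
    honest_ok = bank_verify(DEVICE_KEY, intended, response_code(DEVICE_KEY, shown))

    # Attack path: the bank received the altered request, so the sealed challenge
    # carries the altered amount and payee. The phone displays them, giving the
    # customer the chance to refuse. A code the attacker replays from the intended
    # transfer does not verify against the altered record either.
    shown_attack = device_decode(DEVICE_KEY, bank_issue_challenge(DEVICE_KEY, altered))
    replayed_ok = bank_verify(DEVICE_KEY, altered, response_code(DEVICE_KEY, intended))

    return {"honest_ok": honest_ok,
            "user_sees_altered": shown_attack == altered,
            "replayed_code_ok": replayed_ok}


if __name__ == "__main__":
    print(demo())
```

The three PSD2 parts map onto the code directly: the response code is computed over the amount and payee (linking), the challenge is sealed so nothing on the network path can read or alter it (confidentiality and integrity), and the app decodes and displays the details before the code is produced (awareness). Note that the scheme cannot stop a customer who approves wrong details without reading them; it only guarantees that what was approved is what gets executed.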