One of the main obstacles standing in the way of digital banking progress in Latin America is users’ overall mistrust in the ability of banks to offer fraud-proof service. And they have a point.
Last year, 92% of financial institutions surveyed by the Organization of American States (OAS) on banking security acknowledged detecting some type of “digital security event”, that is, cyber attacks that were either aborted or succeeded. The attacks included malware along with a practice known as “phishing”, where a user receives an e-mail impersonating a trusted company in order to get hold of the user’s passwords and credit card information.
The annual cost for banks to fight these attacks and recover the data reached an average of $809 million, according to the same study. Recent victims include Banco de Chile and Mexico’s Banco Nacional de Comercio Exterior (Bancomext), and many are beginning to wonder if banks are investing enough resources to defend themselves against increasingly sophisticated cybercriminals.
The weapons banks have at their disposal to fight cybercrime range from encryption to behavioral biometrics and include different levels of identity authentication, such as sending a code to the user’s mobile phone, providing a token or having the user answer security questions.
Each bank must meet the challenge of offering its users a service that is secure and, at the same time, intuitive and as friction-free as possible.
Cybercriminals “have a bag with different attacks and try to see which one works better with this or that bank and keep using it until the bank starts to fight back, something which can take from a couple of days to a couple of weeks”, says Edmundo Fariñas, Vice President of Global Corporate Information Security at TODO1.
Dmitry Bestuzhev, Latin America Research and Analysis Director for Russia-based cybersecurity firm Kaspersky Labs, says in the OAS report that “the security of a bank is not a static strategy, but something that needs to constantly evolve and adapt according to the intelligence gathered on trends, new threats and the latest technologies”.
Besides the standard toolkit to protect their clients’ information, such as encryption, multilevel identity authentication and time limits, banks in Latin America are starting to use emerging techniques, including Data Analysis (29%), Machine Learning (24%), Artificial Intelligence (AI) and Knowledge Computing. However, almost half of them (49%) have not implemented cutting-edge technologies yet, the OAS report says.
About 61% of Latin American banks allot less than 1% of their earnings before interest, taxes, depreciation and amortization, a key profitability metric known as EBITDA, to their digital security budget, according to the OAS. Several studies show the main barriers to the adoption of advanced technologies and security processes in Latin America are a limited budget, the lack of a robust security culture and compatibility issues with existing technology.
One of the more common methods banks use is the encryption of information, the process that encodes private information so it cannot be accessed without proper authorization during the data exchange between the user’s computer and the bank’s servers.
Banks also impose time limits on each session to lower the risk of fraudulent transactions. If someone forgets to close the session or if it becomes inactive for a number of minutes, the user must restart it to access the information he or she is looking for.
Another security tool banks use is identity authentication. Besides a username and password, the bank might require a numeric key or the use of an authenticator that shows personalized codes that are constantly changing. However, passwords and identity authentication are the weakest links in banks’ security chain, according to multiple studies.
That helps explain the increasing popularity of security tools linked to behavioral biometrics, not only in banking but in other industries as well. Behavioral biometrics holds that the way we use our computers is as unique as our fingerprint. The system assesses factors such as the pattern we follow when we type on the computer, the pressure we apply to the keyboard, the fingers we use to navigate the screen and even the angle at which we usually hold our phones, and creates a “behavior profile” that helps detect impostors.
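A minimal sketch of the “behavior profile” idea, using typing rhythm only. This is an added example, not code from the article or from any vendor's product; the timestamps are constructed sample data, and the per-interval z-score, the 5 ms deviation floor and the 3.0 threshold are assumptions chosen for illustration.

```python
from statistics import mean, stdev

MIN_STD_MS = 5.0  # floor so a very consistent typist does not yield huge z-scores

# Constructed sample data: key-press timestamps (ms) for the same 6-key phrase.
ENROLLMENT = [
    [0, 120, 260, 350, 520, 640],
    [0, 130, 250, 345, 510, 650],
    [0, 115, 255, 360, 525, 635],
    [0, 125, 265, 355, 515, 645],
]
GENUINE = [0, 122, 258, 352, 518, 642]   # same rhythm as enrollment
IMPOSTOR = [0, 80, 150, 310, 380, 470]   # right keys, different rhythm


def intervals(timestamps_ms):
    """Time between consecutive key presses, in milliseconds."""
    return [b - a for a, b in zip(timestamps_ms, timestamps_ms[1:])]


def build_profile(sessions):
    """Return [(mean, std)] per inter-key interval across enrollment sessions."""
    rows = [intervals(s) for s in sessions]
    if len(rows) < 2 or len({len(r) for r in rows}) != 1:
        raise ValueError("need >= 2 enrollment sessions of equal length")
    return [(mean(col), max(stdev(col), MIN_STD_MS)) for col in zip(*rows)]


def anomaly_score(profile, session):
    """Mean absolute z-score of a session's intervals against the profile."""
    observed = intervals(session)
    if len(observed) != len(profile):
        return float("inf")  # different phrase length: cannot be compared
    return mean(abs(o - m) / s for o, (m, s) in zip(observed, profile))


def is_suspicious(profile, session, threshold=3.0):
    """Flag the session for step-up authentication when the score is high."""
    return anomaly_score(profile, session) > threshold


if __name__ == "__main__":
    profile = build_profile(ENROLLMENT)
    for name, session in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        score = anomaly_score(profile, session)
        print(f"{name}: score={score:.2f} suspicious={is_suspicious(profile, session)}")
```

In practice a high score would trigger an extra authentication step rather than an outright block, since a legitimate user's rhythm also drifts with device, fatigue or injury.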
But no security strategy is foolproof and users must be educated about the online threats they face. This includes the importance of keeping passwords confidential, which means coming up with unique combinations that are regularly changed. Users should also use anti-virus software, avoid trying to access their bank account from a public place, update their browsers frequently and limit the number of devices used to do their banking.
Perhaps most important of all, both users and bank employees should learn more about phishing. According to the OAS, the majority of users who suffered cyberattacks, 49.68%, were phishing victims through their emails.