A Smart Approach to Countering Cyber Attacks
Cybercrime is on the rise.
We read about it all the time, but do we really understand the extent to which it is spreading and what we need to do to keep up?
The subject itself is now too large to even discuss in one go. If you think about it, there are so many aspects to it these days. You can prefix almost any illicit activity with “cyber-”, and you get some form of digital crime: blackmail, bullying, espionage, fraud, laundering, stalking, terrorism, theft and warfare. A scary thought!
Still, for every type of cyber attack there are counter-measures that we can deploy in order to prevent it, or at least diminish the chance of being caught out. From a consumer’s perspective, we hear a lot about updating and strengthening passwords, avoiding clicking on links in emails from people we don’t know (and even from those we do if the content is unusual), and of course never sharing our login details with anyone else. This is all well and good, but it is only one way we can be protected, and it requires us to think carefully about it each time, rather than just getting on with doing it.
What if we could have extra layers of protection that did a lot of the work for us? Is there a technology out there that could really lower the risk of a cyber attack from being successful? As consumers, are there extra layers of security that can be added to help protect ourselves, without us even needing to think?
From a digital banking perspective, providers have tried various measures to add security using hardware tokens, remote client connections and other mechanisms such as One Time Passwords (OTPs) sent to mobile devices. These ‘second factors’ (“something you own”) have worked quite well in recent years, but they suffer from limitations that have prevented their wider adoption, not only across all digital banking services but across cyber-security as a whole.
Hardware tokens, for example, suffer from finite battery life and being something extra to carry around with you, not to mention the outlay of having to buy and distribute them to all customers in the first place. My own experience with strongly encrypted remote client connections has found them hard to set up, less than completely reliable, and of course requiring software installations on my devices. OTPs seem to be the most frequently used, but are limited to ‘partial event success’ scenarios – an SMS is only sent once initial credentials have been entered – requiring a two-step manual process. This is OK when I am actively signing in to a secure location, but doesn’t protect me from someone now knowing that stolen initial credentials are correct, nor help me where this type of security is not relevant (such as opening a file or clicking on a link in an email).
An answer might come from more sophisticated sources. While the financial services sector is experimenting with ‘third factor’ security challenges (“something you are”, such as fingerprint and facial recognition), which is working quite well, there are already limitations being identified that fraudsters can manipulate.
We need to consider other dynamics that can be blended together to make a bigger picture. My location is an obvious one, as is the time of day. If I am at my home using my usual device (say my smartphone), and it is between 6am and 8.30am, then it is probably me before I go to work. If, however, I am connecting from São Paulo and it is 3am UK time (as the bank knows I live in London), then something might be “iffy”… unless I have already given my travel plans to my bank and told them to expect me to be in Brazil on this date.
As well as when and where I am, we can factor in my regular contact habits – what does my historic access profile look like? Is this a common place and time of day for me, or something unusual? On top of this you can add further analytics – how long does it usually take for me to tap in my access credentials (time lag between keystrokes/taps)? Am I in seemingly different locations too far apart between attempts to make it realistic? If I am on a smartphone, is it being held in the usual way, or is it lying flat (like on a desk)… is this usually how I do it?
Blending in a lot more analytics than we do today, financial services can quickly build up a profile of a customer’s habits, mannerisms and actions, and use these to augment security levels that determine what strength of challenge is appropriate in this circumstance.
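The blending of signals described in the last three paragraphs is what risk-based (adaptive) authentication engines do. The following is an added example written for this page, not code from any bank or vendor: it scores one sign-in attempt against a customer's learned profile using location versus home, a declared travel notice, time of day, device familiarity, typing cadence and an "impossible travel" check against the previous login, then maps the blended score to a challenge strength. All weights, thresholds, the 1000 km/h speed limit, the sample profile and the three sample attempts are constructed assumptions for illustration.

```python
# Added example: a risk-based authentication scorer. Hypothetical code;
# weights, thresholds and all sample data below are constructed assumptions.
from dataclasses import dataclass, replace
from datetime import date, datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # faster than this between two logins = "impossible travel"
FAR_FROM_HOME_KM = 100.0          # beyond this we treat the customer as away from home


@dataclass
class Profile:
    """What the bank has learned about one customer's habits (constructed)."""
    home_lat: float
    home_lon: float
    usual_devices: frozenset              # device identifiers seen regularly
    usual_hours_utc: range                # hours of day the customer normally signs in
    typical_keystroke_ms: float           # historic mean gap between keystrokes/taps
    travel_notice: Optional[tuple] = None  # (country_code, first_day, last_day) told to the bank
    last_login: Optional[tuple] = None     # (datetime, lat, lon) of the previous successful login


@dataclass
class Attempt:
    """Context captured for a single sign-in attempt."""
    when: datetime
    lat: float
    lon: float
    country: str
    device_id: str
    keystroke_ms: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def travel_expected(profile, attempt):
    """True if the customer declared in advance that they would be in this country now."""
    if not profile.travel_notice:
        return False
    country, first_day, last_day = profile.travel_notice
    return attempt.country == country and first_day <= attempt.when.date() <= last_day


def score_attempt(profile, attempt):
    """Blend the individual signals into one risk score; returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.usual_devices:
        score += 30; reasons.append("unknown device")
    if haversine_km(profile.home_lat, profile.home_lon, attempt.lat, attempt.lon) > FAR_FROM_HOME_KM:
        if travel_expected(profile, attempt):
            score += 5; reasons.append("away from home (declared travel)")
        else:
            score += 35; reasons.append("away from home (no travel notice)")
    if attempt.when.hour not in profile.usual_hours_utc:
        score += 15; reasons.append("unusual time of day")
    if abs(attempt.keystroke_ms - profile.typical_keystroke_ms) > 0.5 * profile.typical_keystroke_ms:
        score += 15; reasons.append("typing cadence differs from profile")
    if profile.last_login:  # distance covered since the last login, divided by elapsed hours
        t0, lat0, lon0 = profile.last_login
        hours = (attempt.when - t0).total_seconds() / 3600
        if hours > 0 and haversine_km(lat0, lon0, attempt.lat, attempt.lon) / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50; reasons.append("impossible travel since last login")
    return score, reasons


def challenge_for(score):
    """Map the blended score to the strength of challenge to present."""
    if score < 25:
        return "none"       # "it's obviously me": open the app and you're in
    if score < 50:
        return "otp"        # second factor, something you own
    if score < 80:
        return "biometric"  # third factor, something you are
    return "block"          # refer to fraud team rather than challenge


def assess(profile, attempt):
    score, reasons = score_attempt(profile, attempt)
    return {"score": score, "challenge": challenge_for(score), "reasons": reasons}


# --- Constructed sample data: a London customer, as in the text ---
UTC = timezone.utc
LONDON = (51.5074, -0.1278)
SAO_PAULO = (-23.5505, -46.6333)
PROFILE = Profile(*LONDON, frozenset({"phone-A"}), range(6, 9), 180.0,
                  last_login=(datetime(2024, 3, 1, 7, 30, tzinfo=UTC), *LONDON))
PROFILE_WITH_NOTICE = replace(PROFILE, travel_notice=("BR", date(2024, 3, 1), date(2024, 3, 10)))
USUAL = Attempt(datetime(2024, 3, 2, 7, 15, tzinfo=UTC), 51.51, -0.13, "GB", "phone-A", 190.0)
ABROAD = Attempt(datetime(2024, 3, 2, 3, 0, tzinfo=UTC), *SAO_PAULO, "BR", "phone-A", 185.0)
RUSHED = Attempt(datetime(2024, 3, 1, 9, 0, tzinfo=UTC), *SAO_PAULO, "BR", "phone-Z", 80.0)

if __name__ == "__main__":
    for label, prof, att in [("usual morning", PROFILE, USUAL),
                             ("Sao Paulo, 3am UK", PROFILE, ABROAD),
                             ("Sao Paulo, travel declared", PROFILE_WITH_NOTICE, ABROAD),
                             ("90 min after London login", PROFILE, RUSHED)]:
        print(f"{label:28s} -> {assess(prof, att)}")
```

The interesting case is the third one: the same São Paulo attempt that earns a biometric step-up without a travel notice drops to no challenge once the customer has declared the trip, which is exactly the "unless I have already given my travel plans" clause above. A real engine would learn the weights from fraud outcomes rather than hard-code them, and would treat the profile itself as sensitive data.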
Looking even deeper into how ‘smart’ profiling can be, and at where biometrics can take us, in the future we might be able to see if I am ‘my usual self’ – am I sleepy, do I appear too hot or too cold, or do I seem stressed or under duress?
It would be great if my digital banking access was automatically tuned up or restricted if I was doing it from a new location, or at an unusual time of day, and that I could respond to the additional challenge by simply being me! Similarly, wouldn’t it be great if I only had to open the app on my phone and gain full access to my banking, because my smart profile matched up seamlessly with an “it’s obviously me” test.
The fact is we need to get a lot smarter when it comes to countering cybercrime, and we need to get on with it much more quickly. If we don’t, we’ll simply fall so far behind the cyber-criminals, who are getting more sophisticated at an alarming rate, we will never be able to catch up.