Banking

HOW BANKS CAN COMBAT MAN IN THE MIDDLE ATTACKS

– David Vergara, Senior Director of Product Marketing, OneSpan

Digital banking has soared in popularity over the last few years, and it is showing no signs of slowing down. A report looking at the UK finance landscape in 2020 found that only 7.7% of UK banking customers prefer in-branch visits, with the vast majority preferring to use online or mobile channels. As a result, bank branches across the UK have been closing down, with Which? estimating that the UK’s bank branch network has shrunk by a third in the past five years. This year alone 247 branch closures are due in the UK.

This trend towards digital has been fuelled by the customer-centric digital only challenger banks, such as Monzo, Revolut and Starling, who claim close to 20 million customers between them. In recent months, the global coronavirus pandemic has also forced many consumers to adopt digital banking platforms if they weren’t using them before as stay-at-home measures have prevented easy access to bank branches.

While digital banking has increased the overall customer experience, it’s also widened the target of attack for cybercriminals, with threats such as man-in-the-browser or man-in-the-middle attacks becoming more common, and having serious consequences for customers. Fortunately, there are a range of technologies banks can implement to help defend against such threats without compromising the user experience of digital banking.

Man in the middle attacks

These attacks occur when a cyber-criminal is able to intercept communications between a customer’s device and the banking server. The criminal is then able to alter the details of the transaction, such as the amount and intended bank account, without the customer noticing. As a result, a standard £100 transaction could turn into a £10,000 transaction that’s wired directly into the criminals’ bank account.

There are several ways criminals can intercept communications, but one common example is when a customer is using a public WiFi hotspot. These are often insecure, and are easy for cybercriminals to infiltrate. So when a customer makes a transaction using a public WiFi network, they may be unknowingly sharing sensitive financial transaction data through a network controlled by a cybercriminal.

Combatting man in the middle attacks through regulation

In Europe, the Revised Payment Services Directive (PSD2) has pushed banks and financial institutions to evolve their online and mobile banking offerings, introducing a range of security requirements designed to counter man in the middle attacks.

For example, PSD2 has set out requirements for Strong Customer Authentication (SCA) in addition to dynamic linking, which is also known as transaction data signing. The dynamic linking requirement protects a transaction in three parts. First, it requires that the payer authenticate the transaction data they’ve inputted such as the amount and the payee and confirm that it’s correct. An authentication code is then generated that links to the transaction data, so that any change in transaction details would invalidate the code.

Second, the confidentiality and integrity of the transaction data needs to be protected throughout the authentication process, so a bad actor cannot intercept and alter the details. This ensures the authentication code is generated based on authentic transaction details.

Finally, the customer needs to be aware of the transaction data they are asked to authenticate. This means that the transaction data needs to be presented to the customer at the time of authorisation.

Combatting man in the middle attacks through technology

Cronto technology is one way banks can verifying transactions and protect customers against man in the middle attacks. Cronto is available through a mobile app and secures the communication channel between the customer and the bank to protect the transaction data from being altered. The data is then presented in plain-text so the user can confirm it corresponds with their intended transaction before generating an authentication code based on the transaction’s details.

Only the bank is able to generate this code and it can only be decrypted by the user’s mobile device. This unique approach to transaction verification simplifies the experience because it reduces the user interaction required to authenticate a transaction – customers simply point their phone at the screen to scan the image – essentially a colour QR-like image – and enter a response code into the browser. This allows all of the encrypted transaction details to be communicated between the bank and customer without the risk of interception or tampering by hackers.

As a result, banks can offer a quick, user-friendly security solution that protects customers, ensures compliance and ultimately improves the user experience.

Banking

SEIZING THE OPEN BANKING OPPORTUNITY

Nick Maynard is a Lead Analyst at Juniper Research

Open Banking has made significant progress in 2020, having recently launched across much of Europe and now starting to emerge in other markets too. And there are two primary reasons why Open Banking is disrupting the banking industry so much:

Banks have begun to discover the real competitive advantage of a more open approach to banking. Offering a superior Open Banking experience to customers can be a compelling differentiator from other competitors as part of a wider digital app experience. Open Banking also creates a level playing field in markets where regulatory intervention has led to Open Banking deployment. As all banks are required to deploy APIs in this scenario, the situation is the same and does not put any one particular bank at a disadvantage.
Legislation – for example, in October 2015, the European Parliament adopted PSD2 (the revised Payment Services Directive). By early 2020, major banks in the EU had adopted Open APIs. There have however been many cases of late deployments of APIs and problems with the availability of APIs.

Nick Maynard

The Disruption Factor

Open Banking is a major disruptive factor for banks. The reason for this being that it opens up account data to both AISPs (Account Information Service Providers) and PISPs (Payment Initiation Service Providers), which can attempt to carve out a role in the banking area.

AISPs: These new vendors are able to access transaction data and balance information, as well as related information. This has, in particular, led to the rise of vendors such as Emma, Yolt and Connected Money. These vendors combine information from multiple sources, adding value to the user.
PISPs: In this case, the vendors are able to leverage Open Banking API connections to initiate payments directly from the bank accounts in question. This means that these players are able to bypass traditional payment methods, such as cards. Vendors such as American Express and PayPal have already launched solutions that have taken full advantage of this action.

PSD2 Changes

Generally, the implementation of the new PSD2 European regulation for electronic payment services effectively reduces the entry barriers for new digital players. It also opens up banks to the potential for competition, enabled by their own APIs. This allows these players to compete with existing services in fields currently offered by the banks. In the case of AISPs, it is possible that third-party applications could displace the role of the apps from incumbent players, which would dilute the bank’s relationship with their users.

As with any fundamental change to markets in the banking area, there is the potential to bring a number of both opportunities and challenges to consider with Open Banking.

Open Banking Opportunities & Challenges to Consider

Source: Juniper Research

Banks and other parties that are looking to become involved in the Open Banking ecosystem must weigh these opportunities and challenges carefully. Open Banking certainly needs a more collaborative approach than traditional banking models, which will require significant effort to make them successful.

The Forecast for Open Banking

The total number of Open Banking users is set to double between 2019 and 2021, reaching 40 million in 2021 from 18 million in 2019. The ongoing Coronavirus pandemic is increasing the need for consumers to have the clarity of combining their accounts and gaining insight on their financial health, and also boosting momentum in the adoption of Open Banking.

This extraordinary growth is being driven by Europe, where the regulator-led approach to Open Banking has created a standardised market, with low barriers to entry. This contrasts with markets like the US, where a lack of central regulatory intervention is limiting growth potential.

Open Banking – Delivering Opportunities and Threats

It is worth noting that Open Banking can be both a threat and an opportunity for traditional banks. While Open Banking exposes user information and access to potential competitors, this threat has the potential to affect all players in the market equally. Consequently, established banks must create innovative Open Banking services that will provide benefits for the user, while also attracting customers from less innovative competitors.

Payments will be critical to the emerging Open Banking ecosystem; accounting for over $9 billion in transaction value in 2024. However, payments in this ecosystem are at a particularly early stage. While eCommerce is dominated by card networks, there is the potential that this role will be eroded over time by ‘direct from account’ payments. Consequently, card networks should look to offer Open Banking-enabled payment services, in order to offset the risk of future disruption.

Open Banking Users in 2021 (m), Split by 8 Key Regions: 40 Million

Source: Juniper Research

Banking

2021: THE NEW-NORMAL LIFECYCLE FOR BANKING

Laura Crozier, Global Director of Industry Solutions, Financial Services at Software AG

It would be impossible to talk about predictions for the banking industry in 2021 without mentioning the cataclysmic impact that 2020 and the pandemic has had on people, businesses and countries.

Unlike with the global financial crisis, banks have been able to step up as “good guys” this time around, rebuilding their reputations as well as accelerating digital transformation. One of the main outcomes is increasingly smart, efficient online payments.

In 2020, the banking industry innovated like never before. This is the new normal. Overall, customers and society will be the beneficiaries from the changing industry. Here are my predictions:

Reputations are reborn

Banks across the globe pulled out the stops to integrate and adapt systems and processes to help customers during the pandemic. They offered accommodations in loans, assisted governments with the distribution of financial relief, and supported consumers by upping contactless spending limits and virtual deposits.

In 2021, banks will risk losing that rosy glow as economic circumstances drive them to deal with non-performing loans, mortgage foreclosures, layoffs etc. But, beyond their role in society as providers of capital and liquidity, banks will invest to sustain their reputations as trusted and good corporate citizens and use their power to persuade their customers and providers to adopt higher environmental and ethical standards. This will be in the areas of bank carbon-neutrality, sustainable financing, serving the unbanked, diversity and gender equality (as the number of women running a major global bank will double from one (Jane Fraser at Citi) to two). It’s a start.

Coming of age in the way of working

Back in Q1, when bank employees cranked up their laptops on their dining room tables, banks that were strategically undertaking business transformation accelerated their efforts. Those that were tactical, or on the fence, now understand with painful clarity that this work must be undertaken strategically.

Cracks in process and the way of working and their resulting risks can be crippling. Especially from a back-office perspective, it is not enough to rely on “organisational memory” and collegial proximity for work to get done right. Advanced banks pushed the boundaries of remote work, and the proof of concept was successful. So, they’re doubling down on developing digital twins and moving to the cloud. They’re adopting the hybrid office/WFH approach to reduce health risks and reduce cost permanently. The watercooler will never be the same.

The death of cash

Ok, maybe the rumours of the death of cash are a bit exaggerated since there will always be the need for cash (and, to some extent checks; the USA, for example, cannot seem to live without them). But the pandemic has permanently changed the way that consumers and small businesses bank, and the demotion of cash has been accelerated by a decade by the pandemic. For example, the Norwegian central bank said that cash payments in that country have plummeted to just 4% of transactions since March.

Implications? It will be critical to continue evolving payments to be smart, safe and flexible to compete in new world, in both retail and commercial banking. Also, the permanent change in the mix of channels will see banks’ face-to-face engagement with customers fade. Branches aren’t going to go away entirely, but they will be reserved for high value activities – by appointment only. To compensate, the personal touch has to be delivered digitally and intelligently.

The role of the bank as a “financial wellness partner” is being born. Banks will use customers’ data, not just to personalise and differentiate banking experiences, but to make recommendations for products and services beyond traditional banking from across their ecosystem to serve their customers well. Just as customers own their cash (physical or digital), in the future they will demand that they own their data (and can share it with whom they choose). Then retail and commercial clients will share their data in return for value.