Robbing a bank used to be a physical endeavor. You either donned a mask, secured a getaway driver and went in guns blazing; or you burrowed a hole into the bank from an adjoining building in the middle of the night and cracked the safe — at least according to the movies. Either way, you risked life and limb and success was a long shot.
Today that’s all changed. Robbing a financial institution is easily accomplished using a computer. You eliminate the physical risks, and success becomes simply a matter of outsmarting the network security systems. The risk-to-reward ratio is appealing and seems to spark creative new approaches almost daily.
For example, earlier this month, according to the cybersecurity blog Krebs on Security and as reported by The Verge, the FBI was tipped off that cybercriminals would soon attempt to hack payment card processors or banks, and use ATMs all over the world to withdraw millions of dollars over the course of a few hours. Here’s how it was going to work, according to Krebs on Security: The criminals would compromise a bank or card processor with malware to gain access to bank users’ card numbers. They’d use their access to alter ATM withdrawal limits and account balances, allowing them to withdraw as much money as each ATM possessed. Then, the criminals would send the card data to accomplices who would imprint the data onto reusable magnetic stripe cards like gift cards. At a coordinated time, the accomplices would withdraw funds from ATMs around the globe using the fake cards.
That’s just one example of cybercriminal creativity targeting banks. In April, cybercriminals went after the SPEI system (interbank electronic payments system), which allows users to electronically transfer money between deposit accounts through a private, encrypted network operated by Mexico’s central bank. And Russian bank officials recently revealed hackers stole over $17 million from the country’s banks in 2017 using the Cobalt Strike security testing tool.
Although financial institutions constantly invest in new software and new methods to thwart electronic attacks, they are always playing catch-up to savvy thieves. And while some cybercriminals go after big payoffs like those mentioned previously, small-to-medium-sized financial institutions are actually the most vulnerable, according to the FBI, “likely due to less robust implementation of cyber security controls, budgets or third-party vendor vulnerabilities.” The FBI also said it expects the ubiquity of this activity to “possibly increase in the near future.”
Getting a handle on this risk means we can’t rely on traditional cybersecurity methods alone anymore. To keep up with savvy cybercriminals, we’ll have to use more sophisticated protection methods, such as biometrics.
There are some great examples of financial institutions that are already using biometrics to make a positive – and more secure – impact on finance. And most of the solutions find a way around the two most common biometric hurdles: expense and inconvenience.
For example, KB Kookmin Bank in Korea is using iris scanners to authenticate customers. The function is made possible by Samsung Pass API, an app that enables Samsung partners to leverage an iris scanner already included in Galaxy S8 phones for user authentication.
Elsewhere, Citibank is using voice biometrics to automatically identify a customer while he or she speaks to a customer service representative over the phone. It takes less than one minute for a customer to set up a voiceprint, which can then be utilized each time they contact the bank afterwards.
PyraMax Bank, a federally chartered mutual savings bank based in Wisconsin, is using Fiserv’s DNA account processing platform, which authenticates customers by examining their palm vein pattern as they wave their hand over an infrared sensor.
Finally, the Royal Bank of Scotland began using behavioral biometrics two years ago on private bank accounts for wealthy customers and is now expanding the system to over 18 million business and retail accounts. Behavioral biometrics are collected via sensors in a mobile phone or code on a website. The software quietly records that person’s gestures and builds a profile. Those gestures can include things like the rhythm of keystrokes, the way a user holds and moves the mouse, etc. On a smartphone, data points collected can include how a person swipes the screen, or even the angle at which he or she holds their phone. Leveraging those tools, a company can gather thousands of data points. That profile is then compared against the customer’s movements every time they return to the website or app. If something looks out of whack, the system can alert the organization that an unauthorized user may be trying to access the account.
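To make the profile-and-compare step concrete, here is an added example (not code from the Royal Bank of Scotland or any vendor named in this article) that builds a keystroke-rhythm profile from enrolment sessions and scores a returning session against it. The function names, the 3.0 threshold, the 5 ms variance floor and all timing values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Assumed floor: a very consistent typist would otherwise yield huge z-scores
MIN_STD_MS = 5.0

def build_profile(sessions):
    """Per-position (mean, std) of inter-key intervals in ms over enrolment sessions."""
    if len(sessions) < 3:
        raise ValueError("need at least 3 enrolment sessions")
    if len({len(s) for s in sessions}) != 1:
        raise ValueError("sessions must cover the same key sequence")
    # zip(*sessions) groups the intervals observed at the same key position
    return [(mean(col), max(stdev(col), MIN_STD_MS)) for col in zip(*sessions)]

def deviation_score(profile, sample):
    """Mean absolute z-score of a returning session against the stored profile."""
    if len(sample) != len(profile):
        return float("inf")  # different key sequence: cannot match the profile
    return mean(abs(x - mu) / sd for x, (mu, sd) in zip(sample, profile))

def is_suspicious(profile, sample, threshold=3.0):
    """True when the session's typing rhythm is far from the enrolled rhythm."""
    return deviation_score(profile, sample) > threshold

# Constructed sample data: intervals (ms) between keystrokes of one fixed phrase
ENROLMENT = [
    [120, 95, 180, 110, 140],
    [125, 90, 175, 115, 150],
    [118, 99, 185, 105, 145],
    [122, 93, 178, 112, 138],
]
SAME_USER = [121, 96, 182, 108, 143]   # close to the enrolled rhythm
OTHER_USER = [210, 160, 90, 240, 70]   # same phrase, very different rhythm

if __name__ == "__main__":
    profile = build_profile(ENROLMENT)
    for label, session in (("same user", SAME_USER), ("other user", OTHER_USER)):
        score = deviation_score(profile, session)
        print(f"{label}: score={score:.2f} suspicious={is_suspicious(profile, session)}")
```

A production system would combine many such signals (mouse movement, swipe patterns, device angle) and treat a high score as a trigger for step-up authentication or review rather than as proof of fraud.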
When I log into my bank account today, a simple user name and password is all I need to access my accounts, make transfers or pay bills. And while that’s easy enough, it also concerns me. Given the current cybersecurity landscape, and the growing numbers of brazen heists, it will take more to ensure my peace of mind. Hopefully biometrics – and the unique and creative ways financial institutions are beginning to use them – will get us there.