In 2017, we’ve seen several major banks roll out new ATM technology that uses authentication on mobile phones, allowing customers to get services without using a physical card.
The move from the vulnerable plastic card to a digitized version that can be better secured is great and the shape of things to come, but digital security remains at the “minimum requirement” level at banks, which exposes the entire industry and creates a lack of trust in digitization. A good example of this is the recent digital ATM breach at Chase. (Chase has reportedly made security improvements since the incident.)
It is important for our industry to get mobile and digital correct at the start, and we need to do much better at what the industry calls its “minimum security” requirement.
Let’s look at two great examples: First, the freshly publicized yet old SS7 vulnerability, which shows that one time passwords sent by SMS are not reliable. And in many cases, they are not a trusted mechanism for second factor authentication. Then, why are we using text? For several reasons: We understand it, it is old, cheap, easy to explain and the buzzword “two factor authentication” sounds innovative and secure.
It’s worth noting that strong secure second factor authentication currently requires access to a hardware secure container (chip-SIM card) on the end points or mobile device where you can store a reliable authentication factor that cannot be tampered with. With that, SMS becomes our “minimum security requirement” that doesn’t contain many account breaches for large sums money that are starting to surface.
And while many tout the cloud as the ultimate protector, nothing can really protect a valuable piece of data on a device using only a cloud-based solution. Once you are offline, any hacker can pull that information off your phone remotely and reuse it to drain your account.
Then there is white box encryption, which is a great sounding name for a security mechanism that is better explained as an obfuscation mechanism. Think of it as hiding a needle in haystack, keeping in mind that hackers are really good at finding needles.
Then why even use white box encryption? For the same reasons mentioned above. It’s easy and it sounds secure, so white box encryption becomes our “minimum security requirement."
So what do we do? Real innovation requires us to step away from “minimum security requirements” and jump into deploying bold new technologies that are practical today. Protecting data on mobile and IoT devices cannot be achieved by bending legacy ideas to do so, instead it requires new and innovative platforms that are designed for the new world of connected devices.