Money-stealing Trojans be gone. When is the last time you logged into your online banking portal, made a payment transaction, and received a notification on your phone to validate the details of the transaction and tap approve? Better yet, when is the last time you had to use a physical hardware device to sign a transaction?
When you walk into a bank branch and request a high-value payment, a typical process involves the teller printing out a summary of the transaction for you to validate. Once you have reviewed it, you simply tell the teller to proceed. At this point, based on your validation, there is an inherent expectation that no one in the bank's back room is quietly hijacking the request and redirecting the funds to a different account. In online banking, this transaction validation step plays the same role: it is the control that catches fraud from sophisticated Trojans that alter a payment after you have entered it. Depending on where you are in the world, your daily online banking may already involve an out-of-band transaction validation and cryptographic signing step when you make a payment. For others, this extra step is unheard of: what do you mean I have to take an additional step to validate the transaction details of a payment I have already requested?
Having recently touched down in the Netherlands, I stopped into a cafe to grab my first Amsterdam espresso and figure out how long it would take to get an Uber. As I sat and sipped, the woman next to me sat intently at her laptop and took a piece of authentication hardware out of her purse. She appeared to be making a payment through her online bank, punching numbers into a separate hardware device to complete the transaction. The gray transaction signing device contrasted with what appeared to be a brand-new iPhone 6 Plus lying beside it. I wondered why she wasn't simply using her phone to finish the transaction.
Making payments through an online bank should be an easy and safe experience; after all, it's our money. As malware families continue to chart new territory, from the days of Zeus and Citadel to the likes of Tinba, stealthy Trojans don't make the process as easy as banks would like. Financial institutions have to play gatekeeper, asking us to revisit the age-old tug-of-war between convenience and security. Man-in-the-Browser (MITB) Trojans hook the browser itself, so they can rewrite the payee and amount after the victim enters them and before the request reaches the bank, while the browser keeps displaying the details the victim expects. The bank then receives a request for a mule account over the victim's own authenticated session and has no way to tell it apart from a legitimate payment.
In an effort to mitigate the risks posed by such money-stealing Trojans, some banks have adopted a layered transaction protection approach to counter MITB attacks. While some financial institutions are simply determined to raise their security maturity thanks to heightened awareness, others are satisfying regulations, such as PSD2, that call for more stringent controls; PSD2, for instance, requires strong customer authentication whose authentication code is dynamically linked to the amount and payee of the specific transaction. Ultimately, the appropriate level of control must both satisfy the regulation and reflect the bank's understanding of end user expectations: a swift transaction experience, security controls that keep their funds safe, and the convenience of an intuitive design flow. Security aside, a seamless user experience is what keeps a customer pleased with a service.
The rise of mobile smartphone technology paired with biometrics makes meeting end user expectations even easier. As Goode Intelligence puts it, 'biometrics is providing a credible solution to the twin problems of replacing weak password and pin authentication mechanisms and solving the mobile authentication dilemma: how to deliver convenient strong authentication solutions to smart devices'. Mobile Software Development Kits let financial institutions wrap their banking app in strong, transparent multi-factor, risk-based authentication and in transaction integrity: the user validates the transaction details and the app produces a cryptographic signature over them. Biometrics embedded through the Mobile SDK, such as a fingerprint or even a selfie-generated EyePrint, let the user authenticate swiftly. Built on the Mobile SDK, Transaction Signing provides integrity assurance, a cryptographic signature and authenticity for payment transactions, to combat fraud from advanced financial malware.
When a bank bakes this type of security into its mobile app, the end user wins. When a user makes a payment, a push notification arrives on their phone asking them to validate the payee and payment details. Crucially, the details shown on the phone are the ones the bank actually received, not the ones an infected browser displayed, so a payee swapped by a MITB Trojan is visible to the user before anything is approved. With a simple tap of approve, the transaction is signed cryptographically, binding the signature to exactly those details so they cannot be altered afterwards. Depending on the level of risk, the user takes a selfie or uses their fingerprint to authenticate, and the payment is completed securely.
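The flow in the paragraphs above, as an added example that is not RSA's code or part of the original post: a hypothetical bank pushes the transaction exactly as it received it to the enrolled phone, the user approves only what matches their intent, the phone signs those bytes, and the bank executes only a record that the signature covers. The Ed25519 key stands in for a key held in the handset's secure hardware, the `approve` callback stands in for the human review plus the biometric unlock (the risk-based step is not modelled), and the transaction format, field names and payee strings are all constructed for the example. The MITB scenario in `main()` shows why the out-of-band display matters: the tampered payee is what the phone shows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is what the bank will execute and the user must approve. The
// struct fixes field order, so json.Marshal is a stable canonical encoding
// for signing. Hypothetical format, not a real bank API.
type Transaction struct {
	ID       string `json:"id"` // server-issued, single use
	Payee    string `json:"payee"`
	Cents    int64  `json:"cents"`
	Currency string `json:"currency"`
}

func (t Transaction) canonical() []byte {
	b, _ := json.Marshal(t) // cannot fail for these field types
	return b
}

// MobileDevice models the enrolled phone: it holds the signing key and shows
// the pushed details to the user before it signs anything.
type MobileDevice struct {
	priv    ed25519.PrivateKey
	approve func(shown Transaction) bool // the user comparing details with intent
}

// Confirm signs exactly the bytes the user approved, or returns ok=false.
func (d *MobileDevice) Confirm(shown Transaction) (sig []byte, ok bool) {
	if !d.approve(shown) {
		return nil, false
	}
	return ed25519.Sign(d.priv, shown.canonical()), true
}

// Bank keeps the device public key registered at enrollment and executes a
// transaction only when the signature covers the record it is about to execute.
type Bank struct {
	devicePub ed25519.PublicKey
	usedIDs   map[string]bool
}

func (b *Bank) Execute(pending Transaction, sig []byte) error {
	if b.usedIDs[pending.ID] {
		return fmt.Errorf("replay: transaction %s already executed", pending.ID)
	}
	if !ed25519.Verify(b.devicePub, pending.canonical(), sig) {
		return fmt.Errorf("signature does not cover %s", pending.canonical())
	}
	b.usedIDs[pending.ID] = true
	return nil
}

// Session wires one user's phone and bank together; intended is what the user
// typed into the browser and will compare against on the phone.
type Session struct {
	phone *MobileDevice
	bank  *Bank
}

func NewSession(intended Transaction) *Session {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	user := func(shown Transaction) bool {
		return shown.Payee == intended.Payee &&
			shown.Cents == intended.Cents &&
			shown.Currency == intended.Currency
	}
	return &Session{
		phone: &MobileDevice{priv: priv, approve: user},
		bank:  &Bank{devicePub: pub, usedIDs: map[string]bool{}},
	}
}

// Pay runs the out-of-band flow for the transaction that actually reached the
// bank. submitted equals the user's intent unless a MITB Trojan rewrote it;
// the bank pushes what it received, so the phone shows any tampering.
func (s *Session) Pay(submitted Transaction) ([]byte, error) {
	sig, ok := s.phone.Confirm(submitted)
	if !ok {
		return nil, errors.New("user declined: pushed details do not match intent")
	}
	return sig, s.bank.Execute(submitted, sig)
}

func main() {
	intended := Transaction{ID: "tx-1", Payee: "Acme Energy BV", Cents: 12500, Currency: "EUR"}
	_, err := NewSession(intended).Pay(intended)
	fmt.Println("honest browser:", err)

	mule := intended // constructed MITB scenario: payee swapped for a mule account
	mule.Payee = "Mule Account 001"
	_, err = NewSession(intended).Pay(mule)
	fmt.Println("MITB-tampered payee:", err)
}
```

Two properties carry the protection: the phone displays the bank's copy of the transaction, so a swapped payee is caught by the user, and the signature is over the canonical bytes of that exact record, so a captured signature verifies neither against a modified transaction nor, thanks to the single-use ID, a second time against the same one.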
Convenience or security: the balancing act never ends, but consumers can have, and deserve, both. When financial institutions combine a cryptographically signed payment validation step with a follow-up biometric authentication in one simple, mobile-optimized workflow, end users can rid themselves of the extra transaction signing hardware, while banks mitigate fraud and keep their clients safe.
Author: Mathew Long
Category: RSA Fundamentals, Blog Post
Keywords: Biometrics, Secure Payment, Transaction Signing