I’ve been following the outcomes from Operation Waking Shark II with interest. This was an exercise that ran at the tail end of last year to test the readiness of the UK’s financial infrastructure in the event of a hostile country launching an all-out cyber-attack on our critical financial infrastructure.
The scenario involved simulating a three-day attack on our financial system, including denial of service attacks on the global websites of major banks, the penetration of secure networks by hackers, and problems with core payment systems. 220 people were involved in this war game exercise, which included 14 investment banks and major lenders, as well as providers of financial infrastructure and representatives of the Bank of England, the Financial Conduct Authority and the Treasury.
I am in favour of such exercises and believe that these types of events should be repeated with much more regularity to ensure that we are adequately testing our defences. Cyber-attacks have long been identified as one of the biggest problems for our banking industry, and major financial services groups face regular attacks on their systems from a variety of sources, including both criminal gangs and foreign governments. Most of these attacks are relatively small-scale, but some have led to severe security breaches and the collapse of core systems.
The problem will only increase as we now face exponential growth in identities, both in the number and in the types of identity (people, devices, apps, social, mobile and cloud), all of which have the potential to be compromised. Attacks continue to grow in sophistication. No longer a playground for juvenile hackers, we now have nation-states, organised crime and hacktivists to contend with.
Of course all the traditional forms of protection such as anti-virus, next generation firewalls and so on are completely necessary. Such measures, however, will only protect a bank against 80 to 90% of attacks. It is the 10 to 20% of attacks that make it through where banks need to focus on protecting the identities and the transactions of individuals, and that is an area Waking Shark hasn’t particularly focused on.
Today’s threats require stronger means of authentication than simple usernames and passwords, particularly for high risk financial transactions such as wire transfers. Single factor authentication is not enough to protect against current online account fraud and identity attacks.
Typically, the strong authentication methods used today involve multi-factor rather than single-factor authentication, delivered over a communication channel that is itself secure. For example, SMS, while an improvement on a single factor, is a channel that can be compromised and is not truly strong authentication, whereas Mobile OTP (one-time password) and Mobile SC (Smart Credential) are.
Advanced authentication methods take this a step further: Mobile OTP and Smart Credential are used for transaction verification, and a form of biometrics is used in place of a PIN. For example, fingerprint, eyeprint, voiceprint, facial recognition, gesturing or a combination of these are used.
In general, today’s banks are relying on usernames/passwords and then possibly some form of knowledge-based authentication (e.g. question and answer, password replay, PIN). Online fraud and identity attacks are frequently the result of the exploitation of single-factor authentication or weak multi-factor authentication schemes.
In my experience, authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods, and I would urge banks to look at strong and advanced authentication layers. Layering factors of authentication can increase security and help limit vulnerability to identity attacks. Properly designed and implemented strong and advanced authentication methods are more reliable and are stronger deterrents to fraud.
If that is the case, the question is why many banks don’t deploy more effective strong and advanced authentication today. Most financial institutions manage risk through business means, and on that basis most have considered this level of security a low priority given the cost and resources required to manage and deploy strong and advanced authentication solutions.
In addition, traditional solutions have not always provided the flexibility and ease of use needed. Banks have seen security as a way to protect themselves, rather than as a means to build customer loyalty and competitive advantage in the marketplace. Often, worries that users will find the process of authenticating with multiple factors complicated or intimidating have inhibited the use of these authentication methods.
But as risks increase, the true importance and necessity of strong and advanced authentication are much clearer. That said, the issue of user acceptance must remain in the forefront of all authentication decisions. Determining which additional factors to apply and how to implement them with the least possible stress on users requires a thorough assessment of risk, careful selection and planning.
There are many authentication methods, ranging from simple single-factor authentication in the form of usernames and passwords to sophisticated strong and advanced authentication mechanisms. Each method delivers a different balance point between cost, security and user complexity. With malware, phishing and online attacks set to increase, it is vital that consumer confidence is maintained and that online identities are protected.
At the same time, user acceptance must remain at the forefront of all authentication decisions. An effective strong and advanced authentication deployment must be easy to use and have customer acceptance no matter how many or which factors are being used; otherwise it will create other issues for banks.
Moving forward, I believe that exercises like Waking Shark also need to look at all areas of security, including authentication, rather than just the big cyber-attacks. I recommend a layered approach to security. Firewalls, endpoint security (AV), network monitoring and other technologies are all useful tools. But people and policies are just as important as the tools, and enterprises can employ all of these layers and still only have 80 to 90% protection. Protecting the identity, we believe, is still missing from many security layering strategies and must be addressed.