According to the Federal Reserve, more than half of smartphone owners used mobile banking applications in the year ending March 2014, showcasing how technology is changing the way consumers access financial services. From checking account balances to making mobile payments, consumers demand reliable and secure access to financial services on the go.
Credit unions that offer services such as mobile banking will have a competitive advantage by providing additional touch points, delivering a top-notch customer experience and engaging with customers via their preferred method of banking. However, embracing new technology also adds new challenges in the form of data security, potential internal threats and Distributed Denial of Service (DDoS) attacks. The same Federal Reserve report indicates that only 15% of mobile banking users and 2% of non-mobile banking users consider mobile banking very safe. This is not a striking endorsement for mobile banking security and could limit or delay customer adoption of such convenient applications. Credit unions must also focus on the appropriate security measures to ensure they are delivering the best customer experience.
The DDoS Problem
DDoS attacks can drastically impact the access to a financial institution's website and mobile app. DDoS attacks slow or stop server performance by flooding servers with bad requests to consume network and computing resources, which ultimately prevents users from accessing the services they need.
Even if credit unions invest in high-quality mobile experiences for their users, if they can't access their accounts, they won't get to experience it. Additionally, hackers have been known to use DDoS attacks as a distraction to cover the fact that they are simultaneously stealing electronic funds.
These attacks can have a major impact on a credit union's bottom line by not allowing customers to make transactions, not to mention the damage to the company's reputation from its website or mobile app being down. According to the hackers themselves, each minute of downtime during a DDoS attack costs a U.S. bank about $30,000.
During a DDoS attack, hackers typically target flaws in the Secure Sockets Layer (SSL) encryption technology, which is meant to protect data between the mobile app and a server. SSL and Transport Layer Security (TLS) encryption typically uses port 443 for communications, which hackers can easily find, since it is a fixed port. Outdated SSL/TLS implementations have been a target for notable backdoor and vulnerability exploits over the years: some hijack the SSL/TLS handshake, others attempt to exploit potential backdoors left by improper SSL/TLS installations, and others target the public-key cryptography used for key exchange, the weakest link in the protocol.
A better solution for credit unions and other financial services institutions should offer a more robust key exchange process that makes it virtually impossible for potential man-in-the-middle attacks (device sitting between the client and the server) to compromise the secure session. New end-to-end encryption solutions offer this option, and allow the financial services company to choose and configure a port from a predefined list.
Threats from External Hackers
Besides being embarrassing, data breaches also are extremely expensive, as recent breaches to high profile financial services companies such as JPMorgan Chase have shown. For example, two Ponemon Institute studies determined that each lost or stolen customer record costs $201.18. A breach involving 50 million customers — the size of recent hacks on major financial services firms — would cost the company involved more than $10 billion.
The financial services sector saw 642 security incidents in 2014, 277 of them with confirmed data loss, according to Verizon's 2015 Data Breach Investigations Report, showing that these attacks are not one-off occurrences. In fact, the financial services sector is typically one of the most targeted verticals for security breaches.
By implementing Encryption as a Service (EaaS), credit unions and other financial services companies can achieve the benefits from moving to new technologies such as mobile banking, while still mitigating risks of external breaches. In addition, financial services companies can remain in compliance with regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), which are extremely stringent.
For example, an organization can implement encryption for cardholders' primary account numbers (PANs), so that even if a hacker gets PANs, they're unreadable. This eliminates the cost, risk and hassle for the financial institution and its customers.
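As an added example that is not code from the article or from CENTRI, here is how a credit union's own service could apply the PAN protection described above using Go's standard library: the stored row keeps only a PCI-style masked PAN and an AES-GCM ciphertext bound to the customer record, so a stolen row yields no usable card number. The Vault type, the record IDs and the test PAN are constructed for illustration, and the key is assumed to come from an external key service in a real EaaS deployment.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Vault wraps the AES-GCM data-encryption key an EaaS provider or HSM would hold.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead}, err
}

// Protect returns what is stored instead of the PAN: a PCI-style mask (first six,
// last four) and the ciphertext, nonce prepended, bound to the record ID as AAD.
func (v *Vault) Protect(recordID, pan string) (masked string, ct []byte, err error) {
	if len(pan) < 13 || len(pan) > 19 || strings.Trim(pan, "0123456789") != "" {
		return "", nil, fmt.Errorf("invalid PAN")
	}
	masked = pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
	nonce := make([]byte, v.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return masked, v.aead.Seal(nonce, nonce, []byte(pan), []byte(recordID)), nil
}

// Reveal decrypts; it fails on a wrong key, tampered bytes or a ciphertext moved to another record.
func (v *Vault) Reveal(recordID string, ct []byte) (string, error) {
	if n := v.aead.NonceSize(); len(ct) >= n {
		pt, err := v.aead.Open(nil, ct[:n], ct[n:], []byte(recordID))
		return string(pt), err
	}
	return "", fmt.Errorf("ciphertext too short")
}

func main() {
	v, _ := NewVault(make([]byte, 32)) // constructed all-zero demo key; use a managed key in practice
	masked, ct, _ := v.Protect("cust-1001", "4111111111111111") // constructed test PAN
	fmt.Printf("stored row: %s %x\n", masked, ct)              // no plaintext PAN at rest
}
```

Because the record ID is authenticated data, a ciphertext copied from one customer's row into another's fails to decrypt, which also makes silent substitution in the database detectable.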
Combating Internal Attacks
Not to be overlooked, internal breaches can be equally detrimental. According to Computer Business Review Online, more than 63% of financial services firms say they've had multiple accidental internal breaches over the past 12 months, such as lost laptops containing unencrypted customer data. The research also found that rogue devices and applications fueled a 12% increase in online account fraud.
It is critical that credit unions and financial services companies secure customer data from internal employees — both rogue and careless — as well as file storage. They can do this with end-to-end encryption solutions that secure all of the data — while in transit, at rest and at the end point. Any weak point in the transfer of data could provide an opening for internal breaches of a company's information.
Better Security to Sleep Well
It is evident that new technologies such as mobile banking are becoming the preferred transaction method for customers, and credit unions that do not move with the times will be left behind. However, credit unions must take into account the serious threats of both internal and external security breaches, as well as DDoS attacks that can greatly affect an organization's bottom line and reputation. By implementing end-to-end encryption as a service, credit unions and other organizations can achieve the benefits of adopting new technology, with no tradeoffs in security, user experience and cost.
Vaughan Emery is president and CEO of CENTRI Technology, Seattle.