Fresh responses emerging to banking security

Security specialists are finding innovative ways of keeping the cyber criminals at bay

A couple of IT security companies, Tempest Security Intelligence of Brazil and Norwegian company Protectoria, who have ambitions to grow in this country got together at techUK’s London HQ to focus on innovations targeting financial institutions.

Protectoria, established in Norway in 2005 by Trond Lemberg, which is in the process of opening a London office, has observed that the Risk Model between the banks and their online users is under pressure by the new and advanced cyber criminals attacking payment services with greater and greater capabilities.

In other words, users are becoming fed up of the increasing hoops, friction and sometimes disputes of reactive anti-fraud methods which they have to jump through just to secure their bank accounts and money in transfer or getting legitimately refunded after online fraud. This is not good news for banks wanting to improve customer satisfaction, rationalise or outsource non-core business since more and more resources has to be allocated to work and processes caused by too weak and unsustainable online security  The ideal solution would be to resolve the friction in a user-friendly way and simultaneously reduce risks and costs enabling online banks to simply be better and more competitive. 

Lemberg, CEO of Protectoria, said: “Banks losses on card fraud in the UK in 2013 were £450m and now 44% of all claimed refunds by card holders are being denied. Researchers at Cambridge University have also found serious problems in chip and pin  implementations and its EMV Protocol - this means that we must find new fraud detection and proactive prevention methods.” According to KPMG a cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch.

Lemberg outlined the firms answer to the problem around phone technology which cuts down on the opportunity for man-in-the-middle attacks: new solution: “No secrets are shared over insecure environments so there is nothing to steal and misuse by unauthorised parties. The method can immediately be used internationally by any user with a phone and there are no logistics problems to overcome, no downloads, apps or tokens.

When a user needs to authorize a large online payment, a Protectoria Synthetic PIN server - at a network which is closely interconnected with the banks ‘infrastructure  - sends a unique sound down the line through the users devices  and is transmitted via the phone (mobile or landline) back to the banking infrastructure. All the user has to do is put their phone to the devices’ loudspeaker after getting the transaction details automatically and synthetically spoken. The sound, since it is unique, acts like a security code and identifies the user’s transaction as authentic.

The solution may also include voice biometrics, a technology which is fast becoming recognised by experts as superior to face recognition, iris recognition or pattern recognition as it is has better user acceptance and fits very well into concepts of end user multi factor authentication deployments. The user can be asked to repeat a series of random numbers or a phrase and the technology which then can determine whether you are genuine or a fraudster.

Alonso da Silva, technical manager of Brazilian security specialist Tempest Security Intelligence, which has been around for 14 years, two of them in the UK and has offices in London's Canary Wharf, talked about the growing importance of threat intelligence to major organisations. 

“We have known for a long time that building a fortress IT security mentality is as useful in today’s hostile environments as building medieval battlements with no roofs in the age of the Black Hawk attack helicopter - your enemies hover over you dropping bombs," he said.

“So if you are going to be attacked, as you indeed are, you need to have a better idea of who is going to do the attacking. In many recent attacks the NASDAQ prices of the companies went down - so it is safe to assume that those companies were shorted by their attackers. Threat-based defence means that we can provide a clear idea of who will be attacking you and you can concentrate on keeping them outside your perimeter” he added.

Tempest keeps track of what all the different specialists are up to; it knows when the criminals are going to attack and when the banking criminals are preparing to launch an offensive. He outlined a recent attack against credit cards which Tempest foiled: “We managed to find out very quickly after the first attack, reverse engineer their technology and provide a major international bank with a quick solution. We have also been able to help major media companies ensure that they knew about planned attacks, particularly by a well-known hacktivist group, before they could do significant damage."

With 600 new types of malware being identified every month it is good to know that companies are setting up operations in the UK and innovating against the rising tide of cyber crime. 

Read more on Threat Management Solutions and Services