Facets of financial fortification

Each time someone builds a fortress, there is someone else who wants to storm it


From biometrics to white hat hackers to pattern recognition, responsible companies in the finance space are serious about keeping your data and your money safe from digital predators.

Each time someone builds a fortress, there is someone else who wants to storm it — whether it is for political or financial gain, or simply because it is there. That is the assumption we operate on when it comes to security in the digital space, especially of user data and accounts.

Ironically, the task is made even more complex by the sheer ease offered by enabling financial transactions on a multiplicity of devices. And it can be further complicated by a consumer’s recklessness. As consumers, we often abdicate our responsibility to be vigilant about our own privacy and data. We sign into financial websites and neglect to log out; we use the same passwords across multiple accounts; leave our credentials lying around where criminals can access them; and more.

That’s understandable. After all, large payment institutions are the ones that first told us we could sit at home in our pyjamas and make our payments using our phones or laptops; or lie on a beach and buy a piña colada using a wearable device. Clearly, an armed guard at the door and a bulletproof glass cabin with a tiny aperture through which money is exchanged doesn’t cut it any more. For institutions engaged in payments, whether as acquirer processors or issuer processors, security concerns are growing ever larger. Deterrent, proactive and reactive security measures have to be applied at the processor, merchant and user levels.

Cameras and action

Primary members of international payments providers are required to be compliant with the most stringent security checks — the Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organisations that handle branded credit cards from the major card schemes.

Passing it forward, it makes sense to demand PCI DSS compliance from any merchant who wants to store payments data. After all, memories are still fresh of last year’s security breach at Target, one of the largest retailers in the US, which resulted in data on 40 million payment cards being stolen from its servers.

For institutions in the business of payments, it also pays to not be camera shy at the back end — facilities where payments are handled are usually monitored by closed-circuit cameras that capture all activity. At the system level, every single keystroke by each member of back-end staff is captured and stored. Penetration testing, intrusion testing and denial of service (DoS) testing methods are universally adopted by major institutions to ensure safety. After all, a system is only as good as its weakest link. And we know that those who want to storm the digital fortress — the hackers — are becoming more and more sophisticated in their methods and tools.

Black and white

Sometimes the best way to catch a thief is to set a thief. This is where we bring in the ‘white hat’ — Internet slang for an ethical computer hacker, a digital security expert who specialises in finding the weakest links by breaking through them.

Many companies that provide penetration and intrusion testing services hire white hats to replicate the modus operandi of the ‘black hats’, the hackers who break into systems with evil intent. The white hats will behave like black hats and try to find a way into a system. But then they will come back and tell you how successful they were, and where the vulnerabilities lie.

On the penetration tests that we run on a regular basis, the results reported by the white hats allow us to close any potential security gaps.

That’s the first step — not letting the criminals in. But we work on the assumption that, modern black hats being as advanced as they are, we may not be able to keep all intruders at bay. So the data stored on our systems is encrypted with the highest industry standard. For someone without the decryption key, it is gibberish.

Patterns and pauses

On a parallel track, we deploy the highest security standards available at the consumer end. From the basic hard-to-crack alphanumeric passwords to advanced biometrics, it is important for every single organisation to track and deploy the most advanced security.

At the same time, our security systems use algorithms based on pattern recognition. A good risk management system comes with fundamentals such as size checks and velocity checks. If, for instance, you always buy things that cost less than $500 (Dh1,830), and make no more than a couple of transactions a week, warning bells start ringing (metaphorically speaking, of course) if the system logs five back-to-back transactions of $5,000 each. Sure, it could be because you are planning a large party or getting married, but it could just as easily be because someone has penetrated your security by acquiring your plastic and passwords. A sentient system will not ignore such anomalies.
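The size and velocity checks described above, as an added illustration that is not the author's or Network International's own code: the baseline ($500 ceiling, a couple of transactions a week) and the sample transaction stream are constructed for the example, and the constant names and the `score_transactions` function are assumptions of this sketch, not a real product's API. The point a practitioner should take from it is that each flag is a signal for step-up verification or review, not an automatic decline, because the legitimate party planner in the text would trip exactly the same rules.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed per-customer baseline (a real system derives these from history).
SIZE_LIMIT = 500.0                  # usual purchase ceiling, in dollars
VELOCITY_LIMIT = 2                  # usual number of transactions per window
VELOCITY_WINDOW = timedelta(days=7) # "a couple of transactions a week"


def score_transactions(transactions):
    """Run size and velocity checks over a transaction stream.

    Returns a list of (transaction id, [flags]) for every transaction that
    tripped at least one check. The stream is sorted by timestamp so the
    sliding velocity window sees events in order.
    """
    window = deque()   # timestamps of recent transactions inside VELOCITY_WINDOW
    alerts = []
    for txn in sorted(transactions, key=lambda t: t["ts"]):
        flags = []

        # Size check: a single purchase far above the customer's usual ceiling.
        if txn["amount"] > SIZE_LIMIT:
            flags.append("size")

        # Velocity check: drop events older than the window, then count.
        while window and txn["ts"] - window[0] > VELOCITY_WINDOW:
            window.popleft()
        window.append(txn["ts"])
        if len(window) > VELOCITY_LIMIT:
            flags.append("velocity")

        if flags:
            alerts.append((txn["id"], flags))
    return alerts


def recommended_action(flags):
    """Map flags to a response: challenge the customer rather than decline.

    Two independent anomalies (big AND fast) warrant a hold pending review;
    a single anomaly warrants step-up authentication (an OTP, a call-back).
    """
    if len(flags) >= 2:
        return "hold_for_review"
    return "step_up_auth"


# Constructed sample stream: two ordinary purchases, then five back-to-back
# $5,000 purchases a few minutes apart, mirroring the scenario in the text.
_base = datetime(2024, 5, 1, 9, 0)
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "ts": _base, "amount": 42.0},
    {"id": "t2", "ts": _base + timedelta(days=3), "amount": 120.0},
] + [
    {"id": f"t{i}", "ts": _base + timedelta(days=9, minutes=5 * (i - 3)), "amount": 5000.0}
    for i in range(3, 8)
]

if __name__ == "__main__":
    for txn_id, flags in score_transactions(SAMPLE_TRANSACTIONS):
        print(txn_id, flags, "->", recommended_action(flags))
```

Running it flags `t3` on size alone (only two transactions fall inside the seven-day window at that point) and `t4` through `t7` on both size and velocity, so the first big purchase gets a step-up challenge and the rest are held. Real deployments tune the thresholds per customer and per merchant category rather than using fixed constants.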

Taking behaviour metrics a step ahead, algorithms are created based on the way you break in a new device. Like a favourite chair or a well-worn pair of shoes, it becomes used to you. Your identity is imprinted in the way you press the buttons or pause between actions. This becomes another authentication form factor, triggering an alert when it encounters an unfamiliar pattern.

A safe financial transaction is the end result of complex security systems working in conjunction to simplify the operation at the user level to just a click or tap. So you can sit back and enjoy that piña colada with no worries, mate.

Bhairav Trivedi is Chief Executive Officer of Network International.
