Wearables have been used to track our steps, deliver emails to our wrists and monitor our sun exposure. But now connected devices on our bodies could help us access online banking systems.
Nymi, taken from the Greek suffix -onym for name, is experimenting with a system that lets people prove who they are with their heartbeat. Halifax, part of UK bank Lloyds, Canada’s RBC and MasterCard are partners.
Everyone’s heartbeat is individual to them, so by wearing a wristband that transmits the signal to the device being used for online banking, or even a till at a checkout, you can prove your identity.
Shawn Chance, vice-president of marketing and business development at Nymi, says the company aims to “make all the passwords go away”. “The idea of a password being used for security is almost eroded,” he says. He adds that people tend to keep a note of their passwords in insecure places.
Banks want to better secure their systems from hackers, who, like latter-day bank robbers, are attracted to the money in their — now digital — vaults. There are also more sophisticated nation-state attackers who desire not only cash but data, and who seek to make a political impact by targeting an adversary’s most prestigious financial institutions.
Many banks are cautious about putting any extra burden on consumers, already stressed by remembering codes and passwords, and who prioritise convenient and easy access to their money over security.
Even Nymi is unlikely to be accepted as a wearable given its limited use. “We don’t have any illusions that, in order for the device to be useful for an everyday person, it has to do a lot more than get you into online banking,” Mr Chance says. So the company is making wristbands for employees that allow or restrict access to parts of the office or IT network as an additional feature.
Banking is often held up as the sector that has devoted great amounts of time and resources to cyber security. But the threat facing institutions is also changing fast, forcing them to regularly seek out new solutions.
Tammy Moskites, chief information security officer at Venafi, a digital security company that works with four of the top five US banks, says the types of attacks have changed since she worked in information security for banks six years ago.
In the past, she says: “What we found ... was attacks were on online banking, wire transfers, man-in-the-middle phishing-type attacks, about intercepting or redirecting money, sending it to Nigeria, rather than to payroll.”
Now attackers are using techniques that are harder to detect: “The nation state type of attack is just stealing this information to show they can do it ... the money is usually redirected to support the crazies of the world, terrorists, people causing havoc.”
But as banks have moved towards greater encryption in the effort to keep data safe — even if it is stolen — they have created another problem. They cannot see what is moving in and out of their networks because it is encrypted.
“Banks, as well as other companies in general, encrypt more and more of their data,” Ms Moskites says. “In the past, it was just the most critical information, things required by regulators, now they are going above and beyond that. However, when it is leaving their environment, the tools notoriously don’t see that data, [making banks blind] to potential problems.”
Some banks are trying to address this by making sure they know what is encrypted and why, and are looking at ways to decrypt it briefly as it leaves the network.
Mark Nicholson, chief operating officer at Deloitte cyber security practice Vigilant, says banks are increasingly turning to analytics to try to identify who is moving money without placing a burden on their customers.
“What we’re seeing is an unwillingness to implement technologies which would cause friction to the consumer,” he says. “So they are using analytics on transactions to understand if certain types of transaction look anomalous — from a profile and history of the times of day you usually transact, from which general internet provider address, browser, machine details, etc.”
US-based Vasco Data Security works with more than half of the world’s banks to prevent account takeover and transaction tampering for online and mobile banking. John Gunn, a vice-president at Vasco, says US consumers are more focused on convenience and service than security because they have no lasting exposure to losses from hacking or fraud. “Here in the US, consumers don’t care as much because their status as a victim is quickly and painlessly alleviated by their bank, and usually within 24 hours,” he says.
As a result, Vasco has to focus on verifying customers’ identities discreetly and it has about 20 ways to authenticate a mobile banking customer. “Most of them are done in the background, without the user even knowing they are happening,” Mr Gunn says.
— Financial Times