Dollars and Sense: Ensuring Financial Data Security in Today's Insecure World

From EMV chips to biometrics, financial institutions now employ an array of emerging technologies to assure customers that their interests and investments are protected to the greatest extent.

Earlier this year, major U.S. credit card providers agreed to adopt EMV technology in an effort to protect consumer data and curb future security breaches. From MasterCard and Visa to Discover and American Express, these leaders adopted this new standard in data security to guard against fraud and identity theft. Yet, while the transition from magnetic stripe to chip-enabled cards demonstrates the overarching vigilance and activity within the financial services industry, banks have many safety elements to consider when it comes to defending consumer data.

For companies across industries, developing consistent customer experiences regardless of channel or business unit has become imperative. But, as Brett Beranek, director of product strategy for voice biometrics at Nuance, explains, financial institutions struggle to offset inconsistent identification and authentication processes, for these outdated methods create significant security challenges and safety gaps. Fraudsters naturally migrate to the weakest channel or operating group, as these points of entry serve as an ideal target. To strengthen their weak points of entry, many banks have implemented multi-layer authentication processes via mobile app, which use device identification, contextual factors, and knowledge-based credentials to secure access. However, as Beranek notes, banks have yet to deploy such measures in their contact centers, making it even easier for fraudsters to compromise this channel.

Greg Mancusi-Ungaro, CMO at BrandProtect, emphasizes that the traditional security perimeter has become less formidable and more porous as people and devices cross the boundary constantly. Employees and customers constantly connect with their preferred institution from outside locations, while employees regularly connect to outside locations when physically at work, making each individual a possible conduit into a banking system or assets and ultimately shifting the cyber battleground dramatically. Therefore, it's no longer enough for security teams to mount cyber defenses solely at the perimeter. Instead, teams must extend their attack monitoring and defense techniques directly into the homes and workplaces of their depositors and employees.

"Breaches don't happen overnight," Mancusi-Ungaro adds. "They are the last phase of a process that has usually occurred over many weeks, if not months. The initial phases of the process-attacks against mobile devices, social domain fraud, and rogue domain creation-can often be detected and mitigated before the devastating final attack is launched. Institutions that do a better job of detecting and mitigating the early phases of the attack make themselves difficult targets. By being proactive and making efforts to stop phishing, mobile, social domain, and domain abuse incidents quickly, institutions are effectively encouraging cybercriminals to look elsewhere."

Throughout the industry, financial institutions seek to eliminate cumbersome authentication methods, such as PINs, passwords, and security questions, as these antiquated tactics prove increasingly weak. Thus, many organizations now aim to implement emerging technologies, such as EMV chip-enabled credit cards and biometric scanning, in an effort to validate identities with greater certainty. Mancusi-Ungaro emphasizes that the near instantaneous nature of online banking, purchases, transactions, and payments puts tremendous pressure on banks to secure their operations and procedures. Cybercriminals perceive banks to be where the money is, so they're constantly evolving their attacks. Thus, banks are responding with the implementation of secure payment networks, chip-enabled cards, and other tactics, including multi-factor authentication, to safeguard transactions.

Banks are actively trying to move away from single-factor authentication to two-factor or multi-factor methods in order to deter fraudsters. While such processes typically combine something the customer "knows" plus something the customer "has" that reliably identifies them, the advent of quick, dependable biometric identification techniques allows financial institutions to incorporate a third component, something the consumer "is," adding an extra layer of customer data security.

Voice biometrics has also begun to gain much traction throughout the financial services space, as organizations take to this technology in an effort to harmonize the identification and authentication process across channels. Beranek explains that voice biometrics enables financial institutions to enhance the security posture of all their channels and across all business units by simply requiring customers to speak a passphrase when they authenticate via mobile app, or when they call the contact center directly. Voice biometric technologies also work seamlessly with wearable devices, such as smart watches, and intelligent virtual assistants, two tools that are set to transform the financial industry over the next decade.

Beranek also notes that, within the contact center, voice biometric authentication is increasingly paired with ANI-spoofing detection technologies, which can detect if an incoming call originates from a fraudster before the organization's self-service IVR or contact center agents answer the phone. "By combining such technologies with voice biometrics," Beranek adds, "financial institutions can ensure with even greater levels of certainty that the customer accounts will remain secured, while also delivering a quick and effortless authentication experience, eliminating the need for knowledge-based authentication."

For innovative banking leaders, such as Tangerine Bank, the voice biometrics and virtual assistant combination enables the organization to deliver more personalized and more human customer interactions, which can greatly impact the institution's ability to acquire and retain customers, and compete with rival banks. "The objective of voice banking is to deliver an easy, meaningful, and differentiated banking experience that will attract new customers to Tangerine, and strengthen relationships with existing customers," says Peter Aceto, president and CEO.

Instead of guarding the front-end of each banking interface with a rigid security process, Tangerine Bank now has the ability to start each interaction with a personalized greeting and question, immediately humanizing an otherwise robotic experience. This simulates the relationship customers once had with tellers at traditional branch locations, recreating the feeling of being known simply upon entering the building. By delivering the same type of human-like experience via self-service channels, such as mobile apps and IVRs, or through human-assisted channels, such as the contact center, Tangerine Bank can build and support the personalized relationships that promote customer loyalty and retention. This approach also indicates that voice biometrics are not viewed exclusively as security technology, but also as a vital tool to improve and harmonize the customer experience across all channels.

Beyond implementing such voice banking technologies, banks have also learned to work together, forming powerful security user groups, such as the Financial Services Information Security Advisory Council (FS-ISAC), to share best practices and identify common enemies. Mancusi-Ungaro explains that financial institutions share the newest developments within the industry community with regard to initiatives against data threats, while emerging open standards, such as STIX/TAXII, Soltra, and other similar protocols make it easier than ever for security teams to work together. Government regulators, such as the FDIC and FFIEC, have also made note of the dramatic evolution behind cyberattacks and best practices of the largest institutions, thereby establishing their own guidelines for safety. Subsequently, FFIEC published its 'Social Media: Compliance and Risk Management Guidance' for financial institutions as an effective blueprint for the average company to follow on its path to safety.

Ultimately, however, data security success depends upon the given institution's willingness to invest in its own future. While the initial costs for these implementations may be significant for many, banks must look past the start-up implications to gauge the overall importance of such initiatives. Banks that get trust and security right will have a distinct advantage over organizations that don't, adds Mancusi-Ungaro. Institutions that make an investment in full-scale protection beyond the perimeter will advance their reputation as the institution of choice.