Implementing secure practices in times of digital banking fraud

An interview with Mr. Mathew Chacko, Founder Director & CEO, Precision Group (www.precisionit.co.in), on how his company plans to address security issues in these times of digital banking fraud

Firstly, could you help us understand the context of what problems we are looking to solve with respect to digital banking fraud?

Let’s start with some techniques that we have been using for Identity authentication, Password, OTP, Token, & PIN. These conventional methods have helped thus far but have now begun to fall short. 

The country’s cybersecurity agency has warned that “Scammers are targeting banking customers in India with a new type of phishing attack by impersonating internet banking portals”. Indian Computer Emergency Response Team, or CERT-In, issued this advisory in August 2021.

“CERT-IN has reported a total number of 3.94 lakh, 11.58 lakh, and 6.07 lakh cyber-security incidents during the years 2019, 2020, & 2021 (up to June)” 

These are but a couple of reports that point to security incidents including phishing, man-in-the-middle attacks, & impersonation frauds that affect the banking sector. 

Passwords & OTPs are no longer reliable as methods to authenticate the person – be it the customer or an internal user of the bank’s systems. Passwords provide very low confidence in an identity claim; there is no such thing as a ‘strong’ password. Additionally, a multitude of passwords that one must remember causes password fatigue. Password policies cannot mitigate the failures of a password. Further, multiple devices used to access banking services add to the difficulty in ensuring security.

What is the context of these issues? 

Internet & mobile banking users need a solution that can prevent credential compromise, phishing attacks, password fatigue & enable seamless multi-device use. It should reduce possibilities of fraud, enhance user experience, & increase productivity. Even the best password policy cannot mitigate spyware or phishing attacks. For example, a very strict password policy is futile, & tends to encourage bad security behaviours, adding little value over a policy that is mindful of user experience (UX). Investing in more robust authentication methods or other compensating controls is better than tinkering with Password Policies. 

So, what is the solution? 

Biometric authentication methods using unique morphological (e.g., fingerprint, face) or behavioural traits (e.g., voice, keystrokes, mouse movement ...) offer advantages over other orthodox, credential-based methods in both UX & accountability (non-repudiation). 

Our R&D team has solved the problem & we are putting the solution right into your pocket. 

Precision’s InnaITKey is a state-of-the-art offering, fully developed in-house & a Made-In-India solution. The solution is available in two variants:

  1. A secure biometric device incorporating a best-in-class, highly secure, anti-spoof fingerprint match-in-sensor & a high-end crypto controller that combines Public Key Infrastructure (PKI) & biometrics to provide Password-less Identity Authentication, Transaction Authorization, & Signing. This solution is FIDO2 Level2 Certified too.
  2. A solution that uses ‘Phone-as-a-Token’ (PhaaT) – this solution can use the biometric sensors available on mobile phones.

We also have a solution that uses a ‘tap’ or ‘touch’ sensor (non-biometric) which can provide strong, password-less authentication. 

These solutions can be configured to perform password authentication in addition to the native authentication techniques. This would suit the needs of customers – both Corporate & Retail banking and can be deployed for use by the bank’s internal IT users too. 

What are the benefits your solution offers to various stakeholders of the bank? 

Let me summarize it as follows:

To the bank’s Management, InnaITKey provides robust information security, eliminates repudiation, improves privacy, financial savings & branding. It resolves compliance issues & provides legitimate audit trails.

To the bank’s IT Team, InnaITKey eases the deployment & administration, reduces information security burden, administrative overhead, time & effort, with the best cost optimization. 

To the bank’s Customer, InnaITKey prevents impersonation, provides secure access to services, eliminates password fatigue & provides an enhanced UX by being the most compact on-the-go device.

Could you tell us what else Precision does? 

Established in 1996, Precision provides Biometric, IoT, Cloud & Systems Integration solutions, and IT Infrastructure Management Services. Do visit www.precisionit.co.in for detailed information.

Article Link:
https://bankingfrontiers.com/banking-frontiers-march-2022-issue/
