Guest blog: Mike Blalock, General Manager for Intel’s Financial Services Industry division
A global business leader with over 30 years of successful experience in technology and sales management, Mike is passionate about collaborating with partners to develop solutions that enable innovation and transform our world.
The concept of facial recognition, iris scanning, and biometric security may sound like something right out of a sci-fi movie, but there’s nothing fictional about it. It’s very real, and it’s coming to a phone, laptop, and bank near you soon.
The entire financial industry is rushing to invest in cybersecurity at a time when cybercrimes and malware attacks could cost the global economy $6 trillion a year by 2021. About 40 million people in the U.S. have had personal information stolen by hackers. The U.S. is spending over $19 billion on cybersecurity as part of its 2017 fiscal budget, which is a 35 percent increase from last year. The U.K. recently announced it’s also investing billions into technologies like Trusted Platform Modules to defend against cyberattacks and financial terrorism.
Passwords, swipes, and signatures are nearly obsolete, and entirely new worlds of cybersecurity measures are coming into play. New technologies are emerging every day, but the measures below are either already in use or very close to becoming the new reality in financial security.
A matter of mobility
Mobile has quickly become the customer’s preferred choice for banking, and the world’s financial institutions are racing to meet those demands. But while mobile and online platforms offer the freedom of banking at any hour from any location on a variety of connected devices, they also expose each transaction to a host of new threats and malicious attacks. According to a recent study, 60 percent of mobile malware pursues financial information on your device. And 80 percent of breaches target financial applications.
The FIDO Alliance has begun working with EMVCo (the consortium of major credit card companies responsible for EMV authentication chips now used in most cards) to develop a new technical standard for mobile wallet providers and payment application developers. When achieved, it will allow credit cardholders to verify their identity either in-store or online with a fingerprint or a “selfie” shot. The World Wide Web Consortium is also developing a similar system.
Intel is reimagining the Bitcoin approach to mobile banking with its new Proof-of-Elapsed-Time (PoET) consensus system, which verifies transactions made across the blockchain environment. Currently, faculty members at Cornell University, Cornell Tech, UC Berkeley, and others under The Initiative for Cryptocurrencies and Contracts (IC3) have been studying Intel SGX in blockchain implementations.
Fingerprint comparison has been used by law enforcement and government agencies worldwide for over 140 years. No two fingerprints are alike, not even those of identical twins.
Fingerprint verification apps have been used within institutions like Bank of America, Chase, and PNC for a few years now. Bank of America customers can save their fingerprints on their smartphones to access their mobile accounts without a password.
But even advanced contact-type biometrics like fingerprint scanning aren’t without their hazards. A breach at the Office of Personnel Management in 2015 provided criminals with 5.6 million stolen fingerprints. Unlike passwords, fingerprints can’t be changed, so those compromised might find themselves dealing with the fallout of the breach for years.
Verifying a customer’s identity through a digital image or video frame has become a preferred method of financial cybersecurity. MasterCard just introduced its Identity Check Mobile feature across Europe, which allows cardholders to “pay-by-selfie.”
The United Services Automobile Association (USAA) also released a similar system that lets its members verify their identity by sending an image of their face using their smartphone camera. Both MasterCard and USAA also require the user to blink to prove the image is live, so criminals can’t trick the system with a photo.
Companies across the globe are racing to develop new face-identifying software for use in a variety of industries, especially banking. BioCA, a software company from South Korea, just released a mobile biometric authentication solution for use on smartphones to identify an individual’s face and transfer the data to cloud servers for transacting.
Even Jaguar Land Rover has filed a U.S. patent for facial recognition technology to unlock car doors and perform other vehicle functions.
Along with fingerprints and facial recognition, many large banks are also experimenting with voice authentication features. Citibank is at the forefront of this approach; it has already collected and registered the voiceprints of nearly 250,000 customers.
Although voice recognition software can’t be deceived by imitating someone else’s voice, it can be fooled with a recording or digital reproduction. But biometric technologies are constantly evolving, and it’s only a matter of time until kinks like these are worked out. Intel’s 6th Generation Intel® Core™ processors are helping push biometric cybersecurity to the next level with features that are so advanced that an AI like Cortana can be activated from sleep-mode on a standard Windows PC.
ATMs with iris scanners
Iris scanners could remove the need for debit cards or PIN codes at the ATM. You’ll be able to walk right up, get scanned in seconds, and retrieve your cash. Citigroup recently tested a prototype of its iris-scanning ATM, with technology that can’t be tricked by a picture or a video.
Diebold, which first developed the iris-scanning ATM back in 1999 (along with the first talking ATM), has been manufacturing automated teller machines since the early 1970s. It debuted its new Citigroup model, dubbed Irving, at the 2015 Las Vegas Money20/20 conference.
Wearables and the IoT
Another new approach to the alternate-payments ecosystem is wearables. Visa’s new payment ring was introduced at the 2016 Summer Olympics in Rio de Janeiro, and successfully tested by the 45 athletes the credit card sponsored. The ring is waterproof, never needs charging, and uses an embedded microchip and antenna to make transactions with a simple swipe of the hand. And if the ring ever gets lost, it can be deactivated from a smartphone thanks to tokenization technology, which takes sensitive account data and replaces it with a digital identifier.
But Visa isn’t the only option in wearable payment devices. The Apple Watch and Microsoft Band also allow users to make payments from their wrists. MasterCard and Coin have teamed up to create a whole line of new wearable devices that process tokenized payments. And keep your eyes peeled for even more gadgets from companies like Moov, Omate, and Atlas Wearables.
Although protecting these wearable devices that fall under the IoT umbrella is vastly different than securing a large-scale computing infrastructure, there are many similarities. The same issues affect authentication, authorization, auditing, administration, encryption and decryption, data integrity, and key management, to name a few.
To help address these issues, Intel has teamed up with Visa to develop a secure payment system for IoT transactions. By fusing Visa’s encryption technology with Intel’s Data Protection Technology for Transactions, any intercepted or stolen data will be made useless to hackers. Another tactic for expanding and streamlining the payment platform is a new system called Intel Online Connect, which produces secure identification codes for devices using 7th Generation Intel Core i7 Processors.
Two-factor authentication for consumers is already available at some financial institutions, but many banks still lack the security feature. Though such measures can help protect users, the Reserve Bank of India recently removed two-factor authentication for transactions under a set amount to try and encourage more electronic payments. For banks to stay agile, they must adopt a risk-aligned security strategy, focusing on the areas that are most vulnerable and potentially costly, while giving users the features and service they’ve come to expect from other business sectors. Though consumer-side authentication is important, it’s essential at the enterprise level for employees connecting to the corporate network.
With so many new devices and users accessing confidential information, securing the endpoints and authenticating users is critical in the move to the cloud. In this new cloud paradigm, there is no perimeter to secure, only endpoints connecting to the web. Those endpoints must authenticate the user to secure the system. “The world has a password crisis that can only be solved with an alternative authentication capability,” says Brett McDowell, Executive Director of the FIDO Alliance.
The FIDO Alliance addresses banks’ needs for stronger authentication methods that don’t rely on multiple usernames and passwords. Instead, FIDO uses a locally stored private key. The private key is used to sign a “challenge,” which is then verified on the bank’s backend server using a corresponding public key. With Intel Online Connect, the local private key, including any biometric templates and data processing, is not available to the OS. It is stored on the client device in a trusted execution environment, protecting against both man-in-the-middle (MitM) and man-in-the-browser (MitB) attacks.
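The challenge-response exchange described above, sketched as an added example (not FIDO Alliance or Intel code): a Node.js model in which the bank stores only a public key and accepts each signed challenge once. The message layout, the origin field, `bank.example` and all function names are assumptions made for the illustration, and the private key here is an ordinary in-memory key rather than one held in a trusted execution environment.

```javascript
// Added illustration, not FIDO Alliance or Intel code; simplified message format.
const nodeCrypto = require('node:crypto');
const BANK_ORIGIN = 'https://bank.example'; // constructed origin (assumption)

// Signed bytes: server challenge plus the origin the client saw (assumed format).
function signedBytes(challenge, origin) {
  return Buffer.from(JSON.stringify({ challenge, origin }));
}
// Client side: create a key pair; only publicKey ever leaves the device.
function registerAuthenticator() {
  return nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}
// Client side: sign the challenge with the locally stored private key.
function clientSign(privateKey, challenge, origin) {
  const signature = nodeCrypto.sign('sha256', signedBytes(challenge, origin), privateKey);
  return { challenge, origin, signature };
}

// Bank backend: holds public keys only and tracks outstanding challenges.
class BankServer {
  constructor() { this.keys = new Map(); this.pending = new Set(); }
  enroll(user, publicKey) { this.keys.set(user, publicKey); }
  issueChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.add(challenge);
    return challenge;
  }
  verify(user, { challenge, origin, signature }) {
    // Set.delete returns false for an unknown or already-consumed challenge.
    if (!this.pending.delete(challenge)) return 'rejected: unknown or replayed challenge';
    if (origin !== BANK_ORIGIN) return 'rejected: wrong origin';
    const key = this.keys.get(user);
    if (!key) return 'rejected: unknown user';
    const ok = nodeCrypto.verify('sha256', signedBytes(challenge, origin), key, signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

function demo() {
  const bank = new BankServer();
  const alice = registerAuthenticator();
  bank.enroll('alice', alice.publicKey);
  const respond = (key, origin) => clientSign(key, bank.issueChallenge(), origin);
  const good = respond(alice.privateKey, BANK_ORIGIN);
  const first = bank.verify('alice', good);
  const replay = bank.verify('alice', good); // same response submitted twice
  const other = registerAuthenticator(); // a key the bank never enrolled for alice
  const forged = bank.verify('alice', respond(other.privateKey, BANK_ORIGIN));
  const misdirected = bank.verify('alice', respond(alice.privateKey, 'https://other.example'));
  return { first, replay, forged, misdirected };
}
```

Because the server keeps no shared secret, a copy of its user table yields only public keys, and a captured response is useless once its challenge has been consumed.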
One step ahead
These security advancements are helping protect consumers and businesses from malicious actors, but the industry will need to stay hyper-vigilant, working with partners across the public and private sectors to ensure breaches are minimized. As we’ve seen recently, globe-spanning cybercriminals are becoming more brazen in their attempts, and even new, digital-first banks are not immune to security holes.
Explore more ways that Intel is helping usher in a new era of cybersecurity at our financial solutions hub.