Schalk Nolte is the CEO of Entersekt, a leading provider of digital security technology within the financial sector.
IST caught up with Schalk to ask him what he thought about mobile security and how it will affect customer experience.
His answers are both enlightening and insightful.
At Entersekt, what are the problems you see with current security systems, either on the desktop or on a mobile device?
One of the biggest problems is the prevalence of SIM-card-based security for mobile banking and payments. SMS OTP is something we need to move away from – NIST in the US has just confirmed this with their deprecation of the method.
With mobile, we see banks and other services using it, but not correctly, creating unnecessary problems. The vast majority of mobile banking apps have insufficient transport layer protection, and this is where the attacks happen.
Is cybercrime becoming more sophisticated and hackers becoming more creative?
Yes, cybercrime is increasing in the sense that more and better malware is becoming available, but mostly it is still the same old attack vectors that are wreaking havoc, perhaps with slight variations.
Do you think companies understand the risk if their security systems fail?
Not yet – but the impact of breaches of public companies (including the impact on revenue) is becoming too glaring to ignore.
Generation Y now place ‘security and privacy’ as the second most important feature of their apps; number 1 is user experience. Do you think good CX can include security?
Undoubtedly – Entersekt’s solutions prove this. Security is not improved by making it so complicated that users become confused and avoid using it. If a bank uses the right security provider, they should have no issues with additional friction introduced into their app.
Iris scanners, touch ID, voice biometrics, device authentication: We have all heard about these technologies. Why aren’t more companies using these technologies?
It’s true that biometrics enablement on the smartphone has potential as a quick and simple replacement for passwords. Yet it can also be expensive to implement, and the technology will have to prove itself as an authentication method before we will see mass uptake.
Device authentication, on the other hand, is what we believe it’s all about. If you can uniquely identify the device as one owned and operated by a particular customer, you can build a more convenient, immediate and secure means of engaging with them. It’s only a matter of time before this authentication method takes off.
How do you combine good CX with security whilst maintaining Digital Convenience?
This is the classic conundrum: strong security can be too difficult to use, but security that is light on effort may be light on protection as well (e.g. weak passwords). We need to use a layered approach, understanding that we cannot rely on users to identify attacks.
What are your top 3 security failures?
While it’s difficult to rank security incidents because their contexts can differ so widely, I can point out the top four trends we are currently seeing. Firstly, there has been a spike in the use of stolen card details to create counterfeit cards for use at non-chip-enabled ATMs. Secondly, card-not-present (CNP) fraud is climbing in many parts of the world because of the move to EMV (Chip and PIN) and resistance to the adoption of the 3-D Secure protocol. Thirdly, we have seen a tremendous increase in ransomware, where an organisation’s data is “kidnapped” for money, and this is unlikely to abate soon. Lastly, there is the emergence of “whaling”, or CEO/CFO fraud, which has unfortunately turned out to be very effective. In this type of attack, a fraudster basically impersonates an executive’s e-mail, asking for valuable data or money transfers.
What should companies be doing now to increase their security?
All companies should definitely have advanced fraud detection techniques running on their back-end systems to detect anomalies, for example in user behaviour. It will also be of key importance to focus on implementing two-factor authentication.
Where will security be in 5 years’ time?
We predict that CNP (card-not-present) fraud will continue to rise globally as the US’s shift to EMV (Chip and PIN) cards closes off easier opportunities. Account takeover will get bigger, exploiting weaknesses in the initial user registration process (typically for mobile banking), as well as the process used to reset passwords. Phishing will continue to be a big attack vector and will be coupled with social engineering attacks. CEO/CFO fraud will continue to evolve in maturity, mostly affecting small- to medium-sized businesses, but ransomware will affect everyone – coming not through banks, but through the open Internet.
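The interview above argues for moving off SMS OTP towards device authentication, with a layered back end that does not rely on the user to spot an attack. As an added illustration (not Entersekt’s product code, and not code from the interview), the Python below sketches the core of such a scheme: a device is registered once with a per-device secret, the server issues a one-time challenge, and the device answers by authenticating the challenge together with the transaction details the user sees on screen, so a modified beneficiary or amount fails verification. Everything here is assumed for the example: the names `Server`, `Device` and `compute_tag`, the 60-second challenge lifetime, and the use of an HMAC over a provisioned secret so it runs with the standard library only. In production the device would hold a hardware-backed asymmetric key rather than a shared secret, but the challenge, replay and transaction-binding checks are the same.

```python
"""Device-bound challenge-response with transaction binding (added example).

Assumptions, not from the interview: a 32-byte secret provisioned per device
at enrolment, an HMAC-SHA256 response (a hardware-backed asymmetric key would
be preferable in practice), and a 60-second challenge lifetime.
"""
import hashlib
import hmac
import json
import secrets
import time


def canonical(transaction):
    """Fixed serialisation so device and server authenticate identical bytes."""
    return json.dumps(transaction, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(secret, nonce, transaction):
    """Bind the server's nonce and the displayed transaction into one tag."""
    msg = nonce.encode() + b"\n" + canonical(transaction)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    """Bank back end: device registrations plus outstanding challenges."""

    def __init__(self, clock=time.time):
        self._devices = {}      # device_id -> (customer, secret)
        self._challenges = {}   # nonce -> (device_id, issued_at)
        self._clock = clock     # injectable so expiry can be tested
        self.ttl_seconds = 60   # assumed lifetime of a challenge

    def register_device(self, customer, device_id):
        """Enrolment: mint the device secret and hand it over exactly once."""
        secret = secrets.token_bytes(32)
        self._devices[device_id] = (customer, secret)
        return secret

    def new_challenge(self, device_id):
        if device_id not in self._devices:
            raise KeyError("unknown device")
        nonce = secrets.token_hex(16)
        self._challenges[nonce] = (device_id, self._clock())
        return nonce

    def verify(self, device_id, nonce, transaction, tag):
        """Return the customer if the device proved possession, else None."""
        entry = self._challenges.pop(nonce, None)   # one-time use: replay fails
        if entry is None:
            return None
        chal_device, issued = entry
        if chal_device != device_id or self._clock() - issued > self.ttl_seconds:
            return None                              # wrong device or expired
        customer, secret = self._devices[device_id]
        expected = compute_tag(secret, nonce, transaction)
        if not hmac.compare_digest(expected, tag):   # constant-time compare
            return None                              # tampered txn or bad secret
        return customer


class Device:
    """Customer's phone: holds the secret and signs what the user approves."""

    def __init__(self, device_id, secret):
        self.device_id = device_id
        self._secret = secret

    def approve(self, nonce, transaction):
        # The transaction shown to the user is exactly what gets authenticated.
        return compute_tag(self._secret, nonce, transaction)


def demo():
    """Constructed scenario: genuine approval, a replay, and a tampered payment."""
    server = Server()
    secret = server.register_device("alice", "dev-1")
    phone = Device("dev-1", secret)
    txn = {"to": "ZA1234", "amount": "250.00", "currency": "ZAR"}

    nonce = server.new_challenge("dev-1")
    tag = phone.approve(nonce, txn)
    ok = server.verify("dev-1", nonce, txn, tag)          # "alice"
    replay = server.verify("dev-1", nonce, txn, tag)      # None: nonce consumed

    nonce2 = server.new_challenge("dev-1")
    tampered = dict(txn, to="ZA9999")                    # beneficiary swapped in transit
    modified = server.verify("dev-1", nonce2, tampered, phone.approve(nonce2, txn))
    return ok, replay, modified                            # ("alice", None, None)


if __name__ == "__main__":
    print(demo())
```

The server never sees the device secret after enrolment beyond what it stored, the nonce is consumed on first use, and the tag covers the transaction itself, which is what lets the back end reject a beneficiary or amount changed between the user’s screen and the bank even when the rest of the request looks authentic.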
For more information on Entersekt products and how to integrate them into your existing CX system, contact IST today.
Source: IST Blogs