Digital banking fraud prevention

Preventing fraud in the digital banking era

The financial services industry faces huge fraud risks

  • #1 target for cyberattacks [1]
  • #1 target of hackers using phishing to breach security [2]
  • 76% of data security breaches are financially motivated [3]
  • 82% of data breaches originate from weak usernames and passwords [4]

Impact of fraud on customers

Victims of financial fraud can suffer short- or long-term financial loss, plus the inconvenience of applying for reimbursement from their bank and waiting until the money has been recovered.

Phishing is the most common attack on individual banking customers. Attackers lure the customer to a fake website, capture the account credentials entered there and then use them to steal money.

Again, the customer bears the burden of proving the fraud, resetting their credentials (after both failed and successful fraud attempts) and restoring accurate financial records once the account lockout is lifted.

USE CASE: a digital bank in Australia

One of Australia’s leading financial services providers has chosen Haventec to help it prevent account fraud attacks on its digital banking customers. Haventec’s solution protects customers from theft of their digital banking login details via attacks such as phishing, social engineering and shoulder surfing. It prevents the theft and reuse of login details or credentials, such as user identity and access key (password/PIN).

How Haventec Authenticate prevents account fraud

Haventec Authenticate prevents fraud by blocking unauthorised access to accounts.

It achieves this with two main data security methods:

  1. Decentralisation – breaking data into multiple parts and separating those parts across multiple locations
  2. Single-use encryption keys – changing keys and re-encrypting data for every transaction

These methods ensure that only the authorised customer with their authenticated device and key can connect to an authenticated domain and access their account.

How we protect customers

Haventec Authenticate protects the customer against unauthorised access of their accounts.

Even if a criminal manages to capture part of the customer's credentials, such as the PIN, that stolen information cannot be reused: access also requires the authenticated device and its current single-use key, which the criminal does not hold.

Haventec Authenticate demands the following conditions are true to authorise access:

  • User is on an Authenticated device
  • User enters their PIN, which is only known to them (not stored or saved anywhere)
  • The device has a valid single-use authentication key

Common attacks are prevented

The following common attacks are prevented because access details stolen during a single interaction with the banking app cannot be reused:

Attack, description and protection:

PHISHING
Description: Tricking a customer into following a link to a fake website that captures their credentials, including secrets, then reusing that information for fraudulent transactions.
Protection: The fake website can capture what the customer types, but it does not have, and never will have, the single-use authentication key held on the customer's device, so the captured details cannot be used to log in.

PASSWORD CRACKING
Description: Running code that tries many password variations (paired with harvested usernames) until one matches; the weaker the password, the faster it is cracked.
Protection: Haventec Authenticate does not use a password, and the PIN is never stored on the server, so there is nothing to crack offline. Even a correctly guessed PIN is useless without the authenticated device.

SHOULDER SURFING
Description: Observing a customer entering credentials, including secrets, then reusing that information for fraudulent login attempts.
Protection: Even if the attacker captures the customer's PIN exactly, they do not have the authenticated device or its key.

SOCIAL ENGINEERING
Description: Tricking a customer into revealing credentials and security-question answers, then using that information to fraudulently reset the credentials.
Protection: The attacker has neither the authenticated device nor the authentication key, so the disclosed information does not grant access.

How we protect digital banks

Haventec Authenticate prevents mass account breaches and theft of individual credentials by ensuring that no complete, reusable credential is ever stored on any server. This removes the main motivation for cybercriminals to attack a bank's systems and addresses the following risks:

Risk, description and prevention:

MASS ACCOUNT BREACH
Description: The loss, theft or compromise of a large number of user (customer or staff) account credentials, potentially leading to mass fraud.
Prevention: Haventec Authenticate removes the need for a central store of credentials. It decentralises credentials across 3 separate locations: the user's head (PIN), the device (authentication key) and the bank's server (which stores only the final part of the credentials puzzle).

All 3 parts are required to authenticate a user.

Even if an attacker infiltrates the bank's server and steals all authentication data stored there, that data is useless without the other 2 parts of the puzzle.

Any authentication data that is stolen also becomes stale, because the keys are rotated the next time the user authenticates.

LEAKAGE OF CREDENTIALS INTO SYSTEM LOGS
Description: The accidental or intentional leakage of credential data into system and application logs, which an attacker might then use to access and compromise a user's account.
Prevention: The bank never knows the user's PIN and therefore cannot leak it anywhere. Unlike traditional passwords, which end users rarely change, the separate authentication data held on the user's device and on the bank's servers changes on every successful authentication.

So even if these data sets leak into a log, they are ineffective without the user's PIN, and they become stale as soon as the user next authenticates and the keys rotate.

MANAGING EXPOSURE TO REGULATORY AND LEGISLATIVE LIABILITIES
Description: Storing personal or sensitive customer data exposes an organisation to privacy and breach liabilities if that data is not protected from theft or other unauthorised access and use. Customer privacy is a major focus of recent legislation such as Australia's Notifiable Data Breaches scheme and the EU's General Data Protection Regulation.
Prevention: As above, Haventec Authenticate removes the need for a central store of credentials, splitting them across the user's head (PIN), the device (authentication key) and the bank's server (final part only), with all 3 parts required to authenticate a user.

Even if an attacker infiltrates the bank's server and steals all authentication data stored there, nothing held centrally can cause significant harm to the end user, which minimises the risk of losing critical private information.
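The three-part split and the per-login key rotation described in the mass account breach and log leakage rows above can be made concrete with a small model. The Python below is an added, illustrative scheme written for this page; it is not Haventec Authenticate's protocol, and every name in it (Server, Device, prf, the salt/verifier layout and the rotation rule) is an assumption chosen only to show the claimed properties: the server holds a salt and a one-way verifier but neither PIN nor device key, a login needs device key plus PIN plus server salt, and both the device key and the server record change on every successful login, so a replayed proof, a phished PIN on another device, a copied device key with the wrong PIN, and a stolen server table each fail while the legitimate device keeps working.

```python
"""Toy three-part login with single-use, rotating device keys: an added
illustration, NOT Haventec Authenticate's protocol. PIN (user) + key (device)
+ salt/verifier (server) are all needed, and key and record change on every
successful login, so anything captured once is useless afterwards."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot run together."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def verifier_of(proof: bytes) -> bytes:
    """The server stores SHA-256 of the next expected proof, never the proof."""
    return hashlib.sha256(proof).digest()


class Server:
    """Holds only the third part: a per-user salt and a one-way verifier. A stolen
    copy is not a usable proof and cannot be PIN-brute-forced without the device key."""

    def __init__(self) -> None:
        self.records: Dict[str, Dict[str, bytes]] = {}

    def enrol(self, user: str, salt: bytes, verifier: bytes) -> None:
        # Once, over an already-trusted channel; the server never sees PIN or key.
        self.records[user] = {"salt": salt, "verifier": verifier}

    def challenge(self, user: str) -> Tuple[bytes, bytes]:
        """Current salt plus a fresh salt for the *next* session."""
        rec = self.records[user]
        rec["next_salt"] = secrets.token_bytes(32)  # toy: real servers bind this to a session
        return rec["salt"], rec["next_salt"]

    def authenticate(self, user: str, proof: bytes, next_verifier: bytes) -> bool:
        rec = self.records[user]
        if not hmac.compare_digest(verifier_of(proof), rec["verifier"]):
            return False
        next_salt = rec.pop("next_salt", None)
        if next_salt is None:  # no outstanding challenge
            return False
        # Rotate: the salt/verifier just used are dead, so neither this proof nor
        # an older copy of the record can be replayed.
        rec["salt"], rec["verifier"] = next_salt, next_verifier
        return True


class Device:
    """The authenticated device: stores the current key, never the PIN."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.last_sent = (b"", b"")  # kept only so the demo can replay a transcript

    def enrol(self, server: Server, user: str, pin: str) -> None:
        salt = secrets.token_bytes(32)
        server.enrol(user, salt, verifier_of(prf(self.key, salt, pin.encode())))

    def login(self, server: Server, user: str, pin: str) -> bool:
        salt, next_salt = server.challenge(user)
        proof = prf(self.key, salt, pin.encode())       # needs key + PIN + server salt
        next_key = prf(self.key, b"rotate", next_salt)  # single-use: key for the next login
        next_verifier = verifier_of(prf(next_key, next_salt, pin.encode()))
        self.last_sent = (proof, next_verifier)
        ok = server.authenticate(user, proof, next_verifier)
        if ok:  # commit the rotation only once the server has accepted
            self.key = next_key
        return ok


def demo() -> Dict[str, bool]:
    """Legitimate flow plus the attack scenarios the text lists."""
    server, alice = Server(), Device()
    pin = "4821"  # constructed sample PIN; exists only in the user's head
    alice.enrol(server, "alice", pin)
    out: Dict[str, bool] = {}
    out["legit_login"] = alice.login(server, "alice", pin)
    captured = alice.last_sent  # a network attacker recorded this exchange
    server.challenge("alice")   # replay: the server rotated on success, so it is stale
    out["replay_after_use"] = server.authenticate("alice", *captured)
    # phishing / shoulder surfing: right PIN, but not the enrolled device
    out["phished_pin_other_device"] = Device().login(server, "alice", pin)
    # device key exfiltrated, PIN unknown
    out["stolen_device_key_wrong_pin"] = Device(alice.key).login(server, "alice", "0000")
    # server table stolen: the one-way verifier is not a valid proof
    stolen = dict(server.records["alice"])
    out["stolen_server_record_as_proof"] = server.authenticate("alice", stolen["verifier"], bytes(32))
    out["legit_login_after_attacks"] = alice.login(server, "alice", pin)
    out["legit_login_again"] = alice.login(server, "alice", pin)
    return out
```

Calling demo() returns a mapping of scenario name to whether the server accepted; only the three legitimate logins are accepted. Two design choices carry the argument: the server keeps a hash of the next proof rather than the proof itself, otherwise a stolen server table could be submitted straight back as a proof; and the device commits its new key only after the server accepts, because if the two sides ever disagree about the current key the user is locked out, and a real deployment needs a recovery path for that case which this toy leaves out.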

Why Haventec Authenticate?

Haventec Authenticate offers an easy and fast way for digital banking customers to securely access their accounts via their banking app.
The sign-in experience is familiar to the customer as it asks for username and secret.
As long as the customer is using an authenticated device the sign-in process is seamless.

We can help you build trust in your organisation. Ask us how.