
Cybersecurity to Protect Customers Interaction, Build Trust and Loyalty

On the 20th of October 2022, twimbit, in partnership with F5 and Kyndryl, organised the inaugural “Bank of Tomorrow Asia Pacific Summit”. We were thrilled to have James Tin of F5 chat with Manoj Menon of twimbit to discuss their aspirations and vision for the future of banking.

Session Title: Cybersecurity to Protect Customers Interaction, Build Trust and Loyalty

Speakers:

  • Manoj Menon, Managing Director & Co-Founder, twimbit
  • James Tin, Senior Director of Security & Fraud Solutions, F5

Challenges banks face in cybersecurity

Credential stuffing is a major challenge, and bank customers have experienced abuse of the “Forgot Password” function. Attackers leverage this function heavily to gain unauthorised access to customer credentials. This leads to an uptick in new account creation, because attackers then possess all the relevant information needed to sign up for a new account.

“In security, compliance does not always equal security. Because, although you might have a particular control in place; if it’s not properly monitored, then there’s always a way to breach it.” – James Tin, Senior Director of Security & Fraud Solutions at F5

Currently, attackers outnumber defenders in cybersecurity. Defenders therefore need to increase their cybersecurity maturity before they can attain a strong position from which to prevent fraud and attacks from breaching the banks.

In connection with Superapps, customers face difficulties with fraud, which frequently occurs on the web interface and not on the mobile app. For banks pushing towards Superapps, this level of security feedback from customers creates more robust ecosystems with complete control of the endpoint. More advanced control allows banks and other financial institutions to define what appears on the app and what is allowed to go through.

Opportunities for banks to innovate in cybersecurity and customer experience to reduce friction

  1. Making multi-factor authentication transparent

Multi-factor authentication is a multi-layered process often used for user confirmation. In practice, this often creates more friction for the customer, who might not have immediate access to his mobile phone.

The founders of F5’s recent acquisition, Shape Security, who were previously protecting Google’s online assets and accounts, created the ability to do transparent multi-factor authentication.

How does transparent multi-factor authentication work to improve cybersecurity?

  1. Transparent multi-factor authentication leverages how a person interacts with a web page: how they move the mouse and how they type words and passwords on the keyboard.
  2. Biometrics, behavioural analytics, machine learning and artificial intelligence are then used to tell good users from bad users.
  3. Good users are granted access, while the multi-factor authentication request is sent only to users that the system thinks are fraudulent.

  2. Extending the session timeout window

Extending the session timeout window from minutes to hours, from days to weeks, or even to months reduces the number of logins for concurrent users, creating an enhanced user experience. As a result, the user spends more time on the website, resulting in higher revenue generation. Although it may appear as if F5 is reducing cybersecurity, F5 is in fact increasing it.

This is because the bank is able to detect fraudulent users more easily while rewarding our concurrent and loyal users. Users will also feel more inclined to visit the site, since the experience is hassle-free, providing a win in terms of improving the customer experience and cybersecurity simultaneously.
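
The two ideas above (silent behavioural checks with MFA only for suspicious users, and a long-lived session that is re-evaluated on each request) can be sketched together. This is an added example, not F5's or Shape Security's implementation: it swaps the machine-learning model for a plain z-score against a per-user baseline, and the feature set, threshold, session lifetime and sample data are all assumptions constructed for illustration.

```python
from statistics import mean, pstdev

STEP_UP_THRESHOLD = 3.0          # assumed cut-off on the mean |z| score
MIN_BASELINE = 5                 # assumed minimum number of verified logins
SESSION_LIFETIME_S = 30 * 86400  # assumed long-lived session: 30 days

def features(key_times_ms, mouse_px, mouse_ms):
    """Reduce raw keyboard and mouse events to three behavioural features."""
    gaps = [b - a for a, b in zip(key_times_ms, key_times_ms[1:])]
    return {"flight_mean": mean(gaps),      # typing speed
            "flight_jitter": pstdev(gaps),  # humans are irregular, scripts are not
            "mouse_speed": mouse_px / max(mouse_ms, 1)}

def risk_score(baseline, observed):
    """Mean absolute z-score of the observed features against the baseline."""
    if len(baseline) < MIN_BASELINE:
        return float("inf")                 # no usable profile: fail closed to MFA
    zs = []
    for name, value in observed.items():
        history = [sample[name] for sample in baseline]
        mu, sigma = mean(history), pstdev(history)
        sigma = max(sigma, 0.05 * abs(mu), 1e-9)  # floor so a tight baseline cannot inflate z
        zs.append(abs(value - mu) / sigma)
    return mean(zs)

def authorise(session, baseline, observed, now):
    """Decide per request: silent allow, MFA challenge, or full re-login."""
    if now - session["issued"] > SESSION_LIFETIME_S:
        return "login"
    if risk_score(baseline, observed) > STEP_UP_THRESHOLD:
        return "step_up_mfa"
    return "allow"

# Constructed data: six earlier verified logins for one user.
BASELINE = [{"flight_mean": m, "flight_jitter": j, "mouse_speed": s}
            for m, j, s in [(180, 60, 0.9), (195, 72, 1.1), (170, 55, 0.8),
                            (188, 66, 1.0), (176, 58, 0.95), (191, 70, 1.05)]]
# Constructed observations: irregular human typing vs. uniform scripted input.
HUMAN = features([0, 100, 360, 510, 780, 940], mouse_px=950, mouse_ms=1000)
SCRIPTED = features([0, 10, 20, 30, 40, 50], mouse_px=0, mouse_ms=50)

if __name__ == "__main__":
    session, day = {"issued": 0}, 86400
    for label, base, obs, now in [("human", BASELINE, HUMAN, 20 * day),
                                  ("scripted", BASELINE, SCRIPTED, 20 * day),
                                  ("thin baseline", BASELINE[:2], HUMAN, 20 * day),
                                  ("expired", BASELINE, HUMAN, 31 * day)]:
        print(label, "->", authorise(session, base, obs, now))
```

The session stays valid for weeks, but every request is scored again, so a hijacked or automated session is challenged as soon as its behaviour departs from the account's baseline.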

Threats associated with using the public cloud:

Recently, many banks have been looking to go cloud-first and leverage cloud providers to avoid building data centres. These banks want to shift their core banking into the cloud. A primary challenge associated with this move is downtime. If a cloud service provider goes offline or has no internet connectivity, then thousands of users and organisations using that cloud service will also go offline. This could result in multiple threats to a bank’s cybersecurity infrastructure.

To tackle the problem, F5 acts as a shim in the cloud that provides global server load balancing and high cloud availability. This helps F5 increase overall availability and data resilience. F5 also ensures the attack surface is no longer at the perimeter of the data centre but at the perimeter of the F5 Distributed Cloud platform. Hence, attacks are stopped outside the organisation’s infrastructure, and can even be stopped in the source country.

“The earlier we can stop the attack, the fewer problems the DDoS or application layer attacks will cause on the intermediary internet leaks from appearing on your data centre. We need to leverage our security controls across multiple cloud endpoints.” – James Tin, Senior Director of Security & Fraud Solutions at F5

Support for API-enabled banking:

As more banks move towards open banking and API-enabled banking, they seek to drive more business through partnerships than through traditional banking transactions. However, banks need to be careful, as this move exposes them to many vulnerabilities, and securing the API is a priority for these banks. Again, cybersecurity is a must for banks.

To cater to these needs, F5 recently acquired an open-source platform called NGINX, a market leader in API gateways. Originally used as a web server designed for maximum performance and stability, NGINX has transformed into open-source software for web serving, reverse proxying, caching, load balancing, media streaming and more. Combine this with F5’s API web application firewall, API bot management and anti-fraud capabilities, and F5 creates a powerful ecosystem. With it, F5 can:

  • securely publish APIs,
  • establish authentication,
  • and detect potential fraud.

Banks as custodians of a customer’s trust

Banks have high brand awareness, and security is a significant component. Therefore, banks should create security awareness training to earn the customer’s trust. Now, banks are in a fantastic position to sign up for cloud-based security awareness training and then push that out to their customers. This has resulted in banks addressing most fraud cases while building customer trust through increasing their cybersecurity.

“We want consumers to feel safe, more confident of us and continue financing with the bank because of the immense trust that we have earned from them.” – James Tin, Senior Director of Security and Fraud Solutions at F5
