Future-proof Security

With software, “future-proof” generally refers to the ability for something to be functional well into the future without requiring replacement. This becomes particularly important with security software, as the vulnerabilities can be found and exploited within hours.

The stakes are also very high: we estimate that at least a billion people do some form of payment on their smartphones. And while there are many different estimates, the market’s total size is surely above a trillion dollars worldwide. A market of this size is a highly tempting target for criminals - why rob a bank for cash if you can exploit a zero-day vulnerability and empty bank accounts directly?

In what now feels like a lifetime ago, traditional mobile phones were once predominantly used as the 2nd factor for authentication. People did their payments using a PC web browser, then authenticated the transaction using a one-time code received as a text message (OTP by SMS). Back then, this was reasonably safe, but today, using text messages for authentication is becoming less common. Why? Because hackers are way savvier, and text messages are incredibly susceptible to being intercepted and read by malware. The result has led authentication to move directly to bank and payment apps installed on users’ smartphones. 

With authentication moving to apps, the user experience has undoubtedly changed for the better. From the users’ perspective, a payment can now happen entirely on their phone, with initiation, authentication, and confirmation all within the same app. And, because most smartphones have biometric sensors (such as fingerprint readers), the transaction verification can be very smooth, too.

While security and fraud rates have improved with this move away from text messages, there are still market and regulatory forces which creates challenges for the future:

• Europe is moving towards instant payments across Europe. Banks used to take days to do international transfers, which gave them plenty of time to react to any potential fraud. Now, a SEPA instant payment is expected to take less than 10 seconds, making strong security on the device even more critical.

• Smartphones have now been around long enough so that even the old ones can be “good enough” many years after the vendor has stopped providing security updates. This means that well-known security issues within the underlying mobile operating systems go unpatched, making easy targets for malware.

• Criminals are, of course, getting more and more technologically advanced. 

While the continuous battle between criminals and security vendors might make the situation look bleak, there are a few actions payment service providers can take:

1. Set the scope of what you need to protect. A good policy to follow is zero trust. Not all apps will need the same level of security, and it is often enough to protect the core strong customer authentication and transaction verification.
   
   
2. Let requirements drive technology. This might be obvious, but requirements such as the PSD2 RTS have some excellent guidelines for implementing security. It is also worth looking at the UK Open Banking guidelines, even if your company is not located in the UK.
   
   
3. Choose reusable technology. The list of situations where customer authentication can happen goes well beyond internet payments and 3DS. It is important that the same authentication mechanism can be used in every situation where users are authenticated. In this context, PSD2 RTS sets the highest security standards. 
   
   
4. Don’t let compliance make you complacent. Compliance can quickly become a matter of semi-automated paperwork through an automated system that magically generates policies for you. We believe that security is fundamental and that it is essential for it to be done correctly. This means you must look at your vendors’ compliance and verify that they fulfil all requirements.
   
   
5. Choose vendors that have a strong security focus. There are plenty of “full-service” and 2FA vendors that provide APIs, but provide little in the way of security. Partnering with a vendor that focuses solely on security can raise your level of protection to a point where potential attackers will give up and choose another target.
   
   

I hope you’ve found this post valuable and interesting! If you’re interested in security and how to future-proof your services, feel free to reach out to us at hello@okaythis.com.