Digital Banking: Securing the User Journey in the Wake of COVID-19
It shouldn’t come as a big surprise that fraudsters have noticed we manage more of our daily lives electronically amid COVID-19. This poses a massive threat to banks and credit unions and their respective digital banking ecosystems.
Consider this: 2020 incited drastic, lasting changes to the way consumers and businesses operate. Due to branch closures and heightened safety protocols, financial institutions nationwide have seen significant spikes in digital banking usage, from existing users and new registrants alike.
Change seems to be the only constant - so what better time to educate your account holders on the importance of adopting better security habits across all channels and touchpoints? In response, Alogent is enhancing all aspects of security within our digital banking platform. The next series of articles discusses these enhancements as they relate to programming code, protecting dynamic digital banking environments, and securing the user journey.
A recent survey by the Association of Certified Fraud Examiners found over 80% of fraud professionals reported an increase in cyber fraud since the start of the pandemic, with 90% expecting continued surges throughout 2021. In the digital banking arena, cyber fraud covers a wide range of activity, including identity theft, unauthorized system access, data hacks, business email compromise and trafficking of passwords.
The study also reported steady increases in payment fraud and employee embezzlement throughout the year, again with percentages expected to rise over the course of 2021. It’s no secret that password security is vital, not only within our applications, but to protect financial institutions, account holders, and all online interactions.
I saw a headline a few weeks ago that caught my attention: “Is your Password on the Wall of Shame?” The article discusses NordPass’s findings regarding the 200 most frequently used passwords leaked in a 2019 breach, highlighting the urgent need for security training across our customer and member bases.
As I read through the article, I started thinking about my own password journey, and yes - despite my decades in banking and building regulatory and fraud compliance software, even I made common mistakes in password safety.
Why? Two reasons. The first, because like many of you, I found navigating daily banking operations often required recalling more individual passwords than human memory could capacitate. And second, I have a sneaking suspicion that we’ve become a bit numb to the threat and inevitability of data breaches.
My ‘eureka’ moment, however, came while working with a cyber security partner a few years ago. He ran a basic scan on my email address through his software and found several of my personal passwords listed for sale on the dark web.
That lightning bolt rippled throughout my personal and professional life. I learned to stop exchanging security for the sake of simplicity and memorability. As a Product Manager, I drove home the idea of providing and suggesting controls to nudge our clients to step up their own proactive security measures.
That said, Alogent Digital and NXT encapsulate guidance from the Federal Financial Institutions Examination Council (FFIEC) Information Technology Manual and Information Security Booklet, which governs factors necessary to assess the level of security risks to a financial institution's information systems and risk management protocols. Further, it includes recommendations presented by other regulatory agencies in response to the FFIEC.
Security is at the forefront of innovation throughout Alogent’s entire product suite. NXT's flexible options allow financial institutions to match their existing policies to their own unique, customized business rules, and the platform provides suggestions on how to improve password security in line with FFIEC guidance:
- Each institution specifies the minimum and maximum password length.
- Each institution specifies whether a password requires a combination of character types (upper-case and lower-case letters, numbers, and special characters) and defines how many of each.
- Frequency of recurring password changes, denoting how often their customers or members are required to change passwords, as well as specifying the number of unique passwords before one can be re-used.
- Prohibiting users from creating passwords like their username or email address.
- And of course, these are coupled with the use of multi-factor authentication.
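The controls listed above, expressed as a checkable policy. This is an added example, not Alogent's or NXT's code; the `PasswordPolicy` field names, the default values and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib, hmac, os, string
from dataclasses import dataclass
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 600_000  # assumption: work factor chosen for this example

@dataclass
class PasswordPolicy:
    # Hypothetical field names; each maps to one control in the list above.
    min_length: int = 12
    max_length: int = 64
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_age_days: int = 90   # how often a change is required
    history_count: int = 5   # unique passwords required before re-use

def hash_password(password, salt=None):
    """Return (salt, digest); history is kept salted and hashed, never in clear."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def violations(policy, password, username, email, history):
    """Return the names of the policy rules the candidate password breaks."""
    found = []
    if not policy.min_length <= len(password) <= policy.max_length:
        found.append("length")
    classes = {"upper": str.isupper, "lower": str.islower, "digits": str.isdigit,
               "special": lambda c: c in string.punctuation}
    for kind, test in classes.items():
        if sum(map(test, password)) < getattr(policy, "min_" + kind):
            found.append(kind)
    # Reject passwords built around the username or the email local part.
    idents = (username.lower(), email.lower().split("@")[0])
    if any(len(i) >= 3 and i in password.lower() for i in idents):
        found.append("resembles-identifier")
    # Compare against the most recent N stored hashes in constant time.
    recent = history[-policy.history_count:] if policy.history_count else []
    if any(hmac.compare_digest(hash_password(password, s)[1], d) for s, d in recent):
        found.append("reused")
    return found

def is_expired(policy, last_changed: datetime, now: datetime) -> bool:
    """True once the password is older than the configured rotation interval."""
    return now - last_changed > timedelta(days=policy.max_age_days)
```

Multi-factor authentication, the last item in the list, sits outside this check and is enforced at login rather than at password creation.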
Yet, as a software company, we can only lead our customers in the right direction by suggesting and encouraging best practices to protect digital banking ecosystems. The real work comes down to how our clients choose to implement these controls on their own terms, positioning to their own account holders.
In today’s world, where customer service is key for maintaining customer and member relationships, the hesitation to implement more stringent password security still exists, as many believe their base is too change-averse to adopt new policies. Here we have an opportunity to take a proactive approach, rather than a reactive one. Providing much-needed education and updated controls protects account holders, rendering better customer service than waiting to assist after their credentials have been compromised and losses ensue.
So, what exactly makes a strong password?
- Security experts have differing opinions on the ideal password character length, but the common standard is the more characters, the better.
- Passwords should be changed every 90 to 180 days.
- And, most importantly, passwords should not be easily recognizable data, like your name, birthdate, your children, your pets, your address, or your email address.
Here are a few best practices to keep in mind as you think about securing your own digital journey:
- Many recommend using a sentence or phrase rather than a single word.
- Create different, unique passwords for each site, especially financial domains.
- Do not save passwords on your devices as they can easily be lost, stolen, or hacked.
Remember, at some point you have likely used a site that asks you questions like the make and model of your first car, or which street you lived in as a child, to validate your identity. If these companies can find that information, so can a fraudster.
Render maximum security, control, and customization of digital channels with NXT, a single, secure platform that marries mobile, digital and voice for consumer and business banking. With powerful out-of-the-box functionality like branding and data-driven marketing, predictive analytics, loan servicing, card controls, gamification, and more, NXT drives superior engagement and meets tomorrow's demands securely with its modern technology stack, open architecture, and deep integration potential.
Contact us today to learn more about how NXT's unified platform approach blurs the lines between devices to deliver a consistent user experience across all touch-points, while securing every level of your financial institution’s digital banking infrastructure.