ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector
January 2014 by ENISA
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, according to a new study by the EU Agency ENISA, some financial institutions still do not consider the risk posed by inadequate authentication mechanisms. The report analyses current e-Finance fraud and correlates it with the authentication mechanisms that financial institutions offer their customers. It emphasises the need for updated security mechanisms and provides 10 recommended approaches for better security.
The Agency analysed more than 100 survey replies from merchants and e-banking security professionals on electronic Identity and Authentication (eIDA) methods. These are used by citizens, customers and companies in e-Finance and e-Payment systems on a daily basis. Additionally, for each authentication mechanism used by financial institutions, merchants and payment service providers, the Agency identified the risks and the attack patterns, including phishing (including targeted attacks), identity theft, and session and identity hijacking.
As a result, the Agency has produced guidelines, best practices and recommendations for e-banking and Internet payments. Among the key recommendations are:
1. Improve the security of the e-Finance environment, meaning that financial actors must:
Make a risk analysis based on the customers’ profile and the size of the institution,
Improve customers’ awareness and skills,
Tailor authentication methods to the customer’s behaviour profile and to transaction parameters (e.g. destination country, amount),
Detect compromise of customers’ devices earlier, through device registration and through testing and evaluation of device security (“Assume all devices are infected”).
2. Improve the security of e-Finance applications and their distribution channels to customers, encouraging the traditional “security by design”. Financial actors should also take into account the proposal for a new personal data protection Directive, and use trusted channels to install applications on the customers’ devices.
3. Promote proportionality between the robustness of the selected method(s) and the identified risk (adequacy of eIDA to the transaction context), with emphasis on the use of two-factor authentication even for low-risk operations (an ATM already does this: a card plus a PIN code).
4. Improve knowledge and the behaviour of both customers and professionals.
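Recommendations 1 and 3 together describe risk-based authentication: score each transaction against the customer’s profile and transaction parameters, never go below two factors, and step up when the risk is high. The following is an added illustration written for this page, not code from ENISA or from the report; the signals, weights, the `HIGH_RISK_THRESHOLD` of 5, the `CustomerProfile`/`Transaction` fields and the sample data are all assumptions chosen here. It also applies the “assume all devices are infected” point: the high-risk path confirms the transaction over a separate channel and shows the payee and amount, so malware on the customer’s device cannot alter the order without the customer seeing it.

```python
"""Risk-based selection of the authentication step for an e-payment.

Illustrative example: the scoring weights, thresholds and data fields are
assumptions made here, not values from the ENISA report.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class AuthLevel(IntEnum):
    # Two-factor authentication is the floor even for low-risk operations
    # (recommendation 3); higher risk steps up to an out-of-band confirmation
    # that displays the transaction details, so that a compromised customer
    # device ("assume all devices are infected") cannot silently alter them.
    SECOND_FACTOR = 1
    OUT_OF_BAND_CONFIRMATION = 2


@dataclass(frozen=True)
class CustomerProfile:
    customer_id: str
    home_country: str
    typical_amount: float               # e.g. median of recent outgoing payments
    registered_devices: FrozenSet[str]  # device ids enrolled through a trusted channel
    known_payees: FrozenSet[str]        # payees the customer has paid before


@dataclass(frozen=True)
class Transaction:
    amount: float
    currency: str
    destination_country: str
    payee: str
    device_id: str  # identifier of the device the request arrives from


# Assumed weights: each signal adds to a risk score; the split point between
# the two authentication levels is HIGH_RISK_THRESHOLD.
HIGH_RISK_THRESHOLD = 5


def risk_score(profile: CustomerProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Score a transaction against the customer's profile; return (score, reasons)."""
    score = 0
    reasons: List[str] = []
    if tx.device_id not in profile.registered_devices:
        score += 3
        reasons.append("device not registered")
    if tx.destination_country != profile.home_country:
        score += 2
        reasons.append(f"destination country {tx.destination_country}")
    if tx.payee not in profile.known_payees:
        score += 2
        reasons.append("first payment to this payee")
    if tx.amount > 5 * profile.typical_amount:
        score += 3
        reasons.append("amount far above typical")
    elif tx.amount > 2 * profile.typical_amount:
        score += 1
        reasons.append("amount above typical")
    return score, reasons


def required_auth(profile: CustomerProfile, tx: Transaction) -> AuthLevel:
    """Pick the authentication level proportionate to the assessed risk."""
    score, _ = risk_score(profile, tx)
    if score >= HIGH_RISK_THRESHOLD:
        return AuthLevel.OUT_OF_BAND_CONFIRMATION
    return AuthLevel.SECOND_FACTOR


def confirmation_message(tx: Transaction) -> str:
    """Text sent over the out-of-band channel. It binds the approval to the
    exact payee and amount, so an order modified by malware on the customer's
    device is visible to the customer before approval."""
    return (f"Confirm payment of {tx.amount:.2f} {tx.currency} to {tx.payee} "
            f"({tx.destination_country})? Approve only if these details match "
            f"what you intended.")


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    alice = CustomerProfile("alice", "DE", 250.0,
                            frozenset({"phone-7f3a"}), frozenset({"ACME Energy"}))
    routine = Transaction(240.0, "EUR", "DE", "ACME Energy", "phone-7f3a")
    suspicious = Transaction(4000.0, "EUR", "RO", "Unknown Ltd", "laptop-new")
    for tx in (routine, suspicious):
        score, why = risk_score(alice, tx)
        print(tx.payee, score, why, required_auth(alice, tx).name)
    print(confirmation_message(suspicious))
```

The routine payment scores 0 and still requires a second factor; the payment from an unregistered device to a new foreign payee for many times the usual amount scores 10 and is routed to the out-of-band confirmation. In practice the weights would be derived from the institution’s own fraud data and the customer segment, which is the risk analysis recommendation 1 asks for.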
To summarise, current eIDA practices in the financial sector leave many risks uncovered. The ECB and the European Commission are developing recommendations and regulations aligned with the ENISA report, in order to identify and produce tools that reduce financial losses due to fraud.
The Executive Director of ENISA, Professor Udo Helmbrecht, commented: “The financial sector manages e-transactions of hundreds of billions of euro every year. Therefore, secure e-identities and authentication are simply a must for the economy of Europe. The financial institutions should use security as a competitive marketing tool. With this report, the financial actors can make a cost/benefit analysis of additional authentication mechanisms.”