Co-authored by Jefferson Costa, Southeast Asia Regional Security Lead, Avanade, and Ryan Lim, Growth Markets Financial Services Advisory Lead, Avanade
Cybersecurity is often a game of cat and mouse, as the saying goes. As businesses beef up their cyber defences, cyber criminals evolve their attacks. As users become wiser to new threats, hackers refine their infiltration methods.
This is why phishing, one of the oldest types of cybersecurity breaches, is still such an effective cyberattack today. No matter how high you build your castle walls, all it takes to undo the efforts is a careless person inadvertently opening a backdoor to an attacker.
The recent spate of high-profile cases in the Singapore banking sector is a stark reminder of the stakes involved. Millions of dollars were lost to scammers who managed to evolve their phishing attacks to circumvent robust security measures that had worked for years. For example, in recent cases, scammers used an Alpha Tag – a name or string of text that appears in place of a phone number as the sender ID – to deceive users into believing they were receiving legitimate messages from their respective banks. It is easy for scammers to use an Alpha Tag, but complex and costly for a bank to implement a robust security measure.
It is not surprising that many banks have been stepping up their cybersecurity efforts, such as building up anti-fraud measures, to manage the threat from these new attacks. In the interim, the Monetary Authority of Singapore (MAS) has introduced new measures to stem the tide of such phishing scams. Additionally, MAS has been working with banks to review the liability framework on scam payments and transactions, and it is clear that all parties – government agencies, banks and customers alike – should shoulder the responsibility for fighting scams.
While phishing has remained similar in many ways over the years, the methods behind the practice have changed significantly. Cybercriminals have become more organised and effective in crafting phishing scams and cyberattacks by banking on resources on the Dark Web. This means cyberattacks will become more sophisticated. To stay ahead, banks must rethink how they can safeguard consumers against these attacks without rolling back years of advancement they have made in terms of customer experience.
Why a unique digital identity is important
Central to new efforts must be an evolved digital identity. As customer interactions now span physical, online and mobile channels, banks need to rethink how they deliver efficient and robust identity verification and authentication.
Most banks already have ways to verify the first two elements – through a device and a password. However, they do not usually have a way to verify a customer’s biometric information, which helps identify the customer based on biological features such as fingerprints and eyes.
This is important because biometric information is unique to each person and difficult for cybercriminals to counterfeit and/or steal. Together, the data collected from these elements describes an individual uniquely, so a bank can safely trust that the person it is dealing with is authentic.
The future lies in decentralised identity
With identity management central to digital transactions in the future, banks have to find a way to make sure that these digital identities are secure. One way forward is through the emerging concept of decentralised identity.
This means that users retain control of their identity by storing it, their biometric information for example, in a digital identity wallet. The wallet would contain verified information from trusted or certified issuers such as the government. With this, a user can control what personal information he shares with a third party, whether this is a bank or another entity that he is transacting with digitally. In other words, the user has more personal control over privacy.
Just as important is the enhanced security that decentralised identity offers. Since a person’s information is not stored with a single entity or organisation, it is not as easy to steal and control that person’s identity and data.
With a digital identity wallet that is protected, a user can consent before sharing any personal information and have full knowledge of what has been shared (i.e., transparency).
For both banks and customers, decentralised identity brings clear benefits. For one, less information is stored in banks’ databases, which would mean data breaches are not as damaging. This also means passwords can be replaced in future multi-factor authentication (MFA) processes. Scammers who rely on phishing links/websites will need users to provide biometrics instead of just passwords.
There is still a lot of work to be done for a mature decentralised identity ecosystem, but first steps have already been taken today. When multiple issuers and verifiers are on board, and decentralised identities are accepted by public and private sectors around the world, users and organisations would enjoy a simpler yet secure way to transact.