By Chad Davis
Most financial services organizations have digital transformation projects underway, but the associated distributed, multi-cloud applications come with new, complex challenges.
This of course adds to the already complicated legacy IT environments many institutions have in place.
Credit unions are a lucrative target for cybercriminals. That’s why mission-critical web applications and APIs must be constantly protected from exploits and automated attacks that can disrupt business intelligence, slow app performance, and enable account takeover (ATO) that can lead to fraud.
All credit unions have to do is turn their proverbial security knobs up to 10, and they’re fully protected, right? Unfortunately, its not that easy, and criminal organizations know it. This along with the extremely promising lucrative returns of a successful attack against a credit unions, is exactly why they focus so much of their time and effort against them. Not only do credit unions need to thwart an onslaught of daily attacks, but they also have to do this with one hand tied behind their back.
It’s the unavoidable truth of balancing security and smooth member experiences. For example, having strict security controls in place can inadvertently stop a legitimate money transfer for a strategic member, or what is commonly known as a false positive.
Today’s digital-first members have high expectations—especially when it comes to critical applications like banking apps, which they depend on every day. You have to deliver the services they want securely and without disruption. Disruption and friction potentially leads to lost revenue opportunities and even sometimes churn.
A Balancing Act
Securing critical banking apps, while streamlining the member experience, is a paradox. This is why you can’t turn your security knobs to 10 (or an 11 for the Spinal Tap fans out there). Your goal is to use security to protect your members. But while strict security and fraud controls may stop some attackers, they can negatively impact the experience for all. This balancing act can be extremely frustrating for credit unions, and often times security teams and member experience teams are at odds.
The pressures to keep members from getting annoyed with high friction-causing security solutions in their digital experience seem to be getting an edge, with nearly three-quarters of respondents to a recent SOAS survey saying they would trade security capabilities for better performance. In fact, a full third of the industry’s decision makers said they’d trade security measures for even a small improvement in performance—less than 25%!
Unmet Visibility Needs
The data hype that has been teasing the business world with more advanced use of AI/ML seems to have captured the imagination of the sector, with 98% of respondents from another recent F5 SOAS survey saying they’re missing insights they need, and more than nine in 10 financial services expecting to use AI-assistance.
The demand can be attributed to many areas in the business, but a prime example is the drive toward better meeting member expectations for greater personalization, which requires better insights and more sophisticated analytics than are currently in place.
Another example for driving the need for greater visibility has to do with real-time threat analytics. Organizations today require live and actionable threat intelligence that can enhance the efficacy of existing security controls, including WAFs, with controls that automatically detect and block active threat campaigns, while significantly reducing false positives.
Sourcing Signals
Collecting and analyzing telemetry signals is at the heart of gathering useful threat intelligence. Sources of these signals include, but are not limited to the following:
- Device Signals. Recognize devices and digital users online, including when users log in from unusual time zones or when multiple users log in from the same device.
- Network Signals. Pick up on signals from atypical countries, ASNs located in hosting environments, and unusual time zones associated with ASNs.
- Environment Spoofing Signals. Identify transactions via VPN, anonymizing proxies, or other technologies designed to hide or spoof environments, as well as multiple transactions of the same type from the same device, and previously unseen browser fingerprints. With the latest technology you can also detects minute changes in a device’s integrity, identity, and legitimacy.
- Behavior Sign. Notice typing patterns, such as the keys pressed, typing speed, and suspiciously large amounts of copy and paste, including into first name and last name fields. It looks at the location of a browser window and mouse movement that might indicate copying-and-pasting from a text file.
Changing Everything
Digital transformation is changing everything: how members behave, where fraudsters focus their attention, and how organizations get ahead. Financial services institutions that fail to adapt face harsh regulatory penalties, member churn, and lost revenue.
Credit unions that can keep up with evolving member expectations stand to gain revenue and greatly raise the prospects of the future prosperity of their institutions. In order to meet (and exceed) these expectations, organizations must securely accelerate innovation and app modernization.
Chad Davis is senior solutions marketing manager, global financial services, with F5.