EU cyber security Agency ENISA calls for secure e-banking and e-payments: non-replicable, single-use credentials for e-identities are needed in the financial sector


Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, according to a new study by the EU Agency ENISA, some financial institutions are still not considering the risk of inadequate authentication mechanisms.

The report analyses current e-Finance fraud and correlates it with the authentication mechanisms financial institutions offer their customers. It emphasises the need for updated security mechanisms and provides 10 recommended approaches.

The Agency analysed more than 100 replies to a survey distributed to merchants and e-banking security professionals on the electronic IDentity and Authentication Systems (eIDAS) used by citizens and customers in e-Finance and e-Payment systems. Additionally, the Agency identified the risks and attack patterns concerning each authentication mechanism used by financial institutions, merchants and payment service providers, including phishing, ID theft, session hijacking and identity hijacking.

As a result, the Agency produced guidelines, best practices and recommendations for e-banking and Internet payments. Key recommendations are:

  1. Improve the security of the e-Finance environment, meaning that financial actors must:
    • Perform risk analysis based on the customer's profile and the size of the institution,
    • Improve customers' awareness and skills,
    • Implement authentication methods tailored to customer behaviour profiles and transaction parameters (e.g. destination country, amount),
    • Detect compromise of customers' devices early through device registration and through testing and evaluation of device security ("assume all devices are infected").
  2. Improve the security of e-Finance applications and their distribution channels to customers: encouraging the traditional “security by design”, taking into account the proposed new personal data protection Directive, and using trusted channels to install applications in the customers’ device.
  3. Promote proportionality between the robustness of the selected method(s) and the identified risk (adequacy of eIDAS to the transaction context), with emphasis on the use of two-factor authentication (e.g. ATMs: a card and a PIN code) even for low-risk operations.
  4. Improve knowledge and the behaviour of customers and professionals:
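A sketch of how recommendations 1 and 3 fit together, added here as an illustration and not taken from the ENISA report: a transaction is scored against the customer's profile (home country, typical amounts, registered devices) and the score selects the authentication required, never dropping below two factors. The weights, thresholds and method names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class CustomerProfile:
    home_country: str
    registered_devices: FrozenSet[str]  # enrolled through device registration
    typical_max_amount: float           # taken from the customer's own history

@dataclass(frozen=True)
class Transaction:
    amount: float
    destination_country: str
    device_id: str

def risk_score(customer: CustomerProfile, tx: Transaction) -> int:
    """Assumed weights; an unregistered device weighs most
    ("assume all devices are infected")."""
    score = 0
    if tx.destination_country != customer.home_country:
        score += 2
    if tx.amount > customer.typical_max_amount:
        score += 2
        if tx.amount > 5 * customer.typical_max_amount:
            score += 1  # far outside the customer's profile
    if tx.device_id not in customer.registered_devices:
        score += 3
    return score

def required_authentication(score: int) -> List[str]:
    """Assumed policy: a two-factor floor, then step-up as risk grows."""
    methods = ["password", "hardware_token_otp"]  # two factors even for low risk
    if score >= 3:
        # The customer confirms amount and destination on a separate channel,
        # so a compromised browser cannot silently alter them.
        methods.append("transaction_signature_on_separate_channel")
    if score >= 6:
        methods.append("hold_for_manual_review")
    return methods

def decide(customer: CustomerProfile, tx: Transaction) -> Tuple[int, List[str]]:
    """Return the risk score and the authentication steps it requires."""
    score = risk_score(customer, tx)
    return score, required_authentication(score)
```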

To summarise, current eIDAS practices in the financial sector do not cover many risks. The ECB and the European Commission are developing recommendations and regulations aligned with the ENISA report to identify and set up tools that reduce losses due to fraud.

The Executive Director of ENISA, Professor Udo Helmbrecht commented: “The financial sector manages e-transactions of hundreds of billions of euro every year. Therefore, secure e-identities and authentication is simply a must for the economy. The financial institutions should use security as a competitive marketing tool. With this report, the financial actors can make a cost/benefit analysis of additional authentication mechanisms.”


For the full report: eID Authentication methods in e-Finance and e-Payment services


Background: the proposals for the EU data-protection directive and Payment Services Directive 2, and the ECB "Recommendations for the security of Internet payments".

For interviews: Ulf Bergström, Spokesman, ulf.bergstrom@enisa.europa.eu, mobile: + 30 6948 460 143; Manel Medina, ENISA Expert, sta@enisa.europa.eu