Do you have your passwords written down on sticky notes or, worse, did you email them to yourself? If so, you’re costing security experts, like IEEE Member Jungwoo Ryoo, a lot of sleep.
A professor of information sciences and technology at Penn State Altoona, Ryoo heads its division of business, engineering, and information sciences and technology. One of his research areas focuses on information security in the banking sector. The Institute talked to him about how secure mobile banking is, and whether more of us should be switching from credit cards to digital payment systems.
What are the things that keep you up at night?
Mostly, human factors, which are some of the most difficult issues to address. It’s important for those who develop technologies to try and make security easy for users. For instance, password-related issues come up again and again, and that’s because, by design, passwords are difficult to manage. People either select passwords that are simple for hackers to guess [123456 and password are two of the most commonly used] or write them down on a sticky note that they leave on their office desk. Instead, people should aim to have passwords of around 12 characters, make them more complex, use symbols, and change them frequently.
Systems can be designed to force users to comply with these requirements. However, these requirements could backfire by making it more difficult for users to remember their passwords, forcing them to write them down, which defeats the purpose. There needs to be a viable way for people to securely manage their passwords.
In your research, you’ve described the state of cloud computing in the banking industry as an arms race between security experts and criminals. Who’s winning?
The banking industry is winning the war, but it loses battles from time to time. In terms of the efforts and investments being made, the general level of security is increasing. But at the same time, the industry can never get comfortable, because there are always new threats and the threat environment is constantly changing. That’s what’s so difficult about security. The threats we face are fluid and dynamic, so the banking industry has to constantly reassess the situation.
While banks may be winning the war now, that’s not to say they will win in the end. Nothing is definite. For a security person, I think it’s important to stay in a mind-set where you’re losing a little sleep every night.
What are some promising countermeasures to make security more effective and user-friendly?
One good example is the biometrics approach Apple is taking on its iOS right now—which allows people to use a fingerprint instead of typing in a passcode. The downside of that, of course, is that it really drives up costs for Apple, but it has to make these kinds of trade-offs. Something is always going to suffer when it comes to security, and it’s always a matter of making compromises. There’s no silver bullet for these issues.
Engineers must continue to make security countermeasures more user-friendly and transparent. We’re not there yet, but there’s a lot of research going on to make improvements in what is known as “usable,” or user-friendly, security.
What sorts of security issues are being introduced by Apple Pay, Google’s Android Pay, and other mobile payment service systems?
These kinds of tools happen to be much more secure than carrying your credit cards with their magnetic strips. That’s not to say every mobile payment system is 100 percent secure, and they have their own vulnerabilities. But when it comes to using smartphones to make payments, security is far superior to that of conventional credit cards.
That’s because your smartphone offers more sophisticated countermeasures than a credit card. If your mobile device is compromised, the credit card information on the device is securely encrypted. However, if your phone is already compromised at the time that you add a credit card to a mobile payment service, that information can be easily stolen.
More and more banking information is moving through cloud computing servers. What does that mean for security?
That’s a big question mark. Moving to the cloud means losing control over IT infrastructure and data, and transparency from these cloud computing companies is not there at the moment. You can’t just place 100 percent trust in what the cloud service providers are pitching. Banks have to have their internal auditors look at the small print in the service level agreements and ensure they’re getting the right kind of assurances in terms of security, and that the providers can live up to the claims they’re making.
Digital payment services, however, do not necessarily rely on the cloud, or they use private cloud servers instead of third-party companies.
What can be done to motivate retailers and customers to adopt more secure payment systems?
Security incidents such as breaches at Home Depot and Target drove the credit card industry in general to provide more secure technologies. The banks do have regulations, like the Payment Card Industry Data Security Standard, which they can use as a benchmark to make sure vendors are complying with their security obligations. Banks could use these regulations to drive the adoption of chip and PIN and eventually of NFC (near field communication) terminals, which allow vendors to process payments from smartphones.
But fully implementing the latest technologies, like the contactless payment systems mentioned above, requires a shift in mind-set and culture. Adoption of these systems is happening gradually, mostly in big cities like New York City or Seoul, South Korea. Trust of the technology among consumers is another factor, and it varies across cultures, locations, and age groups.