Non-replicable, single-use credentials for e-identities are needed in the financial sector
Different tokens, devices, mobile phones, e-signatures, etc. are used to authenticate our e-identities. Yet, some financial institutions are still not considering the risk of inadequate authentication mechanisms according to a new study by the EU Agency ENISA. The report analyses current e-Finance fraud and correlates it with the financial institutions’ customers’ authentication mechanisms. The report emphasises the need for updated security mechanisms and provides 10 recommended approaches for better security.
The Agency analysed more than 100 survey replies from merchants and e-banking security professionals on the electronic Identity and Authentication methods (eIDA). These are used by citizens, customers and companies in e-Finance and e-Payment systems on a daily basis. Additionally, the Agency identified the risks and the attack patterns for each authentication mechanism, including phishing (targeted attacks), ID-theft, session- and identity hijacking, etc., of the financial institutions, merchants and payment service providers.
As a result, the Agency has produced guidelines, best practices and recommendations for e-banking and Internet payments. Among the key recommendations are:
To summarise, current eIDA practices in the financial sector do not cover many risks. The ECB and European Commission are developing recommendations and regulations aligned with the ENISA report to identify and produce tools to reduce financial losses due to fraud.
The Executive Director of ENISA, Professor Udo Helmbrecht, commented: “The financial sector manages e-transactions of hundreds of billions of euro every year. Therefore, secure e-identities and authentication is simply a must for the economy of Europe. The financial institutions should use security as a competitive marketing tool. With this report, the financial actors can make a cost/benefit analysis of additional authentication mechanisms.”
For interviews; Ulf Bergström,