Argentina’s banks are turning to new authentication strategies to step up their cybersecurity defenses against an evolving series of digital risks.
The institutions are adopting biometrics and multi-factor authentication in a bid to keep their platforms secure, specialists on cybersecurity in Argentina have told iupana
“Digitalization generates new challenges, and we’re working on those at high speed, together with the business and IT,” Pedro Adamovic, Banco Galicia’s chief information security officer told iupana.
“For that, we’re part of agile working groups, we follow best practices and we are automating the process of control. It’s a new working paradigm.”
The changes come as innovations and upgrades generate a complex mix of old and new technology platforms.
“Today, more than new types of attacks, the real threat is that the infrastructure has been created over decades. It is so complicated and it’s not easy to make everything digital,” said Javier Chistik, account manager for the Southern Cone at Forcepoint.
“If the banks could move to the cloud, they would be better protected.”
It’s not just the back-end technology, either. A possible new focus for security concerns is the country’s new trend for banking “cafés”.
In Argentina, banks including Galicia, Santander Rio, Comafi and soon Macro are betting on this model. The new hybrid spaces offer banking services and ATMs with a co-working area and coffee shop. Clients can spend time, chat, and use public WIFI networks – offering new opportunities for hackers.
New risks, same cybersecurity budget
But as the risk panorama grows, cybersecurity budgets are not. According to data in the ESET Security Report 2019, 54% of respondents in Argentina’s financial industry said they thought their cybersecurity budgets were insufficient. The budget had actually gone down since the previous year for 22% of respondents, although it had increased for 25%, and stayed stable for the others.
Russian cybersecurity company Kapersky Lab’s 2018 report on Latin America indicated that phishing attacks grew 60%, and malware threats grew 62%.
The report highlighted the effects of “prilex”, a Brazilian ATM malware designed to steal credit card details – including those with chip and pin – which affected Argentines that take holidays in Southern Brazil.
Among other factors, the report indicated that Argentine banks still use old technology in order to stay compatible with old hardware used in shops – something that increases the possibility of attacks.
At the same time, the report added that the Lazarus hacking collective, which has already attacked various banks in the region, could also turn its attention to local institutions.
“These types of attacks are on the client side of the bank, but you can’t ignore the internal factor, where the banks have to protect themselves from ransomware attempts which could have serious consequences,” said Luis Lubeck, information security specialist for Latin America at ESET.
Chistik points to a proposed law in Chile that would make banks liable for their clients’ losses in the case of digital attacks on their accounts.
“If that goes ahead, without a doubt it will change the paradigm, and we would see banks really pushing efforts to secure their clients’ terminals,” he said.
New cybersecurity strategies
Argentina’s banks are looking at new authentication models to defend against vulnerabilities in the log-in process.
“As in the rest of the world, in Argentina most services authenticate through multiple factors. That means, something the user is, knows and has. It’s highly important to add multiple authentication factors to make cybercriminals’ work more difficult,” said Lubeck.
Some banks are turning to biometric authentication measures, in an effort to improve security.
“We have developed an application that allows people to access mobile banking with a selfie in seconds,” said Franco Di Masi, head of innovation at Banco Supervielle. “Without needing to type in their ID number, user name or password.”
The user registers with a photo, and the technology uses AI to identify points on their face that are unique and not replicable.
Biometric systems can be used as part of a more robust verification process for digital customers, said Sebastián Stranieri, CEO of VU Security.
“The simple use of a selfie to open a bank account is not secure,” he said. “But it becomes a secure mechanism if it is accompanied by a series of other controls, such as location, device, ID card, and context – which users give to their bank, retailer, government or company. Taken together, it creates a model for scoring the risk of the person making the transaction.”
Argentina’s banks insist that training and education – as much for the internal staff as for clients – is key.
“We have a network of permanent alerts, ongoing training for the teams, and technology upgrades,” Mauro Troccay, head of information security at Banco Itaú, told iupana. “It’s important to keep in mind that a large part of cyberattacks follow the same patterns and are mitigated in the same way.”
Client education is also crucial.
“There’s no such thing as zero risk, but we can minimize it. How? Working on human behavior, the main area of vulnerability,” said Chistik. “Banks understand that they have to raise awareness about how to use tools like online banking.”