Secure Banking Communications to Protect Consumers


Shawn Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell, and others. He has a Master's in Cybersecurity, a Bachelor's in IT, a Minor in Professional Writing, and is a published author.

This article was co-authored by Richard Koontz

With consumer confidence at an all-time low and corporations placing profits over privacy, middle-class America is the biggest loser.

Over 5.5 billion robocalls rang US phones in January 2023, according to Robokiller. Apparently, citizens are none the wiser to the scams. The Federal Trade Commission (FTC) reports fraud accounted for over $65 billion in financial loss for average Americans in 2022. Not corporations. Not insurance. Not governments. Citizens.

Despite tremendous advances in legislation at the Federal and State level, a flurry of technological advances, and phone carriers extending spam-blocking technology to users, the number of fraudulent communications increased. Most consumers won’t answer an unrecognized number, but curiosity still gets the better of some. The biggest target? The elderly and those on fixed incomes.

In a rare bipartisan effort, politicians on both sides of the aisle heard the cries of their constituents. Congress mandated the Federal Communications Commission (FCC) to develop means to combat robocalls and, likewise, fraudulent calls. STIR/SHAKEN increased call confidence, and the technology would impress 007 himself. Essentially a certificate-granting service similar to those authenticating websites, the certificate authority (CA) gives each call an attestation level of A, B, or C. An attestation level of A, also called full attestation, shows the CA authenticates the caller and verifies they own the number. When the call authenticates but the caller’s ownership of the number isn’t verified, Level B, or partial attestation, applies. Finally, an attestation level of C is the lowest level of trust. International calls fall into Level C, also known as gateway trust, which was further regulated by the TRACED Act.

The TRACED Act, signed in 2019, is finally bearing fruit. It required major carriers to provide better detail on caller ID and, along with STIR/SHAKEN, intended to eliminate spoofed calls. This helps when a recorded message supposedly from the IRS says you have a warrant for your arrest, but the caller is a foreign gentleman calling from an Iowa number.

The FCC continues to work closely with individual states to strengthen local laws against spam calls. While every state includes legislation against fraud, nearly one-third of US states do not specifically address robocalling. The highest number of robocalls hit Texas, Georgia, Ohio, South Carolina, and other states missing such legislation. However, foreign nationals have no fear of being traced, especially as many fraudulent calls come from hacked domestic numbers or numbers that disconnect days after successful fraud occurs.

Spoofed numbers inside the United States are mostly gone because overseas carrier calls are now restricted by STIR/SHAKEN. But many malicious callers can easily access authentic phone numbers from US-based Voice over IP (VoIP) providers, such as Google and RingCentral. Callers sit in foreign countries, such as India, with a VPN connection back to the United States. The calls do not register as spam and are not blocked. Corporations blame uneducated consumers, legislation, and other corporations, but they profit regardless.

Carriers are at the front lines of most finger-pointing. Many profit by reselling customer information to other companies for marketing. Heavy legislation rests on them, including forcing all lines to have an attached address for emergency services. Google was only recently required to tie all VoIP numbers to landlines or mobile phones for tracking. But no carrier to date allows blocking of all calls except those on a whitelist or those listed in the customer’s contacts. Why? Carriers make money on every phone call that traverses their system. Suddenly removing 66 billion of the estimated 292 billion calls will decimate profits and jobs. Profits over privacy.

For financial institutions, particularly banks, fraud turns assets into untraceable liquid funds. Compliance and regulations tightly control all aspects of consumer interaction, from restrictions on opening new accounts to reporting large transfers. Banks must find a solution to legitimize communication with their customers while bypassing carrier attack vectors. And it works both ways. Banks lost untold billions globally because of insufficient identification procedures. Mobile device apps for businesses and third-party authenticators may hold the solution of mutual identification verification for banks and consumers. Here is how it should work for a fictional financial institution, BigBank, Inc.

Most bank fraud occurs because of policy failure. BigBank, Inc. must first create policy and receive legal agreement from consumers that all communications to and from them must follow a certain path. For most consumers, this will center on a mobile app, a third-party authenticator app, the consumer’s mobile phone, and personal information only known to both the bank and the consumer. This policy must be front and center, not buried inside tens of pages of legalese.

BigBank, Inc. uses industry-standard AAA (authentication, authorization, accounting) security and technology to build an app. The app contains a certificate that verifies it with a global certificate authority on every launch. This provides consumers with the authentication to trust the app before ever logging in. Upon login, the authenticator app prompts the consumer for multi-factor authentication. Additional authentication options are available, such as with joint accounts. The consumer now has a private, encrypted connection with BigBank, Inc. to exchange private messages. Tech-savvy banks are already here, but more is required.

The consumer must use the proper equipment as well. Non-compromised (not jailbroken) devices with an internal Trusted Platform Module (TPM) chip run the app. In this scenario, tablets are not compatible. A third party, such as the mobile carrier, cannot verify devices without a number or device certificate. Further protection separately encrypts the memory and drive space used by the app on the mobile phone to protect against theft and brute-force attacks. This assures BigBank, Inc. that it is not communicating with a compromised consumer device.

Without this technology, banks and consumers have no means of authenticating one another. The consumer cannot verify a phone call, text, or email supposedly from the bank. The bank only has account numbers and passphrases to confirm the consumer. Who are they really communicating with?

A secure app provides assurance of identity, encrypts channels of communication, and becomes a springboard for interaction. If BigBank, Inc. wants a consumer to know of a low balance situation, for example, the app notifies the user of a new message. Connecting into the app, the consumer can read the message securely. If the consumer wishes to speak with a bank representative, the app starts the communication from the consumer’s phone to a dedicated member services representative. The call is an encrypted voice connection through the app or an actual phone call across the carrier network. The call is to the bank through the app, not from the bank, where possible impersonation can occur. BigBank, Inc. can honestly say they will NEVER call or email their customers regarding their account. Convenience must give way to security.

Of course, there are consumers who cannot or will not use a mobile app to communicate. Those use a central calling clearing house. The consumer calls a dedicated number for BigBank, Inc., and the clearing house uses STIR/SHAKEN to confirm the consumer’s identity. The connected call to BigBank, Inc. includes metadata of the consumer and instills confidence the person is at least calling from a device/number owned by the consumer. The clearing house would also prompt callers to use the mobile app for more secure service. And, of course, there is always snail mail. Banks cannot penalize consumers for not using technology, only urge them toward its benefits.
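The attestation levels described earlier and the clearing-house check in this paragraph, as an added Python example that is not part of the original article: it parses a SHAKEN PASSporT (the signed JWT carried in the SIP Identity header), maps the attest claim to the A/B/C levels, and accepts the caller only when a fresh, level A PASSporT names the number the consumer registered with BigBank, Inc. The token, telephone numbers, origid and x5u URL are constructed samples, and signature verification against the STI certificate is assumed to happen in a separate step this offline example does not perform.

```python
import base64
import json
# SHAKEN attestation levels (RFC 8588) as the article describes them.
ATTESTATION = {
    "A": "full: caller authenticated, number ownership verified",
    "B": "partial: caller authenticated, number ownership not verified",
    "C": "gateway: call entered the network through a gateway",
}

def _b64url_decode(part):
    # Restore the '=' padding that JWT segments strip.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def parse_passport(token):
    """Split a SHAKEN PASSporT into header and payload and check its claims.
    Checking the ES256 signature against header['x5u'] is not done here."""
    header_b64, payload_b64, _signature = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("typ") != "passport" or header.get("ppt") != "shaken":
        raise ValueError("not a SHAKEN PASSporT")
    for claim in ("attest", "orig", "dest", "iat", "origid"):
        if claim not in payload:
            raise ValueError("missing claim: " + claim)
    if payload["attest"] not in ATTESTATION:
        raise ValueError("unknown attestation level")
    return header, payload

def confirm_caller(token, registered_tn, now, max_age=60):
    """Clearing-house rule: accept only a fresh PASSporT with level A
    attestation for the number the consumer registered with the bank."""
    _header, payload = parse_passport(token)
    level = payload["attest"]
    if now - payload["iat"] > max_age:
        return False, "rejected: stale PASSporT"
    if level != "A":
        return False, "rejected: attestation " + level + " is " + ATTESTATION[level]
    if payload["orig"].get("tn") != registered_tn:
        return False, "rejected: attested number is not the registered number"
    return True, "accepted: attestation A for " + registered_tn

def make_sample_passport(attest, orig_tn, iat):
    # Constructed sample for demonstration only; the signature is a placeholder.
    enc = lambda o: base64.urlsafe_b64encode(
        json.dumps(o, separators=(",", ":")).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://example.invalid/sti-cert.pem"}
    payload = {"attest": attest, "iat": iat, "origid": "constructed-origid",
               "orig": {"tn": orig_tn}, "dest": {"tn": ["12025550100"]}}
    return ".".join([enc(header), enc(payload), "placeholder-signature"])
```

A level B or C PASSporT, a stale one, or one attesting a different number is rejected with the reason, which is what the clearing house can use to route the caller toward the app or a higher-assurance channel.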

Finally, corporations need ownership interest. This comes from requiring corporations, especially financial institutions, to take responsibility for failures in communication that lead directly to fraud. Today, banks are quick to raise their hands and shrug, saying fraud is a consumer or regulation issue, not a corporate oversight. This, not fraud or breaches or technology failures, is the primary reason consumer trust is virtually non-existent.

A personal approach where consumers, governments, corporations, and organizations are mutually accountable and mutually assured of identity is required. A single technically competent and trusted competitor could disrupt banking profits globally with this secure solution. Corporations must take responsibility for policy failures. Can we hold Microsoft accountable for phishing attempts bearing their name through their Office 365 servers or in Outlook to gain their attention? We should try. Will foreign countries punish their phony IRS agents even when we provide their exact locations? They haven’t yet. We are still waiting for Nigeria to locate and extradite their phony prince. The onus is on us to require consumer privacy and protect ourselves.
