Amidst the rise in social engineering and other cyber threats, several commercial banks have implemented new procedures and tools to limit the risk posed to customers in the rapidly evolving digital age.
The latest commercial bank to enact a change is JN Bank Limited, which will require personal customers as of November 4 to log in to the online banking platform JN Live and verify themselves with two-factor authentication (2FA) using the Google Authenticator app. Currently, users select a security image and answer a security question to log in to the platform, and enter a transaction password for certain transactions. This will no longer be the case once the changeover takes place.
The 2FA will be required when adding transfer recipients, transferring funds to other bank accounts, making wire transfers, topping up mobile phones and setting up new bill payments. As a result, JN Bank has reminded customers that they need to ensure that the mobile number on file is up to date.
2FA usually involves a one-time passcode (OTP) or other forms of evidence, such as biometrics, supplied through an authentication mechanism to verify a user before a login or transaction is authorised.
National Commercial Bank Jamaica Limited (NCBJ) introduced 2FA in June 2017, using either a 'hard' RSA token on a physical device or a 'soft' token via a mobile application. First Global Bank Limited (FGB) introduced 2FA methods in March 2010, which were further enhanced by a 'soft' token with the Entrust Identity Guard app.
Other commercial banks have solutions such as requiring users to input an OTP received via e-mail, or to use biometrics on their mobile device, to verify a device which hasn't been saved as 'trusted'. Certain transactions above a specific amount also require the use of security questions, PINs and OTP codes as a means to limit loss for customers.
While these measures work to protect customers from cyber threats, the rise of phishing and smishing pushed NCBJ to take the extreme measure of temporarily suspending SMS transaction alerts on October 13. Both practices involve an external party sending e-mail and text messages that purport to come from the actual institution or a person of trust, deceiving recipients into clicking a link or providing sensitive information which can be used to negatively impact their personal lives.
NCBJ has always maintained a 'no link' policy for e-mail and text messages, but some clients have fallen victim to the deception and been left in a compromised financial state. NCBJ's policy also extends to not requesting personal or financial information like passwords, PINs or CVV (card verification value) via text messages, e-mail or telephone calls.
"In keeping with global trends since the COVID-19 pandemic, financial institutions have seen an increase in cyber-attacks via phishing, smishing, vishing, BIN/Brute Force attacks, website spoofing and other social engineering scams. However, we have been able to thwart numerous attempts and avert what could otherwise be significant losses. Notwithstanding, we are committed in our efforts to continue being alert to these cybersecurity attacks and to continue to review and revise our strategies to ensure they are effective," said NCBJ's Head of Fraud Prevention Dane Nicholson in a recent e-mail.
BINs, or bank identification numbers, are the first six digits on a debit or credit card. BIN attacks involve software trying thousands of combinations to guess the full card number and other details needed to carry out a card transaction. Once the transaction has failed, customers receive a declined transaction alert via text or e-mail.
Back in May, customers of JMMB Bank (Jamaica) Limited and FGB received declined transaction alerts despite not placing any transactions. Both banks sent out communication to clients about the alerts and how their systems worked well to block the attempts and reminded them that multiple security measures are in place to protect customers.
Since then, FGB rolled out the CVVKEY app on July 27, which provides temporary CVV numbers for online transactions and replaces the static numbers on the back of cards. The CVV number is a crucial code needed to execute transactions.
"The app is incredibly easy to use; you simply download it and when prompted, open the app to access a temporary CVV code for online purchases. This streamlined process enhances the customer experience while fortifying our already robust security protocols. We are thrilled about this innovation because it encapsulates what First Global Bank stands for - being ahead of the curve, not just following it," said FGB's Head of E-Payments Jermaine Blissett in an advertisement.
Banks have also made the shift to not requiring card readers to access ATMs (automated teller machines), with users simply pressing a button instead. Even FirstCaribbean International Bank (Jamaica) Limited has introduced a contactless recognition tool at some branch ATMs which will allow users to 'tap' their card next to the device for the door to open.
The posture towards risk in the financial sector has been further heightened following the events at Stocks and Securities Limited. Different securities dealers have upgraded their systems to ensure customers are made aware of any transaction or cash movement, and have made further changes to how they handle requests via e-mail.
"During 2022, the financial sector increased its use of technology to cater to changes in customer needs. However, the expanded use of technology for financial services has heightened the risk of cybercrimes and fraud both in the local and global economies. Going forward, the bank and local DTIs must be proactive in safeguarding the integrity of digital assets and customer information by adapting new regulations to maintain industry standards of best practice," said the Bank of Jamaica's 2022 annual report.