
How BBVA differentiated its digital bank in Mexico with next-generation security technology

Although cybersecurity has always been an area of the highest priority for financial institutions, BBVA sees this responsibility as an opportunity to differentiate itself. During the COVID pandemic, the importance of cybersecurity has only increased: The arrival of new users, unaccustomed to digital channels, has drawn the attention of cybercriminals poised to exploit any weaknesses.

Recognizing that its reputation as a leading digital bank depends on its ability to keep its clients’ accounts secure, BBVA teamed up with its trusted cybersecurity partner, OneSpan, with whom they have been highly successful in using state-of-the-art technology to keep their corporate clients safe from attackers. In this interview, we speak with Omar Bolaños, Vice President of Cash Management at CIB BBVA México and Roberto López Castillo, Regional Sales Manager at OneSpan, on social engineering and how BBVA adapted to the new, high-stakes challenges of cybersecurity.

 

Omar Bolaños, Vice President of Cash Management at CIB BBVA México

 

How has BBVA used technology to differentiate itself from the other e-banking competitors in Mexico?

As a bank, we strive to set ourselves apart not only as a digital bank, but also as a safe bank. Among the main differences we have is that we use tokens that encrypt both the devices used by our corporate clients as well as their unique transactions. Our devices are easy to use, mobile and practical.

The tokenization that I mentioned earlier, coupled with the segregation of functions, supported by the profile configuration that the treasurer or bank administrator provides, puts our e-banking capabilities on another level.

 

What were the main drivers to migrate to your next-generation tokens?

A very important part was our drive to keep innovating and to keep investing in next-generation technology. A second very important component is that the function we launched is very attractive: Because “What you see is what you sign”, you have interaction and validation while the client compares what they see on their e-banking platform and on the device.

Added to the maker-checker that already exists within corporate processes, this allows you to really see what is happening, which protects customers even more, giving them a feeling of that extra protection.

 

Technology migration normally means there will be a learning curve for corporate customers. How did you face this challenge?

Corporate banking has very robust security processes, needs, and policies. Despite this, the process we implemented was very straightforward. We explained that these state-of-the-art devices are a very robust mobile solution, easy to install and configure, and that it not only tokenizes your transactions but also protects your devices. With these talks, the truth is that it was quite simple.

 

Roberto López Castillo, Regional Sales Manager, OneSpan

 

What are the most common forms of social engineering?

To mention a few, there is phishing, in which we are taken (usually via email) to a fake site where they ask for our passwords. A variant of this is spear phishing, in which the attack is made for us or for a specific group of people who meet a certain profile. Perhaps they already have information, such as some personal information that we have published on social networks. There is also vishing, which is done through telephone calls in which they give us excellent attention and ask us to complete information they already have about us. There is also pretexting, baiting, tailgating, and the quid pro quo.

If we fall victim to these attacks, we will see in our account a series of operations that are authenticated – since they have the correct profiles, information, and passwords – yet fraudulent, because we will not be performing them ourselves.

 

What are the main elements that we should take into consideration in protecting ourselves against these types of attacks?

Typically, when a user loses their credentials through social engineering, they have no context for the operation, that is, they do not know when or where their passwords are being used, and first-generation authentication mechanisms afford institutions little to no control.

Therefore, we need to incorporate three elements. The first is to mitigate all those accesses made in our name without us being there, which is known as account takeover.

The second element is to have a trusted device that serves, both for institutions and the user, as one more security point (without sacrificing user experience).

Finally, the third element is to associate information, that is, to give the user the opportunity to confirm a second time during the authentication process. For example, to verify the amounts, the recipient account, or the transaction time. This gives the user a context for the operation.
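The third element above, tying the confirmation to the amount, recipient account and transaction time, can be illustrated with a keyed code computed over those fields on the trusted device. This is an added example, not part of the interview and not BBVA's or OneSpan's implementation; the key, field names, sample transfer and 120-second window are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo secret; assumed to be provisioned to the trusted device at enrolment.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SIGNED_FIELDS = ("amount", "currency", "recipient", "timestamp")  # hypothetical names


def canonical(tx: dict) -> bytes:
    """Serialise exactly the fields the user confirms, in one fixed form."""
    return json.dumps({k: tx[k] for k in SIGNED_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def device_sign(key: bytes, tx: dict) -> str:
    """Device side: after the user reviews the details, derive an 8-digit code."""
    digest = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify(key: bytes, tx: dict, code: str, now: int, max_age: int = 120) -> bool:
    """Bank side: accept only a fresh code computed over this exact transaction."""
    if not 0 <= now - tx["timestamp"] <= max_age:
        return False
    return hmac.compare_digest(device_sign(key, tx), code)


def demo() -> dict:
    # Constructed sample transfer, as shown to the user on the device.
    tx = {"amount": "15000.00", "currency": "MXN",
          "recipient": "ACCT-0001", "timestamp": 1_700_000_000}
    code = device_sign(DEVICE_KEY, tx)
    redirected = dict(tx, recipient="ACCT-9999")  # same code, different payee
    return {
        "approved": bank_verify(DEVICE_KEY, tx, code, now=tx["timestamp"] + 30),
        "redirected": bank_verify(DEVICE_KEY, redirected, code, now=tx["timestamp"] + 30),
        "stale": bank_verify(DEVICE_KEY, tx, code, now=tx["timestamp"] + 600),
    }


if __name__ == "__main__":
    print(demo())
```

Because the code is derived from the transaction details, a code obtained for one transfer does not validate a transfer to a different account or one submitted outside the time window.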

 

To learn more about the challenges of social engineering, download this ebook: Social Engineering Attacks on Banking Transactions.
