Although cybersecurity has always been an area of the highest priority for financial institutions, BBVA sees this responsibility as an opportunity to differentiate itself. During the COVID pandemic, the importance of cybersecurity has only increased: The arrival of new users, unaccustomed to digital channels, has drawn the attention of cybercriminals poised to exploit any weaknesses.
Recognizing that its reputation as a leading digital bank depends on its ability to keep its clients’ accounts secure, BBVA teamed up with its trusted cybersecurity partner, OneSpan, with whom it has been highly successful in using state-of-the-art technology to keep its corporate clients safe from attackers. In this interview, we speak with Omar Bolaños, Vice President of Cash Management at CIB BBVA México, and Roberto López Castillo, Regional Sales Manager at OneSpan, on social engineering and how BBVA adapted to the new, high-stakes challenges of cybersecurity.
Omar Bolaños, Vice President of Cash Management at CIB BBVA México
As a bank, we strive to set ourselves apart not only as a digital bank, but also as a safe bank. Among the main differences we have is that we use tokens that encrypt both the devices used by our corporate clients and their unique transactions. Our devices are easy to use, mobile and practical.
The tokenization that I mentioned earlier, coupled with the segregation of functions, supported by the profile configuration that the treasurer or bank administrator provides, puts our e-banking capabilities on another level.
A very important part was our drive to keep innovating and to keep investing in next-generation technology. A second very important component is that the function we launched is very attractive: Because “What you see is what you sign”, you have interaction and validation while the client compares what they see on their e-banking platform and on the device.
Added to the maker-checker that already exists within corporate processes, this allows you to really see what is happening, which protects customers even more, giving them a feeling of that extra protection.
Corporate banking has very robust security processes, needs, and policies. Despite this, the process we implemented was very straightforward. We explained that these state-of-the-art devices are a very robust mobile solution, easy to install and configure. Not only does it tokenize your transactions, but it also protects your devices. With these talks, the truth is that it was quite simple.
Roberto López Castillo, Regional Sales Manager, OneSpan
To mention a few, there is phishing, in which we are taken (usually via email) to a fake site where they ask for our passwords. A variant of this is spear phishing, in which the attack is made for us or for a specific group of people who meet a certain profile. Perhaps they already have information, such as some personal information that we have published on social networks. There is also vishing, which is done through telephone calls in which they give us excellent attention and ask us to complete information they already have about us. There is also pretexting, baiting, tailgating, and the quid pro quo.
If we fall victim to these attacks, we will see in our account a series of operations that are authenticated, since they have the correct profiles, information, and passwords, yet fraudulent, because we will not be performing them ourselves.
Typically, when a user loses their credentials through social engineering, they have no context for the operation, that is, they do not know when or where their passwords are being used, and first-generation authentication mechanisms afford institutions little to no control.
Therefore, we need to incorporate three elements. The first is to mitigate all those accesses made in our name without us being there, which is known as account takeover.
The second element is to have a trusted device that serves, both for institutions and the user, as one more security point (without sacrificing user experience).
Finally, the third element is to associate information, that is, to give the user the opportunity to confirm a second time during the authentication process. For example, to verify the amounts, the recipient account, or the transaction time. This gives the user a context for the operation.
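The following is an added example, written for this page and not code from BBVA or OneSpan nor a description of how their devices work. It shows the third element above, and the "What you see is what you sign" flow Omar describes, as a minimal transaction-signing protocol: the bank issues a one-time challenge, the trusted device shows the user the amount and recipient and only then computes an HMAC over exactly those fields plus the challenge, and the server recomputes the HMAC over the transaction it actually received. Stolen passwords give the attacker no device key, a recipient swapped by browser malware changes the signed bytes, and a captured signature cannot be replayed because the challenge is consumed. Everything here (the HMAC-SHA256 construction, the per-device key, the field set, the 120-second challenge lifetime, the device ID and the sample transaction) is an assumption made for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example: a real deployment provisions one key per device at
# enrollment; the key stays on the device and the bank keeps its own copy.
DEVICE_ID = "dev-001"                  # hypothetical device identifier
DEVICE_KEY = secrets.token_bytes(32)   # constructed key, regenerated on every run


def canonical(tx: dict, nonce: str) -> bytes:
    """Deterministic encoding of exactly the fields the user confirms on the device.
    Any field left out of here is NOT protected by the signature."""
    payload = {"amount": tx["amount"], "currency": tx["currency"],
               "to": tx["to"], "nonce": nonce}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def device_sign(key: bytes, tx: dict, nonce: str) -> str:
    """Trusted-device side: display amount, currency and recipient; only after the
    user approves what they see is the HMAC computed over those same values."""
    return hmac.new(key, canonical(tx, nonce), hashlib.sha256).hexdigest()


class BankServer:
    """Server side: issues single-use challenges and verifies signed transactions."""

    def __init__(self, device_keys: dict, max_age: float = 120.0):
        self.device_keys = device_keys   # device_id -> shared key
        self.max_age = max_age           # assumed challenge lifetime in seconds
        self.pending = {}                # nonce -> issue time; removed on first use

    def challenge(self, now: float) -> str:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = now
        return nonce

    def verify(self, device_id: str, tx: dict, nonce: str, signature: str, now: float):
        key = self.device_keys.get(device_id)
        if key is None:
            return False, "unknown device"
        issued = self.pending.get(nonce)
        if issued is None:
            return False, "unknown or already used challenge"
        if now - issued > self.max_age:
            del self.pending[nonce]
            return False, "challenge expired"
        expected = hmac.new(key, canonical(tx, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False, "signature does not match transaction"
        del self.pending[nonce]          # consume: the same signature cannot be replayed
        return True, "ok"


def demo() -> dict:
    """Run the flow once against constructed data and return each outcome."""
    server = BankServer({DEVICE_ID: DEVICE_KEY})
    tx = {"amount": "15000.00", "currency": "MXN", "to": "012345678901234567"}  # constructed
    nonce = server.challenge(now=1000.0)
    sig = device_sign(DEVICE_KEY, tx, nonce)   # the user saw and approved exactly tx

    results = {}
    # 1. Malware in the browser swaps the recipient after the user signed on the device.
    tampered = dict(tx, to="999999999999999999")
    results["tampered"] = server.verify(DEVICE_ID, tampered, nonce, sig, now=1010.0)
    # 2. The genuine submission is accepted; the challenge is still unused at this point.
    results["genuine"] = server.verify(DEVICE_ID, tx, nonce, sig, now=1010.0)
    # 3. Replaying the captured signature fails: the challenge was consumed in step 2.
    results["replay"] = server.verify(DEVICE_ID, tx, nonce, sig, now=1020.0)
    # 4. An attacker holding only phished credentials has no device key: forged signature.
    nonce2 = server.challenge(now=2000.0)
    forged = device_sign(secrets.token_bytes(32), tx, nonce2)
    results["no_device"] = server.verify(DEVICE_ID, tx, nonce2, forged, now=2010.0)
    # 5. A valid signature presented long after the challenge was issued is rejected.
    nonce3 = server.challenge(now=3000.0)
    sig3 = device_sign(DEVICE_KEY, tx, nonce3)
    results["stale"] = server.verify(DEVICE_ID, tx, nonce3, sig3, now=3500.0)
    return results
```

The design point is in `canonical()`: the server verifies the transaction it is about to execute, not the one the user was shown in the web page, so the two can only agree if the amount and recipient were not altered in between. Whatever is displayed on the device must be exactly the set of fields that goes into the signature; a field shown but not signed (or signed but not shown) reopens the gap that social engineering and browser malware exploit.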
To learn more about the challenges of social engineering, download this ebook: Social Engineering Attacks on Banking Transactions.