Entrust 2024 Predictions: Banking and Payments

Attributed to: Jenn Markey and Andy Cease, Entrust

We are entering a new age of AI phishing

“In Australia throughout 2023 there has been approximately 99,736 reports of phishing scams, amounting to $25,219,813 lost by victims to date. It’s not new or sensationalist, good old-fashioned phishing is still the best way to steal account credentials. We expect that to continue to grow, not just in terms of scale, but also in terms of effectiveness. AI-enabled phishing will vastly outperform human phishing as generative AI systems improve. We also expect to see more effective form stuffing of knowledge-based authentication, increased use of synthetic identities, and proliferation of deep fakes going forward. Deep fakes are becoming more sophisticated and services to create sophisticated deep fakes are rife on the dark web. According to AustCyber phishing scams remain one of the most common cyber security threats in Australia. These scams typically involve criminals sending out emails that appear to be from legitimate organisations, such as banks or government agencies, in an attempt to trick people into giving away personal information or money.

AI will become a banking double-edged sword

“AI is a double-edged sword for the financial industry. On the positive side, it presents opportunities to improve customer experience and reduce costs. For instance, chatbots for customer service and streamlining account opening can help smaller players compete with established institutions. We’ve seen this rollout with key banks in Australia, such as ANZ’s new chatbot powered by generative-AI called Z-GPT In this way, AI can have a democratising effect similar to past technological shifts like the internet and personal computing.”

“The flip side is that AI intensifies the arms race with hackers and criminals. Bad actors can leverage deep fakes and synthetic identities to impersonate people and bypass verification checks to open fraudulent accounts or break into existing ones. The sophistication of AI means average hackers can now execute attacks once only possible for highly skilled cyber criminals. The scalability of AI also expands the number of potential targets. The Reserve Bank of Australia has recently warned that cyber security, cloud and AI are creating operational risks for the financial sector with potential “systemic implications” should things go wrong.”

Post-quantum cryptography is not a top priority today, but banks shouldn’t be complacent

“Post-quantum cryptography is not yet a top priority for most banks, despite it already being planned for by the Australian government.  For CISOs, more immediate issues like AI, biometrics, customer adoption and fraud take precedence currently. However, long data retention mandates in banking mean “harvest now, decrypt later” quantum attacks could expose records en masse when the quantum era begins in earnest. Banks should already be upgrading cryptography to post-quantum standards, even if quantum computing isn’t quite yet a reality. For banks, threats like synthetic identity theft feel more tangible in the short term. Post-quantum seems abstract, like the early warnings about climate change decades ago. But quantum computing will manifest itself eventually, and the failure to prepare will be felt for the next 20-30 years, perhaps longer. If Australia wants to continue its reputation as a secure haven for financial institutions, banks need to act now before it’s too late.”

Open banking – it’s the wild East, for now…

“According to a recent report, the number of Australian businesses registered to use Open Banking data has nearly doubled in the past 12 months. Despite this, 55 percent of Australians are not familiar with the concept, though the same report also suggests that consumers are keen to obtain many of the convenient features inherent in the technology. Banks are ambivalent because open banking can potentially threaten direct customer relationships. Consumers want convenience, but the industry doesn’t want any disintermediation. This friction is set to continue over the next 18 months as banks try to strike the right balance.”

“In the meantime, banks must adapt their identity and security frameworks to handle open APIs and new third-party fintech partnerships. Banks usually aim to consolidate vendors, but open Application Programming Interfaces (APIs) introduce many new access points and players. We’ll likely see growing pains as convenience increases but so does complexity. The technology infrastructure needs time to properly secure expanded data sharing. For now, it’s the Wild East until more comprehensive regulations emerge.

“In the long run, open banking can enable secure financial ecosystems where consumers control their data. Banks must collaborate with regulators and fintechs to ensure privacy and transparency. The potential benefits of open banking are huge – it’s inevitable, so proactive partnerships will smooth the transition.”

Removing tech complexity will protect banks from bad actors

“For banks, the ‘tech stack’ is becoming increasingly complex in terms of the number of providers they use. Financial institutions have to integrate many different providers into their ecosystems, making the experience stilted and maintenance cumbersome. Fragmentation breeds risk: there is also more chance of attack if you’re working within an intricate environment of different providers. By decreasing fragmentation, banks can add another layer of protection from bad actors. This will not only make the data easier to observe, monitor and manage but also make experiences more frictionless for consumers. We expect this movement towards a more unified, common platform for delivering digital banking experiences to continue next year. Vendor consolidation is the best way to do this. It saves costs and also helps CISOs know who they’re using, what we’re using them for, and how various systems talk to one another.”

Biometrics will balance security and convenience

“Advancements in biometrics, smartphones, and document recognition have been game-changers for balancing security and convenience. In Australia, such verification methods have already become the norm, with most banks and financial institutes incorporating them—such as Bendigo Bank’s initiative to include biometrics for online banking to enhance customer experience and improve security. More and more, banks will be able to build filters that make it harder for bad actors while easier for customers. It’s important to have the latest and best technology possible to ensure that hurdles aren’t the same height for customers and bad actors. For instance, bots armed with artificial intelligence (AI) can breeze through knowledge questions and form fills. However, biometric tech makes it simple for real people to snap ID photos but extremely tough for bots. With the right innovations, complexity can be removed for consumers while scrutinising bad actors more effectively. The ideal system has just enough friction to deter fraud without frustrating users. By leveraging cutting-edge solutions, banks can eliminate hassles while enhancing security.”

“One of the best practices for protecting online and mobile banking platforms in 2024 would be using AI to support and expedite the identity and biometric verification process to prevent fraudulent account opening from the outset. In a survey we recently conducted, we found that 63% of respondents are comfortable with artificial intelligence (AI) helping their bank detect fraud. But digital transformation is not binary – we’re not certain how aggressively banks will adopt AI and biometrics. Nevertheless, it’s the most effective way to secure the experience further, and also simplify the experience. With bad actors becoming more nefarious, this process can be extended to authenticate high-value transactions, such as discharging a mortgage.

This will help consumers to feel more secure in their digital transactions.”