Do remote critical checks offer a way in for bad actors?

“Wait a second, I’ll send it to you.”

If you were looking for a phrase to sum up the last decade or so, this one would have to be up there.

The more that our phones have become a kind of appendage at the tips of our fingers, the more skilled we’ve become at instant, spontaneous sharing.

So much so, in fact, that businesses have begun to take advantage of this skill. Some of their processes that used to take hours now take minutes. Think about opening a bank account, for example. It used to involve hours of queuing, filling out forms, waiting, and then a lengthy conversation with the bank manager.

Now, all you need is the camera on your phone and your ID to hand. You can get verified and approved for a bank account from the comfort of your home.

But is there a danger lurking behind this modern way of sharing your details?

Are we offering bad actors a route to our sensitive information that didn’t exist before?

Know your customer checks

Remote critical checks are often referred to as “know your customer” (KYC) checks. They exist so that companies can check that the person they’re entering into an agreement with is who they claim to be.

As we’ll explore, remote checks without robust security can lead to opportunities for hackers. But the reason for having them in the first place was to avoid fraudulent activity. To stop bad actors from illegally profiting from a business relationship.

And for banks, these checks aren’t a nice-to-have. They’re essential. Not carrying them out can lead to significant penalties. In Europe, the AMLD5 legislation came into force earlier this year. AMLD stands for Anti-Money Laundering Directive. It requires that banks carry out even stricter due diligence than they did before.

These days, a lot of these checks are done remotely. That might look like a particularly smart move in the age of COVID-19, but it was already a trend before the virus arrived.

If you’ve tried to open a bank account with a mobile bank like Starling or Revolut, you’ll have experienced it yourself. You use the bank’s app to take a photo of your passport or other ID, you fill in your personal details, and then you wait for an email confirming approval.

But the nature of these banks being 100% digital means they’re well-versed in this remote KYC check process. What’s more, they know their reputation relies on customers trusting them to look after their money. So they tend to protect their app as if it were Fort Knox.

The problem is that others are carrying out remote critical checks, too. Not only more traditional banks, but even real estate companies and government departments. And they don’t all use the same level of robust security that mobile banks do.

How bad actors can exploit KYC checks

There’s no problem with companies asking customers to supply sensitive information via a well-secured app. But some businesses ask customers to send photos of their ID via email. And email isn’t always a secure communication channel.

Bad actors can hijack this line of communication. They can intercept messages from customers and steal the valuable attachments within them for use in future attacks. This is called a man-in-the-middle attack.

Often, when customers do send this information to a bank, it isn’t actually the bank that verifies they are who they say they are. Rather it’s a verification body that owns the KYC technology.

A bad actor who carries out a man-in-the-middle attack could use their own malicious server to communicate with the customer. They could pretend to be somebody from this verification body. And they could claim that they need even more information from the customer.

This request could come in the form of a phishing email. Social engineering has been on the rise in the last few months, partly to profit from the general anxiety around coronavirus. After all, there’s a danger that people might be even more prone to trusting seemingly authoritative emails in the current climate.

And hackers know it.

They could send an email with a link to download a bogus version of the app that they’ve re-engineered. Then they could instruct unsuspecting customers to upload their personal details and a photo of their passport from that app.

There are also root and emulator attacks, where a hacker can force a device’s geolocation. They can also fake user and device information, such as a fingerprint.

All of these risks show us why companies mustn’t see only the time and cost savings of doing these checks remotely. Their reputation relies on them first making sure that they can protect the process.

As we’ve said before, the balance between speed and security is a delicate one. But if you have to go one way or the other, always choose security first.

Protecting the modern, sensitive application

So, mobile banks are well placed to defend against hackers because their business is their app. They don’t have physical stores where they can build up a rapport. Their success and their reputation rely on them keeping their customers’ money and personal details safe.

That means they know that their app has to protect against static and dynamic analysis. They understand that they have to block tampering and man-in-the-middle attacks.

Other companies that carry out remote critical checks have to recognise this, too. But even this level of security isn’t enough for the modern, sensitive application.

You need to make use of a full stack of technologies. As well as in-app protection, it’s worth investing in upper levels of protection. This includes fraud monitoring and prevention, and biometric and behavioral analysis.

With these in place, you can get back to profiting from our very 21st century skill of sharing via a few swipes of our smartphone screens.