Do remote critical checks offer a way in for bad actors?

“Wait a second, I’ll send it to you.”

If you were looking for a phrase to sum up the last decade or so, this one would have to be right up there.

The more our phones have become semi-appendages at the tips of our fingers, the more skilled we’ve become at instant, spontaneous sharing.

So much so, in fact, that businesses have begun to take advantage of this newfound skill. Some of their processes that used to take hours now take minutes. Think about opening a bank account, for example. It used to involve hours of queuing, filling out forms, waiting, and then a lengthy conversation with the bank manager.

Now, all you need is the camera on your phone and your ID to hand. You can get verified and approved for a bank account from the comfort of your home.

But is there a danger lurking behind this modern way of sharing your details?

Are we offering bad actors a route to our sensitive information that didn’t exist before?

KYC checks

Remote critical checks are often also referred to as “know your customer” (KYC) checks. They exist so that companies can confirm that the customer they’re entering into an agreement with is who the company thinks they are.

As we’ll explore, remote critical checks without robust security can lead to opportunities for hackers. But the reason for having them in the first place was to avoid fraudulent activity. To stop bad actors from illegally profiting from a business relationship.

And for banks, these checks aren’t a nice-to-have. They’re essential. Not carrying them out can lead to significant penalties. In Europe, the AMLD5 legislation came into force earlier this year. AMLD stands for Anti-Money Laundering Directive. It requires that banks carry out even stricter due diligence than they did before.

These days, a lot of these checks are done remotely. That might sound like a particularly smart move in the age of COVID-19, but it was actually already a trend before the virus arrived.

If you’ve tried to open a bank account with a mobile bank like Starling or Revolut, you’ll have experienced it yourself. You use the bank’s app to take a photo of your passport or other ID, fill in your personal details, and then wait for an email confirming approval.

But because these banks are 100% digital, they’re well-versed in this remote KYC check process. What’s more, they know their reputation relies on customers trusting them to look after their money. So they often - but not always - protect their app robustly.

The problem is that others are carrying out remote critical checks, too. Not only more traditional banks, but even real estate companies and government departments. And they don’t all use the same level of security that challenger mobile banks do.

How bad actors can exploit remote critical checks

There’s no problem with companies asking customers to supply sensitive information via a well-secured app. But some businesses ask customers to send photos of their ID via email. And email isn’t always a secure communication channel.

Bad actors can hijack this line of communication. They can intercept messages from customers and steal the valuable attachments within them for use in future attacks. This is called a man-in-the-middle attack.

Often, when customers do send this information to a bank, it isn’t actually the bank that verifies they are who they say they are. Rather it’s a verification body that owns the KYC technology.

A bad actor who carries out a man-in-the-middle attack might use their own malicious server to communicate with the customer. They could pretend to be somebody from this verification body. Then they could claim that they need even more information from the customer.

This type of fraudulent request tends to start out as a phishing email.

Social engineering has been on the rise in the last few months - partly to profit from the general anxiety around coronavirus.

After all, there’s a danger that people might be even more prone to trusting seemingly-authoritative emails or SMS messages in the current climate.

And hackers know it.

They could send a message with a link to download a fake app that they’ve re-engineered. They could then instruct unsuspecting customers to upload their personal details and a photo of their passport from that app.

There are also root and emulator attacks, where a hacker runs the app on a rooted device or in an emulator and can force the device’s geolocation. They can also fake user and device information, such as a fingerprint.

All of these risks show us why companies can’t look only at the time and cost savings of doing these checks remotely. Their reputation relies on them first making sure that they can protect the process.

As we’ve said before, the balance between speed and security is a delicate one. But if you have to go one way or the other, always choose security first.

Protecting the modern, sensitive application

So, mobile banks are well placed to defend against hackers because they realize that their business is their mobile app. They don’t have physical stores where they can build up a rapport.

Instead, their success and their reputation rely on them keeping their customers’ money and personal details safe.

That means they know that their app has to protect against static and dynamic analysis. They understand that they have to block tampering and man-in-the-middle attacks.

Other companies that carry out remote critical checks have to recognise this, too. But even this level of security isn’t enough for the modern, sensitive application.

You need to make use of a full stack of technologies. As well as in-app protection, it’s worth investing in upper levels of protection. This includes fraud monitoring and prevention, and biometric and behavioral analysis.

With these in place, you can get back to profiting from our very 21st century skill of sharing via a few swipes of our smartphone screens.