Cybersecurity in the Digital Onboarding Process

Author: Alen Beganovic, CISA, CISM, CGEIT, CDPSE
Date Published: 22 February 2021

Acquiring new clients using a digital channel such as a mobile application rather than requiring a physical presence is a process referred to as digital onboarding. A key benefit of digital onboarding compared to traditional face-to-face onboarding is an increased ability to acquire new clients, offer additional services and reduce processing time with lower costs. Digital onboarding can be fully automated or supervised by a trained registration officer.

Cybersecurity Controls in the Digital Onboarding Process

Despite its many benefits, digital onboarding may introduce threats such as deep fakes, morphed pictures, fake documents, phishing or man-in-the-middle (MITM) attacks. There is more risk in fully automated digital onboarding, but it can be mitigated if cybersecurity controls are implemented throughout the onboarding process. The cybersecurity controls examined here are related to mobile applications.

The following are key steps in the digital onboarding process:1

  • Attribute and evidence collection—A secure mobile application is mandatory to enable secure attribute and evidence collection. The essential cybersecurity controls include:
    • End-to-end encryption to ensure integrity and confidentiality
    • Cryptographic security in compliance with industry security standards
    • Static mobile application protection (e.g., encryption, obfuscation) and file integrity checks for application code
    • Encrypted locally stored data
    • Personal identification number (PIN) protection (i.e., PIN entry uses a dynamic [randomized] keyboard layout, and the PIN is not stored on the mobile device)
    • Regular application penetration testing

Best practice dictates that the mobile application should guide clients during document scanning to ensure acceptable scanning quality.

  • Attribute and evidence validation—After the identification document (e.g., passport or ID card) is scanned, the mobile application must validate:
    • Visual security characteristics of ID card
    • Changes to ID card (e.g., replaced photo)
    • Serial number
    • Validity date
    • Standard validity time for that type of ID card
    • Orthography of numbers and codes that are standard for that type of document (optional)

Additionally, the document should be verified against reference databases to ensure that the presented ID has not been stolen or reported as missing. To reduce the likelihood of fraud, the application should give the client detailed instructions for taking a high-quality photo.
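The validation steps listed above can be expressed as a small rule set that runs against every scanned document. The following Python is an added example, not code from the article or from any onboarding product: the per-type serial formats, validity periods, reported-document set and sample scans are constructed for illustration, and the MRZ check shows one concrete instance of the "codes that are standard for that type of document" rule, using the ICAO 9303 check-digit algorithm (weights 7, 3, 1; letters valued 10 to 35; `<` valued 0) on the ICAO specimen document number.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed policy per document type: serial-number format and the standard
# validity period for that type. Real formats and periods are issuer specific.
DOCUMENT_POLICY = {
    "passport": {"serial": re.compile(r"[A-Z0-9]{9}"), "max_validity_years": 10},
    "id_card": {"serial": re.compile(r"[0-9]{9}"), "max_validity_years": 5},
}

# Constructed stand-in for the reference database of stolen or missing documents.
REPORTED_DOCUMENTS: Set[str] = {"123456789"}


@dataclass
class ScannedDocument:
    doc_type: str
    serial: str
    issued: date
    expires: date
    # Document-number field of the machine-readable zone (number plus its check
    # digit) when the document has one; None for documents without an MRZ.
    mrz_number_field: Optional[str] = None


def icao_check_digit(field: str) -> int:
    """ICAO 9303 check digit: digits count as their value, A-Z as 10-35 and
    '<' as 0; weights 7, 3, 1 repeat; the result is the weighted sum modulo 10."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif ch == "<":
            value = 0
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return total % 10


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, mapping 29 February onto 28 February if needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def validate_document(doc: ScannedDocument, today: date,
                      policy=DOCUMENT_POLICY, reported=REPORTED_DOCUMENTS) -> List[str]:
    """Return the validation failures for a scanned document (empty means it passed)."""
    rules = policy.get(doc.doc_type)
    if rules is None:
        return ["unknown document type"]
    findings: List[str] = []
    if not rules["serial"].fullmatch(doc.serial):
        findings.append("serial number format invalid")
    if doc.issued > today:
        findings.append("issue date in the future")
    if doc.expires <= today:
        findings.append("document expired")
    # Standard validity time: the printed period must not exceed what the
    # issuer grants for this document type (a forged expiry date often does).
    if doc.expires > add_years(doc.issued, rules["max_validity_years"]):
        findings.append("validity period exceeds standard for document type")
    # Codes standard for the document type: the MRZ number carries its own check digit.
    if doc.mrz_number_field is not None:
        number, check = doc.mrz_number_field[:-1], doc.mrz_number_field[-1:]
        if not check.isdigit() or icao_check_digit(number) != int(check):
            findings.append("MRZ document-number check digit invalid")
        elif number.rstrip("<") != doc.serial:
            findings.append("MRZ document number does not match printed serial")
    # Reference-database lookup for stolen or missing documents.
    if doc.serial in reported:
        findings.append("document reported stolen or missing")
    return findings


# Constructed sample scans; "today" is fixed so the results are reproducible.
TODAY = date(2021, 2, 22)
SAMPLE_SCANS = {
    "valid_passport": ScannedDocument("passport", "L898902C3", date(2014, 4, 15),
                                      date(2024, 4, 14), "L898902C36"),
    "mrz_tampered": ScannedDocument("passport", "L898902C3", date(2014, 4, 15),
                                    date(2024, 4, 14), "L898902C35"),
    "stale_reported_id": ScannedDocument("id_card", "123456789", date(2010, 1, 1),
                                         date(2021, 1, 1)),
}


def run_samples(today: date = TODAY):
    return {name: validate_document(doc, today) for name, doc in SAMPLE_SCANS.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'OK'}")
```

Each rule returns a named finding rather than a bare boolean so that the onboarding flow can log why a document was rejected and, for a fully automated channel, decide whether to stop and hand the client over to a supervised process. The visual security characteristics and photo-replacement checks from the list above need image analysis and are not modelled here.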

  • Binding with the client—There are 2 key components of binding with the individual: face descriptions and face comparisons. Examples of face descriptions are:
    • Face geometry (e.g., eyes, nose, mouth)
    • Age
    • Sex
    • Three dimensional (3D) head pose
    • Facial hair
    • Laughter intensity

The output of face description is a face descriptor: the set of attributes assigned to a given client. Face comparison compares face descriptors obtained from at least 2 sources (e.g., the ID photo and a personal photo). An acceptable face comparison agrees on at least 3 of the above attributes.

Liveness Detection as an Attack Deterrent

Machine liveness detection is mandatory. For supervised digital onboarding, human liveness detection is available as an optional feature. Examples of methods of liveness detection include:

  • Laughing, blinking or touching nose
  • Zooming in or out
  • Different colors
  • 3D face shape
  • Optical flow algorithms (detect conversion from 2D to 3D)

Using a combination of the above methods for liveness detection creates an additional barrier to deter potential attackers. This can be achieved by a trained registration officer or a mobile application.

Antifraud Measures for Digital Onboarding

Antifraud measures are important, even more so when digital onboarding is fully automated. Because a client going through digital onboarding is being observed for the first time, there are no historical data collected on that customer, so security practitioners must rely on global threat intelligence instead.

Figure 1—Examples of Antifraud Indicators

There is no 100% accurate antifraud indicator. Using multiple indicators provides more accurate fraud detection. If suspicious behavior is detected during any phase of onboarding, it is advisable to stop fully automated processes and redirect the client to another onboarding process.

Figure 2—Digital Onboarding With Trained Registration Officer vs. Fully Automated Onboarding

Fully automated digital onboarding faces more threats than supervised digital onboarding. According to the US National Institute of Standards and Technology (NIST) Digital Identity Guidelines, fully automated digital onboarding can be qualified for Identity Assurance Level 2 and supervised for Level 3.2

The advantages of fully automated digital onboarding include:

  • Avoidance of poor user experience (e.g., queuing and waiting) because the maximum number of concurrent customers in supervised digital onboarding is equal to the number of trained registration officers
  • Lower cost because there is no cost associated with trained registration officers

Despite the increasing adoption of fully automated digital onboarding, regulations continue to lag behind implementation. As a result, fully automated digital onboarding is not in compliance with regulations such as the current EU regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing at this time.3

Conclusion

Digital onboarding is no longer a concept of the future—it is happening now. Though fully automated digital onboarding initially poses more risk than supervised digital onboarding, risk can be significantly reduced with the implementation of cybersecurity controls. In the future, more innovative implementation of fully automated digital onboarding processes from a risk-reducing perspective can be expected.

Endnotes

1 European Commission, Study on eID and Digital On-Boarding: Mapping and Analysis of Existing On-Boarding Bank Practices Across the EU, Belgium, 2018
2 National Institute of Standards and Technology, Special Publication (SP) 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing, USA, June 2017
3 European Parliament, Directive (EU) 2018/843 of the European Parliament and of the Council Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU, Official Journal of the European Union, May 2018

Alen Beganovic, CISA, CISM, CGEIT, CDPSE

Is a security consultant with more than 20 years of IT and security experience. Beganovic is director and founder of Ethernaut Information Technologies, an IT organization that offers cybersecurity, security risk management and security compliance services. Prior to his current role, he spent 12 years as the chief security officer (CSO) for the largest bank in Croatia.