VASCO rebrands as OneSpan, makes acquisition, to support emerging mobile banking services

By Byron V. Acohido

Bank patrons in their 20s and 30s, who grew up blanketed with digital screens, have little interest in visiting a brick-and-mortar branch, nor interacting with a flesh-and-blood teller.

This truism is pushing banks into unchartered territory. They are scrambling to invent and deliver a fresh portfolio of mobile banking services that appeal to millennials.

Related articles: Hackers revamp tactics, target mobile wallets

This, of course, is a tall task. Convenience must be delicately balanced against security. Rising regulatory and anti-fraud requirements add to the difficulty factor. However, the economic opportunity is considerable. So banks are all in.

The recent series of strategic moves made by VASCO Data Security underscore this seismic shift in banking services. Chicago-based VASCO has been around since 1991 and has more than 600 employees.

VASCO long ago established itself as a leading supplier of authentication technology to 2,000 banks worldwide. Yet on one day last month the company:

•Changed its name to OneSpan

•Launched its new Trusted Identity platform

•Announced the $55 million acquisition of Dealflo, a U.K.-based supplier of automated identity verification and digital account onboarding technologies.

Just prior to this strategic repositioning, I met with Will LaSala, the company’s security evangelist, at RSA Conference 2018. We had a lively conversation about the advanced attacks threat actors are currently directing at banks.  And then we got down to discussing the high-bar banks must meet to maintain trustworthiness, while attempting to leverage mobile banking services.

For a full drill down on our discussion, please listen to the accompanying podcast.  Here are excerpts edited for clarity and length:

LW: VASCO’s been around a long while in the tech world.

LaSala: We’re the world’s largest vendor of hardware authentication. About 10 years ago, we moved into the mobile application space. Today, it’s all about mobile. Everybody’s using mobile apps and doing security within the apps.

LW: Can you walk us through how banks have arrived at focusing on mobile services?

LaSalla:  Back in the day it was hardware tokens for banks. Today it’s about doing mobile, and doing more in mobile. No one liked the use case where you typed in a password from a hardware dongle into your mobile application. It showed you couldn’t use that same hardware technology on a mobile platform.


So as they rolled out their financial apps, banks started to see that they needed to do more security around their mobile application. So it’s more about authenticating, not just the user, but authenticating their app on the device, and authenticating the device itself.

LW: Let’s come back to that. What are criminals up to?

LaSala: When mobile fraud first started, hackers tried to steal as many usernames and passwords as they could. Those were the first attacks. And then we started to see some of the advanced attacks move over from the desktop environment.

LW: Such as?

LaSala: Trojans and viruses.  And doing man-in-the-middle attacks to redirect money transfers or to prevent transactions from happening. But these advanced attacks took a lot of work to install, from the bad guys’ perspective.

So we’ve seen them move to, ‘How do I attack a whole bunch of people.’ What we’re seeing is they’re going in and taking a bank’s good application and wrapping a crypto currency mining app around it. Then they publish these apps on these third-party stores. The user downloads it, installs, it and uses it, as normal. Except now the phone is runs really, really slow.

LW: It’s the actual banking app, wrapped up with a crypto mining functionality on it?

LaSala:  Exactly right. It’s a cheap way to get money anonymously, from more platforms, really quickly.  It’s called, you know, repackaging. They can do a lot more worse things. But right now, crypto mining is where the money is.  And they can perpetrate that fraud across many, many devices really quickly. The mobile banking app is used as a delivery mechanism.

LW: Can you frame mobile attacks aimed at businesses?

LaSala:  Businesses tend to see more of that that traditional phishing style fraud, or the social engineering style of fraud, where people are being called and asked to go ahead click here and transfer this money and all of a sudden the money is gone.

There are all kinds of other types of fraud. And the reality is we have yet to build trust within the device on the mobile platform. This can be done by locking down how the application works, by making certain things like repackaging don’t happen. The user needs to trust that he or she is downloading the correct app, and that nobody else has tampered with it.

LW: The platform has to be trustworthy, or consumers won’t use it?

LaSala: So, really, building trust into the application and establishing trust of the environment leads to allowing you to do trusted services with the end user. That’s really what we’re getting to here is this whole trusted environment, trusted platform, where a bank can new banking services to all of its our clients out there, and the customers won’t have to worry about getting defrauded or getting attacked by mobile malware.

LW: Why do mobile apps still feel very sketchy to me?

LaSala: Right now, I think we’re on the tipping point. We have to implement some of these solutions and get some of these things stepped up. And the reality is that you’re right. You’re still getting the social engineering of someone sending a text message that you’ve never heard of.

Wrapping a bubble around the user is not going to fix the problem. We really have to start at securing the application and pushing the security profile onto the users.

LW: Is it mostly the banks or consumers’ burden?

LaSala: Good question. It’s a mixture of both. The younger generations are more apt to give away information and to leave doors open, and they don’t really want to use pins or passwords. So that means that it is on the financial institutions to make things more secure, and to add the technology into their platforms to make them trusted platforms that really work for the users.

But when malware gets on the phone or when something happens with the phone, it’s not the bank’s responsibility to get the malware off the phone. It’s the bank’s responsibility to stop the transaction, make certain you’re not defrauded, and then alert you and say, ‘Hey you know maybe you need to go and get your phone repaired, because there’s some anomalous activity going on.’

This goes back to the notion of a security profile, because if it’s happening to one application it’s probably happening to all of the apps on the phone.

LW: What will mobile banking services look like two years from now?

LaSala: Right now, the banks want to attract new users and they want you to use their applications. So the curve is on reducing end user complexity. At the same time banks want to give you more functionality, so that you can go out and do more.

Now if something is broken, the customer will want to be stopped before the fraud happens. They’ll appreciate being prompted for a fingerprint scan, or facial authentication because something bad was detected.

LW: So banks must balance cool functionality and trustworthiness?

LaSala: Exactly right. Make it simplistic for the user. Make it so the user keeps coming back. But also make certain that you’re maintaining that trust factor between you and the user and everything else that’s going on.

Editor’s note: Last Watchdog has provided consulting services to OneSpan.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone