Why Banks Should Prioritize Extended Validation (EV) TLS/SSL Certificates

Nothing creates immediate impact quite like a cautionary tale. Let’s start with the example of First American Financial Corporation and the data breach they disclosed in May 2019. Over 885 million sensitive records, with names, email addresses and other PII, were exposed through a common web application error: links to customer documents carried sequential record numbers, and the server never checked whether the person requesting a document was entitled to see it, so anyone who changed the number in the URL could read someone else’s files. That is an access-control (broken authorisation) flaw, not a weakness in the encryption of the connection. The business impact was severe, but the company also lost the most valuable currency it has with its customers – trust.

It’s easy to see why attackers treat the banking and financial services industry as a potential goldmine: it is, after all, a goldmine. Millions of online transactions occur daily, where money changes hands over digital channels. And if you believe data is a more precious resource than money, there’s plenty of that going around too, with sensitive PII constantly in motion. It’s telling that finance was the most breached industry in 2023, with over 64% of financial institutions reporting a cyber-attack in that period.

In 2023, the RBI reported 13 lakh (1.3 million) cyber-attacks between January and October. That is approximately 4,400 cyber-attacks every day.

Since there’s so much money involved, the fallout is also massive. The average cost of a data breach in the financial sector was $5.9 million in 2023. The most common types of data stolen were personally identifiable information (PII, 36%), payment card information (PCI, 32%) and financial information (22%). The most common routes in were phishing, malware and unauthorized access.

Which part of your organization exposes all this data to those tactics? Your website. What’s a good starting point for securing it? A TLS certificate, correctly deployed. Be clear about what it does and doesn’t do: TLS protects data in transit between the customer’s browser and your server and proves to the browser that it is really talking to you. It would not have stopped the First American flaw, which was an authorisation error inside the application; that needs access control and application testing of its own. What the certificate secures is the channel, and the identity the customer sees.

Understanding SSL/TLS Certificates and Why They Matter

SSL (Secure Sockets Layer) was a protocol released by Netscape in 1995 to secure connections between web clients and web servers over untrusted networks such as the Internet we all use today. In 1999 the IETF (Internet Engineering Task Force) took it over and published it as TLS (Transport Layer Security) 1.0. Every version of SSL is now deprecated (SSL 3.0 was formally retired in 2015), TLS 1.0 and 1.1 were deprecated in 2021, and TLS 1.3, published in 2018, is the current industry standard. Because ‘SSL’ is still the term most people recognise, the certificates are usually called TLS/SSL certificates. Organizations called Certificate Authorities (CAs) issue them.

The key to TLS is public key cryptography. Your certificate binds a public key to your domain (and, for OV and EV, to your organization); the matching private key lives only on your web server. When a browser connects, it checks that the certificate was issued by a CA it trusts and that your server can prove it holds the private key. The two sides then agree on fresh session keys (in TLS 1.3 through an ephemeral Diffie-Hellman exchange, so the certificate’s private key signs the handshake rather than encrypting the customer’s data), and everything that follows is encrypted with those session keys. An attacker who intercepts the traffic sees only ciphertext that is computationally infeasible to decrypt, and cannot impersonate your server without your private key.

This is what goes on behind the scenes. Yet the visible side matters just as much for a bank, because customer trust is the commodity at stake. If your website has no certificate, it is served over plain HTTP and modern browsers label the page ‘Not secure’ in the address bar; if the certificate is expired, self-signed or issued for the wrong name, the browser shows a full-page warning that the user has to click through before reaching your site. Customer trust eroded, right then and there.

SSL certificates are definitely the answer!

They enable HTTPS (Hypertext Transfer Protocol Secure) in place of HTTP, and the browser shows a padlock icon next to the address, the trust indicator users have been taught to look for. One caveat: the green padlock and green address bar of older browsers are gone. Since 2019 (Chrome 77, Firefox 70) the major browsers show the same neutral padlock for every validation level and have moved the EV organization name into the certificate details panel, and Chrome 117 replaced the padlock with a ‘tune’ icon altogether. The differentiating information in an EV certificate is still there, but the user has to click to see it.

Not All SSL Certificates Are Created Equal

Yet not all SSL certificates are created equal. They differ along several parameters. One is the number of domains or subdomains covered (single-name, multi-domain, wildcard), which is not the concern of this blog. The parameter that matters here is validation, that is, the checks the CA performs before issuing, and there are three levels:

  • A domain validation (DV) certificate, which proves only control of the domain and carries no information about your organization. 94.3% of all SSL certificates are DV.
  • An organization validation (OV) certificate, for which the CA verifies that the organization legally exists and owns the domain in question. OV certificates make up 5.5% of all SSL certificates.
  • An extended validation (EV) certificate, which requires the most rigorous vetting of the three, under the CA/Browser Forum’s EV Guidelines, and is the hardest to obtain. Only 0.1% of SSL-enabled websites are EV certified.

Let’s say it right off the bat: we believe the solution for banks is the Extended Validation TLS/SSL certificate. Be clear about what it adds, though. The encryption is the same at every validation level (key sizes and cipher suites are chosen by the server and browser, not by the certificate type), so an EV certificate does not make the connection any stronger than a DV one. What it gives you is the best identity assurance available out of all the certificate types. When a user opens the certificate details from the padlock of an EV site, the legal name of the organization that owns the server is shown alongside the name of the issuing CA. The certificate itself goes further: its Subject carries the organization’s registered address, jurisdiction of incorporation, company registration number and business category.
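What a customer or an internal tool actually sees comes down to two things in the certificate: the CA/Browser Forum policy OID that marks the validation level (2.23.140.1.1 for EV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.1 for DV) and the Subject attributes the EV Guidelines require. The Go program below is an added example, not code from the original post or from any CA: it constructs a self-signed EV-style certificate for a hypothetical bank and a DV certificate for a hypothetical look-alike phishing domain (the domain names, organization name and registration number are made up), parses both, and reports the level and identity fields. A real certificate would be signed by the CA, but the parsing and classification path is the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CA/Browser Forum reserved certificate-policy OIDs. A publicly trusted certificate
// carries one of them beside the CA's own policy OID; the padlock looks the same for all.
var (
	levelByOID             = map[string]string{"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidBusinessCategory    = asn1.ObjectIdentifier{2, 5, 4, 15}                        // EV Subject attribute
	oidJurisdictionCountry = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 60, 2, 1, 3} // EV Subject attribute
)

// Identity is what a customer, or a team writing firewall or due-diligence rules, can
// read from the Subject. OV and EV fill Organization; the last three fields are EV-only.
type Identity struct {
	Level, CommonName, Organization, Country           string
	RegistrationNumber, BusinessCategory, Jurisdiction string
}

// ValidationLevel maps the CA/B Forum policy OID in the certificate to its level.
func ValidationLevel(cert *x509.Certificate) string {
	for _, p := range cert.PolicyIdentifiers {
		if level, ok := levelByOID[p.String()]; ok {
			return level
		}
	}
	return "unknown"
}

// Describe reads the identity fields. The EV-specific attributes have no named field
// in pkix.Name, so they are looked up in Subject.Names by OID.
func Describe(cert *x509.Certificate) Identity {
	id := Identity{Level: ValidationLevel(cert), CommonName: cert.Subject.CommonName,
		Organization:       strings.Join(cert.Subject.Organization, ", "),
		Country:            strings.Join(cert.Subject.Country, ", "),
		RegistrationNumber: cert.Subject.SerialNumber}
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidBusinessCategory) {
			id.BusinessCategory = s
		} else if ok && atv.Type.Equal(oidJurisdictionCountry) {
			id.Jurisdiction = s
		}
	}
	return id
}

// makeCert builds a self-signed test certificate (constructed for this example; a real
// one is signed by the CA) with the given Subject and policy OID, then round-trips it
// through DER so the same parsing path as for a live certificate is exercised.
func makeCert(subject pkix.Name, policy asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// certificatePolicies ::= SEQUENCE OF PolicyInformation { policyIdentifier OID }
	ext, err := asn1.Marshal([]struct{ Policy asn1.ObjectIdentifier }{{Policy: policy}})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: subject, DNSNames: []string{subject.CommonName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidCertificatePolicies, Value: ext}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCertificates returns what Describe reads from a constructed EV certificate for
// a hypothetical bank and from a constructed DV certificate for a look-alike domain.
func SampleCertificates() (ev, dv Identity, err error) {
	evCert, err := makeCert(pkix.Name{
		CommonName: "online.example-bank.in", Organization: []string{"Example Bank Limited"},
		Country: []string{"IN"}, SerialNumber: "U12345MH1995PLC000001", // constructed values
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidBusinessCategory, Value: "Private Organization"}, {Type: oidJurisdictionCountry, Value: "IN"}},
	}, asn1.ObjectIdentifier{2, 23, 140, 1, 1})
	if err != nil {
		return
	}
	// The phishing domain proves only domain control and gets a DV certificate in minutes.
	dvCert, err := makeCert(pkix.Name{CommonName: "example-bank-login.com"}, asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1})
	if err != nil {
		return
	}
	return Describe(evCert), Describe(dvCert), nil
}

func main() { fmt.Println(SampleCertificates()) }
```

Run it and the bank’s certificate reports `Level:EV` with the organization, country, registration number, business category and jurisdiction filled in, while the look-alike reports `Level:DV` with nothing but the domain. The same `ValidationLevel` and `Describe` functions work on a certificate fetched from a live server with `tls.Dial` and `ConnectionState().PeerCertificates[0]`, which is how an internal team can enforce “only connect to sites whose EV Subject names our counterparty” rather than trusting the padlock.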

Yet, having said that, we are seeing a trend develop worldwide. Large enterprise and commercial banks obtain EV certificates from well-known CAs, while public, cooperative or government-linked banks use whatever cheap certificate they can find. As long as their sites show a padlock, they’re happy.

Why Banks Should Prioritize EV TLS/SSL Certificates

We recommend EV certificates across the board for all banks because they all handle sensitive information. There are several reasons why your bank should opt for an EV TLS/SSL certificate:

  • Prime Trust Indicator: Nowadays, around 90% of phishing websites have TLS certificates, most of them easily obtained DV certificates, so the padlock on its own no longer separates a real site from a fake one. Phishing emails direct victims to a look-alike site to harvest their details, so anything that helps your real website stand out from the fakes helps prevent fraud. The organization name and issuing CA shown in the certificate details of an EV site are one such differentiator.
  • Harder to Counterfeit: EV certificates are more difficult and expensive for fraudsters to obtain. The CA verifies the applicant’s legal existence, address and telephone number against government registries and third-party sources, and an attacker is unlikely to go to the length of standing up a company to harvest credentials. The bar is raised rather than removed, though: researchers have demonstrated obtaining EV certificates by registering a company with the same name as a well-known brand in a different jurisdiction, which is why the full details (jurisdiction and registration number), not just the name, are what to check.
  • Organizational Utility: Internal teams use EV certificates for tasks such as confirming that a website belongs to the company they are conducting due diligence on, writing allow rules for internal firewalls and proxies, configuring managed security services, and supporting internal audits and compliance.
  • Potential Compliance Requirements: The EU’s revised Payment Services Directive (PSD2), whose regulatory technical standards took effect in September 2019, requires payment service providers operating in that region to identify themselves to one another with eIDAS qualified website authentication certificates (QWACs), which are issued under EV-grade vetting. There is every chance a similar requirement could be mandated in India in the near future.

Apart from these factors, a key differentiator between EV certificates and the other two validation levels is the effort required to obtain one, a trust indicator in itself. DV validation is identity-free: the applicant proves control of the domain through an email to an address at that domain, a DNS record or a file served over HTTP, and the certificate is issued in minutes, usually by automation. EV certificates, on the other hand, can take a week or two to issue, depending on the CA you choose, because of the additional verification steps involved.

It is important to note what this implies for your organization. As long as the domain is yours, anyone in your organization who can receive mail at one of the approved addresses (admin@, webmaster@ and the like), edit the domain’s DNS, or place a file on the web server can obtain a DV certificate for it. Worst case, that is a rogue administrator or an employee whose credentials have been stolen. Two controls narrow this down: a CAA record in DNS tells every public CA which issuers are allowed for your domain (CAs have been required to honour CAA before issuing since 2017), and monitoring the Certificate Transparency logs, where every publicly trusted certificate is recorded, shows you any certificate for your names that you did not request.
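As an added example, not part of the original post, here is the DNS control that limits which CAs may issue for a domain at all. The domain, the CA identifier and the mailbox are placeholders: each CA publishes the exact string to put in its `issue` record (DigiCert’s, for instance, is `digicert.com`). CAA is defined in RFC 8659, and the `iodef` report is honoured by CAs that support it.

```dns
; Constructed zone fragment for a hypothetical bank domain. Replace "your-ca.example"
; with the CAA identifier your chosen CA publishes.

; Weak: no CAA record at all. Any publicly trusted CA may issue for example-bank.in
; and every subdomain as soon as someone proves control by email, DNS or HTTP.

; Hardened: only the named CA may issue, wildcard issuance is forbidden outright
; (";" means no issuer), and refused requests are reported, so an attempt to obtain
; a certificate elsewhere becomes visible to the security team.
example-bank.in.   IN  CAA  0  issue      "your-ca.example"
example-bank.in.   IN  CAA  0  issuewild  ";"
example-bank.in.   IN  CAA  0  iodef      "mailto:security@example-bank.in"
```

CAA constrains outsiders and other CAs; it does not stop an insider who already controls DNS or the approved mailboxes from ordering at the allowed CA. That case is what Certificate Transparency monitoring is for: subscribe to alerts for your domains and treat any certificate you did not order as an incident.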

There’s less chance of that happening with an EV TLS/SSL certificate, because of the identity verification checks involved. Here is the standard process for obtaining an EV certificate from a reputable CA:

  1. You start by filling out forms and submitting them to the CA, such as an SSL Subscriber Agreement, a Certificate Request Form and other enrolment forms.
  2. Organizational authentication is conducted by the CA, which checks government registries to verify that your organization is a legally registered entity that is active in its registered location.
  3. Operational existence is confirmed by checking that the organization has been operating for more than 3 years. If not, you will probably need to furnish registration documents or a Professional Opinion Letter.
  4. The physical address is verified to establish a physical presence in the country or state of registration. CAs will not accept a PO box or the address of an offshore agent.
  5. Telephone verification is conducted, where trusted third-party directories are checked to confirm that the organization has a working phone number.
  6. Domain authentication is undertaken, which confirms that the organization controls the domain. This is usually done via file-based authentication, email or a CNAME record.
  7. A final verification call to the person who submitted the documents in step 1 is made before the certificate is issued.

We’d like to end by saying that while EV TLS/SSL certificates are our preference for banking security, a key part of their effectiveness is educating your customers on how to recognise one. It won’t matter if they think the padlock is the only trust indicator, since phishing sites have padlocks too. Teach them to open the certificate details and check the organization name, jurisdiction and issuing CA, and to compare the address bar against the domain the bank publishes, so that a look-alike site does not pass.

Ready to Secure Your Bank with an EV Certificate? Contact iValue Group Today!

And if you’re a bank looking to immediately secure your EV certificate status, we at iValue Group are the right partners to bank on for this process. Contact us here to get started!
