Digital currencies and the fintech boom represent a window of opportunity – but what about the security risks that go along with them?
The digital economy is all about providing a smorgasbord of options to the convenience-hungry customer, tailoring these options to specific groups.
The pace of innovation is often difficult to keep on top of, though, and this is glaringly apparent in the world of finance, banking, fintech and payments.
The developments have been both technological and legal, as blockchain and big data offer exciting new digital products, and PSD2 opens the door for banking disruption in Europe. While the convenience will no doubt benefit consumers and increase healthy competition – and indeed, collaboration – between fintechs and established institutions, the acceleration of development means that lurking underneath are security risks that need to be tackled.
In 2017, a study published by BitSight found that web application compromises had overtaken human error as the top cause of data breaches, accounting for 33pc of breaches, which gives the financial sector plenty to worry about in terms of cyberattacks. Third-party compromises are another major worry, and the rise of cryptojacking shows that almost anyone, not just established cyber-criminals, can get in on the action relatively easily.
Of course, those who take the success of their products seriously are already on the ball when it comes to cybersecurity. The World Economic Forum established a cybersecurity consortium in March of this year, in order to mitigate the risk both for established institutions with sturdy infosec policies and for the fintech start-ups that may not have the security expertise needed to keep pace with their growth rates.
Siliconrepublic.com spoke to the experts about the risks, the trends and toeing the line between innovation and effective security for the crucial financial data of users.
Cryptocurrencies took off at a massive scale in 2017, as the public became more aware of what blockchain entailed and grew intrigued by digital currencies such as Monero and bitcoin.
Leonard McAuliffe, director at PwC Ireland Cybersecurity Practice, explained how cryptojacking is a relatively easy win for cyber-criminals: “Victims of this attack are presented with legitimate-looking software which has instructions to download the miner hidden inside.
“This usually looks like a legitimate download and therefore isn’t detected. Once downloaded, cyber-criminals take CPU power for extended periods of time even when the device or browser session is not in use. The majority of the time, a victim will have no indication that they have been breached.”
The simplicity of cryptojacking was further highlighted by Paul Ducklin, a technologist at Sophos. While vast amounts of processing power are required to mine digital currencies at scale, criminals “can build an illegal ‘farm’ of crypto-mining computers spread all over the world, where other people are paying the electricity bills and having their computers bogged down and overheating, while the crooks quietly keep the earnings”.
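The pattern McAuliffe describes, a process that keeps the CPU busy for long stretches while nobody is using the machine, is also the pattern a defender can look for. The following detection logic is an added example and is not code from the article or from PwC or Sophos; the telemetry format (a per-process CPU sample plus a user-idle flag), the process names and the allowlist of legitimate idle-time jobs are all constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One telemetry sample (constructed fields; real endpoint agents differ)."""
    ts: int           # seconds on a monotonic clock
    process: str      # process name as reported by the endpoint agent
    cpu_pct: float    # share of total CPU used by this process, 0-100
    user_idle: bool   # True when no keyboard/mouse input in the interval


# Assumption: known workloads that legitimately run hot while the user is away.
ALLOWLIST = {"backup-agent"}


def idle_hot_windows(samples, cpu_threshold=70.0, min_seconds=600):
    """Return {process: [(start_ts, end_ts), ...]} for processes that kept CPU
    at or above cpu_threshold for at least min_seconds while the user was idle."""
    by_proc = defaultdict(list)
    for s in samples:
        by_proc[s.process].append(s)

    findings = {}
    for proc, rows in by_proc.items():
        if proc in ALLOWLIST:
            continue
        rows.sort(key=lambda r: r.ts)
        start = last = None
        for r in rows:
            if r.user_idle and r.cpu_pct >= cpu_threshold:
                if start is None:
                    start = r.ts
                last = r.ts
                continue
            # Hot streak ended: keep it only if it lasted long enough.
            if start is not None and last - start >= min_seconds:
                findings.setdefault(proc, []).append((start, last))
            start = last = None
        if start is not None and last - start >= min_seconds:
            findings.setdefault(proc, []).append((start, last))
    return findings


def constructed_samples():
    """Thirty one-minute samples: user active for the first five minutes, idle after.
    Entirely made up for this example."""
    samples = []
    for i in range(30):
        ts = i * 60
        idle = ts >= 300
        # Trojanised 'updater' pegs the CPU regardless of whether anyone is there.
        samples.append(Sample(ts, "svc-updater", 92.0, idle))
        # Browser is busy only while the user is actually using it.
        samples.append(Sample(ts, "browser", 3.0 if idle else 85.0, idle))
        # Scheduled backup: hot during idle time but allowlisted.
        samples.append(Sample(ts, "backup-agent", 95.0 if idle else 2.0, idle))
    return samples


if __name__ == "__main__":
    for proc, windows in idle_hot_windows(constructed_samples()).items():
        for start, end in windows:
            print(f"{proc}: high CPU while idle from t={start}s to t={end}s")
```

On the constructed data only the trojanised updater is reported. The allowlist matters in practice: indexers, backups and update services produce the same idle-time signature, so a rule like this is a triage signal to pair with process reputation and network destinations, not a verdict on its own.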
Protecting the previously unbanked user
Tara Swaminatha, partner in data privacy and cybersecurity practice at Squire Patton Boggs, explained that the influx of previously unbanked people thanks to fintech firms, coupled with increased public knowledge of digital currencies, is bound to have an effect on cybersecurity, with countries such as Venezuela and Iran showing a strong national interest in cryptocurrencies.
She warned: “Digital currencies themselves are not immune from cybercrime.” Given this rush to cryptocurrencies as well as many companies investing in this market without weighing up the potential dangers, there is a risk this will further escalate, Swaminatha added.
McAuliffe noted that the falling number of unbanked people would have a huge bearing on cybersecurity, with some people more likely to be susceptible to attacks involving social engineering or unsecured apps.
Neil Hughes, vice-president of OWI Labs, said that responsible onboarding is vital as new banking and financial customers would represent “low-hanging fruit” for cyberattacks. “The key questions will be: how do we onboard unbanked people in a responsible way? And how do we provide them with education to not fall victim to common identity theft and fraud tactics?” Education and awareness are key factors here.
Open banking – innovation and new threats
Open banking is another area of progress in the financial and fintech industries, with unprecedented opportunities within the sector to present users with more convenient, immediate and useful products and services with the help of APIs.
John Fitzgerald, PwC Ireland cybersecurity consultant, laid out some of the major risks, noting that leakage of user financial information is a critical danger, with security breaches possible due to anything from API vulnerabilities to a malicious leakage of proprietary data owned by the bank.
Fitzgerald added that financial products are also vulnerable to man-in-the-middle attacks, where the attacker “secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other”. In the open banking context, a vulnerability in an API could let an attacker intercept and manipulate transaction data with relative ease.
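The alteration Fitzgerald describes, a relay changing a transaction on its way between client and bank, is caught if each request carries an integrity check the relay cannot recompute. Below is an added example, not code from the article or from any bank or fintech: a client signs a transfer with HMAC-SHA256 over a timestamp and a canonical JSON body, and the verifier rejects both a body altered in transit and a request replayed later. The shared secret, account identifiers, field names and the five-minute freshness window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: the bank's API and the third-party client share this secret
# out of band. Constructed value for the example only.
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def canonical(body: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_request(body: dict, ts: int, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over timestamp || '.' || canonical body."""
    msg = str(ts).encode() + b"." + canonical(body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(body, ts, sig, now, secret=SHARED_SECRET, max_skew=300):
    """Return (accepted, reason). Rejects stale requests (replay) and any
    body or timestamp that differs from what was signed (tampering)."""
    if abs(now - ts) > max_skew:
        return False, "stale timestamp"
    expected = sign_request(body, ts, secret)
    # compare_digest avoids leaking the mismatch position via timing.
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Client signs a transfer; a relay alters the amount; verifier rejects it."""
    transfer = {"from": "acct-001", "to": "acct-002", "amount": "10.00", "ccy": "EUR"}
    ts = 1_500_000_000  # constructed request time
    sig = sign_request(transfer, ts)

    legit = verify_request(transfer, ts, sig, now=ts + 5)
    # Man-in-the-middle rewrites the amount but cannot recompute the HMAC.
    tampered = dict(transfer, amount="1000.00")
    altered = verify_request(tampered, ts, sig, now=ts + 5)
    # Same valid request captured and resubmitted an hour later.
    replayed = verify_request(transfer, ts, sig, now=ts + 3600)
    return legit, altered, replayed


if __name__ == "__main__":
    for label, result in zip(("legitimate", "altered in transit", "replayed later"), demo()):
        print(f"{label}: {result}")
```

Two caveats for a real deployment: a signature protects integrity and authenticity but not confidentiality, so the request still has to travel over TLS; and a shared-secret HMAC lets either side forge messages, which is why multi-party open banking APIs generally favour asymmetric signatures that the bank can verify but not produce. A nonce store alongside the timestamp check closes the replay window inside the skew allowance.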
Business reputation and customer satisfaction could also be affected by something as simple as the API becoming unavailable. “The quality of service for users could be affected or [they] could even find themselves locked out of the service.”
To mitigate these risks, Fitzgerald made one key recommendation: a separate virtual environment with a copy of the database. “A segregated database should hold only the data that third parties need to access – this way, hackers have no clear access into the bank’s core systems. This would provide 100pc data segregation and mitigate the risk of the new security threats posed to them.”
Third-party attacks are increasingly common across all industries, and the financial space is no different, according to Swaminatha, who added: “It will be increasingly important in the financial sector to ensure the systems of third-party vendors are also secure given this integrated interchange of data.”
Competing and collaborating
In an environment where innovation is the order of the day, traditional ways of banking are changing and it’s a case of ‘evolve or die’, according to McAuliffe. But how do you balance creating new products and ensuring they are secure?
Continuous attention must be paid to security, he said. “The line is not to hinder the innovation but to ensure security is built into products and solutions in the initial conceptual phase right through to production and, while this may slow down go-to-market solutions to a certain degree”, it is essential that standards are met. He stressed: “Testers only have a finite amount of time to test an application before it goes live; however, a hacker has all the time in the world.”
Hughes said that in the face of increasingly clever bad actors, machine learning (ML) and artificial intelligence (AI) will take a greater role in protection against attacks. “Banks will need to outsmart bad actors, but ultimately will find assistance from smaller and more nimble fintech outfits. As banks and fintechs look to simplify onboarding, criminals will look to take advantage, leaving AI and ML as key safeguards in preventing fraud.”
Hughes predicted a forthcoming “delicate dance” between fintech companies and banks. “Banks have the financial means as well as the credibility with consumers to make inroads. Banks are also well versed in the regulations that fintechs sometimes try to skirt, giving them credibility with governments as well.
“Partnerships will only be possible under the right conditions, and both parties are still trying to figure out how that will work.”
Ultimately, fintechs need the credibility and financial resources of legacy banks, while banks will sometimes turn to fintechs to offer consumers everything they need.
Those who invest in security will beat their competition
McAuliffe posited: “Fintech companies that invest in secure reinforcements and build products to industry security standards will surpass their competition in the long run.”
He noted that banks involved with fintechs could provide an advisory role from a security perspective to assist fintech start-ups that they are collaborating with. “Banks may stipulate or advise that fintech start-ups comply with security industry standards and guidelines eg ISO27000/NIST/OWASP/secure coding or application guidelines,” he said, as well as insist on penetration and appsec testing.