Fintech is a valuable target for attackers seeking financial reward, and we won’t stop the breaches without changing our attitude towards security.
We all know that cyber-attacks on banks and financial institutions are driven by the desire for cold hard cash. Where better to find it than in the fintech industry?
Everyone in the fintech industry knows that the negative publicity that follows a breach doesn’t help retain customers or win new ones. As customers, we expect due diligence from service providers: we expect them to secure both our money and our personal information, which can itself be monetized through identity theft. Both customers and fintech companies need to understand the mindset of a cybercriminal and take the necessary steps to prevent a data breach.
A recent story on Fifth Domain reviews the findings of Chris Pogue, Chief Information Security Officer of cybersecurity/information governance company Nuix. Last year, he surveyed 70 hackers and penetration testers at Black Hat USA and DEFCON 24. Of these, three quarters claimed they are “constantly researching security news and technology, testing new systems because they like an evolving challenge and are convinced they can compromise a target in less than 12 hours.”
Okay, fair enough, but even as a writer, if I failed to keep up with new technology it would soon become apparent to readers that I’m out of touch or lack knowledge on whatever I’m waffling on about. Shouldn’t all hackers and penetration testers be current with the latest tech? We can also assume that these conventions are not attended by cybercriminals, whose motivations are far simpler than combating the challenges brought by new security tech.
Hackers Do Not Hide in Plain Sight
High-level or state-sponsored attackers do not attend industry events of this nature, as they are well aware of the potential for government surveillance. Why would they need to? They network not on LinkedIn but on the dark web, behind an avatar and never disclosing personal details. Nonetheless, the attendees gave Pogue key takeaways that are no doubt shared by their criminal counterparts. These include, but are not limited to:
1. Attack Methods
Direct server attacks are the primary attack vector. They are set up with social engineering (phishing, dumpster diving and many other techniques for discovering the key data points that enable the follow-up attack) and carried out with penetration-testing and open source tools, many of them bundled with Kali Linux, for example.
2. Changing Tactics
They change their methodology for each target, or at least vary the attack method on a biannual basis.
3. Worthwhile Defenses
The best company investments lie in endpoint security and intrusion detection/prevention, which cause more problems for attackers than antivirus or firewall solutions.
4. Human Error
All those surveyed by Pogue agree that security-conscious employees would prevent many intrusions.
Armed with this knowledge, which is ubiquitous at this point, how is it that the hacking of fintech companies continues relatively unabated?
In 2017, the breach at payday lender Wonga affected more than a quarter of a million European users, and in November 2016 more than 9,000 Tesco Bank customers had a total of more than $3 million taken from their accounts. To put things in perspective, consider PwC’s 2016 Global Economic Crime Survey for the financial services industry: 46 percent of FSI companies reported economic crime, and 49 percent of that was attributed to cyberattacks. A worrying statistic, right? Given this level of security lapses, what can fintech companies do to raise customer trust?
Banks vs. Fintech
Fintech companies run the gamut from payment processing (think PayPal, Stripe etc.) to venture capital (VC), P2P payment systems and digital wallets. Attitudes to security and how solutions are implemented vary, and current regulations often do not account for the latest technology or innovations.
“PCI-DSS compliance relates specifically to organisations understanding and implementing standards for security policies, technologies and ongoing processes that protect their payment systems from breaches and theft of cardholder data. This offers great peace of mind to consumers as it ensures firms are handling their data with the appropriate level of care,” said Aaron Fox, data security specialist at HANDD Business Solutions, a UK-headquartered data protection consultancy for the financial services industry (FSI).
Compliance with PCI-DSS is not a testimonial for overall security excellence, however.
“What organisations must also acknowledge however, is that this is focused specifically on payment card information and must be adopted as part of a wider security strategy to ensure full protection of all customer and business information,” said Fox.
What are the major causes of Fintech security breaches?
“As you might expect, Fintechs do not have the same budgets as their banking counterparts when it comes to data security. However, the customer data they hold is just as sensitive,” said Fox.
Therefore, fintech companies must do more with less, and encryption of sensitive data is essential.
“Organisations of this kind should take a cost effective back to basics approach to protecting their most sensitive data. This can be achieved by classifying all data and encrypting all data deemed sensitive. No matter the breach, this would ensure all sensitive data is unreadable in the wrong hands,” said Fox.
Fox added that fintech companies should build a secure network and maintain a firewall configuration that protects cardholder data. Cardholder data must be protected at rest and, just as importantly, encrypted in transit across open or public networks.
Following on from that, Fox said fintech companies must develop and maintain secure systems (including anti-virus) and applications, while regularly updating software to manage vulnerabilities. The final step is to implement strong access control measures, including restricting physical access to cardholder data.
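Fox’s “classify, then encrypt what is sensitive” advice, in working form. This is an added example, not code from the article or from HANDD: a hypothetical customer record whose fields carry a classification tag, with the tagged fields encrypted under AES-256-GCM before the record is written to storage, so a dumped table exposes only ciphertext for those columns. The record layout, field names, the `sensitive` tag and the `enc:v1:` prefix are all assumptions made here; in practice the key would come from a KMS or HSM rather than being generated beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical record: fields tagged sensitive:"true" were classified as needing encryption at rest.
type CustomerRecord struct {
	CustomerID string `json:"customer_id"`
	Email      string `json:"email" sensitive:"true"`
	PAN        string `json:"pan" sensitive:"true"` // primary account number
	Postcode   string `json:"postcode"`
}

const encPrefix = "enc:v1:" // marks a field that already holds ciphertext (assumed format)
// FieldCipher encrypts individual string fields with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes (AES-256), got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &FieldCipher{aead: aead}, nil
}

// sealField encrypts one value under a fresh random nonce. The field name is
// bound in as additional authenticated data, so ciphertext copied from one
// column into another fails to decrypt instead of yielding the wrong plaintext.
func (c *FieldCipher) sealField(field, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return encPrefix + base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; GCM rejects tampering, a wrong key or a wrong field.
func (c *FieldCipher) openField(field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	ns := c.aead.NonceSize()
	if err != nil || !strings.HasPrefix(stored, encPrefix) || len(raw) < ns {
		return "", fmt.Errorf("field %s: not a well-formed ciphertext", field)
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %s: %w", field, err)
	}
	return string(pt), nil
}

// walkSensitive applies fn in place to every string field tagged sensitive:"true".
func walkSensitive(rec *CustomerRecord, fn func(name, val string) (string, error)) error {
	v := reflect.ValueOf(rec).Elem()
	for i := 0; i < v.NumField(); i++ {
		f := v.Type().Field(i)
		if f.Tag.Get("sensitive") != "true" || f.Type.Kind() != reflect.String {
			continue
		}
		out, err := fn(f.Name, v.Field(i).String())
		if err != nil {
			return err
		}
		v.Field(i).SetString(out)
	}
	return nil
}

// Protect returns a copy safe to write to the database; Reveal undoes it on read.
func (c *FieldCipher) Protect(rec CustomerRecord) (CustomerRecord, error) {
	err := walkSensitive(&rec, c.sealField)
	return rec, err
}

func (c *FieldCipher) Reveal(rec CustomerRecord) (CustomerRecord, error) {
	err := walkSensitive(&rec, c.openField)
	return rec, err
}

func main() {
	key := make([]byte, 32) // demo only: production keys live in a KMS/HSM, never beside the data
	if _, err := rand.Read(key); err != nil { panic(err) }
	fc, _ := NewFieldCipher(key)
	rec := CustomerRecord{CustomerID: "c-1001", Email: "jane@example.com", PAN: "4111111111111111", Postcode: "SW1A 1AA"} // constructed sample
	stored, _ := fc.Protect(rec)
	back, _ := fc.Reveal(stored)
	fmt.Printf("stored: %+v\nrevealed: %+v\n", stored, back) // only Email and PAN are ciphertext
}
```

Two design points worth noting. Binding the field name into the authenticated data means an attacker who can write to the database cannot move a ciphertext from one column to another and have it decrypt; and because the non-sensitive fields stay in the clear, the record remains indexable, which is what makes the “encrypt only what the classification pass marked” approach cheaper than encrypting the whole row. Key management is the part this snippet does not solve: a key stored next to the data is protected by nothing more than the same breach that exposes the data.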
Selecting a Fintech Solution
Verify that the proposed solution is secure.
“As a consumer myself, the first thing I would investigate before using a Fintech, would be to check what security standards they have or are working towards. If, for example, they adhere to PCI-DSS, you can say with a relatively high degree of confidence that despite the size of the organisation, they are taking the right steps to ensure your personal information is being protected,” said Fox.
In conclusion, even when your chosen fintech solution is PCI-DSS compliant, breaches can and do occur. When even global banks are breached, despite their large budgets, you can only hope that fintech companies will learn from the mistakes made.
You are also relying on that provider’s employees: assuming they will not fall for phishing scams, for example, and that their IT staff are quick to install patches and security updates.
Of course, fintech companies, banks and the other links in the payment processing chain are not the only ones responsible for security. Customers must safeguard their passwords, PINs and other credentials as well. Having a credit card is all well and good, but writing your PIN on a Post-it and keeping it in your wallet along with the card is not. You’d be surprised how many people do this type of thing, as if a six-digit PIN cannot be memorized.
Phil Bindley, CTO of cloud services provider (CSP) The Bunker, pointed out in a 2016 story that the biggest data breaches of the year could have been prevented. I do agree, but had a WTF moment when I came to ‘security hygiene.’ I get it, I’d just never come across it before. If companies, employees and customers made correct security practices as much of an ingrained habit as those recommended for food prep, handling and storage, or even washing your hands after using the toilet, then we’d all see a reduction in data breaches.
He’s probably right, but data breaches in fintech and other industries, like health code violations in restaurants, will never be eliminated completely. In the meantime, a combination of security awareness and technology (endpoint protection included) is the best we can do.