Fortified fintechs: Security and cybercrime in finserve

Originally Published in FinTech Magazine

Ever since its inception, the fintech sector has faced the inevitable risk of cyber threats.

According to Verizon’s 2021 data breach report, social engineering, web application attacks, and misconfiguration represent 81% of breaches against the financial services sector.

Banks have had to deal with a variety of threats, including employee errors, state-sponsored attacks, errors involving third-party vendors, and the use of complicated technologies for well over a decade. Each threat actor has a different motive and organisations require adaptive systems to manage these attacks.

But the fintech sector has become more resilient and created a safer space for financial transactions to take place.

How? By building, secure digital spaces that allow institutions to offer quality-rich financial services with minimal risk concerns. As a result, many of these cutting-edge technologies play an essential role in defining the future of the fintech sector.

According to Safi Raza, Director of Cyber Security at Fusion Risk Management, recognising these technologies and integrating them into the existing fin-serve infrastructure is crucial.

“Using Artificial Intelligence to examine metadata, content, context, and typical user behaviour to detect anomalous emails has been effective,” says Raza. “Secure Access Service Edge (SASE) has also been proven effective in securing the remote workforce during the pandemic. It is a cloud-based architecture that delivers network and security services to protect users, applications, and data.”

Technologies securing the fintech industry

Several threats are currently looming over the fintech industry. Unencrypted data, which poses the risk of data loss, and third-party service errors—to name a few. At the same time, the lack of core awareness and inefficient management methods pose further challenges within systems. However, many of the following technologies are used to keep the system and customers as secure as possible.

As Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group summarises, “Security has slightly higher visibility in fintech software discussions because the software so directly affects assets that need protection. Fundamentally, however, the challenges of software security in FinTech are the same challenges as software security in every other field.”

He says, “More than a half century of experience has taught us that software and security are inseparable. Nowadays nobody would consider talking about automobile manufacturing without acknowledging that safety is an integral part of every phase of the process. Likewise, one day soon it will seem nonsensical to speak of software without understanding that security is part of every phase of development, deployment, operation, and maintenance.”

Machine learning, big data, and analytics

Every day, financial service providers receive an abundance of data. Although many institutions lack the expertise to create a protective layer against cyber threats, the data they have gathered for many years can be applied to the security of their systems. With the help of Machine Learning and standard data analytics practices, companies are capable of leveraging big data to find irregular patterns from these data streams to continuously redesign risk management systems, allowing them to detect problematic behaviour in seconds and protect customers from potential data loss/exposure without considerable investment.

Embedded authentication interventions

Embedded systems have been on their edge for some time, but the fintech sector has only recently discovered the real potential of these systems. Instead of relying on hardware or software alone, an embedded system can combine both to confirm a customer’s identity. For instance, a hardware identifier on users’ endpoint systems can be used along with a traditional PIN/passcode to verify access to fin-serve platforms.

Zero-trust networks, blockchain and biometrics

Regardless of the technologies in use, the current fintech sector requires a redefining of user privacy. Many technologies are effective here, but zero-trust networks, blockchain-based systems, and biometrics-based authentication are the future solutions of choice. In the light of recent ransomware and other malware attacks, Zero Network Access (ZNA) ensures that a user does not receive access to a network without properly confirming their identity.

“Advanced machine learning that can automatically detect threats – like phishing or insider threats – by understanding the behaviours of employees in an organisation. This type of technology not only automatically detects these threats, but it can also alert employees to the risks in front of them, consequently nudging people to make safer cybersecurity decisions and preventing data loss, without burdening security teams,” explains Tim Sadler, Chief Executive Officer & Co-Founder, Tessian.

Early adopters of these technologies have found these security options to be effective, but according to Sam Curry, Chief Security Officer at Cybereason, the principles of these security methods—not necessarily the solutions themselves—should be adopted by fintechs.

“Privacy-by-design and Zero Trust are good, but they aren’t panaceas. They are really principles to use in design and improvements and not things you can buy and deploy as a packaged product like a firewall or a router, no matter what vendors claim,” says Curry. “Despite science fiction and thriller books and movies, biometrics are not the answer. They can still be beaten. The systems that back up the biometrics can be compromised, and signals from readers can be replayed or cracked if these systems aren’t designed and built well. In these cases, biotelemetry amounts to a password you can’t reset.”

“If we could jump to a zero trust network today, we probably shouldn’t as it would amount to a new attack plan with the added pain of interrupting a lot of businesses and adding latency to transactions. The best course of action is the pursuit of these principles rather than the attainment of a naive and even counterproductive solution’s false promise of fixing everything.”

Experts also foresee the integration of blockchain technology into the security aspect of the fintech sector. “Blockchain technology has a huge potential to strengthen cyber security. Data on blockchains cannot be tampered with, as network nodes automatically cross-reference each other and pinpoint the node with misrepresented information. Also, as blockchain technology automates data storage, it eliminates the leading cause of data breaches – human error,” says Kris Sharma, Fintech Sector Lead at Canonical.

Biometric authentication has become more of a norm in the past decade, as context-aware systems are likely to overtake the competition in the coming years. For example, voice-based identity confirmation systems and the zero-trust model will make transactions safer while keeping the user passive.

Fintech security in 10 years

It is impossible and impractical to predict which security technologies/protocols will have the upper hand in a few years. For instance, the growth of blockchain technology was not even considered possible in 2010.

Similarly, we cannot predict whether a ground-breaking security technology could benefit fintechs at this stage, but there is still hope for suitable technologies. “There is significant scope for Machine Learning and analysis to assist and speed up the discovery of new attacks.

Together with better threat Intelligence and the exchange of learned information could make for some very powerful defence technologies in the future. Financial services would benefit enormously from that level of automated cyber collaboration,” says Simon Eyre, Chief Information Security Officer of Drawbridge.

Context-aware security is going to be the core idea of fintech security in 10 years. This aspect of security tech ensures that the infrastructure and networks remain secure with minimal user input. Hybrid authentication options and zero-trust network environments will play a crucial role in this aspect. “Cybersecurity solutions will work seamlessly in the background, only alerting them [organisations] to a threat when they need to know about it. This approach will empower people to do their best work, without security getting in the way of them doing their jobs or hindering their productivity,” Sadler adds.

The crux of the matter is that fintech security will be more effective and reliable in ten years, provided that service providers are willing to make the necessary upgrades.

The areas where challenges exist

Awareness seems to be an area where cybersecurity in fintech needs crucial improvement. While there are sufficient technologies to protect transactions and networks, making these technologies accessible to banks and other fin-serve institutions is a different matter altogether. Moreover, this aspect of the deal requires additional focus and effort in developing countries, where the banking systems still need a push towards modernity.

“For too long cybersecurity solutions have focused on protecting the machines in an organisation, and not the people running the machines and handling huge amounts of data. As a result, data breaches caused by human error are at an all time high,” says Sadler.

More importantly, customers of new-gen fin-serve technologies require education on identity verification and integrated security in fintech. Therefore, instead of solely focusing on making the best technology, there must be an equal amount of focus on keeping the technologies accessible to the customer base across the globe.

Originally Published in FinTech Magazine