How to mitigate fintech application threats
"When, not if" used to be the mantra of the CSOs of yesteryear. It still stands, but now accompanied by ever-increasing amounts of "how" and "from every direction".
Despite the heightened security awareness of their parent companies and the industry in general, 97% of financial technology mobile apps tested in a recent study lacked adequate protection, exposing vulnerabilities when reverse engineered or decompiled. When considering the banking sector alone, cyberattacks cost an average of $18.3 million per company annually — with the reputational damage not even factored in.
With the doom scrolling part over, now the good news: there are smart, consistent ways to defend fintech data assets from breaches. These range from operational, such as implementing specific security measures and protocols on the platform, to organizational, such as ensuring your security teams can perform their tasks at their fullest potential.
The many layers of fintech cybersecurity
Between backends, frontends, web, mobile, and the cloud, fintech security consists of several layers and processes. Those protection layers are meant to deal with one or more vulnerabilities. Roughly speaking, they can be divided into four categories:
The application layer, however, might be the most complex to secure. Every installed app widens the attack surface, and the dynamic nature of apps, with frequent releases and new features, can open new security holes.
Common fintech security threats and how to avoid them
Malware is one item on a long list of threats that also includes DDoS attacks, spyware, brute-force attacks, phishing, and the increasingly popular ransomware. Strictly speaking, DDoS, brute-force and phishing are attack techniques rather than malware, but together with malicious code they make up the most common category of security concern for fintech companies.
To counter these, fintech companies must invest in controls that protect data and limit disruption: redundant hosting such as multi-cloud platforms, access privileges that are regularly reviewed and revoked when no longer needed, and security awareness training for employees.
Legacy systems and compatibility
Digital secure payment services must be compatible with the traditional payment card industry and financial environments, such as banks and credit card companies. This requires a mutual co-existence and implies the use of existing services and infrastructure.
Both new and traditional transaction avenues should be available to minimize user friction at both ends of the stack. Legacy applications and servers must be kept patched so they do not compromise the system's security, since unpatched components are exactly what attackers look for first.
Beyond the general issues of trust loss, which is an asset fintech companies can't afford to lose, data breaches in regulated territories like the US, UK, EU, and Japan, can all but bury fintech startups and medium-sized companies as they are followed by hefty fines and restrictions.
There's no way around it: avoiding data breaches means investing heavily in IT infrastructure, choosing reputable providers for cloud-based security, training employees in fintech cybersecurity best practices, and, should the worst occur, being upfront about it with stakeholders to limit the damage.
Digital identity fraud
Payment security faces two major types of transactional fraud: Fraud committed by a merchant collecting the digital payment, or fraud committed by someone using stolen credentials to make a payment.
Merchant fraud can be prevented by thorough Know Your Customer (KYC) due diligence, including a close examination of their online and offline footprints. Non-merchant payment fraud involves using stolen credentials such as cards, passwords, or devices, as well as phishing and phone call scams. Mobile apps, for example, are usually exploited through:
- Reverse engineering - Attackers decompile or disassemble a fintech app to learn how it talks to the backend. This can expose embedded API keys and endpoints, the encryption scheme in use, and the places where the app can be modified and repackaged.
- Shadow APIs - Once the app's API calls are understood, the attacker replays or scripts them from a client of their own. Because the traffic looks like it comes from the legitimate app, the attacker shows up as an approved user and slips past network filters.
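One backend-side defence against the replayed calls described above is to require every request to be signed over its method, path, body, a timestamp and a fresh nonce, so that a captured request cannot be resent and a modified one does not verify. The following is an added example written for this article, not code from the original page or from any vendor: the shared secret, header names, paths and request bodies are constructed for the demo.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed per-install secret for the demo. In a real deployment it is
# provisioned to each device at enrolment and held in the platform keystore,
# never hard-coded in the binary (a decompiled copy would reveal it).
CLIENT_SECRET = b"constructed-demo-secret-do-not-ship"

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off


def canonical_string(method, path, body, timestamp, nonce):
    """Bind method, path, body, time and nonce into the bytes that get signed."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(secret, method, path, body, timestamp=None, nonce=None):
    """Client side: produce the auth headers for one request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(secret, canonical_string(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": mac}


class SeenNonces:
    """Server-side nonce store; entries older than the skew window are forgotten."""

    def __init__(self):
        self._seen = {}  # nonce -> time first seen

    def check_and_add(self, nonce, now):
        for n, t in list(self._seen.items()):
            if now - t > MAX_SKEW_SECONDS:
                del self._seen[n]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now
        return True


def verify_request(secret, method, path, body, headers, seen, now=None):
    """Server side: returns (accepted, reason). The signature is checked before
    the nonce is consumed so forged requests cannot burn legitimate nonces."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        sig = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"
    expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not seen.check_and_add(nonce, now):
        return False, "replayed nonce"
    return True, "ok"


if __name__ == "__main__":
    body = json.dumps({"to": "ACCT-42", "amount": "100.00"}).encode()  # constructed
    store = SeenNonces()
    headers = sign_request(CLIENT_SECRET, "POST", "/v1/transfers", body)
    print(verify_request(CLIENT_SECRET, "POST", "/v1/transfers", body, headers, store))
    # The same headers again: a captured request replayed by a cloned client.
    print(verify_request(CLIENT_SECRET, "POST", "/v1/transfers", body, headers, store))
```

The scheme only holds as long as the signing secret stays inside the genuine app, which is exactly what the reverse-engineering bullet above threatens; in practice it is paired with per-device keys in the platform keystore, key protection in the app, and device attestation, so that a decompiled copy does not simply inherit the secret.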
How to build an end-to-end secure fintech application
Make no mistake: when developing a fintech app, or any app really, security starts at the planning phase. The wants and needs of, say, a B2B application may differ from B2C ones. Compliance requirements depend on the territories in which your company will operate. These factors must be settled before a single line of code is written, so that resources and security priorities are allocated properly.
With that said, most modern fintech applications should have some, and probably all, of the following:
- Multifactor authentication adds further proof of identity on top of the password, such as a one-time code from an authenticator app, an SMS confirmation code, a hardware security key, or biometrics. Not all factors are equal: security-question answers and SMS codes are the weakest options (guessable, or defeated by SIM swapping), so prefer authenticator apps or FIDO2 keys where the user base allows.
- White-box cryptography uses mathematical transformations to merge keys into the app code so that a key never appears in the clear in memory. It raises the cost of locating or extracting keys from a decompiled app, but it does not make extraction impossible, so treat it as one layer rather than a guarantee; the exact construction is proprietary to each vendor.
- Anti-tampering embeds integrity checks that detect whether the code has been altered, is being debugged, or is running in an emulator, often triggering countermeasures automatically. Combined with cryptographic key protection, these layers of difficulty are frequently enough to make attackers move on to easier targets.
- Secure data in transit means TLS everywhere, periodic rotation of keys and certificates, and certificate pinning or mutual TLS so that only designated apps can connect to backend web servers. Automated threat detection can additionally flag attempts to move data beyond predefined boundaries, network boundaries included.
- Smart cloud choice ensures your company's data is in serious hands. Accept a public cloud SaaS application only from a vendor with a verified, well-implemented security strategy. Hybrid clouds let you keep the most sensitive workloads in a private environment while using public cloud for the rest. Private clouds offer maximum control; however, purchasing and maintaining the software and infrastructure becomes your responsibility.
- Secure APIs, protected by transport layer security (TLS), proper certificate authority validation, and pinning on the client. Access control on the API side then segments resources so that each caller can reach only the endpoints and records it is authorized for.
Major fintech regulations and policies
The most well-known fintech standard is PCI DSS. It is the de facto worldwide security standard for any organization that stores, processes or transmits payment card data for the major card brands (Visa, Mastercard, American Express, Discover and JCB) and, as such, applies to virtually the entire B2C fintech industry.
Furthermore, in the US, the Gramm-Leach-Bliley Act (GLBA) requires financial institutions to safeguard sensitive customer data. To be GLBA-compliant, fintechs must inform customers about how they will share sensitive data. Customers must also be informed about their right to opt out if they don't want their personal data shared with third parties.
Keeping up with the times, the Federal Trade Commission proposed amendments to the GLBA Safeguards Rule in 2019 and finalized them in 2021. Among other requirements, covered financial institutions must:
- Encrypt customer information in transit and at rest;
- Require multifactor authentication for anyone accessing customer information;
- Implement access controls that limit access to authorized users and authorized purposes.
Financial institutions under FTC jurisdiction must apply these protections to customers' private data under a written information security program. The details are outlined in the FTC's GLBA Safeguards Rule.
Across the Atlantic, the EU enforces the Revised Directive on Payment Services (PSD2). Alongside measures analogous to its US counterpart, it mandates strong customer authentication (SCA) for electronic payments and secure communication between the parties, and requires payment providers to manage operational and security risk: define security-related KPIs, assess risks periodically, and keep investing in new protections, with a particular focus on mobile apps.
Additionally, it bears noting that any fintech company processing data about EU residents must abide by the General Data Protection Regulation (GDPR), even if the company isn't based in the EU.
Emerging tech has proven pivotal in preventing breaches
AI and machine learning have come a long way in automating fraud detection. Through analysis of the large volumes of data fintech companies generate every day, models learn what normal user behavior looks like and flag anything that deviates from it.
The decentralized, append-only nature of blockchain makes its ledger very hard to alter once transactions are recorded. That protects the record, not the surrounding system: private keys, wallets, smart contracts, and the endpoints users touch remain attackable. Between public, private, and hybrid, blockchain networks trade off privacy, trust assumptions, and speed according to the fintech's needs.
While cloud-based solutions are considered reasonably safe in themselves, a multi-cloud storage setup adds redundancy and addresses the classic cloud-related worry: that your data isn't in your hands. Setting up a secondary private cloud as a backup, for example, is a valid way to insure your company against breaches and data loss.
Fintech security of the future
A comprehensive fintech security strategy never rests, and new methods emerge constantly. Even year by year, it's easy to lose track of all the tech that, once thought unfeasibly futuristic, is now a mainstay, even a baseline, of what we consider good security.
Examples are endless. Biometrics, for one, has steadily gained acceptance as a strong barrier against fraud, with biometric authentication becoming affordable, practical, and widely available. AI, machine learning, and analytics have greatly improved the detection of irregular data-access patterns and suspicious transactions over the last few years. Convolutional neural networks have been employed for customer profiling and fraud-intent detection, processing complex data sources and capturing qualitative and quantitative threat data.
Prolonged rest isn't a luxury fintech security professionals can often afford. But then again, the thrill of constantly solving complex problems pays off in the long run.