Fintech Meets Cybercrime: a Survival Guide
The global economy faces unprecedented challenges with respect to cybercrime. The exact scale of the challenge is up for debate, with estimates placing the annual cost of cybercrime at anywhere between $1 trillion and $6 trillion. However, one thing that everyone seems to agree on is that the situation looks set to deteriorate. A report published by the World Economic Forum towards the end of last year found that “unless action is taken now, by 2025 next-generation technology, on which the world will increasingly rely, has the potential to overwhelm the defenses of the global security community.”
But why should the financial industry be so concerned? First and foremost because financial data holders (financial institutions, fintechs, and new providers — technology companies) are the number one target for cybercriminals. The infamous 1930s bank robber Willie Sutton is said to have been asked why he robbed banks and responded “because that’s where the money is.”
Since those times, Sutton’s truism has remained the same. The industry, however, has changed a lot — and it’s still changing. We are currently in a period of unprecedented technological change, driven by fintech innovation. Much of this change is being enabled through more open and distributed architectures, which means the industry’s attack surface is becoming larger and more complex to manage.
At the same time as the task of establishing cyber defenses is becoming more complex, threat actors are also becoming increasingly sophisticated — thus compounding the challenge.
Fortunately, we think there is still cause for optimism. As long as we can find ways to close off new exploits and attack vectors and embed security into the design of new services rather than as an afterthought, the industry can continue to innovate securely.
The industry’s attack surface is getting larger and more distributed
The impact of COVID on the workplace will potentially last longer than the pandemic itself. Having staff working from home has brought about new challenges, making it more difficult to control the network perimeter and potentially opening up opportunities for social engineering. Given the lockdown of much of the conventional retail industry, the pandemic has also triggered a surge of newcomers to e-commerce, and these newcomers aren’t as wise to the ways of cybercriminals as more experienced e-commerce customers and are therefore more vulnerable.
At the same time, financial technology innovations are offering significant new benefits to consumers — but they may also be creating new vulnerabilities. For example:
Open data initiatives are making it easier to extract financial data via APIs for legitimate means (e.g., account aggregation, financial planning), but could also pose abuse opportunities for criminals. Identity and account information, whether stolen directly from compromised APIs or exfiltrated from under-protected third parties who access the information, creates new identity fraud risks for financial institutions.
Growth of embedded fintech has made it easier for online retailers to extend credit at the point of sale, but provides another potential avenue for fraudsters to exploit. KYC and credit risk management, therefore, need to be embedded into those services.
Financial innovation has increased the speed and simplicity of service provision — whether that means faster account openings, faster payments or faster credit. While faster, simpler services are welcomed by legitimate consumers, they also pose opportunities for cybercriminals, who can potentially exploit that speed, and the resulting elimination or compression of settlement intervals and back-end risk control processes, to their advantage.
Cloud infrastructure has become the preferred technology choice for financial organizations of all kinds. However, when it comes to cyber security, cloud has proved to be a double-edged sword. While cloud services enable organizations to stand on the shoulders of tech giants when it comes to IT security, exploiting the security features provided by those giants is not simple, and it means learning new security models. Financial institutions need to ensure that their security teams can keep up with the pace of innovation enabled by the cloud.
Threat actors are becoming increasingly sophisticated
This may seem like an obvious trend, but it cannot be overstated. Cybercriminals are increasingly well-organized, well-funded, and well-equipped, particularly in relation to attacks that impact the financial industry. Knowing that established institutions have mature and well-funded IT security operations in place, these cybercriminals are increasingly looking to target fintechs and/or cloud infrastructures in the hope that these will prove to be weaker links.
Recent years have seen a number of examples of such attacks. Finastra was forced to take large numbers of cloud servers offline after falling victim to a ransomware attack; fintech giant Fiserv is being sued after potentially leaving clients exposed to threats from attackers; tech unicorn Dave suffered a data breach impacting more than seven million customers; and Capital One had its cloud infrastructure hacked, with more than 100 million customers’ data exposed to risk.
In addition to attacks of this nature, cybercriminals are regularly exploiting several other attack vectors:
Ransomware: Attacks in this category continue to grow in sophistication and severity. Attackers share tools and exploits over the dark web, and the average cost to each ransomware victim is rising sharply. Moreover, the evolution of cryptocurrencies has provided an ideal payment mechanism for cybercriminals looking to extort a ransom from their victims, which can’t easily be foreclosed by financial institutions or regulators.
Identity theft: This continues to be one of the most common threats to financial institutions, particularly providers of loans and credit cards. Although technology to verify identity continues to evolve, attackers have also become increasingly sophisticated at sharing exploits and using social engineering to draw information from their victims.
Phishing: Phishing and other forms of social engineering have become significantly more sophisticated as criminals research their victims more thoroughly in order to carry out targeted attacks (spear-phishing) or to focus their efforts on high-value targets (whaling) in pursuit of more valuable B2B payment fraud opportunities.
These threats have already evolved significantly, but the fear going forward is that cybercriminals and nation-state actors exploit new technologies, such as artificial intelligence and attack automation, to become even more effective at breaking through cyber defenses.
How do we guard against these trends?
With threat-actor capability on the rise and the corporate environment increasingly complex and challenging to lock down, how can the industry guard itself? First and foremost, it is vital that financial innovation takes place with cyber security as a primary consideration. Security is always much stronger when it’s embedded and designed into new services from the outset, rather than added as an afterthought to a structure that wasn’t designed to work securely.
At the same time, the industry needs to seek out innovative solutions to seemingly intractable challenges.
Policy-based solutions are one possible area of innovation. For example, as ransomware demands have skyrocketed in recent years, the US Treasury recently took the bold step to ban ransomware payments. Treasury’s goal is to radically reduce the attacker’s payoff from a ransomware attack by making it illegal for victims to pay. On the one hand, this transforms an expensive ransomware attack into a potentially even more damaging destructive malware attack; on the other hand, it makes the ransomware market much less attractive to economically-motivated criminals. The theory is that this will reduce the incidence of ransomware enough to offset the increased cost of the attacks that do occur; it’s too early to judge whether this approach will be a success, but it’s the kind of innovation that’s worth trying.
Standards initiatives can also drive innovation; for example, the challenge of KYC and of authenticating users could eventually be solved through greater adoption of standardized identity vetting services and digital identities.
Technology innovation will, obviously, also be required; for example, innovation in rapid recovery from successful, complex attacks could help blunt the rising cost and severity of ransomware and destructive malware attacks.
At Team8, we are committed to bringing to market fintech solutions designed from the ground up with effective and innovative security as a core value element. We are also continuously looking to find ways of solving cybersecurity threats for established enterprises both within the financial sector and more broadly for all enterprises.
Originally appeared on Medium