The cybersecurity landscape in banking has changed since the entry of Financial Technology companies, or fintechs, into the sector.
Cybersecurity in fintech vs banking
Cybersecurity in banking is enforced through legal regulations, which require banks to provide reliable and secure services and to implement robust cybersecurity procedures and operational processes aimed at optimizing those services.
Large and rich organizations constantly test their security measures as they don’t want to risk reputation losses or penalties. Especially in the case of large, global banks, even a minor security incident can draw thousands of customers away, which is too big a risk for any business to take.
Above all, a breach of a legal regulation often incurs severe financial penalties - so severe that they can cause more damage than the loss of customers.
In contrast, financial technology companies, or fintechs, are often small or fast-growing startups that provision some of their products to the banking industry. Since fintech providers aren’t banks, they aren’t as strictly regulated and have greater flexibility in adjusting to the existing requirements.
As such, a fintech company can act as an “overlay” to banks, facilitating the provision of certain financial products in a simplified manner. The additional benefit they bring to the banking industry is shorter time-to-market of services, which is why banks often rely on fintech. This overlay, however, often comes with weak security measures.
Why is cybersecurity in fintech important?
Fintech companies and startups offer more flexible products and services than banks because they are not as strictly regulated by law. They also offer shorter time-to-market, which is particularly important from the business perspective.
However, rapid release cycles mean that fintech companies often simplify their products or skip certain features. As a result, fintech companies often secure their solutions only partially, omitting some security measures altogether, especially when they can’t see the added business value.
Fintech startups may also lower their non-functional data security requirements because of limited cybersecurity awareness and the false conviction that fully secure products aren’t flexible enough from the business perspective.
This often leads to functional but poorly secured products, which are likely to generate substantial security costs later, when the products are scaled and must be properly secured or fixed. As a result, dealing with fintech startups may be riskier than trusting global banks.
Overall, the probability of a security breach occurring on the part of a fintech company may be higher than in a strictly regulated bank, but the impact can be similar - in the end, both process the same kind of data.
Top cybersecurity threats in the fintech sector
Banks, financial institutions, and fintech companies are all subject to security issues. Fintech startups are particularly attractive to cybercriminals, who know that fintech companies rarely invest as much money and effort in security measures as banks. Mistakes such as keeping unencrypted data or using unsecured third-party services are only asking for trouble. The most common security breaches in this sector include:
- Identity theft, which may lead to social engineering attacks or phishing
- Money theft and laundering
- Application breaches and data leaks
- Malware attacks
Examples of security flaws in fintech
Unfortunately, security flaws in fintech abound. One of the famous cases is Dave, a US mobile banking provider, with a mission to ‘create financial opportunity that advances America’s collective potential.’ Dave’s former third-party providers included Waydev, which was breached.
Even though this was an external provider, the malicious actors were able to obtain unauthorized access to personal data at Dave. This included passwords that were hashed through bcrypt. Luckily for everyone, Dave fixed the issues before financial activities were affected.
Other examples we’d like to draw your attention to include the N26 bank, in which a university researcher found numerous security flaws (luckily for the bank, all issues were fixed without any known harm to users), and the Finastra ransomware attack. Large corporations are also at risk, as the Capital One data breach shows.
What can happen when customers’ data is compromised
Compromising customer data may have grave consequences on two levels:
1. For the business:
- Loss of what’s most important - customer trust, which ultimately translates to financial losses
- Legal implications, e.g. a GDPR cybersecurity breach is subject to hefty fines and may provoke injured persons to file a lawsuit
- Increased risk of exposure to subsequent attacks, such as phishing
2. For the customer:
- Stolen data may be used in a range of fraudulent activities, such as identity theft, financial fraud, blackmail, etc.
- Misuse of data to carry out other attacks, especially phishing
- Infiltration of other systems, unrelated to the one that was compromised, especially if an individual reuses the same simple password
Above all, many fintech applications have direct access to various banking systems. If data leaks from such an application, it can subsequently be used to gain access with legitimate credentials without raising suspicion, often remaining invisible to the bank’s monitoring system.
How to avoid security flaws in fintech – best practices
Although it’s impossible to completely eliminate risk when building complex software products, the practices below can reduce it significantly.
Secure by design approach
The best way to eliminate fintech security flaws is to incorporate the secure-by-design approach into the software and product development processes. This approach applies specific security techniques at every stage of the software development process: from analysis, through design, implementation, and testing, to maintenance and monitoring.
The shift-left rule
The most important aspect of the secure-by-design approach is the shift-left rule, which assumes that security practices should be implemented as early as possible, at every Software Development Life Cycle (SDLC) stage.
For instance, the sooner a Security Engineer joins the project team, the more potential threats they will be able to identify and eliminate through appropriate system design and relevant security controls. This way the project team can apply security measures and build a solution that better meets specific business needs.
This approach also allows companies to reduce the costs associated with detecting and fixing errors in software products: the National Institute of Standards and Technology (NIST) estimates that the shift-left approach reduces maintenance costs by up to 30%. Security flaws detected during penetration tests or through security incidents are the most expensive to fix.
Certain practices can reduce the cost of fixing a security flaw.
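To make the shift-left rule concrete, here is an added example (not code from the original article or from any company it mentions): a small pre-merge security gate in Python of the kind a team can run in a CI/CD pipeline, so that common flaws are caught while the code is being written rather than during a penetration test or a security incident. The rule set, the file names and the sample files are constructed for illustration; a real pipeline would delegate to dedicated SAST and secret-scanning tools instead of hand-written regular expressions.

```python
"""Minimal pre-merge security gate (constructed example, not a real tool)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    severity: str   # "block" fails the gate, "warn" is only reported
    message: str


# Constructed rule set for illustration: (name, severity, pattern, message).
RULES = [
    ("hardcoded-secret", "block",
     re.compile(r"(?i)\b(api[_-]?key|secret|password|token)\b\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
     "credential appears to be hard-coded; load it from a secret store"),
    ("tls-verify-disabled", "block",
     re.compile(r"\bverify\s*=\s*False\b"),
     "TLS certificate verification is disabled"),
    ("weak-password-hash", "block",
     re.compile(r"(?i)\b(md5|sha1)\s*\([^)]*pass"),
     "fast hash used for a password; use bcrypt, scrypt or argon2"),
    ("debug-enabled", "warn",
     re.compile(r"(?i)\bdebug\s*[=:]\s*true\b"),
     "debug mode enabled; confirm it is off in production builds"),
]


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over each non-comment line of one file."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", "//")):   # skip comment lines
            continue
        for rule, severity, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, severity, message))
    return findings


def run_gate(files: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (passed, findings); the gate passes only without blocking findings."""
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    passed = not any(f.severity == "block" for f in findings)
    return passed, findings


# Constructed sample files standing in for the changed files of a pull request.
SAMPLE_FILES = {
    "settings.py": (
        "DEBUG = True\n"
        "API_KEY = \"sk_live_EXAMPLE_placeholder_0000\"\n"   # constructed placeholder, not a real key
        "# password = \"commented out, so not flagged\"\n"
    ),
    "payments.py": (
        "import hashlib, requests\n"
        "def store(password):\n"
        "    return hashlib.md5(password.encode()).hexdigest()\n"
        "def call_bank(url):\n"
        "    return requests.get(url, verify=False)\n"
    ),
    # The secure variant: the key comes from the environment, nothing is flagged.
    "config_loader.py": "import os\nAPI_KEY = os.environ['API_KEY']\n",
}


if __name__ == "__main__":
    passed, findings = run_gate(SAMPLE_FILES)
    for f in findings:
        print(f"{f.severity.upper():5} {f.path}:{f.line} [{f.rule}] {f.message}")
    print("gate:", "PASS" if passed else "FAIL")
    raise SystemExit(0 if passed else 1)
```

Wired into a pipeline, the non-zero exit code blocks the merge, which is the point of shifting left: the hard-coded key, the disabled TLS verification and the MD5 password hash are rejected at review time, while the debug flag is surfaced as a warning for the reviewer to judge.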
Seeking the right talent
Invest in highly qualified Security Engineers who are able to perform a range of tasks:
- Conceptual, such as risk analysis or threat modeling
- Technical tasks, e.g. configuration of CI/CD pipelines or cloud configuration hardening
- Security testing on multiple levels, such as application, infrastructure, network, etc.
Also, don’t underestimate the importance of solid soft skills. As the team’s Subject Matter Expert, the Engineer must be able to clearly present concepts and solutions, so communication skills will be invaluable here.
The importance of cybersecurity in fintech
A good Security Engineer is essential for securing any fintech solution. You can even take security a step further by establishing a DevSecOps team, consisting of engineers with solid hard and soft skills. A DevSecOps team will easily build software in accordance with the secure-by-design approach.
It is the ideal approach for fintech companies looking to meet high security standards in a flexible way, as well as to innovate in areas that banks cannot address as easily.