FINTECH – THE NEXT BIG TARGET FOR HACKERS?
Posted on June 5, 2018, by Lucy Leaper
Banking has always been a lucrative target for organised crime, whether it be through scamming customers out of their money, or directly targeting the financial institutions themselves.
Over the years the tactics have changed somewhat, from the smash-and-grab techniques of old to the sophisticated banking trojans and cyber-attacks of today. Organised crime continues to evolve and criminal groups are now more than capable of utilising the latest hacking tools to expose any potential weaknesses found in financial organisations.
Protecting any organisation is an increasingly difficult task, and whilst the financial industry is taking the threat seriously — banking security budgets could be as high as £300-£400 million per annum — yet it hasn’t stopped attackers getting in.
Here are just some of the headline breaches from the past few years:
- Tesco bank hacked – Cyber fraudsters stole money from 20,000 accounts
- Ecuador bank hacked – $12 million stolen in 3rd attack on SWIFT systems
- ATMs in Thailand hacked – 12 million Baht stolen; 10,000 ATMs prone top hackers
- Polish banks hacked – Malware planted on their own government site
However, things might be about to get even worse.
Banking opens up
The introduction of PSD2 and open banking standards looks set to revolutionise the financial sector, and the potential for technological innovation in this space is as enormous as it is exciting.
FinTech is already an established sector, employing over 60,000 people in the UK and estimated to be worth £7 billion to the economy. But with increased access to financial data, automation and digital wealth management, the industry is arguably the most important in technology right now.
However, with industry expansion and technological advancement comes added complexity, additional risk and, of course, the increased chance of cyber-attack.
Hackers will always choose the easiest possible route when it comes to an attack and with significantly less security resources than traditional banks Fintech looks set to become a major target for criminal groups.
These sophisticated criminal gangs are the same ones who targeted big banks in the past and already have a wealth of resources at their disposal, from sophisticated malware to complex kill chains. So, is Fintech truly prepared?
Already, there’s one major issue.
When technology comes first, security starts to suffer
For the big banking firms, financial risk is key and keeping this to a minimum is always their top priority. However, when it comes to FinTech, technology starts to take more of an important role.
When technology comes first, security starts to suffer, and you only have to look at the Internet of Things (IoT) to see the warning signs. In the rush to create ‘smart’ devices many manufacturers have overlooked security concerns, ultimately releasing products to consumers with less than adequate security measures, and that’s putting it mildly.
This cannot be allowed to happen in the finance industry; the risks are far too high and the security of consumer data needs to be a top priority for all.
How high are the stakes?
Those involved have a responsibility to get the process right and the recent TSB banking app problems, whilst not a cyber-attack, provided just a brief glimpse into the chaos that could ensue if hackers were able to bring down financial systems.
Not only could they disrupt the day-to-day operations of businesses across the country, but there’s also the possibility of people’s accounts being completely wiped clean.
So, how do we prevent such an outcome?
Traditional banks and FinTech companies need to come together to ensure that open banking remains secure: without this collaboration, inconsistent interpretation of the standard could lead to a number of issues.
There’s a lot both sides can learn from each other through collaboration, however, the ultimate goal should always be that of consumer data security.
Security by design
Security concerns can no longer be an afterthought and connected IoT devices are the perfect example of how security can’t afford take a back seat in the innovation process.
But how do you address the issue of security throughout your organisation? The most effective way is to adopt a security by design mindset. This means that security concerns are raised at every stage of a process, from initial planning right through to going live.
Software is a prime example of this and by incorporating security at all stages you not only develop a more secure end product, but bugs (security and functional) can be resolved faster and at a lower cost if they are detected early within the software development lifecycle (SDLC).
We see examples all the time of security coming too late in the development life cycle. Sometimes just before the product is released.
The result is, unfortunately, the identification of a large number of security vulnerabilities. This in turn results in expensive remediation work and more retesting. These ongoing cycles of pentesting, remediation and retesting can not only be expensive, but can often impact release deadlines.
Don’t wait for the bad guys to strike, test yourself regularly
Testing security is essential for those within the financial industry and FinTech should be no different. Organisations need to have a robust testing schedule in place and need to utilise a range of tests, ensuring you remain protected against the latest threats. From simple vulnerability scans to more in depth penetration testing and extensive red teaming exercises.
The only way to truly ensure your networks are protected is to test them regularly.
Now is the time for action
We’re in the very early stages of the new standards and whilst work has begun in earnest, it will be some time before we start to see this wave of FinTech solutions becoming available to consumers.
Now is the time for action and all those within the industry, as well stakeholders, have a responsibility to come together to ensure that this is a success. We don’t want to look back after a major financial breach and admit we could have done better in terms of cybersecurity.