Any kind of project can be of potential interest to attackers, since the information stolen in an attack can be turned into cash. In the case of financial projects, though, an attack usually results in attackers transferring user or system funds to an unknown location. This eliminates the extra steps it would otherwise take them to reach their ultimate goal.
Whatever stage your fintech project is at, it is worth making sure that everything that can be done to eliminate digital security risks has been done, so that both clients and the business itself are adequately protected.
“There are only two types of companies: Those that have been hacked and those that will be hacked.”
In this article, we’ll go over the key financial cyber security concerns, as well as a list of ten components for putting together an effective system to protect the financial information of both users and the company itself.
Note: In early 2018, PSD2, the amended Payment Services Directive for the European Union, enters into force. Later in this article, we’ll describe the main IT security requirements of this directive. If your company operates in or plans to operate in Europe, we recommend that you familiarize yourself with it and download our checklist.
The main financial cyber security concerns
We’ll begin by looking at the main traditional digital security risks to personal data protection in the IT systems of fintech companies.
| Threat | Description |
| --- | --- |
| SQL injection | SQL injection is a digital security threat in which altered SQL queries are introduced into the application. By exploiting flaws in the system’s software implementation, an attacker can execute arbitrary database queries. |
| Brute-force attacks | Brute-force attacks attempt to recover a password by automatically guessing from a pool of possible passwords. Using a database of likely passwords (such as a dictionary) makes this process much more efficient. |
| Zero-day vulnerabilities | Zero-days are previously unknown vulnerabilities that attackers exploit before the software developers have fixed them. In addition, system administrators don’t always update software in a timely manner, which creates additional digital security risks. |
| Man-in-the-middle (MITM) attacks | In a MITM attack, messages exchanged between the two ends of a communication channel are intercepted and spoofed over an unauthorized connection. |
| Phishing | Phishing is one of the greatest financial cyber security concerns today. It involves stealing a user’s information with the help of fake websites and web applications that mimic legitimate resources. Through nefarious means (often a link in an email or another message), users end up at these fake resources and voluntarily enter their login details into forms that look identical to the real ones. |
| Banking Trojans | This type of malware is aimed specifically at compromising banking cyber security. It gathers account details, collecting stored information about users’ accounts and sending this data to an admin panel. The admin panel, either by automatic rules or by manual intervention, chooses a target and displays a fake page to the user. |
| Ransomware | Ransomware is typically spread through phishing messages. Once it runs, the malware locks the user out of the system and demands a ransom payment. |
For 2017, the Open Web Application Security Project (OWASP) identified the following as the most critical web application security risks:
- SQL injection
- Cross-site scripting
- Broken authentication
- Broken access control
- Sensitive data exposure
- Using components with known vulnerabilities
- Security misconfiguration
- Cross-site request forgery
- Unprotected APIs
- Insufficient protection from attacks
10 key ways to eliminate these digital security risks
1. Web application firewalls (WAFs)
Most fintech projects provide services through web applications, which are exposed to a number of risks.
A web application firewall, designed specifically for securing web applications, can be used to protect against a variety of financial cyber security threats, including brute-force attacks, session ID spoofing, etc.
A WAF monitors the interaction between client and server during HTTP packet processing. In doing so, it uses predefined rules to detect unauthorized access and block suspicious activity as required.
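As an added illustration of the rule-based monitoring described above (example code, not the article’s or any WAF product’s), two predefined rules are applied to constructed HTTP request records: one blocks a client IP after too many failed logins in a sliding window, the other flags a session ID presented from a different IP and User-Agent than the one it was issued to. The window and threshold values are assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window for counting failed logins
MAX_FAILURES = 5      # assumed failures per window before the IP is blocked

class WafRules:
    def __init__(self):
        self.failed = defaultdict(deque)   # ip -> timestamps of failed logins
        self.blocked = set()
        self.sessions = {}                 # session id -> (ip, user_agent) at issue

    def inspect(self, req):
        """Return 'block' or 'allow' for one request record, updating rule state."""
        ip, ts, sid = req["ip"], req["ts"], req.get("session")
        if ip in self.blocked:
            return "block"
        if sid in self.sessions and self.sessions[sid] != (ip, req["ua"]):
            return "block"                 # rule 2: session ID used from another client
        if req["path"] == "/login":
            q = self.failed[ip]
            if req["login_ok"]:
                q.clear()
                self.sessions[req["new_session"]] = (ip, req["ua"])
            else:
                q.append(ts)
                while ts - q[0] > WINDOW_SECONDS:   # drop failures outside the window
                    q.popleft()
                if len(q) >= MAX_FAILURES:
                    self.blocked.add(ip)   # rule 1: brute-force threshold reached
                    return "block"
        return "allow"

def run(requests):
    waf = WafRules()
    return [waf.inspect(r) for r in requests]

# Constructed traffic: six failed logins from one IP, then a legitimate login from
# another IP whose session cookie is later replayed from a third client.
SAMPLE = (
    [{"ip": "198.51.100.9", "ts": t, "path": "/login", "ua": "curl", "login_ok": False}
     for t in range(0, 60, 10)]
    + [{"ip": "203.0.113.7", "ts": 70, "path": "/login", "ua": "Firefox",
        "login_ok": True, "new_session": "s1"},
       {"ip": "203.0.113.7", "ts": 80, "path": "/account", "ua": "Firefox", "session": "s1"},
       {"ip": "192.0.2.5", "ts": 90, "path": "/account", "ua": "curl", "session": "s1"}]
)
```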
2. Hardware security modules (HSMs)
The main function of an HSM is to perform cryptographic operations and store digital keys. Using an HSM can reduce the risk of unauthorized data modification to as low as zero. It protects data from attackers who have penetrated external security measures, as well as from dishonest employees.
3. HTTPS-secured connections
HTTPS is an encrypted version of HTTP, not a wholly separate protocol, as some think. The difference is that HTTPS carries HTTP over an encrypted transport, TLS (or its predecessor, SSL). When implemented correctly, this type of connection protects against digital security risks like man-in-the-middle attacks, significantly increasing the security of transmitted information.
4. Creating anti-fraud filters using big data technologies
Companies that provide banking and other financial services manage huge amounts of data that are constantly being generated during the system’s operation. Every customer action or transaction creates a record that’s saved in a database. Analyzing this data allows one to make decisions, take user preferences into account, and manage financial risks. Combining big data analysis with machine learning also makes it possible to track and prevent attackers’ actions: the system must be taught to distinguish normal customer activity from suspicious, fraudulent activity.
5. Multifactor authentication
Usernames and passwords can be intercepted or accidentally entrusted to unreliable people. For these reasons, a username and password alone are insufficient to reliably confirm a user’s legitimacy. Multifactor authentication systems are becoming increasingly widespread. Along with the usual username and password, users are additionally identified not by knowledge (e.g. of a password), but by ownership (e.g. of a device). As a rule, the additional authentication factor is provided by a token, which generates one-time passwords. These may be software tokens (an app on a smartphone) or hardware tokens (separate devices in the form of a key fob or plastic card). It’s much harder for an attacker to control two (or more) authentication factors as opposed to any one factor alone. Some “second” and “third” factors are even unique to a given user (these are biometric methods of information protection) – like your fingerprint, pulse, retina, or face, as in Apple’s Face ID.
“In response to new challenges, Protectimus has developed a powerful means of protection against banking Trojans, injecting, and other types of malicious software that manipulates and modifies data during transactions.”
– Denys Shokotko, Head of R&D, Protectimus Solutions LLP
6. Data signing (CWYS)
Data signing is an effective measure against injections, banking Trojans, and other means of swapping out data during a transaction. The working principle here is that of a one-time password, used for transaction confirmation, which is generated based on the data of the particular transaction being performed by the user at the time. Such “marker” data might include the amount of money being transferred, the currency, the recipient, the client device’s IP address, etc. In this manner, even if the one-time password is intercepted, an attacker cannot use it to sign an illegitimate transaction, as the one-time password will have been generated based on entirely different data.
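The following is an added example (not Protectimus code) covering both the one-time-password token of section 5 and the data signing of section 6. A plain TOTP depends only on the time step, so it fits any transaction; the CWYS-style variant mixes the transaction’s marker data into the HMAC, so a code confirmed for one payment fails verification once the recipient has been swapped. The shared seed and the payment fields are constructed.

```python
import hmac
import hashlib
import struct

# Constructed per-user token seed; a real deployment provisions this into the token.
SHARED_SECRET = b"constructed-demo-seed-not-a-real-key"
STEP_SECONDS = 30
DIGITS = 6

def hotp(secret: bytes, message: bytes) -> str:
    """RFC 4226-style dynamic truncation of HMAC-SHA1 over an arbitrary message."""
    mac = hmac.new(secret, message, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, now: int) -> str:
    """Plain second factor: the OTP depends only on the current time step."""
    return hotp(secret, struct.pack(">Q", now // STEP_SECONDS))

def canonical_tx(tx: dict) -> bytes:
    """Fixed field order so client and server hash exactly the same bytes."""
    return "|".join(f"{k}={tx[k]}" for k in
                    ("amount", "currency", "recipient", "client_ip")).encode()

def signing_otp(secret: bytes, tx: dict, now: int) -> str:
    """CWYS-style OTP: bound to the time step AND the transaction's marker data."""
    return hotp(secret, struct.pack(">Q", now // STEP_SECONDS) + canonical_tx(tx))

def verify_signing_otp(secret: bytes, tx: dict, otp: str, now: int) -> bool:
    """Server side: recompute over the transaction it is actually about to execute."""
    return hmac.compare_digest(signing_otp(secret, tx, now), otp)

def demo(now: int = 1_700_000_000) -> dict:
    # Constructed payment that the user confirms on their token.
    legit = {"amount": "250.00", "currency": "EUR",
             "recipient": "DE00DEMO000000000000", "client_ip": "203.0.113.7"}
    otp = signing_otp(SHARED_SECRET, legit, now)
    # Malware swaps the recipient after confirmation; the intercepted OTP no longer fits.
    swapped = dict(legit, recipient="DE00OTHER00000000000")
    return {
        "legit_accepted": verify_signing_otp(SHARED_SECRET, legit, otp, now),
        "swapped_accepted": verify_signing_otp(SHARED_SECRET, swapped, otp, now),
        "plain_totp": totp(SHARED_SECRET, now),   # same value for either payment
    }
```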
7. Smart identification (behavioral factor analysis)
The use of this model can serve to ease the “burden” of multifactor authentication somewhat. If a user’s characteristic behavior remains consistent across several sessions, the system may not require additional identity verification from the user.
The simplest example of this kind of smart identification is when a system remembers the browser and device you use or the time and your IP address when you sign into your account.
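An added example (not the article’s code) of that simplest case: a login whose device fingerprint, client network and hour of day all match what the account has used before skips the extra factor, while a new device or unfamiliar context steps up to multifactor authentication. The profile, the fingerprints and the policy that all three attributes must match are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Profile:
    known_fingerprints: set = field(default_factory=set)   # browser/device hashes
    known_networks: set = field(default_factory=set)       # /24 or /64 prefixes
    usual_hours: set = field(default_factory=set)          # hours of day seen before

def network_of(ip: str) -> str:
    """Compare networks rather than exact addresses; home/office IPs rotate within a prefix."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def assess_login(profile: Profile, fingerprint: str, ip: str, hour: int) -> dict:
    """Return which behavioral attributes matched and whether a second factor is required."""
    matches = {
        "device": fingerprint in profile.known_fingerprints,
        "network": network_of(ip) in profile.known_networks,
        "time": hour in profile.usual_hours,
    }
    # Assumed policy: every attribute must match to skip step-up.
    return {"matches": matches, "require_second_factor": not all(matches.values())}

def learn(profile: Profile, fingerprint: str, ip: str, hour: int) -> None:
    """Record a session that passed full verification so matching sessions are trusted later."""
    profile.known_fingerprints.add(fingerprint)
    profile.known_networks.add(network_of(ip))
    profile.usual_hours.add(hour)

def demo() -> dict:
    p = Profile()
    # First login: nothing is known yet, so MFA is required; after it succeeds we learn it.
    first = assess_login(p, "fp-chrome-laptop", "203.0.113.7", 9)
    learn(p, "fp-chrome-laptop", "203.0.113.7", 9)
    same_context = assess_login(p, "fp-chrome-laptop", "203.0.113.42", 9)
    new_device = assess_login(p, "fp-unknown-phone", "203.0.113.42", 9)
    return {"first": first["require_second_factor"],
            "same_context": same_context["require_second_factor"],
            "new_device": new_device["require_second_factor"]}
```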
8. Payment balance reconciliation
In this method, the user’s balance and transaction amounts are verified against each other. If a discrepancy is identified, the user is blocked from withdrawing funds. The balances of internal and external payment systems can also be reconciled to protect companies from unscrupulous partners. Constant balance reconciliation can serve as a good countermeasure against data tampering and system errors.
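Added example (not the article’s code) of both reconciliations described above: each user’s stored balance is recomputed from their ledger entries and withdrawals are blocked on any discrepancy, and per-user totals are compared against an external payment provider’s statement. The ledger, the stored balances and the provider statement are constructed; one stored balance has been tampered with and one withdrawal is missing from the statement.

```python
from decimal import Decimal

# Constructed internal ledger: (user_id, entry_type, amount)
LEDGER = [
    ("u1", "deposit",  Decimal("500.00")),
    ("u1", "withdraw", Decimal("120.00")),
    ("u2", "deposit",  Decimal("80.00")),
    ("u2", "withdraw", Decimal("30.00")),
]
# Constructed stored balances; u2 has been tampered with (the ledger says 50.00).
STORED_BALANCES = {"u1": Decimal("380.00"), "u2": Decimal("950.00")}
# Constructed external provider statement; the 30.00 withdrawal for u2 is absent.
PROVIDER_STATEMENT = [
    ("u1", "deposit",  Decimal("500.00")),
    ("u1", "withdraw", Decimal("120.00")),
    ("u2", "deposit",  Decimal("80.00")),
]

def expected_balances(entries):
    """Recompute each user's balance as the signed sum of their entries."""
    totals = {}
    for user, kind, amount in entries:
        sign = 1 if kind == "deposit" else -1
        totals[user] = totals.get(user, Decimal("0")) + sign * amount
    return totals

def reconcile_users(ledger, stored):
    """Return the users whose stored balance disagrees with the ledger."""
    expected = expected_balances(ledger)
    mismatched = {}
    for user, balance in stored.items():
        ledger_value = expected.get(user, Decimal("0"))
        if ledger_value != balance:
            mismatched[user] = {"stored": balance, "expected": ledger_value}
    return mismatched

def may_withdraw(user, ledger, stored):
    """Withdrawals are blocked for any user with an unresolved discrepancy."""
    return user not in reconcile_users(ledger, stored)

def reconcile_with_provider(ledger, statement):
    """Compare internal and external per-user totals; return (internal, external) mismatches."""
    internal, external = expected_balances(ledger), expected_balances(statement)
    zero = Decimal("0")
    return {u: (internal.get(u, zero), external.get(u, zero))
            for u in set(internal) | set(external)
            if internal.get(u, zero) != external.get(u, zero)}
```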
9. Database replication
Replication involves the synchronization of changes to data: the data from one server (the master) is continuously copied (i.e. replicated) to one or more other servers (the slaves). Replication is used for scaling and/or to improve fault tolerance. In this article, we’re more interested in the latter. In the event that the master server is unable to handle a request, requests can be transferred to one of the slave servers, which becomes the new master (and the old master server becomes a slave after being restored). This technique helps to maintain data and system performance in spite of various planned or unplanned events.
10. Backups
To recover from the destruction of, or unauthorized changes to, databases and other elements of the system software, it’s essential to regularly produce backups and store them somewhere reliable, preferably also somewhere remote. Keep in mind, though, that backups have a disadvantage: unlike database replication, a backup only stores a snapshot of the system at the time it was taken. This means that when restoring data from a backup, any changes made after that snapshot will be lost.
PSD2 summary: the future of cybersecurity in European fintech
In January 2016, the European Union’s new payment service directive entered into force. After a two-year transition period, as of 13 January 2018, the previous version of the directive (PSD1) will be retired completely. All European fintech businesses will have to bring their operations into compliance with the new requirements. Among other things, significant attention has been given to the following issues:
- banking cyber security;
- protection of personal data on the internet.
The use of financial cyber security methods like multifactor authentication and dynamic transaction confirmation will become mandatory.
Additionally, multifactor authentication will be required not only when clients log into their accounts with fintech services, but also upon making an electronic payment, as well as when remotely managing financial accounts. (Per the directive, such thorough verification is not required for transactions under 30 euros.)
You can familiarize yourself with the basic requirements of PSD2 and check which requirements your system meets by downloading this checklist.
Powerful means of protecting information against unauthorized access are essential for all resources on the internet, particularly fintech projects. Not only a company’s reputation in the eyes of its clients but often the company’s very existence depend on the effectiveness of these measures.
Finally, here are the 10 must-have steps to eliminate digital security risks in a fintech project; check whether you’ve done all of them:
- Web application firewalls (WAFs)
- Hardware security modules (HSMs)
- HTTPS-secured connections
- Creating anti-fraud filters using big data technologies
- Multifactor authentication
- Data signing (CWYS)
- Smart identification (behavioral factor analysis)
- Payment balance reconciliation
- Database replication
- Backups