“The Fintech 250: The Top Fintech Startups Of 2018" is a report that presents the overall state of web and application security at fintech companies and compares it with the results for traditional banks. Some of its key findings throw a worrying light on the current threat landscape in the fintech sector.
- 100% of the mobile applications contain at least 1 security vulnerability of a medium risk, 97% have at least 2 medium or high-risk vulnerabilities.
- As many as 93 subdomains failed basic HTTPS encryption standards, with failed or expired SSL certificates.
- 56% of mobile app backends (REST/SOAP APIs) have serious misconfigurations or privacy issues related to SSL/TLS configuration and insufficient web server security hardening.
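The HTTPS findings above come down to two checks a defender can automate: is the certificate presented by each host still valid, and is the server willing to negotiate only current TLS versions. The script below is an added example, not code from the report or from Srijan; it audits a constructed set of hosts offline using certificate data in the format Python's `ssl` module returns from `getpeercert()`, and includes a separate `probe()` helper (assumed here, needs network access) for collecting that data from a live host.

```python
"""Audit certificate expiry and negotiated TLS version for a set of hosts.

Added example, not part of the original report or article. The host names,
certificate data and audit time below are constructed for illustration.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Anything below TLS 1.2 counts as a hardening failure in this audit.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def classify_cert(cert: dict, now: datetime, warn_days: int = 30) -> str:
    """Return 'expired', 'expiring' or 'ok' for a cert dict in getpeercert() format."""
    # notAfter is an RFC 2822-style string such as "Dec 31 00:00:00 2019 GMT";
    # cert_time_to_seconds converts it to seconds since the epoch in UTC.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    if not_after <= now:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def audit(hosts: dict, now: datetime) -> dict:
    """Evaluate host -> (cert_dict, negotiated TLSVersion) data and return findings."""
    findings = {}
    for host, (cert, version) in hosts.items():
        cert_status = classify_cert(cert, now)
        weak_protocol = version < MIN_TLS  # TLSVersion is an IntEnum, so this compares
        findings[host] = {
            "cert": cert_status,
            "protocol": version.name,
            "weak_protocol": weak_protocol,
            "failed": cert_status != "ok" or weak_protocol,
        }
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live probe (network required): fetch peer cert and negotiated TLS version.

    Deliberately lowers the client's minimum version so that a server which only
    offers TLS 1.0/1.1 is reported rather than simply refused by the default context.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            # tls.version() returns e.g. "TLSv1.2"; the enum member is "TLSv1_2"
            return tls.getpeercert(), ssl.TLSVersion[tls.version().replace(".", "_")]


# Constructed sample: three hosts as they might look on the audit date.
AUDIT_TIME = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE_HOSTS = {
    "api.example-fintech.test": (
        {"notAfter": "Dec 31 00:00:00 2019 GMT"}, ssl.TLSVersion.TLSv1_2),
    "legacy.example-fintech.test": (
        {"notAfter": "May 15 00:00:00 2019 GMT"}, ssl.TLSVersion.TLSv1),
    "pay.example-fintech.test": (
        {"notAfter": "Jun 20 00:00:00 2019 GMT"}, ssl.TLSVersion.TLSv1_3),
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_HOSTS, AUDIT_TIME).items():
        flag = "FAIL" if finding["failed"] else "ok  "
        print(f"{flag} {host}: cert={finding['cert']} protocol={finding['protocol']}")
```

Running the offline sample flags the legacy host twice (expired certificate, TLS 1.0) and the payments host once (certificate within 30 days of expiry), which is the kind of inventory the report's 93-subdomain figure summarizes. To audit real hosts, replace `SAMPLE_HOSTS` with `{host: probe(host) for host in inventory}` and schedule the run, since an expiring certificate is only useful information before it expires.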
Given how ingrained fintech applications have become in consumers' daily lives, these security shortcomings are alarming to say the least. And that is exactly why fintech needs to strengthen its security posture.
For any fintech product, customer trust is a key determinant of large scale product usage. It takes just one security lapse to expose huge sets of customer data, and cause severe damage to their financial assets. And a failure of this magnitude can spell the end for a fintech product as customers stop using it altogether.
Another key reason to strengthen security is to ensure the continued existence of the fintech market. If fintech applications regularly fall prey to cyber attacks and large-scale data and monetary losses, banks will also begin to feel jittery. The banking sector, despite digital advances, is highly conservative and does not take undue financial and operational risks. And with banks withdrawing from the collaboration, fintech as an industry will cease to exist.
But the rate of innovation in fintech firms, with no legacy tech to slow them down, far outstrips any financial or security regulations in place. And so these glaring security lapses will only get more complex as the industry progresses.
That is unless we can take a good look at the existing threats while also underlining why fintech should strengthen its security postures.
Challenges to Fintech Security
Managing digital identity
With integrated omnichannel experiences between different consumer applications and the fintech ones, digital identity has become the common denominator tying an individual or company’s online interactions. And while this identity is secure at some level, it is also being used across a number of different applications and portals, not all of which offer the same level of security. Cloning these identities, especially in the fintech world, has become extremely commonplace, and can be disastrous for those involved. This creates extreme vulnerability given the kind of sensitive information and access traded across these applications.
Cross platform contamination
Fintech products exist because of the easy interfacing between different systems via APIs. And while data travels across this network, it is just as possible for malware to do the same. Cross-platform malware contamination is an increasingly common scenario in integrated financial services. It can propagate from one system to another, and it takes just one weak link in the chain for the whole thing to be compromised.
Besides independent fintech firms, banks are also launching their own lines of fintech products to deliver increased value to customers. However, the development of these products is largely outsourced to third-party vendors, and the lack of visibility into this development process can introduce several security vulnerabilities into the products. Banks need to be closely involved in the process, conducting due diligence, contract management, ongoing control assurance and monitoring of operations, in order to avoid insecure coding practices.
How to Strengthen Fintech Security Postures
Compliance is only the first, and very basic level of security for fintech products, but critical nevertheless. Compliance regulations in the financial industry are different in their specifics across different countries, but broadly address the same elements around information security - the handling of personally identifiable information, financial data, and non-public information.
It is important for fintech businesses to ensure compliance across geographies if they wish to avoid running into heavy fines and eroding customer trust. With the roll out of GDPR in the EU and similar regulations taking shape in other countries, fintech products have to be compliant across the board.
Penetration testing is a key element in ensuring compliance, to check for application security and if all information requests are being routed through the right channels. This can expose system vulnerabilities in time and help secure the applications.
However, mere compliance does not ensure security. Compliance is the bare minimum that fintech products have to deliver. Security measures over and above these are required for effective risk management.
Post compliance, the next level of security measures come into play on the application architecture. These apps access a variety of financial and personal information from different service providers to perform real-time transactions. The data is accessed across several API calls and other big data sources, and it makes them a very common attack vector. Vulnerabilities here can be easily exploited to gain entry into financial networks.
So fintech businesses need to ensure a robust application security infrastructure to protect data. From firewalls and SSL/TLS encryption to advanced threat intelligence that identifies new risks and drives patching of vulnerabilities, fintech products need to check a lot of boxes to ensure security.
The reason fintech products can offer real-time, highly-available services is because they harness a strong cloud infrastructure. It’s consistent, highly scalable, and offers lower cost of data storage and computation. But it also means another aspect to take care of, when it comes to security. And it’s especially complicated because there is amplified data movement across two to three different environments, with minimal visibility.
Fintech firms, and the banks they collaborate with, must apply the same level of security to the cloud infrastructure as they do to their private networks. Elements like authentication, authorization, data access and API security have to be built into the system. Data governance, data loss prevention, and standardized processes for configuring new cloud services have to be put in place to reduce security risks.
Automated Threat Intelligence
As banks and fintech firms enter into partnerships, the breadth of interactions and elements that need to be monitored increases manifold, making it impossible to keep track of it all manually. Automated threat intelligence becomes necessary to ensure continuous monitoring and timely alerts. This usually takes the form of machine learning algorithms trained to spot system or data anomalies once integrated into the network. That makes it easier to identify and prevent security threats in real time.
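The anomaly detection described above does not have to start with a trained model; a robust statistical baseline over the API gateway's access log already catches the clients that stand out. The following is an added example, not code from the article or from Srijan: it parses constructed log lines (the format and IP addresses are assumptions for illustration) and flags a client whose request volume is an outlier under a median/MAD robust z-score, or whose authentication-failure ratio is abnormally high. The robust score is used instead of a plain mean/standard-deviation z-score because one very noisy client inflates the standard deviation enough to mask itself.

```python
"""Flag anomalous API clients from access-log lines using a robust z-score.

Added example, not code from the original article or from Srijan. The log
format and the SAMPLE_LOG lines are constructed; a real deployment would parse
its own gateway's log format and run this per sliding time window.
"""
import re
import statistics
from collections import defaultdict

# Constructed line format: "<iso-timestamp> client=<ip> path=<path> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)


def parse(lines):
    """Yield (client, path, status) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("client"), m.group("path"), int(m.group("status"))


def robust_z(value, median, mad):
    """Modified z-score (Iglewicz-Hoaglin); 0.6745 scales MAD to a normal sigma."""
    if mad == 0:
        # No spread in the baseline: any deviation from the median stands out.
        return 0.0 if value == median else float("inf")
    return 0.6745 * (value - median) / mad


def detect(lines, z_threshold=3.5, auth_fail_ratio=0.5, min_requests=10):
    """Return {client: [reasons]} for clients that look anomalous in this window."""
    counts = defaultdict(int)
    auth_failures = defaultdict(int)
    for client, _path, status in parse(lines):
        counts[client] += 1
        if status in (401, 403):
            auth_failures[client] += 1

    values = list(counts.values())
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)

    findings = {}
    for client, n in counts.items():
        reasons = []
        z = robust_z(n, median, mad)
        if z > z_threshold:
            reasons.append(f"request volume outlier (robust z={z:.1f})")
        fails = auth_failures[client]
        if n >= min_requests and fails / n >= auth_fail_ratio:
            reasons.append(f"high auth-failure ratio ({fails}/{n})")
        if reasons:
            findings[client] = reasons
    return findings


def _constructed_log():
    """Five ordinary clients plus one hammering the transfer endpoint."""
    lines = []
    normal = {"198.51.100.10": 3, "198.51.100.11": 4, "198.51.100.12": 5,
              "198.51.100.13": 4, "198.51.100.14": 3}
    for client, n in normal.items():
        for i in range(n):
            lines.append(f"2019-06-01T10:00:{i:02d}Z client={client} "
                         f"path=/api/v1/balance status=200")
    for i in range(40):
        status = 401 if i < 30 else 200  # mostly rejected credentials
        lines.append(f"2019-06-01T10:00:{i:02d}Z client=203.0.113.5 "
                     f"path=/api/v1/transfer status={status}")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for client, reasons in detect(SAMPLE_LOG).items():
        print(client, "->", "; ".join(reasons))
```

On the constructed window the median client count is 4 with a MAD of 1, so the 40-request client scores a robust z of about 24 while the ordinary clients score under 1; the same client is also flagged for 30 rejected requests out of 40. A plain mean-based z-score on the same data comes out near 2.2 for the outlier, below any sensible threshold, which is the masking effect the robust version avoids. Thresholds like `z_threshold` and `auth_fail_ratio` are starting points to tune against the product's own traffic.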
Banks and other financial institutions will have to cater to increased customer demand for diverse and easy-to-use financial products. And fintech products will need the BFSI enterprises to be able to deliver value added services. Because of this symbiotic relationship, it pays for both parties to concentrate on improving security postures to increase trust in new security features.
Srijan works with leading financial institutions to help them navigate their digital transformation while ensuring security and compliance. Drop us a line, and let’s discuss how our expert teams can help.