The New Normal
Most cyber security intelligence experts, including the FBI, have been warning Fintech companies that the question is not “if” they will be hacked, but “when”. Cyber attacks on Fintech companies are the new normal in 2016. More than 3 million credit card records have been made public in 2016 alone. One payment system hacked in 2015 left information from 2.5 million credit card records out in the open. A recent attack on Bangladesh Bank has put all Fintech companies and banks on their toes. The attackers who stole $81 million from the Bangladesh Central Bank probably hacked into the software from the SWIFT financial platform that is at the heart of the global financial system. The shields around online banking systems, widely regarded as impenetrable, are now consistently questioned by critics and experts. Recent strikes on Fintech startups like Kreditech, Clinkle and Dwolla show that startups are at risk too!
Attacks on Fintech companies have moved beyond physical infrastructure: hackers find it easier to attack applications to get sensitive financial data out of repositories. Here is a list of 6 actionable tips for building secure Fintech products.
#1 Leader
Having a Chief for Information Security in your organisation is crucial to instil a security culture. There has to be someone to go to for anything and everything related to security. It could be an in-house CISO or a third-party security vendor. You need a Chief with a clear vision. She should make sure that security is a major board room discussion topic. She should be comfortable talking to real hackers. She must be proactive, not reactive. A CISO with these characteristics enables FinTech companies to achieve reasonable security in no time. Here are lists of the most active CISOs on social media:
- http://www.klogixsecurity.com/assets/Most-Social-CISOs.pdf
- https://www.checkmarx.com/2015/02/26/cisos-to-follow-on-twitter/
- http://www.evanta.com/ciso/summits/global/page/4108
Recently, Tesla opened up their platform to hackers across the globe and invited them to hack it. This wouldn’t have happened had Elon Musk not thought about security right from the inception of the connected car idea. The culture of building secure products has to be driven by your Chief. Attacks can come at any time from anywhere. Follow this link to see how countries and organisations are attacking each other in real time – map.norsecorp.com.
tl;dr – Make someone responsible for security!
#2 Architecture and Code review
Architecture review is the first step to securing any application. Before you write even a single line of code, define your security requirements alongside the product features. Strike a balance between convenience and security. The reviewer should be independent of the team building your product.
Review your code for security loopholes with every code release, before it goes out to production. Ensure your team understands its mistakes and bad practices. Sensitize them. Ensure they adopt best practices by choice rather than by compulsion. Several platforms can be used for code reviews. Reviewing every line of code sounds tedious, but it is still the most efficient way to find security loopholes.
tl;dr – Review code before it goes out to production.
#3 Encryption
Let’s face it. No one can be 100% confident that their product is secure. More than 100 bugs are submitted daily to the top 500 product companies through vulnerability disclosure programs. Application security is a journey in which surprise attacks come from the most unexpected places.
The biggest myth around encryption – “Encryption will make your app slower”. It is partially true, but smart moves by tech giants illustrate how one can handle it. Facebook runs encryption on separate servers, thus not compromising on speed and ease of access. Encryption protects your data on the assumption that anything can happen to it. Here is how partial encryption of LastPass saved it from a major public embarrassment. Also, here is how timely encryption could have saved Target’s face.
Having SSL or HTTPS is not enough. Encrypt every line of data. Obfuscate every line of code. Hash and encrypt every entry in your database. Encrypt your emails. Encrypt every layer of your product.
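To make “hash and encrypt every entry” concrete, here is an added example in Go that is not from the original post: a card number is stored as an AES-256-GCM ciphertext plus a keyed (HMAC-SHA256) blind index so the row can still be looked up, with the index bound as associated data. The function names are mine; the two 32-byte keys are assumed to come from a key-management system, and the index key must differ from the encryption key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// BlindIndex is the keyed lookup hash stored beside the ciphertext; an unkeyed
// SHA-256 of a 16-digit card number would be brute-forceable.
func BlindIndex(pan string, idxKey []byte) string {
	m := hmac.New(sha256.New, idxKey)
	m.Write([]byte(pan))
	return hex.EncodeToString(m.Sum(nil))
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// StoreCard returns the row to persist: blind index plus nonce||AES-GCM ciphertext.
// The index is bound as associated data, so a ciphertext cannot be moved under another row's index.
func StoreCard(pan string, encKey, idxKey []byte) (string, []byte, error) {
	gcm, err := newGCM(encKey)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	idx := BlindIndex(pan, idxKey)
	return idx, gcm.Seal(nonce, nonce, []byte(pan), []byte(idx)), nil
}
// OpenCard decrypts a stored row; any change to ct, idx or key fails authentication.
func OpenCard(idx string, ct, encKey []byte) (string, error) {
	gcm, err := newGCM(encKey)
	if err != nil || len(ct) < gcm.NonceSize() {
		return "", errors.New("bad key or ciphertext")
	}
	pt, err := gcm.Open(nil, ct[:gcm.NonceSize()], ct[gcm.NonceSize():], []byte(idx))
	return string(pt), err
}
```

A lookup recomputes BlindIndex for the query PAN and selects the row by it; the ciphertext is only opened once the row is found.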
tl;dr – Encryption is like a hot partner – Tough to manage but totally worth it if you can.
#4 Proactive security assessments
Security assessments are among our primary engagements with most companies. Penetration tests are performed every year. How does that help instil a robust security culture within an organization? Penetration tests are becoming a thing of the past and are more tool-driven than ever.
Have you ever heard of social engineering? Here is how Jayson E. Street hacked a bank without writing even a single line of code. In our view, a strong offence is the best defence.
Can your security chief talk to real hackers to see how secure your platform is? Initially, you can go with traditional penetration testers (in-house or outsourced), but real-time, continuous assessments performed by real hackers can provide you with that crucial additional 1% of confidence. Good white hat hackers can be found on many online forums.
Once you are confident that your hacker team has run out of bugs to find, it’s time to move to a Vulnerability Disclosure Program (VDP). It is simple and one of the most efficient security processes.
Step 1 – You ask white hat hackers to hack into your platform and let you know about the identified security loopholes.
Step 2 – You award the hackers with a bounty for finding the aforementioned security loopholes.
Step 3 – You provide them with incentives to responsibly submit security loopholes to you.
Don’t open your platform to a Vulnerability Disclosure Program if you haven’t implemented the required best practices in your app.
tl;dr – Get white hat hackers to identify bugs in your platform.
#5 Rapid and efficient bug fixing
Do you know that the industry average for completely removing a critical security bug from a production server is 14 days? Enterprises react slowly to bugs, and that is expensive! Once you identify a bug, it has to be reproduced. It has to be acknowledged. It has to be fixed. The fixed code has to be retested. Pushed to production. Retested. Closed.
Rapid and efficient bug fixing is key to any secure organization. Fix each bug as you identify it. Low, medium, high or critical – it doesn’t matter. Get it fixed by the same developer who introduced it. You need strong collaboration tools to track your security loopholes. We have built one, and it includes a free 3-month beta trial: enprobe.io.
tl;dr – Fix each bug as you identify it.
#6 Monitor internal risk
Managing internal risk is serious business for any Fintech company. Audit committees and board members consider cybersecurity a top risk, underscored by recent headlines and increased government and regulatory focus. Even tech-savvy employees can be fooled into giving attackers access to company networks, warns former FBI investigator Don Codling. Read more on the role of internal security.
It is essential for any FinTech company to assess risk properly by creating a cyber risk calculation framework underpinned by an understanding of its data assets and its business. Internal security audits are easy to perform while you are small. If you are compliant from the start, your team will ensure you stay secure and compliant.