Global investment in FinTech is currently estimated at $13.8 billion, with $4.5 billion invested in Asia-Pacific across 140 deals, according to KPMG and CB Insights' "The Pulse of FinTech" report. FinTech is disruptive, and it is the future. Technologies such as Bitcoin and blockchain are changing everyday life, and more than a million applications have integrated bitcoin payments. P2P lending, faster payments, robo-advisors and automated trading will all suffer if application security is not accounted for from the start.
Why is Security important in FinTech?
New technology is exciting, but it opens doors to new threats. We recently witnessed the SWIFT attacks. Bitcoin exchanges have already come under severe attack: Mt. Gox and Bitstamp have lost millions of dollars to cybercrime. These attacks demonstrate the importance of building in security and controls from the start. The faster new technologies are developed, the more opportunities there are for criminal entrepreneurs whose business is to break in and make quick money. Bitcoin and other new technologies make cybercrime investigations harder to crack because of anonymity and the lack of regulation at various levels. Attackers often understand the latest FinTech better than most CIOs. FinTech is the biggest unknown among many unknowns in technology, and it has become a playground for attackers. Security is the foundation of the financial services industry: beyond convenience, keeping customer information secure is the biggest responsibility a FinTech company has. That takes a systematic approach covering every element of cyber security, so that the organisation is equipped and educated to face the full spectrum of future attacks.
Current state of FinTech security
Over the past decade, attackers have shifted from network-layer attacks to application-layer attacks. Globally, more than 65% of FinTech products that already process financial transactions through their apps have never had a single thorough application security assessment. For the remaining 35%, penetration testing alone is not enough.
Why is it not enough? Edsger Dijkstra, the Turing Award-winning computer scientist, wrote that "program testing can be used to show the presence of bugs, but never to show their absence". He wrote that almost 50 years ago, yet we still treat application security as nothing more than penetration testing. Penetration testing, as practised by most enterprises, is a checklist-based exercise carried out by certified staff: it finds the known classes of bug on the paths it checks and says nothing about what it did not check. Security researchers are not the same as hackers, and hacking and penetration testing are not the same activity. In fact, very few security vendors understand FinTech and have the capability to secure FinTech products and platforms.
What should FinTech companies do?
FinTech security needs innovation of its own. FinTech startups need to work closely with real hackers and keep up with the latest threats and vulnerabilities circulating in underground communities. You need skilled attackers constantly trying to break your product in order to secure it. But can your organisation do that? Does your CTO or CIO have the capability to interact with real hackers? Is she familiar with the dark web and the IRC channels where they gather? Can she interact with them safely? Realistically, she will not have time for all of this.
This makes security for new technologies extremely hard to achieve, and absolute security impossible. The best answer is to think about security from the start: bring it into the design and use secure design patterns rather than bolting controls on afterwards.
It is often said that more than 90% of the code Uber runs is not its own custom code; it is built on APIs and managed services from platforms such as Google and AWS, whose security is maintained by the provider. That leaves the engineering team free to concentrate its security effort on the part of the stack that is genuinely its own.
Security has to be part of the culture
Most developers see security as an impediment, when they should see it as the way to move fast and build trust with both users and regulators. It has to be part of your organisation's culture. Have you heard of Tesla's open challenge to hack into their cars? Elon Musk may hire you if you succeed. With connected cars you cannot be cavalier with people's lives; with FinTech, a flaw can do serious damage to a person's finances.
The Fix
Your team should think about security right from the start, before writing a single line of code. Check the technology stack you intend to use for known vulnerabilities, and keep checking as new ones are disclosed; a zero-day is by definition not on any list, so what you can actually verify is that nothing already public is left unpatched. Know your technology stack thoroughly. Don't pull in obscure open-source components you have not vetted. Use APIs that are trusted across the globe and in your industry, pin the versions you depend on, and stay on top of changes to those APIs. Whatever custom code you write, make it robust and secure. Challenge your product's security continuously with skilled attackers: engage an organisation to attack it during the development cycle, not after production. Perform code reviews. If something is not right, trace it to the root cause rather than patching the symptom. Once you are fairly confident in the platform, and before release, list it on a bug bounty platform and let hackers test its resilience. Securing from the start turns out to be the most cost-effective approach.
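As an added example, not code from the original article: a small offline dependency audit in Python that carries out two of the steps above, checking the stack for known vulnerabilities and insisting that versions are pinned. The package names, versions and advisory identifiers it uses are constructed for the example and are not real packages or real CVEs; in practice the same logic would run over an advisory export such as OSV or NVD data in place of the hard-coded list.

```python
"""Offline dependency audit for a pinned requirements file.

Added example: flags dependencies whose pinned version falls inside a known
vulnerable range, and dependencies that are not pinned at all (an unpinned
dependency can silently drift into a vulnerable version on the next build).
All package names, versions and advisory IDs below are constructed for this
example; they are not real packages or real CVEs.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str       # normalised (lower-case) package name
    introduced: str    # first affected version, inclusive
    fixed: str         # first fixed version, exclusive
    advisory_id: str


# Constructed advisory data standing in for an OSV/NVD export (hypothetical).
ADVISORIES = [
    Advisory("examplecrypto", "1.0.0", "1.4.2", "ADV-EX-001"),
    Advisory("ledgerclient", "2.0.0", "2.3.1", "ADV-EX-002"),
]

# Constructed requirements file for the example.
SAMPLE_REQUIREMENTS = """\
# hypothetical lockfile
examplecrypto==1.3.0      # inside ADV-EX-001's affected range
paymentsdk>=2.0           # not pinned: drifts on every build
jsonhelper==3.1.0         # no advisory
ledgerclient==2.3.1       # exactly the fixed version, so not affected
"""

_REQ_RE = re.compile(
    r"^([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.\-]*)?$"
)


def parse_version(text: str) -> tuple:
    """'1.4' -> (1, 4, 0): numeric dotted versions only, padded to three
    components so that 1.4 and 1.4.0 compare equal."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> list:
    """Parse a minimal requirements.txt into (name, operator, version) triples.
    Comments and blank lines are skipped; names are lower-cased."""
    reqs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        name, op, version = m.groups()
        reqs.append((name.lower(), op, version))
    return reqs


def audit(requirements_text: str, advisories=ADVISORIES) -> list:
    """Return one finding dict per problem, in file order.
    kind == 'unpinned': no exact '==' pin, so the resolved version is unknown.
    kind == 'vulnerable': pinned version v satisfies introduced <= v < fixed."""
    findings = []
    for name, op, version in parse_requirements(requirements_text):
        if op != "==" or version is None:
            findings.append({
                "package": name, "kind": "unpinned",
                "detail": f"spec {op or ''}{version or ''} does not fix a version; pin it",
            })
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv.package != name:
                continue
            if parse_version(adv.introduced) <= v < parse_version(adv.fixed):
                findings.append({
                    "package": name, "kind": "vulnerable",
                    "detail": f"{version} is affected by {adv.advisory_id}; upgrade to >= {adv.fixed}",
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS):
        print(f"{f['kind']:<10} {f['package']}: {f['detail']}")
```

Run on the constructed lockfile it reports examplecrypto as vulnerable and paymentsdk as unpinned, and stays silent on ledgerclient because 2.3.1 is the first fixed version. The unpinned check matters as much as the range check: a `>=` specifier means the version that ships is decided by whatever the package index serves on build day, so the audit cannot vouch for it.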