Within the fintech industry the security issues are those to be given maximum attention: according to ImmuniWeb research, 98 of 100 top fintech startups contain vulnerabilities to security attacks.
As experts in mobile app development with more than 10 years of hands-on experience, Surf has created lots of apps both for fintech companies and banks, so we know for sure how to develop a fintech app.
From our perspective, security issues cannot be solved at the tools and technology level only, but at the level of the company’s internal culture that puts stress on app security.
In this article, we are going to talk about the risks for financial technology in terms of security and compliance. Keep reading to find out why fintech companies may fail due to poor security and what can be done to avoid it.
Fintech as attractive target for cyberattacks
Banks have always been like a magnet for criminals. The first bank robbery took place as early as in March 1831. Since then our life has changed a lot and banking has significantly shifted to the digital environment but in parallel, the criminals have also made great progress in arranging security incidents and personal data breaches, and financial organizations still remain their most desired target.
According to Statista, the most targeted industries for phishing attacks in the first quarter of 2021 are financial institutions and social media, with 24.9 and 23.6 percent of attacks worldwide, accordingly.
The reasons behind the statistics are easy to explain.
Reason 1. Access to sensitive data
The first and the most obvious reason is that the financial services sector is home to various data sets, covering financial transactions, client’s payment card information, credit report, geolocation, and special categories of personal and other sensitive data. And as we know, data is the most valuable asset in our Information Age.
Statista conducted a survey among IT security professionals worldwide, and the results demonstrate that an increase in cyber attacks since the COVID-19 pandemic mainly refers to data leakage, including unauthorized removal or transfer of data from a device, and phishing emails.
Reason 2. Unproven technologies
Financial technologies are, by nature, innovative and data-driven, with ever-expanding boundaries. But sometimes the race to be first to market can be quite harmful. Once again the COVID-19 pandemic shall be mentioned as the factor that forces businesses to implement new digital products and services. Under the pressure, using cutting-edge, yet less proven technologies, approaches, and processes may give rise to new cyber risks in the banking sector and fintech .
According to Clearswift, the UK-based information security company, Internet of Things, Artificial Intelligence and 5G are called top 3 emerging technologies that pose a cyber-threat and can be used by criminals to develop new methods of attack.
Reason 3. Security gaps in third-party software
Fintechs sometimes imply integration between traditional banks, financial service providers, and fintech startups using third-party security products, which can be a bottleneck in terms of safety. Collaboration with third-party vendors may result in various security risks for financial institutions.
As an example, First Horizon National Bank, which is based in Tennessee, suffered from a data breach caused by a vulnerability in third-party security software. The attackers got access to credentials of approximately 200 online accounts, stole personal information from the victims and exfiltrated around $1 million. Although the vulnerability was later fixed, this incident damaged the company’s reputation, and the bank incurred financial losses.
Reason 4. Human factor
According to the IBM report, human error causes 95% of all breaches. While this number seems quite hard to believe, it is indeed true. The fintech sector employs the latest and most advanced technologies, bringing the need for additional staff training.
However, because of the pandemic and continuous lockdowns, employees are forced to work from home, which leads to less effective corporate training. Combined with the increased need to use online messaging and emailing more, each worker becomes a number one target for potential phishing attacks.
What is the way to make a secure fintech solution?
If we compare the established financial institutions with smaller fintech companies and startups, the first have more opportunities to achieve cyberresillience as they may afford more budget for IT security, while having established processes and policies. Still, any finance-related company remains in the crosshairs and has to ensure the highest possible level of protection.
Correctly implemented user authentication or introducing any similar security features is not enough to protect your customers. To cover all eventual risks the team engaged should apply a systematic approach throughout the processes that would cover eventual fintech security concerns and set priority to security issues in any aspect of the workflow.
Follow the latest fintech compliance regulations
Compliance from a legal perspective doesn’t come cheap. A study by LexisNexis Risk Solutions has found out that anti-money laundering (AML) compliance is costing UK financial institutions £28.7 billion and will raise to £30 billion by 2023. But this is the factor you cannot ignore if you provide products or services that contain sensitive information. Otherwise, this may cost you a lot of money and can affect your reputation.
For instance, as a result of failure to secure its network, the data breach at Equifax Inc. in 2017 affected approximately 147 million people. The company had to pay $575 million as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories.
Here are some of the regulations and standards you have to follow, depending on the country your business operates in:
- Payment Card Industry Data Security Standard (PCI DSS), which is an information security standard to be complied with in case of handling credit cards from majour payment networks;
- ISO/IEC 27001, an international standard for managing information security;
- General Data Protection Regulations (GDPR) for the companies that provide financial services in the European Union and the European Economic Area;
- Revised Payment Services Directive (PSD2), a EU-directive to regulate payment services and payment service providers;
- Gramm-Leach-Bliley Act (GLBA), an act of US Congress to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, and other financial service providers, and for other purposes.
We have already shared more detailed tips on fintech compliance risks management to avoid regulatory penalties and fines.
Build security strategy
As mentioned above, the security-focused strategy is the key to protect your product and customers from fintech and banking cyber threats.
- Implement internal compliance
To comply with the global and local regulations, laws, and fintech security standards, you need internal policies and procedures to organize processes inside of your company.
- Risk management
Building the strategy shall start with risk assessment and covering all internal procedures and measures, both to monitor and mitigate risks and to be prepared to respond to incidents.
- Provide sufficient employee training
Study by LexisNexis Risk Solutions mentioned above shows that to deal with AML compliance challenges many UK companies commit 70% of their budgets for staff training but not for technology development. And this is a significant part for building a solid security strategy, since every employee must be aware of their security-related responsibilities and any changes in laws and procedures in order to comply with them and be able to react promptly in case of emergency.
- Choose reliable partners
Whether you choose a development team or a third-party cloud storage solution, you should be confident that they can be trusted in terms of fintech security.
In the background of the current high demand for creating reliable products, most large corporations have established high security standards and all their contractors must comply with the requirements set. Before release, any IT project shall go through mandatory checks including but not limited to penetration tests and code audits.
Surf projects are well-prepared for such checks, as we have the internal security guidelines and best practices for processing and storage of sensitive data. Every team member is aware of them and uses them at every prod of the app development workflow. Surf security practices and standards have more than once successfully passed clients’ audits.
- Promote cybersecurity mindset
To sum things up we can say that security is not a perimeter-related concept anymore but is integrated into the company’s culture and every employee’s behavior. The security-focused measures are aimed to form a special mindset to make the team aware of potential risks, be more cautious, and react promptly when the security threat appears. ‘Being paranoid is worth it’ —when we speak in terms of cybersecurity.
Follow security-centered development life cycle
Surf specializes in developing banking apps and trading platforms and with ten years’ experience under the belt, we have developed a set of practices to assure security for our clients’ products and services.
- Security-focused tools
The range of tools used by developers varies depending on the experience and
tasks to be set.
Surf set of tools covers, among others, linters to analyze source code using static code analysis, and an access control matrix, a formal security model of protection state to define the rights of each subject within the system.
To develop banking apps we use Mobile Security Framework (MobSF), an open-source security assessment tool that analyzes the code for any known vulnerabilities and generates a report. The report is further used to adjust the source code accordingly.
The fintech sector is rapidly changing, so the development of financial products is characterized by constant improvements, changes, and adding new features. In this case, the DevSecOps approach correlates with the needs of financial service providers. This approach implies development, operations, and security integrated through the complete development cycle, which allows faster releases due to testing small parts of code in a shorter time, reduced costs thanks to process automation and early error detection, and improved security integrated into the DevOps pipeline.
- App logic and architecture
The security foundation of your future app is laid in every element, starting from the choice of architecture. For example, using microservice architecture can improve security and facilitate compliance, as in case of potential issues a separate module is addressed, while the rest of the system remains unaffected. In our blog, we’ve already discussed the advantages of the microservice architecture in banking.
- Thorough testing
Testing is a must-have process to check code reliability and app safety which is of the highest priority for banks and fintech. We at Surf use autotests to cover up to 80% of the banking apps code that has proved to be enough to cover the app logic and helps to save time.
For example, for a banking app, we have to perform 1100 tests — this would take 18 hours in case of manual testing. But if we automate 75%, the testing time reduces from 18 to 6 hours including analysis of the autotests results.
Security remains the highest priority for the fintech industry as it is more at risk of criminals’ attacks than others. Therefore, the security-related measures and practices shall be embedded in the processes starting from choosing safe partners to the development cycle and testing finished products before release — and what is vitally important they shall be regulations-compliant and constantly evolving to be able to respond to changing threats.
The above are key directions to address if you plan to prioritize security to prevent any issues in the future but not to combat here-and-now problems.