Fintech is one of the sectors most vulnerable to new cyber threats that result in costly data breaches, so fintech organizations must stay ahead in cybersecurity practices.
Data breaches have become common today, with user data being ransomed on the dark web much more frequently than we expect. COVID-19 prompted digitization, which has resulted in a sudden onboarding of millions of users in various online capacities. This rush has resulted in data breaches that have cost millions in currency, stress, and grief for users as well as organizations.
A data breach doesn’t just result in financial loss, it ruptures the trust between the organization and the user. In other words, the organization in question loses face. Its reputation is attacked.
When it comes to fintech, such breaches are felt with even more intensity, since trusting an organization with monetary details is the ultimate act of trust by a user. Recent breaches like Mobikwik, Juspay, and Upstox have rocked the Indian fintech sector.
Unfortunately, fintech is a favourite target of cybercriminals. Independent research conducted by ImmuniWeb found that 98% of the top 100 global fintech companies are vulnerable to attacks. In fact, research estimates that around 27% of cyber-attacks are targeted towards banks or healthcare.
“The stakes are much higher when it comes to the fintech industry owing to the kind of financial loss situation that an attack can spiral into,” says Govindraj Basatwar, Head of Global Business for INKA Entworks.
“While we may have state-of-the-art security today, it may not stand tomorrow if there is a new vulnerability found in the entire technology stack of a company. While the best companies cannot stop it, we need to admit to the public when it happens to gain trust,” he says.
The recent Mobikwik breach has come under scrutiny, with the fintech company criticized for the way it handled the breach.
“The entire concept of assigning trust by default to users, even in prominent fintech companies who claim to have robust security infrastructures, is proof that this won't be the last major breach for an Indian company,” says Sandip Kumar Panda, Co-founder and CEO at InstaSafe.
Threat Threat Everywhere
With fintech such a prominent target for cybercrime, fintech organizations face various types of threats now that millions are becoming users. From simple phishing to ransomware to first-time mobile users, there is a variety of attacks that both companies and users need to guard against.
“As more new users come of age to use digital means of transactions, the more opportunity for the hackers to use their ignorance,” says Raj.
Several fintech data breaches have occurred through employee vulnerability, a lack of compliance, or simply not being able to keep up.
In 2020, Alpha Bank, Piraeus Bank, Eurobank and the National Bank of Greece were forced to cancel 15,000 credit and debit cards after a tourist services portal was hacked. The banks issued a joint statement admitting that some customers had been charged with transactions they never made.
In June 2020, the banking division of South Africa’s Post Office, Postbank, was a victim of massive data loss when their own employees hacked into their master key (a 36-digit code) and stole details of close to 12 million cards and sold the data online. It was later found that 25,000 fraudulent transactions had taken place.
As digitization catches up with more and more users, fintech will face even more breaches, says Basatwar.
“The major security threats that the fintech industry will especially face in the coming days would be malware, phishing attacks, impersonation, data breaches, and data leaks. Application security attacks on mobile and web are also lurking around,” he says.
How to Keep Up
How can fintech organizations keep up with the sophisticated cybercriminals of today? The answer is to stay ahead in the game. For example, in the case of the Alpha Bank, Piraeus Bank, Eurobank and National Bank of Greece data breach, the tourist portal was found to be lagging in its coding regarding its Payment Card Industry Data Security Standard (PCI DSS) compliance.
In the case of the Postbank data breach, it wasn’t wise to use a single-sourced master key. As Basatwar says, a master key is now usually divided between multiple employees and cannot be compromised unless it’s a planned group attack.
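To make the idea of a divided master key concrete, here is an added example (not from the article or from any bank's system) of split knowledge using XOR components, where every custodian's component is required to rebuild the key. The function names and the HMAC-based check value are assumptions for illustration, and the key is a constructed sample.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(master: bytes, custodians: int) -> list[bytes]:
    """Split master into one component per custodian; all are needed to rebuild it."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    # n-1 components are uniformly random; the last makes the XOR of all equal the key,
    # so any incomplete set of components is indistinguishable from random bytes.
    parts = [secrets.token_bytes(len(master)) for _ in range(custodians - 1)]
    parts.append(reduce(xor_bytes, parts, master))
    return parts


def check_value(key: bytes) -> str:
    """Short fingerprint used to confirm a rebuilt key without displaying it (hypothetical scheme)."""
    return hmac.new(key, b"key-check", hashlib.sha256).hexdigest()[:16]


def combine(components: list[bytes], expected_check: str) -> bytes:
    """Rebuild the key from every component and verify it against the recorded check value."""
    key = reduce(xor_bytes, components)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("components do not rebuild the recorded key")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(16)       # constructed sample key
    recorded = check_value(master)         # stored at key ceremony time
    parts = split_key(master, 3)           # one component per custodian
    assert combine(parts, recorded) == master
    try:
        combine(parts[:2], recorded)       # one custodian missing
    except ValueError as err:
        print("rejected:", err)
```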
This of course means that employees also need close monitoring.
“There are some basics that we need to get right: enforce strong credential policies, implement data access control procedures, conduct employee training, have regular software updates, follow good authentication techniques. And of course, having a cyber threat response action plan in place is important to be able to alert the major stakeholders, control the damage done and take charge of the situation,” Basatwar advises.
Panda says that in the absence of a National Cybersecurity Policy, the onus is on companies to upgrade their security posture and adopt a more resilient, offensive approach with respect to their cybersecurity capabilities.
“Multiple iterations of testing, continuous risk assessments, and crowdsourced vulnerability testing are just some means through which companies can secure their systems,” he says.
While compliance with regulations is important, the regulations are often quite complicated, with many grey areas. Still, it is important to use governance tools like Data Loss Prevention, File Level Encryption, and other integrity tools.
Up-to-date SIEM tools also provide tremendous value. Frameworks like NIST-CSF and NIST-RMF can also be helpful, as they are flexible and easy to adapt to specific businesses.
While owning an in-house team of cybersecurity experts may not be a financially viable option, managed services are available as a more reasonable option. A third-party Red Team assessment is also a good idea for organizations that maintain an existing cyber team.
When a data breach occurs, the resulting loss can be devastating to users as well as organizations. Fintech being even more vulnerable, it is imperative that financial organizations pull up their socks and remain vigilant regarding their systems, employees, as well as criminals posing as users. There is no telling where a cyber criminal may be planning to attack from.