Cybersecurity is, in an unfortunate sense, the gift that continues to give. As the industry develops at an incredible pace - think new and innovative market entrants bringing unique digital banking experiences, a shift to mobile and other disparate devices that enable ‘anytime, anywhere’ banking, and new initiatives such as Open Banking and PSD2 - so too does the volume and sophistication of the threat. To discuss that risk in more detail, FinTech magazine questioned Daniel Cohen, Director of Fraud & Risk Intelligence at RSA Security. Here’s what he told us.
Just as the financial sector has diversified, so too have the threats it faces. While digital innovation has opened a lot of opportunities for organisations, it also creates new digital risks that need to be managed. Take, for example, the number of digital touchpoints that consumers can engage with to access financial services, which have increased dramatically through initiatives such as Open Banking and PSD2 regulations.
This widens the attack surface that hackers can take advantage of. For example, cybercriminals have expanded to social media platforms, hosting cybercrime websites on the blockchain and launching attacks from IoT devices - there are many more avenues for adversaries to exploit in their quest to compromise banks and consumers for financial gain. New types of attacks have emerged that take advantage of the digitalisation of finance; they’re finding ways to exploit vulnerabilities in innovations like open APIs and digital payments, creating rogue mobile applications, mobile-based card-not-present fraud, and even adapting banking malware to exploit current trends and pose a more sophisticated threat.
Traditionally, banks have had very closed systems, which gives them an added layer of protection against outside threats. When you open this up, it naturally creates new risks. So it is fair to say that yes, there is an increase in risk. With a growing array of digital banking channels available, customers seemingly have infinite possibilities for conducting financial business. At the same time, this has expanded the number of digital risks that banks must manage. More channels mean that the number of potential points of compromise and potential vulnerabilities in systems has increased. When it comes to fraud, there’s now a far higher risk of fraudulent transactions slipping through the net because of the rise in the volume of digital payments, for example. The total value of money being transferred through digital channels is also increasing, which is exposing the sector to more potential losses from reimbursing victims.
However, there are risks to not engaging with and embracing innovation too – such as loss of market share and revenues – which are just as real. We live in a hyper-connected world and organisations that don’t engage in that will be left behind as customers have such high expectations of service. So it’s really about balance: organisations need to understand the digital risks they’re exposed to and assess these in the context of the business to determine the right digital risk strategy that balances the needs of the customer and the business with the need for security.
It’s often a question of demographics. Typically, the older generation is often more wary of new startups and fintech companies, compared to more familiar high-street banks and brands. In my experience, because they’ve grown up in the digital age, younger people are more bothered about convenience and user experience and therefore more open to fintech innovation.
Revolut and Monzo are good examples of brands that are disrupting the traditional market. So, while there is a portion of the market that will always go for the stability of a known brand, this is changing. When you consider that the customers who will be the most profitable – those who will be getting credit cards, loans, mortgages, and so on – are those aged between 25 and 40, the need to balance convenience and security in a way that provides minimal friction to the user becomes even more critical.
Ultimately, banks will begin to lose their foothold if they cannot meet the demands of their customers. This is why user experience and design thinking need to be an integral part of any digital risk management strategy.
In such a fast-moving and competitive industry, fintech startups could potentially be at risk of viewing security as an afterthought on occasion, or worse – something the big banks should worry about; prioritising user experience over stringent security controls and processes. But this is something of a false economy, as these organisations are, by their very nature, less established and therefore more fragile to reputation damage.
History tells us that if a well-known high-street brand suffers a data breach or significant increase in fraud, it’s not likely to suffer irreparable damage. Smaller companies may not fare so well. This is why it’s essential for smaller fintechs to have clear digital risk management policies, and work in partnership with the larger financial institutions to achieve a scalable and secure fintech industry. They should consider that digital opportunity and risk are two sides of the same coin – having the ability to manage risk enables you to embrace business opportunity.
Traditional players need to create a digital risk management strategy that serves a much wider range of customers – from the grandmother in West Wales, to the millennial at university in London. This is no mean feat, as simple solutions such as text authentication might not work for Molly in Aberystwyth. This is why it is vital to take a holistic approach to managing digital risk.
Financial institutions often need to build an ecosystem of third parties and open up APIs to provide access to data in order to deliver greater personalisation. APIs are a relatively new way for organisations to offer these digital capabilities, such as linking customer accounts to payments for everyday services. The worry is that open APIs, accessed by multiple third parties, will create concentrated points of failure and a new attack vector for adversaries to target. This means that financial companies need to weigh up the added value to customers versus the new risks that are introduced to the business from these new services.
Any new technology or service must be built with security in mind, and any access to sensitive data should always be limited to a need-to-know basis by default. Banks also need to be careful who they get into bed with and ensure they have conducted a thorough risk assessment before opening up any systems, while limiting access to absolute need. Applications and APIs should also be constantly monitored for cyber-attacks and fraud.
It’s certainly true that consumers are more aware of cyber risks than they ever have been, but awareness alone doesn’t always translate into secure behaviours. Convenience often trumps security, even where our personal details or money are concerned.
I believe every business has a responsibility to not just educate users, but translate that education into action; find ways to positively change consumer behaviours to make us all more secure. That’s no easy feat, as more security can mean more limits on what consumers can do, or more hoops for them to jump through. Ultimately, a balance has to be struck between security and user experience.