Financial institutions including banks have embraced digitization with the support of data conversion services with a view to take the industry to a whole new level of technology integration. Banks aim to perform better and also provide improved customer service. Various technological advancements have now made it possible to extend a bank’s operation beyond normal working hours. Moreover, mobile internet users are increasingly adopting digital banking due its convenience and cost effectiveness. This has led to the emergence of Open Banking. It is a system that provides a user with a network of financial institution data through the use of application programming interface (APIs). The use of APIs enables third-party developers to build applications and services around the financial institution. It relies on a network that helps financial services to securely share sensitive data with other financial institutions. It ensures easy transfer of funds and compares product offerings to provide a good banking experience. The growing technological advancements in the banking sector also places emphasis on the need for stronger data security measures.
Before the introduction of Open Banking, at the time of PSD2 (Revised Payment Service Directive), cyber criminals used a different strategy i.e. moving from high value but less frequent theft gained from infiltrating bank accounts to lower-value, but far more frequent hauls. Cyber criminals refine their strategies and techniques and gain access to millions of usernames and passwords and other data. With the help of technology, they can set up a systematic and automated system that can exploit all the information and remain undetected by any high-end security team.
However, with open banking the problem becomes highly complex. With consumers sharing and controlling their own data, more information is shared between banks and Fintech apps. It provides access to user data; and it is difficult for security experts to determine whether an automated computer logging into a bank account is one of those platforms with permission or if it has any malicious intent. According to Sumit Agarwal, VP of product management and co-founder of cybersecurity firm Shape Security, attacks can exploit these APIs to gain access to bank account data, even without logging into the account.
This can be a rising threat as open banking initiatives continue to spread. In a competitive environment, third party personal finance companies and other FinTech organizations may obtain many customers but still struggle to become viable and eventually end up selling the technology, platforms and data to buyers who control information. There are many small PFM (Personal Financial Management) firms that are not successful, and they may sell their assets to somebody and criminal gangs use this opportunity to buy the users, the technology and the brand name of the PFM for a few dollars. Although security experts are making efforts to tackle the rising threat, the financial services market that focus on promoting data sharing and consumer ownership will take some time to understand the potential risks involved.
A collective approach to bank security is important for the financial industry to move forward. No amount of money or technology will be enough in case of a serious cyber-attack. So, it is important to be prepared and also have a collective defence.
What to Expect in 2019
By the end of 2018 we saw that young Fin-tech companies and crypto exchange were at higher risk due to their poor security systems. These types of companies were often targeted. Here are some predictions for 2019 according to KasperSky Security Bulletin.
- Emergence of new groups: By 2019, we can expect fragmentation of major cybercrime groups that can lead to escalation of cyber-attacks and expansion of the geography of potential victims.
- First attack may be from the use of biometric data: Almost all financial institutions now use user identification and authentication. But last year there were many major leaks of biometric data. These two facts lay the foundation for the first POC (proof-of-concept) attacks on financial services using leaked biometric data.
- Attack on supply chain: This trend which was there in 2018 is expected to continue in 2019. Attacks on providers have proven effective and allowed attackers to gain access to many major targets. Usually small companies, suppliers of money transfer systems, banks and exchanges are destroyed first.
- Attacks on accepting online payment: Those who use cards without chip and do not use two-factor authorization of transaction will be the most at risk. To evade anti-fraud systems, cyber criminals copy all computer and browser system settings. This type of cybercriminal behavior signifies that the number of attacks on PoS terminals will decrease, and they will start targeting online payment platforms instead.
- Cyber security of financial institutions will be bypassed using physical devices: Due to poor physical security and lack of control over connected devices in many networks, cyber criminals will exploit a situation where a computer or mini board can be installed, specifically configured to steal data from the network and transfer the information using 4G or LTE modems. This provides an opportunity for cyber criminals to access different data as well as the infrastructure of financial institutions.
- Attack on mobile apps: Mobile apps are becoming widely popular now and it is likely to facilitate cyberattacks. The most likely attack vectors are attacks at the Web API level and through the supply chain.
While technology has its best uses, it also entails many security risks. Cyberattacks are increasing in sophistication and complexity, making it difficult to identify and prevent them. But implementation of security technology is important to ensure safety of financial data. A high amount of data leakages occurred last year through cyberattacks and the trend could continue this year as well. The worst scenario is that cybercriminals can use leaked internal information to make messages look legitimate. These possibilities call for implementation of fool-proof security at all levels and in all processes, even when utilizing various outsourced solutions.
