By Ralf Sydekum, Technical Manager, F5 Networks
The face of finance is changing. Many institutions are abandoning the high street and moving towards faster, more responsive 24-hour on-line services to meet customer demand. Yet, as digital engagement increases, hacker groups are using sophisticated tools to infiltrate operations and attack critical applications to gain access to data.
According to the 2016 Verizon Data Breach Investigations Report, 82% of breaches in financial services were due to web application attacks and many banking mobile apps also remain vulnerable.
This sector is one of the most heavily regulated industries in the world with legislative frameworks, such as the PSD2. With 2018 also witnessing the activation of the EU’s General Data Protection Regulation (GDPR), should consumers still be worried about the security of their investments, or their personal data?
Trick or treat?
The average financial services company typically manages tens of millions of complex daily transactions processed through gargantuan data centres and a plethora of third-party cloud vendors.
The industry is a magnet for malicious automated bots. Consumers’ details are the prime target for cybercriminals because they can exploit vulnerable accounts and sell personal data for sizeable sums of money on the dark web or black market.
First discovered in 2016, TrickBot is an example of a financial Trojan that targets the customers of major banks. The Trojan is mostly associated with phishing campaigns that trick users into entering their credentials into phishing and fraudulent banking websites designed to appear as legitimate services. Attackers can now develop or acquire tools at rapid speed, which not only makes discovery more difficult but also lets them compromise systems with sophisticated malware and ransomware.
Today, banks and Fintech companies can offer innovative on-line services that appeal to a digitally savvy millennial audience. Chatbots and virtual assistants, mobile apps, and chat messenger bank notifications are now being used to ‘humanise’ the banking experience and extend financial services.
In November 2017, German mobile bank N26 expanded into a further nine European markets with its premium account, the N26 Black. Customers have access to benefits, such as real-time push notifications, spending breakdowns, and real-time P2P payments, all within the N26 app. In January 2018, HSBC launched a virtual 24/7 assistant chatbot in Hong Kong, called Amy. Branchless banking is maturing rapidly, with mobile-first solutions surpassing traditional financial services infrastructure. Firms are quickly embracing these new technologies, and in February 2018 Revolut became the first UK digital bank to break even.
Consumers, therefore, expect their personal data to be protected by the most robust processes and technology, whether accessed through on-line applications, smartphones, tablets, or the cloud. Cybersecurity must be the number one priority throughout the industry to ensure that all transactional processes are efficient, reliable, secure and compliant.
The GDPR legislation states that every European data subject has a fundamental right to the freedoms, control, and protection of their personal data, whenever and wherever it is processed.
Many financial organisations are implementing integrated advanced application security solutions to protect against all types of hacking threats, penetration attempts, and denial of service attacks. This enables them to secure transport protocols, allow secure certified testing of application development, and provide secure patching and administrative access logging, all of which contributes to the GDPR requirement of “Privacy by design and by default”. In addition, these secure processes can be applied across multiple platforms, allowing businesses to take advantage of scalable multi-cloud advances and dynamically move apps and data. Being able to respond immediately to attempted security breaches demonstrates the company’s willingness to be proactive in providing trusted stewardship of its clients’ personal data and helps towards compliance.
An advanced web application firewall (AWAF), for example, allows companies to adapt their security posture for web and mobile apps, whether on-premises or in the cloud, whilst defending against malicious bots and exploits. An AWAF also prevents malware from stealing credentials from victims’ devices and stops further credential-theft-related attacks such as brute force or credential stuffing. In addition, it detects mobile app tampering and provides app-layer DoS mitigation.
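The brute-force and credential-stuffing attacks named above have distinct shapes in a login log: brute force hammers one account from one source, while credential stuffing tries many different accounts from one source with a high failure rate. The following detector, an added example and not F5 product code, flags both patterns over a constructed sample log. The log format, the source addresses, the 60-second window and the thresholds are all assumptions chosen for illustration; a production deployment would tune them to observed traffic and feed findings into step-up authentication or rate limiting rather than blocking outright.

```python
"""Detect credential-stuffing and brute-force patterns in web login logs.

Added example (not F5 or the article's code). Log format, addresses,
window size and thresholds are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2018-03-01T10:00:00 203.0.113.5 alice FAIL
2018-03-01T10:00:01 203.0.113.5 bob FAIL
2018-03-01T10:00:02 203.0.113.5 carol FAIL
2018-03-01T10:00:03 203.0.113.5 dave FAIL
2018-03-01T10:00:04 203.0.113.5 erin FAIL
2018-03-01T10:00:05 203.0.113.5 frank OK
2018-03-01T10:05:00 198.51.100.7 alice FAIL
2018-03-01T10:05:10 198.51.100.7 alice FAIL
2018-03-01T10:05:20 198.51.100.7 alice FAIL
2018-03-01T10:05:30 198.51.100.7 alice FAIL
2018-03-01T10:05:40 198.51.100.7 alice FAIL
2018-03-01T10:30:00 192.0.2.9 alice OK
2018-03-01T10:31:00 192.0.2.9 alice FAIL
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome)
    tuples sorted by time, so later windowing can scan forward only."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(seconds=60),
           distinct_user_threshold=5, same_user_threshold=5):
    """Return the source IPs that look like credential stuffing and the
    (ip, user) pairs that look like brute force.

    Credential stuffing: within one window, a single source fails against
    at least `distinct_user_threshold` different usernames.
    Brute force: within one window, a single source fails at least
    `same_user_threshold` times against the same username.
    Successful logins are deliberately ignored: a stuffing run that
    eventually hits a valid credential still shows up via its failures.
    """
    failures_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            failures_by_ip[ip].append((ts, user))

    stuffing, brute = set(), set()
    for ip, fails in failures_by_ip.items():
        # Slide a window starting at each failure (fails are time-ordered).
        for i, (start, _) in enumerate(fails):
            in_window = [u for ts, u in fails[i:] if ts - start <= window]
            if len(set(in_window)) >= distinct_user_threshold:
                stuffing.add(ip)
            for user, n in Counter(in_window).items():
                if n >= same_user_threshold:
                    brute.add((ip, user))
    return {"credential_stuffing": stuffing, "brute_force": brute}


def triage(findings):
    """Map each finding to a proportionate defensive response (assumed policy):
    challenge the source for stuffing, protect the account for brute force."""
    actions = []
    for ip in sorted(findings["credential_stuffing"]):
        actions.append((ip, "step-up challenge / rate-limit source"))
    for ip, user in sorted(findings["brute_force"]):
        actions.append((f"{ip}->{user}", "temporary lockout + notify account owner"))
    return actions


if __name__ == "__main__":
    for target, action in triage(detect(parse_log(SAMPLE_LOG))):
        print(f"{target}: {action}")
```

Running the block prints one action per finding: the first source is flagged for credential stuffing (five distinct accounts in five seconds), the second for brute force against `alice`, and the third, a single failed login after a success, is left alone.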
Consumers understandably need reassurance that their money is safe, and the banking insurance system together with the latest cybersecurity systems makes this certain. However, it is the protection afforded to their personal data which should really dictate their interest: how financial organisations value the private data of their clients, how they use it and share it, and how they strive to remain GDPR compliant. Every business, irrespective of sector, must be a steward of private data. They must be respectful of customer wishes and provide security at every juncture. Ultimately, businesses that ignore requirements for transparency and fairness will suffer severe reputational and financial consequences. The future of finance is clear: it lies in the value and maintenance of trust with clients’ private and sensitive data.