American Financial Sector gets cyber attacked “over a billion times a year,” stated CEO of PayPal and a chairman of Symantec, Dan Schulman. In 2017, Banks lost $16.8 billion to cybercriminals according to Javelin report. The number of Data Breaches reported by UK financial companies to Financial Conduct Authority “rose 480% in a year” according to RPC report.
Nothing extraordinary about those numbers: the bigger the Fintech industry becomes, the bigger security threats it faces. No reason for worries though; you just have to ensure that your Fintech application is developed with relevant security practices in mind to minimize probabilities of breaches.
Reliable Code, Reliable Project Logic
Program code is a foundation of security. Code is blood of software, and regardless of the programming language, there are common practices that help ensure the blood has its lymphocytes. These common practices that help to build reliable project logic include:
1) Educating oneself on secure coding, which helps avoid prevalent defects, bugs, and logic flaws within the code. In addition, it is important to learn what patterns that may compromise security to avoid.
2) Including input validation to check any data received from other sources in order to prevent injection of malicious code into a project.
3) Not writing unnecessarily complicated algorithms as they may lead to gaps in a project’s protection, which are difficult to notice, and increase the possibility of bugs.
4) Ensuring that a project sends the minimum of required data to external sources to prevent leaking of sensitive information.
A bright example of an unintentional mistake in a project’s logic, which might have caused a disaster if was figured out by a person with criminal intentions, is a Fiserv case. Fiserv is a global provider of financial services technology, which reported total revenue of $5.5 billion in 2016 and is often a member of the Fortune “World’s Most Admired Companies” list.
According to the article, one day a security researcher Kristian Erik Hansen reported that he discovered an issue while logged into an account of a small bank.
Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific “event number.” Working on a hunch that these event numbers might be assigned sequentially and that other records might be available if requested directly, Hermansen requested the same page again but first edited the site’s code in his browser so that his event number was decremented by one digit.
In an instant, he could then view and edit alerts previously set up by another bank customer, and could see that customer’s email address, phone number and full bank account number.
A person with technical knowledge and bad intentions could have exploited this breach to add and delete phone numbers or emails to receive alerts about transactions, and generally monitor transaction activity of the bank users. This security issue was shut down in time, and the probable business disaster was avoided, while people received a valuable lesson on cybersecurity.
On the Client Side
One of the main tasks of the development team is to ensure that a user has everything to secure personal information and that his or her actions or lack of knowledge will not compromise the security of the app.
1) Include multi-factor authentication. A single password is not enough to provide access to core functions of an app, additional authentication via email or phone is required as well.
2) Motivate users to create complex passwords. Provide them with the required minimum of symbols, necessity to include uppercase letters, special symbols, and numbers. Despite raising concerns about personal data protection, people still use simple passwords.
3) An app should monitor all the activity of a user to notice any unusual actions, such as unusual time of performed action, frequent actions, actions with a big sum of money, or action performed from unusual locations. In case there is a strange activity, request additional authenticatioт or block this activity.
4) Make sure that an application does not save a password and login. It is frustrating to input login and password each time, but it is essential for security.
5) Inform your users regarding the important aspects of their security. Tell them how they need to act in case it they lost a phone; how they can block their account; remind them to change a password in case of a strange activity; remind them that it is dangerous to use an application via public wifi networks.
When data is being sent from one device to another, it is relatively easy to steal. Therefore, it is important to encrypt data, transform it into a mess that only a receiving side can decipher. There are various approaches to do this. The primary task of the developers is to choose the most relevant and reliable method of encryption that will suit the best.
Never forget about the human factor. Companies “are 3 times more likely to be breached via social attacks than technical failures.” It makes a person the weakest spot of any piece of software.
So, even if you have reason to believe that your software is protected better than Fort Knox, still remember to educate employees on cybersecurity, conduct security-awareness training, and remind them about the possible threats by any means necessary.
We did not mention QA testing in this article because it is mandatory for any software development endeavor. However, we want to stress the necessity to conduct additional security testings for Fintech applications.
We wrote quite a bit of text, but all of the mentioned above can be underlined by a single sentence:
“Work with an experienced Software Development team.”
It does not matter whether you outsource the development of your product or work with an in-house team; if you want to create a Fintech product, you want to be sure that developers, designers, and QAs are equipped to create a digital Fort Knox.