Financial technology or “FinTech” has been the biggest, most recent disruptor of the financial services industry, encompassing banking, insurance, payments and funds management. Whereas it was once seen as a complex way of managing finance, it is now used by millions of people globally, due to the rise of online banking and mobile-first platforms.
This is borne out by the numbers - 96 percent of the 27,000 consumers surveyed in a recent report (across 27 global markets) reported they were at least aware of a FinTech transfer or payments service – and 75 percent had used one. The survey also identified growth in the SME market across the key categories of banking and payments, financial management, financing, and insurance. Additional research has found that 46 percent of people now exclusively use digital channels for their financial needs, which is set to exponentially increase in the coming years as more and more communities come online.
However, given the amount of sensitive and high-value information contained within the financial services market, the growth of fintech poses a much higher security risk to the industry. The influx of users has caught hackers’ attention, and these criminals are on the hunt for anything from personal finance details to credit card details, which they then sell on the dark web or leverage themselves.
Hackers and cybercriminals have also become more advanced and are able to carry out increasingly sophisticated cyberattacks, including ransomware and Distributed Denial of Service (DDoS) to gain access to confidential data. They are constantly looking for human error and the use of outdated and vulnerable technologies to find loopholes and carry out an attack.
Therefore, security is a critical aspect of fintech, with firms having their own unique set of security needs. Below, we’ve outlined some of the key challenges, as well as examined the emerging technology set to transform Fintech security.
To understand the most effective security practices, key challenges must first be established. After healthcare, fintech is the second most frequently attacked industry by cybercriminals. Security of digital IDs is a constant concern for both customers and service providers to prevent unauthorized access. The selection of the appropriate digital identity verification mechanisms is therefore critical.
Similarly, data security is one of the top concerns for financial service providers since they have access to high volumes of personally identifiable information (PII) such as full names, phone numbers, email addresses, birth dates, home addresses, and tax ID information.
Regional security requirements also need to be taken into consideration. KYC (Know Your Customer) and data protection regulations differ between regions and even use cases. For example, General Data Protection Regulation (GDPR) and the revised Payment Services Directive (PSD2) apply for European Union citizens, whereas Payment Card Industry – Data Security Standard (PCI-DSS) is to be adhered to by entities that gather and process credit card information.
In addition, integrating third-party components that cannot be developed in-house, such as payment gateways, payment solution providers, aggregators and more, requires reliable vendors and constant monitoring. Third-party vendors may have vulnerabilities in their systems that are not immediately visible, so monitoring for leaks or vulnerabilities from the institution’s side is good practice.
Aspects of data protection
Some of the best practices for secure FinTech solutions have now become table stakes. Advanced Encryption Standard (AES), Rivest-Shamir-Adleman (RSA) and Triple Data Encryption Standard (3DES) are some of the most powerful encryption algorithms that every Fintech platform worth its salt must employ. All of these protect classified information by encrypting sensitive data.
A well-designed architecture is needed for reliability, scalability as well as security. APIs must also be secured using methodologies such as authentication, authorization, encryption and more to prevent attacks. Various authentication methods should also be employed, often in combination, including:
- Multi-factor authentication, such as One-Time Passwords (OTP), transaction PINs and IVR PINs, which leverages knowledge, possession or inherence of additional information to authenticate users, thus reducing the risk of passwords or PINs being compromised
- Periodic password expiry, which further diminishes the risk of passwords being compromised, both at the individual level and for the whole user base
- Limited logged-in session lifetimes, which are handy to prevent misuse; monitoring and tracking also go a long way to detect and prevent instances of unauthorized access
- Role Based Access Control (RBAC), an often overlooked identification and authentication mechanism that follows the principle of least privilege, where users and roles are granted access to only the features and processes that they need
By combining the secure application access methods above, the risk of unauthorized access is greatly mitigated.
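The following sketch shows how the four controls above can be combined into a single access decision. It is an added example, not code from the article; the policy values, role names, field names and reason strings are assumptions chosen for illustration, and the OTP is the standard time-based variant from RFC 6238.

```python
import hashlib
import hmac
import struct

# Constructed policy values for illustration (assumptions, not from the article).
SESSION_MAX_AGE = 15 * 60            # seconds a logged-in session stays valid
PASSWORD_MAX_AGE = 90 * 24 * 3600    # seconds before a password must be changed
ROLE_PERMISSIONS = {                 # RBAC: each role gets only what it needs
    "teller": {"view_balance", "create_transfer"},
    "auditor": {"view_balance", "read_audit_log"},
}


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1 variant)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F          # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def authorize(user: dict, session: dict, action: str, otp: str, now: float):
    """Return (allowed, reason). Every control must pass for access."""
    if now - session["created_at"] > SESSION_MAX_AGE:
        return False, "session_expired"
    if now - user["password_set_at"] > PASSWORD_MAX_AGE:
        return False, "password_expired"
    # Unknown roles map to an empty permission set (deny by default).
    if action not in ROLE_PERMISSIONS.get(user["role"], set()):
        return False, "role_not_permitted"
    # Accept the current and previous time step to tolerate clock drift;
    # compare_digest avoids leaking the code through comparison timing.
    secret = user["otp_secret"]
    if not any(hmac.compare_digest(totp(secret, now - d), otp) for d in (0, 30)):
        return False, "otp_invalid"
    return True, "ok"
```

Returning a reason alongside the decision gives the monitoring and tracking mentioned in the list something concrete to log for each denied request.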
Additional measures include replacing sensitive data using generated tokens that are created for temporary use to prevent tracking of information through transactions. Also, thorough testing for any potential leaks or breaches is essential. Breach scenario testing, penetration testing and security audits should always be combined with standard software testing.
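As an added illustration of the tokenization measure described above (not code from the article), the vault below replaces a sensitive value with a random token that expires. The class name, the `tok_` prefix, the default lifetime and the single-use behaviour are assumptions made for this example.

```python
import secrets
import time


class TokenVault:
    """Swaps a sensitive value for a random, short-lived token.

    The token has no mathematical relation to the value, so a leaked token
    reveals nothing, and the same value yields a different token each time,
    which prevents linking it across transactions.
    """

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be tested
        self._store = {}         # token -> (value, expires_at)

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_urlsafe(16)   # 128 bits from the CSPRNG
        self._store[token] = (value, self._clock() + self._ttl)
        return token

    def detokenize(self, token: str) -> str:
        """Return the original value once; unknown, used or expired tokens fail."""
        entry = self._store.pop(token, None)         # pop makes the token single-use
        if entry is None:
            raise KeyError("unknown or already used token")
        value, expires_at = entry
        if self._clock() >= expires_at:
            raise KeyError("token expired")
        return value
```

Only the vault can map a token back to the value, so downstream systems that handle transactions need to store and log the token alone.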
There are significant emerging practices that help deal with security concerns. One of the main use cases of artificial intelligence (AI) and machine learning (ML) is automating processes in the backend systems. They can also serve more advanced use cases such as risk profiling, credit estimation and fraud detection.
AI can extend its use into the front end for advanced identity management as well. AI can secure use cases like access control via computer-vision-powered facial recognition, and multi-factor authentication using voice-recognition-powered authorization, adaptive authentication and behavioral biometrics.
Blockchain is another emerging technology that is fast becoming very useful in fintech. While it may have become famous for cryptocurrency and the execution of transactions, it is well suited for a variety of use cases outside these. It can provide secure digital identity by allowing users to create their own digital personas. Moreover, in the infrastructure layer it can be used in audit trails, access logs and so on thanks to its decentralization and immutability.
While there exist many methods to safeguard financial transactions, security is not a one-off exercise. It must become a continuous process in the business, starting from analyzing requirements through deployment and beyond into operations. When a holistic approach is considered that includes not only technology but also product design and operations, the financial service provider can confidently play their part in the digital economy.
Vikas Prabhu, Product Manager, Tecnotree