As long-devoted readers of Just After Midnight’s chin-stroking content, you’ll know we take an interest in the dynamic world of fintech, BaaS, open banking and platform banking.
However, we’re not the only ones.
Various dastardly cyber criminals have also perked their ears, and to the tune of a 70% increase in payment fraud across the fintech sector in 2021.
A natural target for cyber attacks – it is, after all, where the money is – fintechs of all stripes are under unique pressures to stay secure, less they suffer financial, reputational and other forms of unpleasant-sounding destruction.
So, what are we to do?
Answer: put together a list of the 3 key cyber security attacks against fintechs and how to guard against them. Simples.
1. Identity theft
What is identity theft?
In some ways, learning the art of online identity theft is much easier than going in branch with a fake moustache and your best Mr./Mrs. Jones impression.
So it’s no wonder that online account takeover attempts rose by 282% between 2019 and 2020.
These are obtained via hacked or stolen personal data, and in many cases, this is all they need for a very immoral payday.
How can fintechs guard against it? No face? No problem
Some security solutions – slot-able into any fintech stack – have tackled this problem with biometrics, often using two key concepts called active liveness detection and passive liveness detection.
The theory goes that as so many passwords and such are scrapable, stealable and all the rest, biometric solutions can authenticate users securely – alongside other security measures.
The old-hat active liveness detection solutions work against hackers using masks, photos or videos imitating biometric data (faces) by asking users to blink, shake their heads or otherwise perform tasks.
Which can literally be a pain in the neck.
Passive liveness detection (which is where it’s at) utilises AI algorithms to scan quietly in the background for signs of life.
So in a way we are back to the fake moustaches.
2. AI-fuzzing
What is AI-fuzzing?
To understand this, we first have to understand regular, garden-variety fuzzing.
Essentially, fuzzers – as they may or may not like to be known – attempt to generate breaches and exceptions by making inputs into an application.
For example, it might be that a certain string of characters input into a site’s search bar causes an error which can be exploited by hackers.
This isn’t the same as trying to generate a password. It’s more like touching all the blades of grass in a garden until you find the one that makes the front door catch fire.
Computers are strange.
The AI part comes in when fuzzers apply machine learning to – in the terms of our analogy – compare all the world’s gardens and find the common denominator among these arsonous blades.
It’s the same as any ML solution. The machine sees what we cannot. Strange and terrible…
How can fintechs guard against it? Fight fuzzer with fuzzer
The AI is back on our side! Long live the machine.
As is often the case in cyber security, the fix is applying the break before anyone else – then fixing it.
Currently, preemptive AI fuzzing is offered by Microsoft through MSRD (Microsoft Security Risk Detection) and Google via ClusterFuzz.
So, beat ‘em to it!
3. Integration loopholes
What are integration loopholes?
Essentially, the vast chasm between the fintechs themselves and the banks they integrate with are often filled by custom APIs.
These fiddly, out-on-their-own fellas often fail to benefit from the security measures of the bank or the fintech application, making them ripe for the picking.
And, even if you think you’ve got everything covered, source code updates can expose new vulnerabilities – even updates aimed at patching old issues!
How can fintechs guard against them
Careful planning and testing from day one is a good start, but really every fintech should practice constant vigilance!
Active vulnerability scanning can help isolate loopholes and other issues as and when they arise, so you can keep your custom APIs safe from harm.
These services are offered by a range of partners – but in our opinion you’ve already stumbled across the top dog.
How we can help
As bonafide technology top dogs, we have a range of services that could help accelerate your fintech.
From our one-of-a-kind 24/7 support service to cloud-native solution architecture and security, we’re a valuable partner no matter the project.
To find out more about how we work with fintechs, or for anything else, just get in touch.
