Data Security In The Financial Industry
Data security cannot be an afterthought. Unfortunately, there are some who commit crimes against security: storing passwords in plain text, connecting to open Wi-Fi networks, or installing third-party applications without any reason are all serious offenses against cyber safety. In due time, the IT karma catches everybody, and it will come back to haunt them. Sadly, the episode can be rather costly, especially for the financial sector. Why?
In short, U.S. law requires banks to refund any money taken from customers’ accounts without their authorization (assuming the customer alerts the bank within 60 days). To make matters even more grim, there is no protection for institutions in case of major cyberattacks: if your employer gets hacked, you are effectively on your own. That is only the beginning of your problems. According to the Financial fraud expert and Gartner analyst, Avivah Litan, if you become a victim of a cyberattack, and the third-party takes control of your data, you could be facing having to “[pay] ransoms of $5 for every $100 worth of damage they could suffer if the extracted data were published.”
The best approach is to always go the extra mile and ensure that all data is unharmed, and that it will stay that way. When it comes to surprises, we think that the only acceptable kind is a surprise birthday party. Surprise hacks or leaks? No, thank you.
Common Ways To Ensure The Safety Of Your Customers
The list of ways to remain safe we provide for you here is by no means exhaustive. While they are great recommendations, the way hackers attack your product differs on a case-to-case basis. Therefore, the best way to really sleep well at night is to contact specialists who will handle the safeguarding of your company’s data.
Nevertheless, the actions we list below are a good place to start. Moreover, we also have some industry-specific advice in the next sections.
Case 1 — Banking
Banks are some “most wanted” organizations. Holding vast amounts of wealth requires top-notch security solutions. We should know a thing or two, since we have already successfully worked with BNP Paribas the bank that is among the biggest in the world, to create a tailor-made Know Your Customer (KYC) system for them.
Authentication & Authorization
Authorization and authentication are two of the topics that we have been trying to solve ever since humans had something to hide from an unwanted eye. Both are also among the primary reasons we have banks — starting from 4000 years ago!
To put it simply, authorization is whether you have the right to do something, and authentication is whether you are you say you are.
While deposits work largely the same, our problems are much, much different nowadays. A common issue for customers is recognizing whether somebody who is calling claiming to be the bank employee is in fact who they say they are. This is a common issue, which isn’t always handled properly. So much so, that we have created a proof of concept (PoC) for you. We created an app that solves the problem through a mobile app. While it’s just one of the solutions out there, we made sure ours feels familiar to all mobile phone users.
DDoS
DDoS, short for Distributed Denial of Service, is a technique that, to a certain extent, feels all too easy to implement. In essence, it all comes down to numerous devices (phones, computers, but also routers) that are trying to overwhelm a server by accessing an IP address, often in a rapid succession.
Criminals pulling off such an attack seem to prefer financial organizations & institutions. More than half of attacks in the first half of 2021 were against such organizations.
“Furthermore, NETSCOUT [a network detection and response platform] discovered that over 7,000 DDoS assaults were performed against commercial banks and credit card processors during this time.”
The traffic during these attacks may be massive. It may spike even up to 840 Gbps, coming from all around the world.
How easy are DDoS attacks to run? One developer implemented an in-browser tool to participate in a gigantic attack against a governmental organization (for obvious reasons, we will not be linking to it). An equally simple solution is to impose a limit on the number of requests from each device connecting to our server, and a general limit for a given resource. Captchas are also a popular way you may solve the issue. A novel way of mitigating this danger is to deploy your front-end to the edge, meaning, nodes all around the world will handle the traffic, thus making flooding your service more resilient against the massive flow of data.
Hacker Bounties
Hacker bounties are a perfect way to put your product under extreme testing. The process is simple: you say that you offer money for discovering a flaw in your code. The money is often so attractive (it has to be) that hackers do not use the vulnerabilities they discovered to profit criminally, instead they often opt in to receiving the prize (bounty) instead.
Of course, the bounty cannot be too low: after all, people who might have had experience conducting illegal hacking (black hat hacking) could use the discovered loophole to their own (illegal) advantage.
One notable example of a hacker bounty program is HackerOne, which manages the programs for many companies, Microsoft, Yahoo, Intel, and Apple — as well as financial institutions such as Saxo Bank.
To quote Saxo Bank’s CISO from the article:
“Saxo is truly a digital company, with all our customer services being highly digitalized. We are, therefore, highly dependent on being able to deliver secure and robust services to our customers — they rightfully expect it, and we want it to set us apart.”
This is no different than most financial institutions and fintechs worldwide — customers expect no less than the best, and rightfully so. When people’s money is at stake, there’s no room for error.
An Air Gap. Winning Without Fighting.
As Sun Tzu wrote in his “The Art of War”, “[…] the supreme art, is to subdue the enemy without fighting.” Following his logic, the highest achievement would be to defeat hackers, not wasting efforts on fighting them head-on.
To achieve that, banks may perform the so called “air-gapping.” The concept behind this, seemingly difficult, term is straightforward: we unplug the main server from the internet. This is the ultimate security solution, and it does not get much safer than that. The only way, then, to successfully attack your company would be from within, after obtaining physical access to your location or after obtaining access to one of your senior employees’ device. Previously, this requirement was much harder to meet. Now, however, due to the remote, remote-first, and hybrid work policies, attackers can have a much easier time to successfully strike. It’s still not an easy task; far from it. The fact is, it’s easier than it was before. Your IT departments and cybersecurity specialists will be your MVPs in this scenario.
Case 2 — Payment Processing
Payment processing services are a bit different than the services we have mentioned above. At times, such services work in environments they do not have any control over. They are often loaded from the outside on third-party websites who wish to accept payments or donations. That is certainly a problem, and a challenge, however, with the right kind of precautions, everything is manageable.
Strict Transport Security
There is a separate kind of attacks called “man-in-the-middle.” It is what it sounds like: a malicious third party intercepts a request between the target and the origin.
In a situation, where your client uses your service to pay for a good, the request needs to reach your servers first. It is the best if everybody accessed your website specifically via typing https.
Every so often, they might not, and they will often have to be redirected to the secure website. The problem is that a simple redirection will not be enough. Here is where we need to tell the browser to only load the secure version of our website: through the “Strict-Transport-Security” Header.
Decryption Keys
Tons of data on credit cards is certainly an attractive target for all cybercriminals. After all, you must store all the terabytes of card numbers to facilitate easy online payments. How to keep all of it secure while also making sure transactions are as fast as possible? You encrypt everything, and store the keys necessary to decrypt everything on separate machines.
Encryption
Speaking of decryption keys, encrypting data is about as old as the history of writing. There is evidence suggesting that people of antiquity used encryption to restrict access to data, e.g., keeping some data from the eyes of the “uninitiated”, thus increasing its significance.
Nowadays, cryptology is a science, and a valued one at that. Coming a long way ever since the first text on the topic (fourth century BC), we now also have much more sophisticated ways of keeping our data from prying eyes.
We also have an entirely separate set of threats, one of which is quantum computing. Even though quantum computers won’t be a reality for many years, they do have the potential to break encryption, we thought would suffice.
Some of the best algorithms companies can use are Blowfish, Twofish or RSA. Crucially, however, each algorithm has its use case, and is best for different applications. As cryptography is an enormous topic on its own, we will stop here. If you are interested about finding out about how to secure your critical enterprise data, let us know.
Updating
There is a more obvious way to keep your customers secure. It’s undoubtedly one of the simpler ones, though sometimes neglected. It’s keeping your code up to date with the newest releases. They come from time to time: some come from their creators regularly, while others come unexpectedly. All releases have either an approximate, or an official support schedule.
If your company heavily relies on any product, make sure your team of engineers, at least, keeps up with the Long-Term Release schedule. This way, you don’t have to worry about the system that creates value for your customers.
One highly publicized example of what can happen is the Log4Shell vulnerability that the cybersecurity specialists first detected in Log4j towards the end of 2021. The scale of the threat? Almost all systems running on Java could have been a target of an attack. Scanning for impacted systems began minutes before public disclosure of the vulnerability, too (as a sidenote, we did write some code that lets download a list of IP addresses doing the scanning).
Case 3 — InsurTech
The insurance industry also plays a crucial role in our lives. These companies secure the livelihoods of millions of people around the world. It was no different from a client we completed our work with at the end of last year.
What happens in the USA, stays in the USA
The client had a specific requirement: their data could not leave the United States. That had many implications.
Apart from the obvious ones, the system our engineers worked on had to be deployed with the hands of an employee from inside the country. Even though it made our task much more challenging, we respected the requirement. After we have finished our work on the client’s system, we deployed it through a video call, steering another person remotely from across the ocean. Everything ended with a success of the deployment, naturally.
We understand that companies need to protect their customers. After all, ITMAGINATION is doing the same thing. The CEO of the company went on to say that “[t]he team’s knowledge, work ethic, and professionalism are all very impressive.”
Case 4 — Cryptocurrency Companies
Cryptocurrency holders expect a different kind of experience from their dashboards. They expect something new and fresh — equally novel as the whole idea of Bitcoin and other cryptocurrencies.
The challenges are different as well, and so are the solutions. We could say a lot about it, since we have worked on a redesign and development of the user experience for the web & mobile apps for Revollet — the provider of “e-wallet solutions.” We have also worked on a solution to track and manage fiat currency and cryptocurrency transactions for another company.
Two Wallets
When somebody says, “Hot and Cold” you usually think of Katy Perry. In the context of cryptocurrency companies, this phrase has an entirely different meaning. There are two main types of wallets: hot, and cold.
Hot is the place where you would keep your liquid assets in, while the cold wallet is where you want to store your savings because it is not directly connected to the internet. This form of protection is especially relevant now, since many major coins are switching to “proof of stake” consensus algorithms While saving the environment, they put big responsibility on exchanges: they will hold massive amounts of cryptocurrencies, which they will have to safeguard.
Two & Multi-Factor Authentication
As we have written in a post beforehand, passwords are problematic Without rewriting everything, passwords are hard to remember, and the ones that are convenient for us are also convenient for malicious actors. In short, there are four recommendations we have for you:
- Enforce strong passwords,
- Make your login form password-manager-friendly,
- Encourage, or even enforce, the use of a 2FA app,
- Eliminate the use of passwords altogether, instead authenticating users with external apps,
- Use hardware multi-factor authenticators
Conclusion
Wherever money is involved, top-notch safety needs to be involved as well. The services need to be safe, available at all times, and fast.
Whether you are developing in-house or hiring an outsourcing company, you must be certain you are hiring top specialists who know how to design the best software and make sure it is secure. We might know a thing or two about that. We’ve worked with very impressive clients, here’s what David McGowan, Chief Technology Officer (CTO) at Kabbage, has to say about our cooperation:
“Kabbage’s partnership with ITMAGINATION has been instrumental in completing our goals.
ITMAGINATION has helped support our internal engineering teams implement numerous major projects and features for Kabbage.
Their project managers and software engineers were able to quickly learn our domain processes and technologies to immediately provide value. We recommend ITMAGINATION as a professional provider of Software Engineering services.”
That’s only one thing our clients said about us: for more comments, be sure to visit our Clients’ page to read our case studies, or visit our Clutch profile at clutch.co/profile/itmagination, and read more about us. If you prefer us to explain why we are the right company for the job, don’t hesitate to contact Marcin Dąbrowski, our Chief Innovation Officer.
Originally published at https://www.itmagination.com.
