Cybersecurity – the challenges for fintech

Fintech faces a unique set of cybersecurity challenges.
17 August 2022

Fintech and Cybersecurity – robust partners?

Fintech is one of the business sectors that needs cybersecurity most – and needs it to be most effective. That’s because it’s a sector which, alongside the hardcore functional and ransom-worthy data that makes any business work, also potentially holds the financial data, and therefore direct access to resources, of all its customers. Fintech and cybersecurity should go together like a lock and a key.

Unfortunately, cyber-attackers know that just as well as fintech companies do, which tends to make fintech companies a big prize for bad actors and a big nightmare for insurers: when a fintech organization suffers a bad cyber-attack, the implications ripple much further than would be usual outside the sector. In the fintech sector, there’s more lucrative damage to be done by targeting the users of the tech, who may have significantly less rigorous cybersecurity in place, than there is in targeting a fintech company head-on. One malicious app, loose in the app ecosystem, can strip fintech users of their assets, and leave the fintech company with a reputation in tatters for failing to prevent the attacks.

Unleash Profitable Chaos!

That level of chaos and potential pay-out inspires bad actors to create ever more sophisticated ways to access everything from banks and neobanks to crypto wallets – and sometimes, to do it in ways that don’t flag up their activities until it’s far too late.

Ways like the new generation SOVA banking trojan, which is making a return in 2022 in a new upgraded form. When it first appeared in September 2021, it could target 90 different apps, and hit both financial and shopping apps, all across the US and Europe, harvesting credentials by launching overlay attacks.

Now, less than a year later, it can infect 200 apps. It hides inside fake apps that use the logos of legitimate traders like Amazon and Google Chrome, and can then scrape credential data at will. That’s made easier in the latest iteration by features that allow it to both capture screenshots and record device screens. It can also get data from your Binance and Trust Wallet accounts, including both passwords and seed phrases. And to deflect both automatic systems checks and human suspicion, the trojan uses its access to permissions to disable attempted uninstalls, and re-route users back to the home screen with the bogus message “This app is secured.”

The Next Generation Threat

Besides spreading its reach to even more apps, the next iteration of the SOVA trojan is already expected to carry a ransomware element, which will only deepen the need for cybersecurity to be at the forefront of the fintech world’s consciousness.

And the SOVA trojan is of course just one of the many threats deployed by bad actors attracted to the high potential rewards of fintech. Blockchain hackers are reported to have stolen $1.3 bn in just the first quarter of 2022. The Binance smart chain ecosystem in and of itself is $100 million than it was at the start of 2022.

In fairness to the fintech industry, it is aware of the increasing scale of the problem, and it is at least trying to develop mitigations. Many fintech companies – and the apps that connect them with their users – are learning from past mistakes and introducing multi-stage authentication to their systems, whether in the form of one-time randomly-generated PINs, or knowledge-based authentication (KBA), to avoid internal compromise of fintech systems. But it’s arguable that neither of these is at the cutting edge of cyber-attack mitigation, since the first can be re-routed, and the simple levels on which knowledge-based authentication usually works mean those systems are easily compromised – especially in the event that the hackers have access to social media.

Facial biometrics are also coming into play as the next level of supposedly uncrackable security, and some fintech firms are using them, but the long cycle of development and deployment means that there are already bad actors out there working to spoof biometric scanners, circumventing the new technology before it really has a chance to become established as a security standard.

Ways To Win

Inside fintech companies, as in other sectors, there is work to be done to reduce the size of the window of opportunity for cyber-hackers to compromise systems: rigid password policies, the most up-to-date password management programs, enforced use of VPNs for remote staff to make hacking harder, server-side software to interrogate rogue links and downloads before they’re allowed to deposit malware onto computers and systems, and so on. These are all in the basket of practices advocated by cybersecurity experts in the wake of the recent Mobile Security Index report that showed a 22% rise in cyber-attacks in 2021.

But in terms of the apps fintech companies use to attract and keep users, the devil is in the length of the development and deployment cycle. Traditional pre-release security testing is now more or less bunk, as it delays release cycles and gives the cyber-attacker the same lead time to develop ways around a presumed end product. A new security culture-minded development process known as DevSecOps may offer some hope against the likes of the next iteration of the SOVA trojan, by testing parts and sections of the development (such as an anti-trojan app upgrade) as the process is ongoing, rather than lumping all the testing together at the end of the development process.

Bottom line, though, there’s little substitute for user awareness and caution. Whether in the fintech companies themselves or among the user-communities, espousing rigorous protective behaviors and making the people who might act as accidental entry-points for a cyber-attack aware of the dangers and the mitigating approaches is crucial alongside any technological approaches to the battle.