Fintech, or financial technology, is a broad term for organizations that use new technologies such as the internet and mobile or software applications to deliver financial services. Any company that uses such modern means to offer services and products like personal financial management, insurance, digital payments, asset management, etc. is considered part of the fintech family.
Earlier, the term fintech referred to the back-end systems of business organizations, but with time and technological advances it has become more consumer oriented. People can now trade stocks, manage funds, clear their EMI dues, and pay for food delivery online through fintech applications installed on a device as small as a smartphone. The global fintech market is expanding at a rapid pace. According to a report published by the market research firm The Business Research Company, the value of this market segment stood at USD 127.66 billion in 2018 and is expected to reach USD 309.98 billion in 2022.
Within the fintech space, banking services take the lion's share. A 2016 report by the fintech research firm Juniper Research estimated that over two billion users would access banking services on mobile devices by the end of 2021. The report further states that in some markets the use of mobile banking apps had already begun to outpace internet banking.
This number is bound to grow as more customers want the convenience of accessing financial services through their devices. But there is a catch to this popularity. Fintech apps carry users' sensitive information and are prone to data theft. Users expect financial service providers to take the utmost care in protecting their data, but recent breaches have not only hurt customer-business relations but also caused huge financial losses to users and businesses. For example, in a data theft reported in March 2019, the restaurant chain Earl Enterprises lost the credit card information of around two million of its patrons in a 10-month-long breach.
It is vital that fintech companies develop more secure applications and reduce the threat of major attacks that compromise their integrity. These companies and their tech partners need to be aware of the hacker ecosystem, which works from different parts of the world to exploit any security loopholes developers accidentally leave open. Below we discuss a few key areas that app developers and brand owners need to keep in mind to create secure applications and win the trust of their customers:
- Storing only relevant data: This idea rests on the premise that sensitive information cannot be stolen if it does not exist in the first place. For instance, credit and debit card numbers are not needed to carry out payments. Servers only need a token that identifies the billing method, which is then passed to a separate server; the server that handles the payment does not need to know the billing information. If this information is not stored, payment data leaks can be reduced.
- Defining a permission structure: Fintech applications are complex and have many features that not every user should be able to access. A proper system needs to be in place to set up roles and grant permissions accordingly. Developers can use models like role-based access control (RBAC), which is user friendly and easy to implement. Another model worth exploring is the access control list (ACL), which lists all the activities a particular user is allowed to carry out.
- Using strong passwords: An organization dealing with financial transactions needs a sound authentication process. Username and password are the most rudimentary pieces of information that miscreants can steal. Fintech applications must require their users to choose strong passwords drawn from an extensive character set. Basic safety parameters, such as enforcing a minimum length, mandating special characters, and changing passwords at regular intervals, should be religiously followed.
- Using two-factor authentication: Fintech companies should look beyond basic username-password authentication to beef up the security of their applications. One of the most widely used two-factor mechanisms is the one-time code sent through SMS or email. A push-notification system, which lets customers verify their identity with a single touch, can also be implemented.
- Employing alternate authentication: Although passwords are the most commonly employed authentication method, tokens, smart cards, and even biometric systems are catching up. Facial recognition software and retina scans are newer technologies that are expanding as well. A good authentication mechanism does not rely solely on one of these methods; developers can use any of them to build on the two-factor authentication process.
- Maintaining neat logs: User activity logs should be stored systematically and neatly. All information, such as transaction activities, user-ID details, IP addresses, geolocation, and other vital data, must be recorded. These logs are vital pieces of information for carrying out a postmortem analysis in case of a breach. Maintaining logs is key to preparing a sound report that includes a root cause analysis, a comprehensive timeline, and breach details.
- Constant monitoring: Security professionals should be vigilant and stop suspicious transactions in their tracks. All transactions can be classified into three broad threat levels: low, medium, and high. If a transaction in the high threat level is initiated, the app system should automatically pause the activity and notify the company's technical team, which should then analyze the logs.
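The logging and monitoring items above describe a transaction triage loop: classify each transaction as low, medium or high risk, hold the high-risk ones for the technical team, and write an audit record rich enough for a later postmortem. The example below is added here and is not the article's or AppSealing's code; the thresholds, the signal names, the `Transaction` fields and the sample transactions are all constructed for illustration, and the scoring rule (one high-impact signal, or three weaker ones, is high risk) is a simple stand-in for what a fraud team would tune against real history.

```python
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed thresholds; a real fraud team tunes these against transaction history.
AMOUNT_MEDIUM = 1_000.00
AMOUNT_HIGH = 10_000.00
VELOCITY_LIMIT = 5          # transactions in the look-back window before escalating
ACTIONS = {"low": "allow", "medium": "review", "high": "hold"}


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    user_id: str
    amount: float
    currency: str
    payee_known: bool       # payee is already on the user's saved list
    ip: str
    geo_country: str        # country resolved from the client IP
    home_country: str       # country on the user's profile
    recent_count: int       # transactions by this user in the last 10 minutes
    timestamp: str          # ISO 8601, UTC


def risk_level(tx: Transaction) -> Tuple[str, List[str]]:
    """Classify into low/medium/high and return the signals that fired."""
    reasons = []
    if tx.amount >= AMOUNT_HIGH:
        reasons.append("amount_over_high_threshold")
    elif tx.amount >= AMOUNT_MEDIUM:
        reasons.append("amount_over_medium_threshold")
    if not tx.payee_known:
        reasons.append("new_payee")
    if tx.geo_country != tx.home_country:
        reasons.append("geo_mismatch")
    if tx.recent_count >= VELOCITY_LIMIT:
        reasons.append("high_velocity")
    # One high-impact signal, or three or more weaker ones, is high risk.
    if "amount_over_high_threshold" in reasons or len(reasons) >= 3:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "low", reasons


def triage(tx: Transaction) -> dict:
    """Decide the action and build the audit record; 'hold' also names who to page."""
    level, reasons = risk_level(tx)
    record = {**asdict(tx), "risk_level": level, "reasons": reasons,
              "action": ACTIONS[level],
              "logged_at": datetime.now(timezone.utc).isoformat()}
    if level == "high":
        record["notify"] = ["technical-team", "fraud-desk"]
    return record


def audit_line(record: dict) -> str:
    """One JSON object per line: easy to ship, search and replay in a postmortem."""
    return json.dumps(record, sort_keys=True)


# Constructed sample transactions (not real traffic).
SAMPLES = [
    Transaction("tx-001", "u-42", 45.50, "USD", True, "203.0.113.7", "US", "US", 1,
                "2024-01-15T10:00:00Z"),
    Transaction("tx-002", "u-42", 2_500.00, "USD", False, "203.0.113.7", "US", "US", 1,
                "2024-01-15T10:02:00Z"),
    Transaction("tx-003", "u-42", 15_000.00, "USD", False, "198.51.100.9", "RO", "US", 6,
                "2024-01-15T10:03:00Z"),
]

if __name__ == "__main__":
    for tx in SAMPLES:
        print(audit_line(triage(tx)))
```

Every field of the original transaction is carried into the audit line on purpose: the user id, IP, geolocation and timestamp are exactly what a root-cause analysis needs, and the `reasons` list records why the system acted, which a bare "held" flag would not.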
Write Secure Code
Since sensitive user data is stored on the servers of fintech companies, it should be a top priority to create strong algorithms that help you easily identify any flaws in the app code. Secure code is the backbone of a safe fintech app. The code must be scanned meticulously and regularly for vulnerabilities. It must also be fast and easy to move between different devices and platforms. Here are a few habits that can be inculcated to improve app safety:
- Include input validation: This deters attackers from injecting malicious code into the app. The absence of input validation is the primary cause of website and application breaches.
- Prevent broken access control: Access control rules must be clearly defined while putting together a fintech app, and the policy laid down has to be followed strictly to avoid unauthorized data access.
- Avert SQL injection: SQL injection is still a widely used hacking technique. Apart from installing the latest updates and security patches, the application should be tested with controlled internal attacks.
- Secure sensitive data: First, developers must determine which data is the most sensitive and requires additional protection. There are various ways of reinforcing the security wall; the most common is installing an SSL certificate on the site. Other safe practices include using a web application firewall and avoiding data transfer in clear text.
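Input validation, access control and SQL injection, three of the items above, meet in the same place in a real app: the code path that takes an identifier from the client and runs a query with it. The example below is added here (it is not code from the article or from AppSealing) and shows that path twice in Python with an in-memory SQLite table: a vulnerable form that splices the identifier into the SQL text, and a hardened form that validates the input against a format, enforces a deny-by-default role check (the RBAC idea from the earlier list) and binds the value as a query parameter. The role table, the account-id format and the rows are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed role model (RBAC): which roles may perform which actions.
ROLE_PERMISSIONS = {
    "customer": {"view_own_account", "transfer"},
    "support": {"view_any_account"},
    "auditor": {"view_any_account", "view_logs"},
}

# Constructed account-id format: two letters and six digits, e.g. GB000001.
ACCOUNT_ID = re.compile(r"^[A-Z]{2}[0-9]{6}$")


class AccessDenied(Exception):
    pass


def require(role: str, action: str) -> None:
    """Deny by default: an unknown role, or an action not granted to it, raises."""
    if action not in ROLE_PERMISSIONS.get(role, set()):
        raise AccessDenied(f"role {role!r} may not {action!r}")


def validate_account_id(value: str) -> str:
    """Input validation: anything that is not a well-formed id is rejected outright."""
    if not ACCOUNT_ID.match(value):
        raise ValueError("malformed account id")
    return value


def open_demo_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("GB000001", "u-42", 120.0), ("GB000002", "u-43", 9800.0)])
    return conn


def balance_vulnerable(conn: sqlite3.Connection, account_id: str) -> List[Tuple]:
    """The 'before' form, kept only for contrast: the id is spliced into the SQL
    text, so whatever the client sends becomes part of the query itself."""
    query = f"SELECT id, balance FROM accounts WHERE id = '{account_id}'"
    return conn.execute(query).fetchall()


def balance(conn: sqlite3.Connection, role: str, user: str, account_id: str) -> List[Tuple]:
    """Hardened form: validate the input, check the role, then bind the value as a
    parameter so the database never interprets it as SQL. Customers are further
    restricted to rows they own (object-level access control)."""
    account_id = validate_account_id(account_id)
    if role == "customer":
        require(role, "view_own_account")
        return conn.execute(
            "SELECT id, balance FROM accounts WHERE id = ? AND owner = ?",
            (account_id, user)).fetchall()
    require(role, "view_any_account")
    return conn.execute(
        "SELECT id, balance FROM accounts WHERE id = ?", (account_id,)).fetchall()


def raises(exc_type, fn, *args) -> bool:
    """Small probe used by the demo: True if calling fn(*args) raises exc_type."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    db = open_demo_db()
    print(balance(db, "customer", "u-42", "GB000001"))            # own account: one row
    print(balance(db, "customer", "u-42", "GB000002"))            # someone else's: empty
    print(raises(AccessDenied, require, "support", "view_logs"))  # True
```

Note the layering: the format check rejects malformed ids before any database work, the role check happens before the query rather than after, and the customer branch adds the owner to the `WHERE` clause so a valid but foreign account id yields nothing rather than a leak.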
Boost Infrastructural Security
Attackers tend to target the servers of fintech companies, since that is where user data, algorithms, security protocols, and other information are generally stored. A compromised app can lead to an attack on the server, and a compromised server can lead to attacks on user devices and theft of their personal data. Therefore, on the one hand, it is important to protect the app's code and data; on the other, the fintech company's security team must protect its servers. Below are some of the areas that need security consideration:
- Keeping the OS updated: Fintech companies use a variety of operating systems on their servers, like Windows, Red Hat, Ubuntu, CentOS, etc., for different purposes. Operating system vendors send regular security updates as new threats emerge and security flaws are detected by the developer community. The fintech company's tech team must ensure that these updates and patches are applied to servers immediately to keep them secure against emerging threats.
- Leaving the server alone: Non-essential software, like office tools, email clients, and utilities, should not be installed on the server, as it adds security holes and may require regular updates, which adds to the workload of the security team. For this reason, the developer community prefers command-line tools to keep the system load light and the need for updates to a minimum.
- Monitoring third-party components: Developers have to be extra vigilant wherever a third-party API is integrated with the fintech application, which is the norm these days. Third-party components are often weak links that potential attackers try to latch on to. Third-party APIs should be kept updated to the latest versions released by their maintainers, and there should be a plan of action in place in case a vulnerability is discovered in a third-party component. Developers must use libraries only from trusted sources, or from authors whose coding skills they can vouch for.
- Protecting the web server: Application servers are the primary targets of attackers. Web files should be kept on a separate drive and not stored along with other system files, OS files, or logs. A content security policy should be devised to avert cross-site scripting and data injection attacks.
- Using HTTPS: The tech giant Google advocates the use of HTTPS with SSL certificates. In the current set-up, almost all browsers notify the user if the website they access does not have a secure SSL connection. An SSL certificate enables encryption of the communication between the client browser or device and the application server. While an SSL certificate is essential for all kinds of web traffic, it is a must for fintech-related traffic.
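The content security policy and HTTPS items above are both enforced with response headers, and the natural place to set them is one middleware in front of the whole application. The following added example (not code from the article or from AppSealing) is a small WSGI middleware in Python's standard library that redirects plain-HTTP requests to their HTTPS form, adds a Strict-Transport-Security header so browsers stop trying plain HTTP, and attaches a per-response nonce-based Content-Security-Policy that allows only the app's own scripts. The `demo_app`, the `app.csp_nonce` environ key and the `call` driver are this example's own constructs; it assumes the app sits behind its own TLS-terminating proxy that sets `X-Forwarded-Proto`.

```python
import secrets
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote

# One year of HSTS; browsers then refuse plain-HTTP connections to this host.
HSTS = "max-age=31536000; includeSubDomains"


def csp_header(nonce: str) -> str:
    """Scripts load only from our own origin or carry this response's nonce; no
    plugins, no <base> hijacking, and no framing of our pages by other sites."""
    return ("default-src 'self'; "
            f"script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'")


def security_headers(nonce: str):
    return [("Content-Security-Policy", csp_header(nonce)),
            ("Strict-Transport-Security", HSTS),
            ("X-Content-Type-Options", "nosniff")]


def https_redirect_url(environ: dict) -> Optional[str]:
    """Return the https:// form of the requested URL, or None if already HTTPS.
    X-Forwarded-Proto is honoured because the app is assumed to sit behind its own
    TLS-terminating proxy; strip that header at the edge if that is not the case."""
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
    if scheme == "https":
        return None
    host = environ.get("HTTP_HOST", "localhost")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


def secure_app(app: Callable) -> Callable:
    """WSGI middleware: redirect plain HTTP, then add the headers to every response."""
    def wrapper(environ, start_response):
        target = https_redirect_url(environ)
        if target is not None:
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        nonce = secrets.token_urlsafe(16)       # fresh per response, never reused
        environ["app.csp_nonce"] = nonce        # templates put it on <script nonce=...>

        def start_with_headers(status, headers, exc_info=None):
            return start_response(status, list(headers) + security_headers(nonce), exc_info)

        return app(environ, start_with_headers)
    return wrapper


def demo_app(environ, start_response):
    """Constructed page whose only inline script carries the nonce, so CSP allows it."""
    nonce = environ["app.csp_nonce"]
    body = f'<script nonce="{nonce}">console.log("ok")</script>'.encode()
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [body]


def call(app: Callable, environ: dict) -> Tuple[str, Dict[str, str], bytes]:
    """Minimal WSGI driver for offline use: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    secured = secure_app(demo_app)
    print(call(secured, {"wsgi.url_scheme": "http", "HTTP_HOST": "pay.example",
                         "PATH_INFO": "/login"})[:2])
    print(call(secured, {"wsgi.url_scheme": "https", "HTTP_HOST": "pay.example",
                         "PATH_INFO": "/"})[1])
```

The nonce form of CSP is what makes the policy useful against injected script: an attacker who manages to get markup into a page does not know the nonce for that response, so their `<script>` is refused while the app's own one runs. HSTS only takes effect after a first successful HTTPS visit, which is why the redirect is still needed.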
Integrate Security in Daily Workflow
In the 2020 EY Global Information Security Survey, 39 percent of the Canadian respondents named careless or unaware employees as the top vulnerability to a cyberattack on their company's infrastructure. An organization's workforce is often considered the weakest link when it comes to cybersecurity: a single click on a malicious URL can compromise the security of the whole network. As the adage goes, "To err is human."
Whether the security compromise happens through human error or a persistent hacking attempt, the system stands compromised. What precautions can a company take against such security holes? Here are some suggestions:
- Data backup policy: The tech team should keep a proper mechanism in place to automatically back up code, data files, and important databases. The organization needs to decide on the frequency of the backups. It can also outsource the activity to backup experts who carry out the process regularly and systematically, so that backups can be accessed with ease in a crisis.
- Segmentation of the development process: To ensure that data security is not compromised, the app-building process has to be divided into separate compartments: development, pre-production, and production stages. Developers have access only to the development stage and are kept away from business data, which enters the picture in the later stages of the launch process. Top management takes care of the pre-production and production stages, thus ensuring the protection of critical business data.
- Non-disclosure policies: All parties involved in the development and maintenance of the fintech service, such as employees, contracted security professionals, vendors, data-entry operators, etc., should sign non-disclosure agreements with the fintech company. This gives the company legal teeth to fight any deliberate attempt by any party to sully its brand image or make illegal gains from their deep involvement in the service delivery process.
Testing is one of the most important phases of developing any application. In the case of fintech, it is even more vital that the app is tested rigorously, since a lot of money and sensitive user data is at stake.
First and foremost, it is important to test the network, servers, devices, and DNS. Critical areas, such as servers, routers, and firewalls, must be examined thoroughly. Areas prone to attack, such as operating systems, databases, and storage, need to be double-checked. Ensure that the latest operating systems are in place and all patches are applied.
Fintech organizations should simulate an attack and carry out the recovery process while recording the whole exercise. Penetration testing has developed into a detailed field of inquiry into a system's security vulnerabilities, in which specialized teams of testers record key security metrics, like server downtime, the presence of vulnerable data, and other flaws, during each simulated attack. The results of these tests can help an organization create a robust security policy.
Encrypt Sensitive Data
As per the recommendations made by the Federal Financial Institutions Examination Council, a nodal body of fintech companies, banks, and other stakeholders working under the US government, financial institutions must encrypt sensitive information such as:
- Personal details, including names, addresses, and contact numbers of users
- Transaction data, such as account numbers, payment history, debit and credit information, etc.
Data encryption is the process by which information is translated into a form that can be decoded only by those who hold the correct decryption key. The data makes sense only to the intended receiver; unauthorized users or hackers cannot decipher it without the key. Encryption standards have changed over time: the encryption paradigm shifts regularly as hackers get smarter and end up cracking earlier protocols. Developers can use any of the following standards to protect their fintech apps:
- Advanced Encryption Standard: There are quite a few encryption algorithms on the market, and AES is the most popular and secure among them. HTTPS and SSL are not foolproof during data transmission, and therefore it is vital to encrypt your data in addition to the communication channel. The US Federal Government uses AES to encrypt its data, and every second Android and iOS application uses this encryption method.
- Rivest-Shamir-Adleman: Named after its three designers, RSA is an asymmetric algorithm that uses different keys for encryption and decryption. The encryption key is public while the decryption key stays private, making it a highly secure algorithm. It is ideal for small-scale fintech companies that deal with limited data transfer and processing. The algorithm is a touch slower than the others, and lag becomes visible when dealing with huge databases.
- Triple Data Encryption Standard: This algorithm is based on the DES cipher, with each data block passed through the block cipher three times. Triple DES has a larger key length than other algorithms and is preferred for encrypting card PINs and other kinds of passwords.
- Twofish: This is a symmetric block cipher that uses a single key of any length up to 256 bits. Irrespective of the key length, 16 rounds of encryption take place. Twofish is an open-source algorithm designed by Bruce Schneier's Counterpane Systems.
- Tokenization: This is a process in which sensitive data is replaced with random strings of symbols, or tokens. Although they are linked to the original data, tokens cannot be used to recover it unless one is authorized to access a special database. The record of the link between the original data and the token is called a token vault. Without access to that database, tokens are worthless symbols. Tokenization is one of the most secure methods of storing and transmitting sensitive data.
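The tokenization item above, and the earlier point about storing only a token rather than the card number, describe the same design: one token vault holds the mapping, and every other service keeps nothing but the token and the last four digits. The example below is added here and is not code from the article or from AppSealing. It shows a minimal vault in Python: card numbers are validated with the Luhn check before anything is stored, a keyed HMAC fingerprint lets a repeat card reuse its token without the vault having to search plaintext numbers, the token itself is random and derives nothing from the number, and detokenization is refused to every caller except the payment gateway. The `TokenVault` class, its role names and the `store_billing_method` helper are this example's own; `4111 1111 1111 1111` is the standard test card number.

```python
import hashlib
import hmac
import secrets
from typing import Dict


class AuthorizationError(Exception):
    pass


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; catches typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip spaces/dashes and reject anything that is not a plausible card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return digits


def masked(pan: str) -> str:
    """Display form: only the last four digits survive outside the vault."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Holds the only copy of the token -> card-number mapping. Every other
    service (billing, order history, support UI) sees tokens and last-four only."""

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key
        self._by_token: Dict[str, str] = {}        # production: encrypted at rest
        self._by_fingerprint: Dict[str, str] = {}  # lets a repeat card reuse its token

    def _fingerprint(self, pan: str) -> str:
        # Keyed HMAC, not a plain hash: the space of 16-digit numbers with a known
        # issuer prefix is small enough to brute-force a bare SHA-256 offline.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = normalise_pan(pan)
        fingerprint = self._fingerprint(pan)
        if fingerprint in self._by_fingerprint:
            return self._by_fingerprint[fingerprint]
        token = "tok_" + secrets.token_urlsafe(18)   # random: derives nothing from the PAN
        self._by_token[token] = pan
        self._by_fingerprint[fingerprint] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the component that actually talks to the card network may ask."""
        if caller_role != "payment-gateway":
            raise AuthorizationError(f"{caller_role} may not detokenize")
        return self._by_token[token]


def store_billing_method(vault: TokenVault, pan: str) -> dict:
    """What the application database keeps for a saved card: no PAN at all."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": normalise_pan(pan)[-4:]}


if __name__ == "__main__":
    vault = TokenVault(lookup_key=secrets.token_bytes(32))      # constructed demo key
    record = store_billing_method(vault, "4111 1111 1111 1111")  # standard test PAN
    print(record, masked("4111111111111111"))
    print(vault.detokenize(record["token"], "payment-gateway"))
```

The security property is in what the application database does not contain: a dump of it yields tokens that are meaningless without the vault, and the vault is a small, separately locked-down service whose lookup key and stored numbers never leave it.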
Compliance with Security Protocols
Fintech organizations must be well versed in the regulations and norms of the regions they wish to operate in and must be certain that all protocols are maintained. There is no room for complacency in this area, as non-compliance is costly. According to a 2017 study by the US-based data research organization Ponemon Institute, the average cost for organizations that experienced non-compliance issues was estimated at USD 14.82 million, a 45 percent spike from 2011. The listed losses included damages incurred through lost productivity, business disruption, fines, and penalties.
Though compliance varies from country to country, there are some standard guidelines that fintech companies should follow. They include:
The General Data Protection Regulation
The GDPR rules apply to fintech companies in the European Union and the European Economic Area. The regulation was formulated to protect the data of European Union residents. Fintech companies that deal with European customers but have their physical offices elsewhere have to comply with these guidelines as well.
Second Payment Services Directive (PSD2)
This is an EU directive to regulate payment services in Europe, managed by the European Commission. It aims to boost competition in the fintech market and protect the rights of users in order to create a fully integrated European market. It sets capital and risk-management requirements for new players wanting to enter the electronic payment segment.
Payment Card Industry Data Security Standard (PCI DSS)
These information security rules were put in place by the industry consortium Payment Card Industry Security Standards Council to protect credit card data and avert breaches. All fintech organizations that handle credit card information are bound by them.
Even if a fintech company possesses a state-of-the-art security system with all the latest updates in place, its users can still be exposed to data breaches if they themselves fail to follow safe practices. Companies should educate users about safe practices to ensure that their data is not compromised. Here are a few points that companies need to share with their users:
- Always use the official, authorized app stores for whichever mobile platform they use
- Do not access fintech applications on public Wi-Fi networks
- Consider using a VPN as an additional security cover
- Do not store username and password credentials on fintech apps
- Avoid rooting devices
- Be aware of the kind of data the fintech app accesses and stores on its servers, and grant it only appropriate permissions
Apart from the steps mentioned above, a fintech company should consider incorporating a payment-blocking feature into the app. Such a system can detect suspicious transactions and alert the user and the authorities in real time. This feature is already part of major banking apps.
Fintech, no doubt, is the future of financial services. Gone are the days when people had to carry their passbooks and financial instruments to a physical bank to initiate transactions. Users can now carry out the same process sitting in their living rooms with the help of their mobile devices. The industry, however, faces many roadblocks in protecting user data and meeting compliance targets. Security breaches deter customers from using fintech apps. This is why companies developing fintech apps have to ensure that they hire the best in the business. These companies should use real-time protection mechanisms, such as AppSealing services, that provide source-code protection, app integrity protection, anti-debugging, and real-time detection of network packet sniffing/spoofing tools and cheat tools.
To secure your fintech applications without any additional coding, click on the link below to learn more about AppSealing and sign up for a free trial.