As much as Bud Fox, under the alias “Blue Horseshoe,” shared his love for Anacott Steel on the phone with a Wall Street reporter with the hope of manipulating the markets, there is one industry that cyber criminals absolutely love, and they really don’t need to make any call to anyone to impact it. This industry is fintech.
Fintech and data breaches: stats
Brace yourself! Ninety-eight percent of the top 100 global fintech startups are vulnerable to major cyberattacks (phishing, identity theft and data breaches, among others) [Source: ImmuniWeb]. One example among many is Dave, the U.S. fintech giant that reached a valuation of $1 billion in 2019 after just two years of existence. In 2020, 7.5 million of its records ended up for sale on the Dark Web. And if you think that startups have a monopoly on cyber-attacks in the fintech world, you’ve forgotten about the Capital One breach. In the summer of 2019, the Capital One breach affected about 100 million American and 6 million Canadian citizens. The Social Security Numbers of 140,000 U.S. citizens, the Social Insurance Numbers of 1 million Canadians, 80,000 bank account numbers, plus names, dates of birth, addresses, balances, credit scores and self-reported income data were stolen. The consequences were dire for Capital One: an eroded brand reputation, costs of about $150 million, and a 5% decrease in its revenues.
Fintech and data security issues
The fintech industry has been the catalyst for drastic and positive changes in the way financial products and services can be accessed. Thanks to impressive technological innovations in the financial sector, businesses and individuals today enjoy faster loan approvals, greater convenience, better-tailored services, lower costs… but advanced security? Whereas the first four benefits seem obvious (most of us have been enjoying them), the last one has yet to be proven. The major breaches the industry has suffered in the last three years certainly do not help its credibility when it comes to data security and integrity. So what causes these data breaches, and what can be done to remediate the issue? The answer: stolen passwords. Stolen passwords are the simplest and most common cause of data breaches. Are fintech companies powerless against passwords stolen from their employees and customers? Based on the list of cyber-attacks they have had to confront in recent years, some of them repeatedly, it might seem that way. The reality is that they have simply refused to undertake the drastic and much-needed changes.
The problem often lies with third-party fintech service providers
Banks and financial institutions are among the most vulnerable business entities when it comes to data theft, and the reason lies in the proliferation of not-so-reliable third-party fintech service providers on which they rely heavily. Those third-party providers automate major banking and financial functions; they are essentially leveraged to increase the flexibility and scalability of internal teams, slash costs, increase efficiency and revenues, introduce new technologies and solutions and/or expand the institution’s customer base. To accomplish this, banks must give these fintech third parties access to sensitive data, critical systems and other important resources. But are those fintech service providers using even reasonable care to keep this data secure? Between those that use interns to run (bogus) security checks before responding to an RFP and those that still use password-based authentication, the list of data breaches involving third parties (in 2020: P&N Bank in Australia, Nedbank in South Africa, Idaho Central Credit Union, Stripe, PayPal, Bank of America, Dave, Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners and Pacific Investment Management Co., Pell City Valley Bank, Citibank, First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust) clearly shows the weakness of the cyber security strategies and policies in place.
How to resolve the stolen passwords issue
So, if stolen passwords are the main cause of data breaches in the fintech industry, what shift is required so that the volume of data theft each year can finally be minimized? A logical answer would be to lean towards deploying a passwordless solution. That’s a good start. But how can you really be sure that the employee or customer who needs to authenticate to access systems or applications is who they claim to be? The reality is that most passwordless solutions on the market focus solely on the authentication step. Granted, their sales force will tell you that users need their smartphone to scan a QR code before authenticating with Touch ID or Face ID, so it leaves no room for impersonation. It certainly makes impersonation more difficult. But without indisputably proving the identity of the user, there is truly no way of knowing: authenticating with a device and its biometric proves that the person enrolled on that device is present, not that the enrolled person is who they claimed to be at enrollment. And identity verification requires an extra layer of technology that can accommodate the enrollment of multiple documents, government-issued and others, all validated in real time by the proper administrations and services, along with the use of advanced, live biometrics to further verify some of the enrolled attributes. Impersonation becomes utterly impossible. The risk of identity compromise disappears. Authentication becomes identity-based. Authentication stops being based on hope.
To conclude: what’s stopping change
Why aren’t more banks, financial institutions and fintech companies adopting identity-based authentication for their employees and customers to mitigate the risk of data breaches? The most sarcastic folks out there may say it’s just insanity, defined as doing the same thing over and over while expecting a different result.
Actually, I think the Greeks were spot on when they came up with the word “metathesiophobia.” It means the fear of change. When it comes to change in technology, there are CISOs who experience two conflicting emotions: excitement at the prospect of something new that brings a definitive solution to a major pain point, and, simultaneously, resistance to this new thing. The evolution of technology has fueled this resistance. We, as humans, naturally resist change because we fear what we don’t know. And although we have witnessed so many crucial technological advances, we have also seen so many technology flops…
As a hacker impersonating Gordon Gekko once said before launching a spear phishing attack on Wells Fargo, “Money never sleeps, pal.” It is time for the fintech industry to embrace the paradigm shift that at least one company to my knowledge has brought to market for ID-proofing and authentication.