Cyber Security & Blockchain
By Shirley O’Sullivan
As we become more and more reliant on the internet for our everyday lives, activities such as shopping and banking online are the norm. This offers convenience for the consumer and savings for the service provider, but it also brings opportunity for the cybercriminal. Banks, in particular, are an obvious target and experience a high volume of attacks, a worrying proportion of which are successful in stealing information. In the past, these attacks have focused on using malware to compromise machines and raid accounts. More recently, we’ve seen the taking over of accounts by stealing credentials, using a combination of phishing and social engineering techniques. We’ve also seen DDoS attacks used in an attempt to bring down banking services in order to extort money. But, of course, the technology landscape never stands still for long. As consumers move to greater use of mobile devices and the finance industry starts to exploit the benefits of blockchain, so the threat landscape is beginning to shift.
Mobile internet traffic has overtaken desktop with around 53 percent of global web traffic coming from mobile devices. In banking terms, this means increased reliance on apps. This opens up a new threat vector in the form of ‘overlay’ attacks which place a fake window over the genuine app to intercept the user’s credentials.
The use of insecure public Wi-Fi also leaves apps at potential risk. Solving this problem is as much a matter of educating consumers as of hardening apps. Traditional security techniques including firewalls and anti-malware programs that rely on signature-based detection are increasingly losing the battle against sophisticated threats. New ‘frictionless’ security technologies such as Runtime Application Self-Protection are likely to come to the fore in keeping mobile banking apps secure. This means that security needs to become an integral part of the development process, not something that gets bolted on at a later date. Applying security at the application level mandates the adoption of a secure development lifecycle and the treating of security issues in the same way as any QA bug.
Fraud & Compliance Measures
The banking sector is already leading the way in terms of its use of technology to detect and prevent fraud. In the coming years, we will see an increase in the use of artificial intelligence and machine learning techniques to spot unusual behaviour patterns and query suspicious transactions. By risk scoring transactions in this manner, banks will be able to reduce losses to fraudulent transactions and better defend against sophisticated attacks.
With the European PSD2 (Second Payment Services Directive) measures on open banking having come into force this year, there is an increased focus on regulation and security. Third-party companies will be able to offer services including paying bills, making loans and transferring funds. This opens the way not only for disruptor banks but also for the tech giants including Google and Facebook to enter the payments sector. PSD2 imposes new security requirements and the opening up of APIs to allow access to data, both of which will impose an increased security and compliance burden on banks while at the same time threatening their business model.
Identity & Electronic Signatures
As more and more transactions become electronic, there is a need to ensure that they can be trusted at every stage of the process. Activities such as signing a contract or opening a bank account will no longer rely on the traditional handwritten signature. The use of passwords is already regarded as inadequate in many circles and we’re seeing increasing moves towards multi-factor authentication measures. More advanced options including e-Signatures and the rise of biometric options such as retinal or fingerprint scans are likely to come into play too. It’s important that the methods chosen are able to work effectively at volume and that they are easy to use and don’t add complication to the consumer experience. There’s likely to be a shift to behavioural biometrics that learn how a user interacts with the device, the way they swipe the screen or use a mouse for example. This makes it hard for anyone else to exploit a lost or stolen device.
Up to now, blockchain has been associated with cryptocurrencies such as Bitcoin, but the banking industry is beginning to see its potential for securing mainstream transactions too. Blockchain works on the basis of a distributed ledger, so that no one system holds a definitive version. When a transaction occurs, it is combined with others taking place around the same time into an encrypted block and sent to all machines on the network. So-called ‘miner’ programs then work to validate these blocks. The major advantage of blockchain – and its attraction for traditional banks – is that it allows for trusted peer-to-peer transactions. It’s pretty much impossible to go back and alter a transaction once it’s in the blockchain because doing so would corrupt all the preceding blocks. This means that a successful hack would need to change the entire chain back to its starting point. This may involve millions of blocks and would need to be done simultaneously.
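As an added illustration (not code from the article), the sketch below models a ledger as blocks that each store the SHA-256 hash of the block before them, and shows how a verifier detects an altered transaction. The block layout, function names and sample transactions are assumptions made for the example; mining and distribution across the network are left out.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # stand-in "previous hash" for the first block (assumption)

def block_hash(index, transactions, prev_hash):
    """SHA-256 over a canonical JSON encoding of the block's contents."""
    body = {"index": index, "transactions": transactions, "prev_hash": prev_hash}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def build_chain(batches):
    """Put each batch of transactions in a block linked to the previous block."""
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(batches):
        digest = block_hash(i, txs, prev)
        chain.append({"index": i, "transactions": txs, "prev_hash": prev, "hash": digest})
        prev = digest
    return chain

def first_invalid_block(chain):
    """Index of the first block whose link or contents fail to verify, else None."""
    prev = GENESIS_PREV
    for b in chain:
        expected = block_hash(b["index"], b["transactions"], b["prev_hash"])
        if b["prev_hash"] != prev or b["hash"] != expected:
            return b["index"]
        prev = b["hash"]
    return None

def tamper(chain, index, amount, rehash=False):
    """Copy the chain, change one amount, optionally recompute that block's hash."""
    forged = copy.deepcopy(chain)
    blk = forged[index]
    blk["transactions"][0]["amount"] = amount
    if rehash:
        blk["hash"] = block_hash(blk["index"], blk["transactions"], blk["prev_hash"])
    return forged

# Constructed sample data: three batches of transactions, one block each.
BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 50}],
    [{"from": "bob", "to": "carol", "amount": 20}],
    [{"from": "carol", "to": "dave", "amount": 5}],
]
```

Recomputing the edited block's own hash only moves the failure to the next block, whose stored link no longer matches.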
Blockchain, therefore, has the potential to radically transform the way in which we carry out financial transactions. It allows immediate transfer of value without the need for an intermediary. In the context of buying goods or financial instruments, therefore, blockchain provides for an instantaneous transfer of funds with no need for escrow accounts or waiting for payments to clear. It also paves the way for smart contracts that allow payments to be automatically triggered when certain events occur. Transactions within the blockchain are also essentially anonymous, so there are implications for greater security of information.
These examples show that both the threats in the digital banking space and the solutions currently being developed are ever evolving. A CISO in the banking sector needs to stay hot on the heels of any new developments in safety protocol and newfound vulnerabilities. Technology may be driving the evolution of the banking threat landscape but the inherent opportunities are staggering.