Millions of US citizens are subject to cyber attacks each year, as nefarious actors look to outwit individuals, businesses, healthcare and educational institutions as well as government bodies.
Phishing, denial-of-server, malware, password attacks, intellectual property theft, rogue foreign attacks and espionage are among the cyber threats these institutions are looking to detect and deter, as criminals become ever more sophisticated.
Challenger banks, and other fintechs, are prime targets for rogue operators, as victims of cybercrime can be carrying out something as innocuous as online shopping or online banking. The target on the back of fintechs, meanwhile, in the eyes of criminals, is growing even bigger courtesy of high-profile funding rounds and M&A activity.
A boss at the US fintech trade body underscored how important having top-notch cybersecurity is to fintechs. “For any bank or fintech, that holds account numbers, the customer’s money, or both, cybersecurity is of paramount importance, protecting these assets is key. Your business depends on it, your reputation depends upon it,” says Scott Talbott, senior vice president of government relations at the Electronic Transactions Association (ETA).
Talbott adds that cybercriminals are always trying to get ahead of fintechs. “We build a 10ft. wall, they [hackers] build an 11ft ladder. So, we need to build a 12ft wall. We can never rest, we must always be vigilant in terms of cybersecurity.” Failing to detect and deal with a cyber-attack, say experts, can ruin a fintech’s reputation.
Meanwhile, coronavirus has upped the risks of cybercrime and financial fraud, as hackers attempt to capitalise on fears about coronavirus and the fact many people are working from home.
Recent examples of cyber attacks
A cyberattack, it seems, is seldom out of the headlines. Most recently, a massive trove of US government emails was targeted in a hack understood to be carried out by Russia, according to US officials. The hack, the biggest against US officials in years, started when a pernicious code was sneaked into updates to the popular software called Orion, made by SolarWinds, which monitors the computer networks of businesses and government for outages.
Despite the mayhem wrought by the hack, according to John Mileham, CTO of Betterment, the New York-based digital wealth company, believes that high-profile data breaches like SolarWinds help keep cybersecurity in the public conscious, potentially making the public-minded to be careful.
Cyber attacks resonate in public consciousness
Mileham said: “Cybersecurity is also very front of mind for folks given the recent SolarWinds breach. “There is a growing awareness of cyber threats as a thing in people’s minds as more data breaches have happened and as various high-profile hacks have taken place.”
Fintechs have not been immune to recent cyber hacks. Last year, Robinhood, the California-based trading app, had 2,000 trading accounts hacked, according to Bloomberg. In response, Robinhood said a “limited number” of accounts had been compromised and also sent a push notifications through its app encouraging its users to implement two-factor authentication.
Major cyber threats facing today’s US fintechs
So what are the top cyber threats facing today’s US fintechs? Criminals wanting to make money are the top of the tree for Betterment, says Mileham. He adds: “We find that our primary threats are and remain criminals.
“And they are operating with a business model that only allows them to spend so much time and energy compromising a given institution or compromising an individual customer within an institution in order to turn a profit.”
Fending off customer fraud ranks top on investment app Stash’s list. Gavin Grisamore, VP of information security at Stash, said: “Mitigating any threats of customer fraud or account takeovers are the top priority for Stash’s cybersecurity team. Maintaining customer trust is absolutely vital.”
Distributed denial-of-service (DDoS) attacks; where hackers try and make a website or computer unavailable by flooding or crashing the website with too much traffic are becoming more commonplace, says Steven Gall, VP of engineering at M1 Finance, the Chicago-based money management platform. “We have never had a data breach,” says Gall. “But we are always under attack. It’s naïve to think you are not.”
Impact of Covid on cyber threats
Firms and government agencies have warned consumers of increased risks of cybercrime and financial fraud amid coronavirus, as hackers attempt to capitalise on fears about Covid-19 and the fact that so many people are working from home, often logging onto new virtual computer systems.
“So, coronavirus definitely changed the cyber threat landscape a bit. There was a massive uptick in unemployment insurance fraud in the US, “said Mileham. “This required us and our partners to work together to help get our arms around it, make sure that we were able to serve our customers without putting them at undue risk.”
Gall says at M1 Finance, it has invested heavily in ensuring its cybersecurity policy is enforced amid a workforce working remotely, so it’s able to carry out measures like auditing staff work stations remotely. He points out that many data breaches occur when temporary users are granted god-like powers across systems in firms, which are never viewed and audited. He also stresses the importance that staff should be given only the online privileges their jobs require, never more.
Tie-ups with partners can help ward off the cyber threat
US challenger banks partnerships with existing banks can help shore up their handling of a cyber-attack, says Talbott. He adds: “When a challenger banks or an internet bank works with an existing bank that existing bank is going to make sure that the challenger bank is compliant with all the laws and regulation that the traditional bank is subject to.”
Grisamore said that Stash “works with several key organisations-across sectors- to ensure the company is up-to-date on the latest cybersecurity intelligence and trends.” Meanwhile, Mileham says that its proprietary technology gives it an advantage to other financial institutions in combating the cyber threat challenge.
He says Betterment has “built and own and maintains its own technology” which “allows us to provide better consumer service while tailoring specifically to the risks and threats we face as a business.”
“It allows us to be more responsive to new threats and it allows us to build next-generation solutions to cybersecurity challenges and roll them out quicker than you would be able if you were working heavily with vendors and vendors of vendors.”
Gall gives an example of a company M1 Finance works with, which recently told its customers it had been subject to “unauthorised access” of its systems but was not sure if its customers’ passwords had been compromised. He said it’s “alarming” and “concerning” that the company was unable to disclose specific deals about the access, pointing out that M1 Finance’s own systems would have handled the situation better.
Size of fintech cyber teams
At Betterment, Mileham says it has an overall team of around 100 engineers which builds the Betterment product, within which sits a “small” cybersecurity team which has four dedicated engineers focussing on security.
Mileham adds: “They work in partnership with engineers who build the product to help secure it through a variety of means.” This includes carrying out exercises like penetration tests and simulating events like data breaches.
Likewise, M1 Finance has a small dedicated team of three concentrating on implementing security but Gall says the key is having a “security-focused organisation”.
Stash, meanwhile, has a team of five full-time cybersecurity engineers. “The team is primarily tasked with detecting any potential threats to our customers and the businesses at large,” says Grisamore. “They’re also in charge of assessing Stash’s technology footprint across the internet, and reducing its attack surface to the greatest possible extent.”