Cet article Wavestone publishes its 2020 Belgian Cybersecurity Startup Radar est apparu en premier sur RiskInsight.

A rapidly growing market

On the global scale, investments in the FinTech sector multiplied tenfold between 2010 and 2015 to reach $22 billion. The amount invested in 2016 is estimated to be $36 billion, with this substantial increase being due to the arrival of several major financial players wishing to secure their share in this very promising market.

In October 2015, the European Commission also adopted Directive PSD2, providing a legal framework promoting the use of innovative and disruptive solutions for banking and payment services. This new Directive has helped to change the definition of “payment institution” by making it more flexible and enabling new third parties to enter the market for banking services, which represents a real opportunity for the FinTech players.

This Directive has been in force since January 1^st 2016 in all countries within the European Union and has substantially modified the role of these new entrants into the banking landscape. These new regulations require the banks to open up to these new entrants by developing APIs that allow the FinTech players to interact with their banking applications and have access to some customer data. This new context, seen initially as a threat by the traditional financial institutions, has turned into an opportunity for the banks that have speeded up their digitalization process.

In fact, the banking institutions’ digital transformation strategy has embraced this change and the big banks have not hesitated to create partnerships or acquire FinTech start-ups. Societe Generale, for example, which bought Fiduceo, and BNP that joined the project by Xavier Niel, Station F, the biggest campus of start-ups in the world, located in Paris. The disruption caused in the banking industry by FinTech is due to both the evolution and simplification of services to customers thanks to an improved user experience and greater flexibility, and to the new technologies which are becoming the medium for these innovative services.

Smartphones: Pillar of the FinTech companies

The way that FinTech companies have evolved over the past few years has been driven by two major factors that have been the catalyst for growth in the sector. On the one hand, the financial crisis in 2008: the markets collapsed and the big investment banks went under. Investors no longer trusted the big financial institutions that were losing money, and a certain number of them preferred to turn to the promising digital enterprises in Silicon Valley.

Second factor: 2008 was also the year in which the blockchain was created, and the year when smartphones appeared, following the revolution initiated by Apple in 2007 with the launch of the iPhone. As the solutions offered by the FinTech players were disruptive and based on flexibility and simplicity of use, their growth was further boosted by the widespread availability of smartphones, which have become an everyday necessity. The expansion of the FinTech sector was thus encouraged by the level of maturity attained by smartphones and the applications that they host, which in turn helped them to develop and provide their services directly to users.

The smartphone is also a major vector in the transformation of payment methods, generally agreed to be one of the areas most remodeled by the FinTech revolution. The smartphone is not only the device that provides access to the services, but is also becoming the means of payment with NFC chips, in the same way as a bank card. Applications such as Lydia also make it possible for users to transfer money to their contacts free-of-charge and without having to make the normal bank transfer.

From the very launch of Apple Pay on iPhone, vulnerabilities in the design of the function had led to a rate of 6% of fraudulent transactions in 2016 as it was possible to use any card, without the CVV number and without any verification of the user’s identity, to make payments.

However, the security of FinTech companies cannot simply rely on that of smartphones and it must take into account all the links in the chain: from the design of the service to the data center where the company hosts its infrastructures.

Control of technology and security of the devices: major risk factors

The programming, the infrastructures used and the user’s device are the keyelements that are critical to the reliability, robustness, security and integrity of a financial service. Each of them has inherent weaknesses that it is important to make secure by suitable means that satisfy both the relevant regulations and correspond to external and internal risks. The main weaknesses that have been identified for the elements that are essential to the services provided by FinTech companies are as follows:

1) Devices

As mentioned above, the majority of financial services offered by FinTech companies are accessible to users through their own devices (PCs, tablets, smartphones, etc.). The security of the transactions carried out depends therefore to a large extent on the level of security of the device that is used. In 2016, it became apparent that smartphones were, in just the same way as computers, a target for Trojan Horse type malware that attempts to retrieve the login information of users on the home pages of their online banks. This weakness, which is inherent to the operating system of smartphones, is generally detected when it is too late when it has already been exploited by the hackers. As for the FinTech companies, the solution they most often use to protect themselves against fraudulent operations, following the theft of an ID or password, is multiple factor authentication. This method, already widely used by businesses, is now increasingly widespread among private individuals when they log on to a sensitive online application. The second factor is generally a code sent by SMS or generated by a special application, or biometric authentication using fingerprint sensors embedded in smartphones. However, even a two factors identification along with a code sent by SMS can be ineffectual against a determined hacker who might be able to intercept the SMS if they have managed to compromise the smartphone beforehand.

The manufacturers are therefore working on making their mobile devices secure, and have even made it a priority with regular security updates for the purpose of covering the vulnerabilities that are detected. Every weakness discovered in the operating system of a device receives widespread media coverage and could have a significant impact on sales in this very competitive market, in which the customer’s growing awareness of security can influence the final purchase decision. The most recent smartphones are, therefore, generally considered to be less vulnerable than an aging laptop.

2) Programming

The case of the mutualized investor-led capital fund The DAO , based on the blockchain “Ethereum”, a network that uses a cryptographic currency, is an interesting example to illustrate how a programming error can lead to a substantial financial loss. In this case, an error present in the code that made it possible to carry out false transactions resulted in the embezzlement of $50 million belonging to the various “shareholders” in The DAO.

This risk of hacking using a flaw in the programming is omnipresent for businesses seeking to develop applications and other web services. It is, however, possible to limit the risks arising from these programming errors by carrying out audits on the source codes and using vulnerability scanners on the applications.

In 2016, the researcher Vincent Haupert in hacking the mobile application of the German 100% online neo-bank N26 , not by compromising the smartphone but based on weaknesses in the application architecture. He was able to take full control and carry out illicit transactions. Following his discovery, the bank launched “Bug Bounty” campaign, an operation designed to reward people who report security breaches. Many companies, like the GAFA, but also of a more modest size, have already resorted to this type of campaign to detect potential weaknesses in their products.

FinTech companies therefore need to put security at the heart of their preoccupations when developing their services by integrating it in the design stage. All the more so because the financial sector is a prime target for hackers seeking to exploit any weaknesses they can identify in order to misappropriate large sums. As FinTech businesses tend to grow very quickly, the race for growth sometimes receives more attention than product security.

3) Infrastructures

But the Cloud is not infallible. For example, on February 28, 2016, thousands of websites and web applications belonging to various large companies, including Apple and all over the world, became inaccessible following a failure of the Amazon cloud.

The choice of IaaS and PaaS Cloud services providers is therefore important for businesses like the FinTech companies that supply sensitive services. The latter are subject to a large number of banking regulations, such as the PCI DSS for the protection of account information, or European regulations such as the General Regulation on Data Protection (GRDP) which will come into effect in May 2018, and expose businesses to some very dissuasive financial sanctions (up to 4% of global revenue).

Companies must therefore be certain that the level of security and the related processes put in place by their suppliers comply with the regulations that cover them. At end-2016, in an attempt to help companies outsource their infrastructures, the French data protection agency ANSSI published a standard to be used to certify trustworthy providers of Cloud services with the Franco-German label: European Secure Cloud.

In the more specific context of FinTech companies, ANSSI has also invited itself to the table to contribute its recommendations. ANSSI has become a partner of the FinTech Forum created by the French financial markets regulator (AMF) and prudential and resolution control authority (ACPR). The purpose of this forum is to encourage the emergence of these new financial sector players by assessing the risks and opportunities associated with their development.

National agencies, fully aware of the challenges posed by the transformation of the financial sector, are working towards creating greater transparency in companies regarding their overall ecosystem, and also on cyber security.

Risks that are indeed difficult to cover for FinTech companies

So, the cyber risks that are omnipresent for any business are all the more critical for FinTech companies. Viral infections and cryptolockers, attacks on web applications, and Distributed Denial of Service (DDoS) attacks, to mention but the most commonplace, can just as well affect devices, as applications and infrastructures, as discussed above.

The fight against these risks, inevitable for a business whose applications are exposed on the Internet, requires specific security skills and the putting in place of incident response plans in order to ensure the integrity and quality of their services. To respond to these challenges, banks have considerable resources, such as teams that are responsible for the continuous supervision of digital infrastructures, and they invest several tens of millions of euros every year simply to be able to guarantee their cyber security. As things stand, FinTech companies are not always able to put in place comparable financial and human resources. However, their advantage lies in their agility and the modernity and lack of obsolescence of their infrastructures, making it possible to implement effective security measures more quickly and at a lower cost. Furthermore, the increasingly close cooperation between the big traditional players and the FinTech companies means that they can benefit from the formers’ maturity in terms of security, with the crux being to strike a balance between security and flexibility, one of the success factors of the FinTech companies.

Cet article FinTech: at the time of the digital revolution how well are the risks understood? est apparu en premier sur RiskInsight.

Changing Internet thechnologies and uses

At the user end, the uses that have emerged over the last decade will simply become more prevalent and will further expand by 2020. The growth and diversification of social media will make it possible to further accelerate the sharing of personal data with increases in technical efficiencies and the numbers of users. This phenomenon, profoundly generational in nature, might well continue to develop and therefore raise numerous questions relative to trusting in information and the limits of freedom of expression.

At the company end, as part of the ongoing virtualization of the workstation, teleworking is becoming an issue in the strategic roadmaps of many groups who see it as an opportunity to reduce property overheads that generally constitute their second highest budget item. Cloud Computing is growing and is leading to the integration of an ever greater share of the information capital of businesses by specialized service providers, especially in the security of infrastructures.

Finally, the IoT and Machine Learning will cause major upheavals to the business models and the positioning of historical players in all fields. 3 new societal needs will have to be taken into account in order to remain competitive: mobility, knowledge and trust.

A regulatory framework yet to be defined

The recent demonstrations of the power of the GAFA, capable of combining gigantic databases of users with leading edge artificial intelligence methods, are ushering in a new era devoted to the ultra-personalization of services, but also to mass monitoring. In fact, the immense opportunities opened up in the area of marketing through the ultra-personalization of services and mass monitoring hide a more alarming reality: a regulatory framework that provides less than adequate protection for Internet users confronted with the abusive and discriminatory practices of public and private players alike.

Given the situation, “intelligence acts” are emerging in many western countries in an attempt to impose standards on the already widespread practices of these services. Begging the question of the individual freedoms being under threat because of the pretext of the fight against terrorism, these laws are regularly adopted despite the protests voiced by civil society.

After a number of revelations about the activities of the NSA in Europe, the European Union decided, in October 2015, to overturn the Safe Harbor agreement that had until then allowed the United States and Europe to freely exchange data, considering that its partner across the Atlantic was no longer able to guarantee a sufficient or adequate level of data protection. To fill the legal void surrounding the use of personal data, the GDPR is the new benchmark law for personal data protection in Europe, applicable by the 28 member states as of spring 2018. The law will actually protect users to the detriment of companies who will at best see their potential usage reduced to a need to seek “explicit and positive” consent. Similarly, the European NIS Directive for the security of digital services, will gradually be transposed into national legislation, including in France in connection with the military programming law.

Finally, the recent tussles between the giants of the web and the American administration have proved the government’s inability of imposing on Apple and Google the enforcement of the Patriot Act. This has enabled these players to claim a certain primacy in the respect for individual freedoms and a certain autonomy from political bodies, which had previously been the sole arbitrators in these types of situation. There is a slow but definite shift in the historical balance of power, with state authorities losing out to the major players in the economy, and it is as yet very difficult to say where this will all lead.

Therefore, two factors will have become decisive by 2020, and even after that, in adapting to the technological age: innovating and surviving beyond the rapid evolution of the rules of competition. On the one hand, a comprehensive knowledge of the regulatory limits and constraints, and on the other hand, an ability to make the most of the available data without crossing the legally authorized limits. The whole challenge in the future environment based on the Web 3.0 will therefore be to build and maintain a relationship of mutual trust with both customers and stakeholders, particularly government.

New threats in cyberspace

As part of a forward-looking study aiming to establish how cybercrime might evolve by 2020, a committee of experts has announced the types of recurrent threats to be expected by private enterprise and individuals. The primary threat to businesses will be attacks on the availability of their systems, such as denial of service, the theft of strategic data for sale to the highest bidder, and attacks on the corporate image (disinformation and denigration campaigns). For individuals, the most important threats to consider are scams and misappropriation, to which must be added attacks on alarm and home automation systems in support of physical intrusions.

Two scenarios will become widespread and will feed into each other to become characteristic of the overall landscape of threats in 2020:

• The “attack as a service” The rapid and continuous growth of the number of connections to the Web will lead mathematically to the opening up of a very broad area to attack. Non-targeted attacks, or those based on networks of slave machines (machines controlled remotely by a hacker and used in large numbers to saturate web services, for example) could be deployed on massand achieve such a level of firepower that we cannot currently even begin to imagine it. A study conducted by university academics in Israel has estimated that 6,000 smartphones would be enough to destroy an emergency call system such as 911 in the United States; what then, might not be achieved with a network of millions, or even billions, of objects infected by Botnet malware (malware that allows a hacker to remotely control the infected machines)? These attacks are of low complexity, but massive impact.
• Economic warfare A context of extreme competition between the major economic players in industrialized countries will lead to higher levels of “geostrategic” threat. The Internet will become a new battlefield on which will be played out the economic and political interests of nations. The threats will be targeted and will range from acts of sabotage, as was the case with the Stuxnet virus, to industrial espionage. These offensives could reach high levels of complexity and will be implemented by teams of professionals with the benefit of various forms of protection and extensive, or even unlimited, financial and operational resources.

With Cloud Computing and connected objects becoming more widespread, the digital uses currently emerging will be commonplace by 2020. New threats are expected to accompany this evolution, less targeted at businesses and individuals and more at governments . The legislative framework, subject to major change, is currently designed as much to protect Internet users as to support businesses, and where the balance of power will end up is anybody’s guess.

Cet article What security for cyberspace in 2020? est apparu en premier sur RiskInsight.