The fintech world is having a meteoric 2020. Already riding a wave of early-adopter momentum in recent years, the industry gained a mass following out of necessity as the COVID-19 pandemic disrupted the public’s ability to shop in person or visit traditional financial firms’ branch offices for banking, lending and other services. On top of all of this, no one could have anticipated the unprecedented $2 trillion stimulus package in March, including forgivable small-business loans and checks for Americans, which further accelerated fintech by letting more of these new apps and services participate in the recovery effort.
Yet with every rapid rise come higher stakes and consequences for cybersecurity and overall trust. Criminals know that moments of urgency and disruption are where quick moves score illicit profits. The FBI recently issued an alert on elevated fraud taking advantage of mobile finance apps’ popularity during the pandemic, warning that individuals are falling victim to a range of threats including malicious software masquerading as financial apps and password-stealing Trojans that help criminals perform account takeovers (ATO) of existing, legitimate accounts. This is disquieting news on top of widespread health and safety concerns, but it is exactly in line with cybercrime history: the FTC issued similar alerts in 2009 during America’s last financial crisis, warning of deceptive websites and malicious messages and links pegged to stimulus buzz, financial uncertainty and greater reliance on online banking.
Cybercrime always follows the money, and it has upped its game considerably since 2009, so how can fintech stakeholders sustain their industry’s growth? No technology or service is bulletproof, but fintech leaders seeking to build on their value proposition and brand reputations well after the pandemic subsides should consider three factors in the bigger picture.
Make security part of the growth conversation
Fintech’s popularity offers a lot of attack surface for fraud. Before the pandemic, Ernst & Young’s Global FinTech Adoption Index for 2019 reported the rapid growth of these services, noting the “money transfer and payments” slice of fintech had the largest adoption rate among surveyed consumers with “75% of consumers using at least one service in this category.” Now consider the further growth of fintech adoption during COVID-19’s disruptions, when many employers and individuals turn to fintech on the fly to receive income or quickly repay friends and neighbors helping locate scarce food, medicine and other care items.
While fintech adoption may be spurred by convenience or necessity of late, keeping it mainstream requires a renewed focus on security awareness tailored to these platforms. For example, the FBI’s fraud alert noted the effectiveness of outright fraudulent finance apps, suggesting that with so many new players in this space, consumers are evidently willing to experiment, even with brands that are not household names. This shows how out of date traditional “safe online banking” advice can be today: precautions that took years to instill, like “Bookmark your bank’s Web address in your browser instead of clicking on pop-ups” and “Mouse over links in messages to see if the URLs look phony,” do not hold up in mobile interfaces. When you are living off your smartphone, messages and menus render completely differently than on the desktop, there is no hover to reveal where a link really goes, and everything is oriented around quick “Yes/Accept” tapping and swiping.
Additionally, mobile app stores now sit between the consumer and banks or fintech platforms. This puts a greater security and integrity responsibility on the App Store and Google Play, but it also reflects the reality that trust and convenience are increasingly intertwined: if a fake or hijacked app makes it into a storefront, even briefly, the delivery channel alone confers a lot of trust, and the permissions such an app requests at install time tend to be granted on the strength of that trust.
This is where fintech platforms should communicate relentlessly to consumers that fraud follows growth and that it takes vigilance on users’ part to protect what is theirs. Start by explaining what the provider will never do, like call and ask for exhaustive personal information over the phone, or request a password or one-time code via text or social media messaging to “authorize” a login reset.
Because fintech and mobile devices are inseparable, other awareness tie-ins need to emphasize simple device hygiene: limiting app downloads to legitimate storefronts, setting OS and app updates to automatic, and turning on the handset’s built-in protections such as a screen lock, storage encryption, backup and remote wipe in case of theft.
Monitor the risks of both fraud and friction
Fintech’s unique challenge is that the mobility and convenience behind its value proposition are undercut when security and anti-fraud measures add too much friction. When you are ready to spend urgent stimulus funds or quickly pay someone for childcare or groceries, you do not want to hit a series of lock-out screens because you mistyped your password, or have to call a help desk to prove who you are.
Mobile interfaces are everything, and for more and more users, if something is not already on their phone, it is irrelevant. This is why familiar security measures like SMS-based two-factor authentication and hardware tokens can fall short in the mobile era. SIM-swapping attacks hijack the victim’s phone number at the carrier, so one-time PINs and anything else delivered by text message are only as strong as the carrier’s account controls; and users tend to disdain, forget or lose fobs and other ancillary hardware that protects logins.
While there is little tolerance for friction in fintech, the risk of fraud, particularly via the chronic trafficking in stolen credentials, is staggering. According to Verizon’s 2020 Data Breach Investigations Report, over 80% of breaches caused by “hacking” involve brute force or the use of lost or stolen credentials. Financial motivation, always high in Verizon’s annual research, coupled with the power of weaponized stolen credentials puts fintech platforms at greater risk of abuse, because reused passwords and credential-stealing malware too often hand attackers our new passwords almost as quickly as we choose them. The fragility of password-based authentication means financial platforms have to chart their risk tolerance carefully: how do we accommodate a lot of on-demand transactions without getting in the way of commerce, or letting some of our users be robbed?
While tools like password managers can help enforce good password practices, there is still great demand for technologies that can backstop the limits of passwords without getting in the way. Increasingly, that backstop is risk-based authentication: analytics that compute a risk score from login attributes (device, network, location, time, failure velocity) and account activity, and then decide per attempt whether to allow, ask for one more factor, or block. Some transactions and patterns are going to scream fraud, others may be more subtle, but analyzed together they let a platform tune its interface and user experience to its risk tolerance instead of applying the same friction to everyone.
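As an added illustration of the risk-scoring idea above (this is example code written for this page, not anything from the article or from any named fintech product), the Python below scores a sequence of constructed login attempts. The signal names, weights, thresholds and the two IP addresses (from the RFC 5737 documentation ranges) are all assumptions chosen for the example; a real platform would tune them against its own fraud data.

```python
"""Toy risk-based login scoring over constructed login events (example only)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class LoginAttempt:
    ts: int            # seconds since epoch; values below are constructed
    user: str
    ip: str
    device_id: str
    country: str
    password_ok: bool


class RiskScorer:
    """Scores each attempt from its attributes and the activity seen so far.

    Signals (weights are assumptions for this example):
      ip_failure_velocity: >= THRESHOLD failed logins from one IP inside WINDOW
      ip_many_accounts:    one IP has attempted >= THRESHOLD distinct accounts
      new_device:          device never seen on a trusted login for this user
      impossible_travel:   country differs from the last trusted login < 1 h ago
    Decision: score < 25 allow; 25..69 step_up (one extra factor); >= 70 block.
    """

    WINDOW = 300       # seconds of IP failure history that count
    THRESHOLD = 5

    def __init__(self):
        self.known_devices = defaultdict(set)   # user -> trusted device ids
        self.last_login = {}                    # user -> (ts, country)
        self.ip_failures = defaultdict(list)    # ip -> timestamps of failures
        self.ip_users = defaultdict(set)        # ip -> accounts attempted

    def enroll(self, user, device_id):
        self.known_devices[user].add(device_id)

    def _signals(self, a):
        signals = {}
        recent = [t for t in self.ip_failures[a.ip] if a.ts - t <= self.WINDOW]
        if len(recent) >= self.THRESHOLD:
            signals["ip_failure_velocity"] = 50   # looks like credential stuffing
        if len(self.ip_users[a.ip]) >= self.THRESHOLD:
            signals["ip_many_accounts"] = 30
        if a.device_id not in self.known_devices[a.user]:
            signals["new_device"] = 25
        last = self.last_login.get(a.user)
        if last and last[1] != a.country and a.ts - last[0] < 3600:
            signals["impossible_travel"] = 40
        return signals

    def evaluate(self, a):
        signals = self._signals(a)
        score = sum(signals.values())
        self.ip_users[a.ip].add(a.user)
        if not a.password_ok:
            self.ip_failures[a.ip].append(a.ts)   # feeds later velocity checks
            action = "deny"
        elif score >= 70:
            action = "block"
        elif score >= 25:
            action = "step_up"                    # one extra factor, not a lock-out
        else:
            action = "allow"
            self._remember(a)
        return {"user": a.user, "action": action,
                "score": score, "reasons": sorted(signals)}

    def confirm_step_up(self, a):
        """Call once the extra factor succeeds; only then trust the device."""
        self._remember(a)

    def _remember(self, a):
        self.known_devices[a.user].add(a.device_id)
        self.last_login[a.user] = (a.ts, a.country)


def run_scenario():
    """Constructed sequence: a normal user, then a stuffing run, then an ATO try."""
    scorer = RiskScorer()
    scorer.enroll("alice", "phone-a")
    attempts = [
        LoginAttempt(0, "alice", "203.0.113.10", "phone-a", "US", True),
        LoginAttempt(600, "alice", "203.0.113.10", "phone-b", "US", True),
    ]
    # One IP sprays wrong passwords at five accounts inside a minute.
    for i, victim in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        attempts.append(LoginAttempt(650 + i * 10, victim, "198.51.100.7",
                                     "kit-1", "RO", False))
    # Then it presents alice's correct (leaked) password from abroad.
    attempts.append(LoginAttempt(700, "alice", "198.51.100.7", "kit-1", "RO", True))
    return [scorer.evaluate(a) for a in attempts]


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

Two design points matter for the fraud-versus-friction trade-off. A new device by itself earns a step-up, not a block, so a legitimate user who just switched phones answers one extra challenge instead of hitting a lock-out; the device is trusted only after `confirm_step_up`, so an attacker who fails the challenge gains nothing. And the stuffing signals are keyed to the source address, so the attacker's failures against other accounts count against the attempt on alice even though her password was correct.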
Embrace mobility’s future in new and impactful ways
Those of us in security understandably tend to lead with the risk factors and “what if” abuse scenarios of every new technology. After all, studying cybercrime’s evolution from the early days through the Web and mobile eras can feel like watching the same horror-movie script rebooted over and over. However, the mobile arena is unique terrain for defenders and criminals alike, because as devices’ computing power and software advance, that capacity, coupled with what these devices know about our patterns of life, can finally help turn the tables on cybercrime without creating a new privacy dystopia.
For example, as 5G connectivity takes off, there will be faster and larger real-time data analysis in users’ hands, meaning fintech apps will have powerful new opportunities to study what is happening on a phone or tablet in the context of a user’s behavior, patterns and activity across one or more devices associated with a unique profile. We are used to this kind of analysis stoking reasonable privacy worries when social media platforms or connected vehicles study when and where we travel, but financial platforms have the business model of being able to focus on the availability and safety of our money, period. When a fintech or similar platform gains a new way to analyze user behavior to defeat fraud, that becomes a strong amenity for the service in a crowded market, and it should be stated transparently for users’ awareness and consideration. The best way for fintech to safeguard its future is to keep an eye on the circumstances driving its adoption, break with outdated security traditions that do not align with its trajectory, and take a refreshing tone of openness and disclosure about data gathering and security in a mobile-driven future. Taking away the right lessons will put commerce, trust and the digital economy on an even more resilient and trusted foundation.