The banking and payments sectors need to do more to counter the various new strategies employed by cybercriminals, argues David Jones, global head of payments and banking at Irdeto. Not only are attitudes towards security lax, some of the industry’s current strategies may even be aiding hackers.

Payments on mobile devices, tablets and PCs are an everyday occurrence. Consumers do not think twice about making payments or conducting their banking activities online at any time, from any location.

According to the annual Payments UK report, last year the average adult made 648 payments – that is 54 payments a month. In addition, UK consumers spent £114bn ($138bn) online in 2015, and this trend shows no signs of slowing down.

With the rising number of digital payments, it is no surprise that the web applications consumers use to make these payments are a constant target of cybercriminals.

According to the latest Verizon Data Breach Investigation Report (DBIR), in 2015 40% of all data breaches were the result of web app attacks.

Each year billions are spent on trying to secure online banking and payments; however, cybercrime is still as frequent as ever. What is worse, banks and payment service providers (PSPs) may inadvertently be aiding hackers by overlooking these three common threats:

  • Web browsers are inherently insecure. The browser is a general-purpose client running on a device the bank does not control: a vulnerability in the browser itself, a malicious extension or malware already on the endpoint can read and alter what the web app sends and receives (a man-in-the-browser attack), so nothing the server receives from it can be trusted on its own;
  • Web APIs are not only a conduit for consumers to access devices and online services, they are an entry point for cybercriminals. API vulnerabilities are often the result of lax development practices and the increasing use of insecure, cloud-based tools and services. Attackers use automated scanners to find exposed API endpoints, then, through parameter tampering, spoofing or man-in-the-middle attacks, steal the app’s API keys and gain access to data and company assets; and
  • Insecure app development is still common, resulting in easy-to-avoid security vulnerabilities in most organisations. A laissez-faire attitude toward security seems pervasive in the development community, with fewer than 10% of organisations ensuring that all critical apps are security reviewed. There is a subset of developers trained specifically in how to develop secure apps, but becoming one of them is not a priority for the vast majority of developers.
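As an added example (not code from the article or from Irdeto), the parameter-tampering and lax-development points above in a JavaScript transfer handler: a version that trusts the account identifier and amount in the request body, beside a hardened version that takes identity from the server-side session, checks ownership of the source account and validates the amount. Account names, balances and session identifiers are constructed sample data, and `req` is a minimal stand-in for a framework request object.

```javascript
// Constructed sample data, not real accounts or sessions.
function makeBank() {
  return {
    accounts: new Map([
      ["acc-1001", { owner: "alice", balance: 500 }],
      ["acc-2002", { owner: "bob", balance: 120 }],
    ]),
    sessions: new Map([
      ["sess-alice", "alice"],
      ["sess-bob", "bob"],
    ]),
  };
}

// Vulnerable handler: the account to debit and the amount come straight from
// the request body. Nothing ties the debited account to the caller, and the
// amount is never validated, so a negative amount silently reverses the transfer.
function transferVulnerable(bank, req) {
  const { from, to, amount } = req.body;
  const src = bank.accounts.get(from);
  const dst = bank.accounts.get(to);
  if (!src || !dst || src.balance < amount) return { ok: false, error: "rejected" };
  src.balance -= amount;
  dst.balance += amount;
  return { ok: true };
}

// Hardened handler: the caller's identity comes from the server-side session,
// ownership of the source account is checked against it, and the amount must be
// a positive integer in minor units, which rules out negative, fractional,
// string and NaN values in one check.
function transferHardened(bank, req) {
  const user = bank.sessions.get(req.cookies && req.cookies.session);
  if (!user) return { ok: false, error: "unauthenticated" };
  const { from, to, amount } = req.body;
  if (!Number.isInteger(amount) || amount <= 0) return { ok: false, error: "bad amount" };
  const src = bank.accounts.get(from);
  const dst = bank.accounts.get(to);
  if (!src || !dst || from === to) return { ok: false, error: "unknown account" };
  if (src.owner !== user) return { ok: false, error: "forbidden" }; // tampered "from"
  if (src.balance < amount) return { ok: false, error: "insufficient funds" };
  src.balance -= amount;
  dst.balance += amount;
  return { ok: true };
}

// Two tampered requests, both sent by bob (constructed): one debits alice's
// account, the other uses a negative amount that would pull money from alice.
const stealFromAlice = {
  cookies: { session: "sess-bob" },
  body: { from: "acc-1001", to: "acc-2002", amount: 400 },
};
const negativeAmount = {
  cookies: { session: "sess-bob" },
  body: { from: "acc-2002", to: "acc-1001", amount: -300 },
};

for (const [name, handler] of [["vulnerable", transferVulnerable], ["hardened", transferHardened]]) {
  for (const [label, req] of [["steal from alice", stealFromAlice], ["negative amount", negativeAmount]]) {
    const bank = makeBank();
    const result = handler(bank, req);
    console.log(name, label, result,
      "alice:", bank.accounts.get("acc-1001").balance,
      "bob:", bank.accounts.get("acc-2002").balance);
  }
}
```

The vulnerable handler does have a check, `src.balance < amount`, and that is exactly why it passes review: the check looks like a funds check but it is the only thing standing between the caller and any account in the map, and a negative amount walks straight past it. The hardened version does not trust a single body field to decide who is paying or how much.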

Simply put, organisations that do not safeguard themselves are easy targets. So what should banks and PSPs do to ensure customers are protected from cyberattacks?

Change the security mindset to mobile
For years, the security pitfalls that many banking and e-commerce applications face have been accepted as the cost of doing business on the internet. This is partly because there is a common mindset among security professionals that throwing hardware at a security problem is the best solution. But this mindset is not only behind the times, it is bad for business and for customers.

With mobile devices being used by consumers to shop and bank online, it has become an open and highly distributed world of e-commerce. Threats can originate from locations far removed from the data centre. Sensitive financial information is exposed to insecure environments located anywhere a consumer can take their tablet, smartphone or PC.

Unfortunately, a hardware solution is simply not feasible in today’s mobile world: the bank cannot put its own hardware on every consumer device. Good software security, however, can be as secure in practice as a hardware solution, and more cost-effective, provided it is designed for a hostile endpoint rather than for a trusted one. By shifting the organisation’s security mindset to mobile, banks and PSPs are able to respond and protect.

Think like a hacker
Hackers can exploit a weakness anywhere in a system, from the OS to a USB port. No matter how a hacker gets inside, applications are exposed. Now imagine a scenario in which applications and their APIs are fail-safe: they keep protecting their assets even when the environment around them has already been compromised.

In that scenario, banks and PSPs are defended against the many different ways that hackers gain access to their infrastructure, and their apps are hardened against the hostility of the environment they run in. They are also far less exposed to vulnerabilities created by insecure browsers, devices or poor development practices. A fail-safe app ensures that even if a hacker finds a way in, they still cannot steal the assets the app protects.

Get up to speed on whitebox cryptography
Today, cryptography protects virtually all electronic communication: from sending texts to making payments. But the standard cryptographic model assumes that the communication endpoints, the user’s or merchant’s devices, are trustworthy: the attacker sees only the messages exchanged, never the keys or the code that uses them. In other words, the devices are assumed to be used in a safe, attacker-free environment. For e-commerce this is a totally unrealistic assumption.

E-commerce is most often conducted in a ‘whitebox’ environment, which means the endpoints are presumed to be insecure: the attacker can inspect the running code, read its memory and step through it in a debugger. Cryptography designed for this environment is called whitebox cryptography. Its aim is to keep the key hidden even from such an attacker, and in its most effective implementations the endpoint devices are presumed to have been compromised already.

To achieve this level of protection, cryptography needs to be supported by technologies whose purpose is to ensure the authenticity of the JavaScript that is requesting communication: integrity checks that detect whether the code has been modified, and keys that are only usable from the unmodified code. If the requesting code is authentic, the communication can be secure.

This approach protects web apps against data tampering, reverse engineering and man-in-the-middle attacks. The caveat a practitioner should keep in mind is that no software running on a compromised endpoint can be made unbreakable: whitebox techniques raise the cost and time of extracting a key, so they should be paired with the ability to rotate keys and update the protected code when an implementation is eventually broken.

The payments and banking sector must look at ways to innovate services to keep pace with consumer demand while also addressing new strategies employed by cybercriminals.

While cash was still the most popular payment method in 2015, it is predicted that by 2025 cash will have fallen to 27% of all payments. With this in mind, organisations must take the actions needed to protect their web apps.

By employing cybersecurity strategies, organisations are able to avoid commonly overlooked threats, allowing them to keep up with new banking trends to offer a safe and innovative customer experience.