The Challenges & Solutions to Securing Digital Payments

Paper Check writing, wire transfers, and automated clearing house payment process continue to be sunsetted in favor of the global expansion and accessibility to the digital asset currencies backed by fintech ledger technology architectures.

In need of a global digital transformation strategy, the idea of banking, payments, and front-end and back-end processing has been replaced with the need for equal access to credit, funds, and accessibility of digital payment services for all citizens across borders.

 Next-Generation Security Supporting Internet Payments

Peer-to-peer payments continue to gain traction across several countries. 50% of point-of-sale transactions in China are completed with mobile apps, including WeChat and UnionPay. Cash utilization fell by 40% in the United States and 23% in Sweden.

A contributing factor to the growth in digital currencies, peer payments, and the mobile banking industry has been the COVID-19 pandemic. Virtually overnight, as many people across the globe went into isolation, working from home or relocating to less populated areas, the need to conduct commerce transitioned to online solutions. With the growth of eCommerce for medical supplies, home food deliveries, and access to fintech services, more people relied on online transaction systems' availability, accessibility, and resilience. Electronic payment services became even more of a necessity for people to receive and send mobile payments to from customers and partners. The online bank quickly replaced a trip to the bank branch. The transition was sudden and widespread; many companies did not have the requisite cybersecurity protocols in place to protect the reams of consumer data now being exchanged online.

In fact, only 40% of small businesses had an adequate cybersecurity policy after the outbreak of the public health crisis, according to the Cyber Readiness Institute. Many malicious actors concluded that this trend was a highly lucrative opportunity to exploit unprepared online companies and exfiltrate consumer data for financial gain, and that has caused the number of attacks to increase in recent years. Research from Accenture found that cyberattacks increased by 31% between 2020 and 2021.

Threats from Cyber Attacks and Fraud

With the rapid expansion of online financial, shopping, and meeting systems, the growth of cybersecurity attack vectors against these new attack surfaces impacted organizations, governments, and individuals.

Cybersecurity breaches grew between 2019 to 2022 in these areas:

• Identity theft - Assuming someone else’s identity to commit fraud.
• Data exfiltration - Theft of confidential internet information from an unauthorized user
• DDoS Attacks - Disruption of services by overwhelming application and network systems
• Integration (API) exploits - Exploiting interconnection applications through known and unknown vulnerabilities.
• AI data analytics manipulation - Manipulation of data sets ingresses into AI models with the attempt to corrupt machine learning outputs.
• Insider threats - Personal within the organization, steal information, disrupt systems, and open access to outside threats.

Phishing is historically one of the tried-and-true methods of data theft, but it continues to be an effective form of hacking in the digital economy. According to research from Proofpoint, 83% of organizations were subject to a phishing attack in 2021, a 26% increase from the previous year.

While many of these attack vectors existed before COVID-19, many hacker techniques expanded into attacking newer digital current assets and platforms. Payment service providers, including Vimeo, Zelle, PayPal, WeChat, UnionPay, LINE, and others, all began to enable strong customer authentication capabilities to meet regulatory and privacy mandates to help reduce consumer risks.

The Challenge of Increasing Attacks Against Fintech’ and Digital Currency 

With the creation of digital currency offerings, several current and next-generation technology capabilities are needed to enable this fintech offering. Cloud computing, blockchain, multi-factor authentication, anti-phish, anti-malware protection, and secure biometrics are all associated with a fintech platform for bitcoin, stablecoins, medical record protection, and financial transactions.

Blockchain's architecture relies solely on a decentralized and distributed ledger system to ensure optimal security, confidentially, and data reliability. While many organizations are still considering blockchain as a digital transformation, this next-generation platform is the backbone behind Web 3.0, including artificial intelligence, edge security, and autonomous machine-to-machine functionality. Considered primarily secure, blockchain and fintech systems still are vulnerable to cyberattacks.

Digital currency wallets, peer applications, and online transaction systems all remain vulnerable to several attack vectors, including:

• Malware and Ransomware - Attacks spread literary within the victim's networks and systems.
• Email Phishing Attacks - The most common attack vector in the world. They are designed to trick the email receipt into performing specific actions to assist the hackers with their attacks.
• Digital current manipulation - Financial terrorism, hostile national exploitation, and corporate espionage are impacted or contribute to global currency manipulation.
• Attacks against the cloud computing infrastructure - As more organizations move towards digital transformation and fintech systems, cloud computing infrastructures continue to target hackers and cybercriminals.

 

Cybersecurity Breaches Impacting Digital Payments

As more fintech organizations roll out their global payment capabilities, including new service offerings, cross-border payments, and ease-of-use wages payment systems for employers, security requirements, meeting security regulations, and privacy protection are top-of-mind.

Many countries considering fintech digital payments and currency have many challenges in supporting these offerings. Fintech relies on stable mobile internet service and infrastructure to deliver reliable connections between the payee and payer. The dependency on the internet in many developing countries, including the ability to protect the fintech platforms and users from cybersecurity breaches, is a concern for many.

Hackers, leveraging a security-vulnerable fintech platform hosted in a developing nation, could use this platform to launch attacks into other countries through the various integration connections, API, along with mutual access to the central bank digital currencies (CBDC systems).

Impersonation and Fraud Within Digital Currency and Payments

Like legacy banking payment and financial systems, hackers use various methods to access people's bank accounts, healthcare records, and personal emails.

A global survey of financial institutions in 2021 revealed that account takeovers had become a favorite source of attack by cybercriminals, with the number of attempted takeovers rising 282% between 2019 and 2020.

These methods include:

• Business email compromise - Email phishing attacks attempt to impersonate an individual or organization to trick the user into paying an invoice or transferring funds.
• Email Phishing attacks- Well-crafted emails trick the victim into disclosing their passwords or opening access to corporate data.
• Mobile device attacks - With the greater adoption of digital wallets, mobile fintech apps, and personal data on a mobile device, hackers continuously look for exploits to steal information from unsuspecting users.
• Impersonation Attacks - A hacker impersonates someone to attempt to intimidate a victim into performing specific acts, including disclosure of their password or username.
• Account Takeover - Using email phishing attacks, hackers will send malicious links to victims enticing them to click the link to change their password or download an attachment loaded with malware.

These attack vectors are a concern even in a blockchain fintech architecture. While layers of blockchain are designed to be more secure than traditional client-server three-tier security architectures, no system is without some flaws, especially with human interaction still part of the daily operation. With the inception of web 3.0 incorporates intelligent agents and leveraging of autonomous machine executions, hackers still find exploitable elements to breach.

Safe Guarding Fintech Systems

Organizations with an immature security operations team, process, and response capability continue to be hampered by data security breaches, identity theft, and loss of digital currency.

With cybersecurity at the forefront of blockchain deployments, organizations should still consider the following protection and prevention strategies:

• Penetration testing - Increase the frequency of pen testing leveraging engagement methods including black box, gray box, and white box throughout the secured software development lifecycle.
• Red Team/Blue Team - Organizations, as a required practice, should engage external red teams for comprehensive testing across all elements of the fintech support system, platform, cloud, and personal.
• Investing in talent to support the fintech blockchain deployment is necessary to reduce cybersecurity attack implications.
• Several organizations continue to partner with global IT firms to help with the architecture, deployment, and optimize their blockchain platforms, partially due to the lack of available talent to help address cybersecurity concerns.

Global Compliance and Privacy Mandates

Fintech platforms must meet several global and national compliance and privacy regulations, including GDPR, PCI-DSS, and PSD2. Compliance mandates requiring several payment control systems, including:

• Data-at-risk encryption
• Data-in-transit encryption
• Strong single-factor and multifactor authentication
• Device-level secure biometrics
• Containerization of mobile applications
• SMS-based OTP authentication

<h3> Aligning to PSD2 Standards

Payment Services Directive 2 (PSD2) was an initiative of the European Commission designed to improve the functioning of the Single Market for payments within the European Union. It aimed to achieve greater interoperability between electronic payment network methods and services and to provide consumers with better protection against fraud and abuse.

Wider Acceptance of Blockchain in Web 3.0 and Fintech

The backbone of fintech platforms is the incorporation of blockchain architecture. Blockchain architecture provides a solid security foundation for fintech to help reduce cybersecurity risk. Fintech, however, is also mandated by a financial operation to comply with several other laws and mandates, including:

• Fintech companies are required to comply with anti-money laundering (AML) regulations. These need financial institutions to take measures to prevent and detect money laundering.
• AML laws and programs for fintech regulation should include customer identification and screening, transaction monitoring, and reporting of suspicious activity.
• Financial terrorism - Fintech's ability to offer financial services to simplify cross-border financial transactions and provide a faster means for clearing transactions compared to SWIFT and ACH, exposes the risk of economic terrorism. Access to move currency faster, with less regulatory oversight and deposit insurance requirements, while delivering instant access to funds, is a risk to many banks and government currency systems.

The Role of MSSPs in Securing the Fintech Industry and Digital Payments

Organizations developing blockchain solutions for fintech and other vertical markets will struggle to find talent with expertise and experience. Blockchain is still a relatively new technology with a limited field of candidates with working experience.

Many organizations are leveraging managed security services providers to help with monitoring, incident response, and compliance legislation which mandates log monitoring and reporting for the various privacy requirements. MSSPs have an essential role in ensuring the fintech blockchain is deployed correctly and will maintain security operations, patching, and remediation of systems.

MSSP’s can also provide organizations guidance concerning compliance mandates like the Payment Card Industry Data Security Standard (PCI DSS.) PCI DSS provides companies with a detailed set of guidelines they can use to enhance the protection of consumer credit card data. There are 12 components required to be PCI DSS compliant, including using secure firewalls, encrypting cardholder data, updating software on a routine basis, and restricting access to systems and devices.

While PCI DSS compliance could add a layer of security to digital payment systems, it also signals to consumers that companies take the privacy and security of their data seriously, which could help to create stronger customer relationships.

Conclusion

Developing a globally accepted digital payment, currency, and cybersecurity standard may be years away. Many developing nations are recovering from COVID-19 and struggle with the cost and lack of expertise to develop and offer digital fintech services to their customers. That said, many organizations continue to expand the acceptance of digital currencies, including stablecoins and bitcoin. Central government banking systems, including the United States, also are preparing their payment systems to adopt a centralized bank digital currency alignment. The US, in 2023, will launch the FedNOW Service to expedite faster access to funds and payment processing for all citizens. The goal of FedNOW is to help people access available funds 24 hours a day. No longer will fund availability fall into traditional banking hours.

Cyber security has a critical role in the future of digital payments and currency. Blockchain implementations will help address cyber concerns. However, the complexity and risk of fintech should be addressed by cyber security best practices and resilience strategies which we discussed in this post and embraced in other industries.