Picture this scenario: customers are unable to log in to a company’s service using their smartphone app, and the company’s website has stopped working. It’s a common scenario, and it is usually caused by cybercriminals or hackers swamping a company’s computer systems with vast amounts of traffic from all over the internet. It is what is known as a distributed denial of service (DDoS) attack.
A DDoS attack is one of the biggest threats faced by fintech companies, according to Andrew Martin, CEO of London-based security consultancy DynaRisk. The very nature of their business makes financial institutions an obvious target for hackers; attacks are relatively easy to launch and smaller companies’ systems can be overwhelmed by them.
DDoS attacks can be launched for a number of reasons: to extract a ransom in return for stopping the attack so that the victim can resume business, as a diversion to tie up security staff while hackers carry out a separate attack, or as an exercise to hone hacking skills or simply to earn bragging rights for mischief-making in the hacking community.
The good news for smaller companies is that, unlike their larger rivals, they are unhampered by cumbersome legacy systems. Agility, innovation and collaboration are key to combating cyber crime, and small firms can harness the power of cloud-based DDoS protection services. Dmitry Tokarev, Dolfin’s Chief Technology Officer, says these external services have huge network capacity so they can filter out large amounts of DDoS traffic without being overwhelmed. This allows legitimate traffic from customers to get through without interruption. “We actually use two such companies: one to provide DDoS protection, and one to intercept scanning activity,” he says.
“Scanning activity” refers to the practice, used by many hackers, of probing a company’s computer systems by sending traffic to its network in the hope of finding software with known vulnerabilities. These can then be exploited to gain access to the company’s computer systems.
Social engineering risks
Another way that criminals may try to gain access to computer systems is through the use of “social engineering” techniques, says Martin. This often involves emailing or calling staff and tricking them into believing that they are talking to a fellow employee. “Staff can be a company’s greatest asset, but also their greatest security weakness,” Martin explains. “If a hacker can get into a company’s email system, he can send an email to an employee saying that he has forgotten his password to a key computer system, and then get into the payment system and transfer a large sum overseas.”
Social engineering poses a major security threat, but it is also a threat that affects larger organisations far more than smaller fintech companies. That’s because smaller firms have fewer staff members, who are likely to know one another well. But companies of all sizes use training and strict processes (such as requiring a call-back to confirm email requests) to prevent it.
Criminals also target fintech companies’ customers to try to access their accounts, and then to carry out unauthorised transactions such as transferring money out. The simplest way to do that may be to grab a customer’s phone and then demand that they reveal the password or PIN needed to log in to a financial services app.
To protect their customers from this type of attack, many companies, including Dolfin, use “panic password” technology. This allows a customer under duress to enter a special PIN code or password when they access the app, which then automatically notifies the company’s security team and law enforcement officers that someone is being coerced.
But what’s really clever about this type of system is what happens next. “The app appears to continue to work normally, socially engineering the attacker by emulating the process of transferring money from the account,” explains Tokarev. The victim can therefore look like they are cooperating while raising the alarm.
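As an added illustration of the mechanism described above (this is example code, not Dolfin’s system; the PBKDF2 parameters, the in-memory alert list and the session layout are assumptions), a server-side login check that accepts either the real PIN or a panic PIN, raises a silent alert on the latter, and then emulates rather than executes any transfer in that session:

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed example: both the real PIN and the panic PIN are stored only as
# salted PBKDF2 hashes. Both hashes are always compared, in constant time, so
# the check leaks nothing about which one (if either) was entered.
ITERATIONS = 100_000  # assumed work factor for this illustration


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


class Account:
    def __init__(self, pin: str, panic_pin: str, balance: int):
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt)
        self.panic_hash = hash_pin(panic_pin, self.salt)
        self.balance = balance
        self.alerts = []  # stands in for notifying the security team


def login(acct: Account, entered: str) -> Optional[dict]:
    """Return a server-side session record, or None if the PIN is wrong."""
    h = hash_pin(entered, acct.salt)
    real = hmac.compare_digest(h, acct.pin_hash)
    panic = hmac.compare_digest(h, acct.panic_hash)
    if not (real or panic):
        return None
    if panic:
        # Silent alert: nothing in the client response differs from a real login.
        acct.alerts.append({"event": "duress_login"})
    # The "decoy" flag stays in the server-side session, never in the client token.
    return {"token": secrets.token_hex(8), "decoy": panic}


def transfer(acct: Account, session: dict, amount: int) -> dict:
    """Execute a transfer, or emulate one if the session was opened under duress."""
    if session["decoy"]:
        # Same response shape as a real transfer; the balance is never touched.
        acct.alerts.append({"event": "duress_transfer_attempt", "amount": amount})
        return {"status": "ok", "reference": secrets.token_hex(4)}
    if amount > acct.balance:
        return {"status": "insufficient_funds"}
    acct.balance -= amount
    return {"status": "ok", "reference": secrets.token_hex(4)}
```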
Another way in which fintech companies can protect their customers is through the use of two-factor authentication. Many large financial institutions require some extra information in addition to a password to log on to a service, often a one-time password or PIN that is sent to the customer’s phone via a text message or generated by an app on their smartphone. Other companies offer dedicated security tokens that generate a short code on a built-in screen.
Two-factor authentication provides better security than a password alone because even if a hacker can guess a user’s password, they can’t use it unless they have the smartphone or security token as well. And this type of technology is relatively low cost, making it perfectly feasible for smaller fintech companies to implement.
Ultimately the threat from cyber criminals and hackers will never go away. But through the use of increasingly sophisticated security technologies, companies of all sizes are able to manage this threat to protect their customers and their data.