A brief guide to fintech security

In 2019, the global stock market grew by $17 trillion, and despite world markets being battered — to put it mildly — by the pandemic, interest in investment has not gone away. Since the beginning of 2020, the number of trading app users has only risen.

On the downside, the assets and personal data of e-traders are attractive prey for cybercriminals, and in the event of an incident, it is trading platform operators that have to deal with the consequences. In this post, we talk about the main threats companies face and how to defeat them.

App vulnerabilities

Like any software, trading platforms have vulnerabilities. In 2018, cybersecurity expert Alejandro Hernandez found holes in 79 such apps, including failure to encrypt stored or transmitted data (so anyone could read or change it) and failure to log users out after a period of inactivity. Design-level flaws included permitting weak passwords.

A year later, analysts at ImmuniWeb carried out similar research and reached an equally negative conclusion: out of the 100 fintech products they tested, all were vulnerable to some extent. Issues were found in both Web and mobile apps, with many bugs inherited from third-party components and tools used by the programmers. For some of the vulnerabilities, patches had long existed but hadn’t been applied. One such patch was released back in 2012, but the authors of the fintech app never got around to installing it.

As sure as night follows day, if a product has security issues, they will make themselves known, potentially harming companies’ reputations and scaring away customers. And if, as a result of a bug in an app, users suffer a data leak or financial loss, the developer could face a big fine or be forced to pay damages.

Sometimes, a platform’s creator is the only victim. For example, the authors of the Robinhood trading app failed to spot a bug that allowed premium users to borrow unlimited funds from the platform to trade securities — and one user borrowed a million dollars against a deposit of just $4,000. Traders dubbed it the “infinite money cheat code.”

To avoid losses associated with bugs and vulnerabilities, trading platform coders need to consider security in the development stage, thinking in advance about such things as automatic user logout, encryption, and a ban on weak passwords. They should also regularly review the code for errors and fix them promptly.
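Two of the controls named above, automatic logout after inactivity and a ban on weak passwords, are small enough to show in working code. The following is an added example written for this guide, not code from the original post or from any of the platforms it mentions; the 15-minute idle window, the 12-character minimum and the tiny denylist are assumed policy values, and the denylist entries are constructed samples.

```python
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy values for this example (not from the original post).
IDLE_TIMEOUT_SECONDS = 15 * 60   # log the user out after 15 minutes without activity
MIN_PASSWORD_LENGTH = 12
# Constructed sample denylist; a real deployment would check against a
# breached-password corpus rather than a handful of literals.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "trader2020", "letmein"}


@dataclass
class Session:
    user_id: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    last_activity: float = field(default_factory=time.monotonic)


class SessionStore:
    """In-memory session table that enforces an inactivity timeout."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested deterministically

    def login(self, user_id):
        session = Session(user_id=user_id, last_activity=self._clock())
        self._sessions[session.token] = session
        return session.token

    def get(self, token):
        """Return the user for a live session and refresh its activity timestamp.

        An expired session is deleted server-side and None is returned, so a
        stale token cannot be reused once the idle window has passed.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_activity > self._idle_timeout:
            del self._sessions[token]
            return None
        session.last_activity = now
        return session.user_id

    def logout(self, token):
        self._sessions.pop(token, None)


def password_problems(password):
    """Return the reasons a candidate password is rejected; empty means accepted."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    store = SessionStore()
    token = store.login("demo-user")
    print("live session for:", store.get(token))
    for candidate in ("trader2020", "Tr@ding-Desk-2024!"):
        print(candidate, "->", password_problems(candidate) or "accepted")
```

The timeout is enforced on the server rather than in the client, so closing or tampering with the app cannot keep a session alive, and the expired entry is removed at the moment it is detected rather than left for a cleanup job. The password check returns every failing rule instead of the first one, which lets the signup form tell the user exactly what to fix.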

Supply-chain attacks

To save time and money, most companies not only write their own code, but also employ third-party developments, frameworks, and services. If a provider’s infrastructure is compromised, the companies that use it can also suffer.

That’s what happened to currency broker Pepperstone, for example. In August 2020, cybercriminals infected the computers of a company contractor, gaining access to its account in Pepperstone’s CRM system. Although the break-in was quickly neutralized, the attackers still managed to steal some client data. The broker says its financial and trading systems were not affected. All the same, recall that data leaks can be very costly for companies even if third-party code is to blame.

To avoid getting burned, always choose reliable, security-minded partners, and never rely on their protection mechanisms alone. Any company in the field of finance should adopt a stringent security policy of its own.

The human factor is often the cause of cyberincidents.