Whether driven by regulation or market competition, the financial services sector in several jurisdictions is progressing toward open banking, interconnectivity and a freer flow of data between customer accounts and third parties. As such, data security has simultaneously emerged as a renewed focal point for the financial services market, because the more data moves and the more actors touch it, the more exposure that information has to nefarious actors.
The data security risks linked to data sharing and bank-FinTech interconnectivity are complex and, in some ways, the full threat of the issue has yet to reveal itself. Sumit Agarwal, VP of product management and co-founder at cybersecurity firm Shape Security, said he sees several data security trends occurring simultaneously that have major impacts on the way the banking and broader financial services landscape will develop.
Prior to the kickoff of Open Banking, PSD2 and other such data-sharing trends, Agarwal told PYMNTS that he’s seen a shift in the strategy criminals use — moving from high-value, but less frequent theft gained from infiltrating bank accounts to lower-value, but far more frequent hauls.
“No matter how small the take is (it can be $10 per account), I, as a criminal, can make millions of dollars in ways that are non-dramatic, but very powerful,” Agarwal explained. “That’s the way the space has shifted: from dramatic, multi-thousand-dollar losses that happen at low frequency to a high frequency of very small losses that evade the traditional silos of security that everyone has installed.”
Cybercriminals are refining their tactics to gain access to millions of usernames, passwords and other credentials that he said spill out onto the internet every day. Technology allows them to take a systemic, automated, widespread approach to exploiting that information, and casting such a wide net for low-value steals enables fraudsters to remain undetected by security teams, even at some of the largest U.S. and multinational banks.
The “existential crisis” for the largest institutions, Agarwal added, is not when a significant amount of money is stolen all at once. It’s when 100 of their clients see simultaneous hacks that the real problem occurs.
This is where open banking initiatives come in to make the problem even more complex. With consumers now exercising their ownership and control of data, more information is being shared between banks and FinTech apps. Those third-party platforms gain permission to access user data, making it more difficult for security experts to ascertain whether an automated computer logging in to a bank account is one of those platforms with permission or if it’s a nefarious actor with malicious intent.
It’s not the only security concern that this data-sharing trend has created in financial services, however. According to Agarwal, attackers can also exploit these APIs to gain access to bank account data, even without logging in to an account directly.
“If I can’t attack the banks’ front doors, maybe I can pose as a small developer and find an alternative side door that still gets me through to the bank, one way or another,” he said.
In another scenario, one that Agarwal noted is likely to emerge as a rising threat as open banking initiatives continue to spread, industry consolidation and M&A activity is thwarting security experts’ ability to keep track of who has access to what data. In a highly competitive market, third-party personal finance companies and other FinTech firms may obtain half-a-million customers, yet still struggle to become viable. They’ll ultimately end up selling their technology, platforms and data to a buyer, who then takes control of that information.
This is the “new, pernicious trend” that Agarwal highlighted, adding that some acquirers become “a nefarious actor who really cared about buying the 10 million legitimate bank accounts and brand name of this small, emerging PFM [personal finance management] app. There’s an ever-growing pool of smaller PFMs, and the majority won’t make it. What happens? They sell their assets to somebody, and criminal gangs realize they can buy the users, the technology, the brandname of the PFM — all that legitimacy, for pennies on the dollar.”
While security experts may be waking up to this threat, Agarwal said the broader financial services market remains focused on promoting data sharing and consumers’ data ownership, and it’s likely to take a significant amount of time for this risk to be fully understood and addressed — both by regulators and industry players.
He emphasized that a collective, collaborative approach to bank security will be essential moving forward. One major, multinational bank may have near-endless resources to invest in security and mitigate losses from fraud, but it won’t make a meaningful impact on the fundamental changes occurring in how financial data is safeguarded, Agarwal said.
“No amount of expertise or technology or economic investment, when applied to one bank, is sufficient,” he stated. “The only solution that will work in light of the adversarial environment is a collective defense.”