FinTech + InfoSec = Good Combo? [Disruption possible?]
#1
Something that recently crossed my mind is the recent emergence of FinTech in 2016 and how InfoSec could possibly be a strong fit for startups (and existing companies that have soon-to-be-outdated tech) to implement within their company and/or software.


A quick overview of FinTech:
FinTech refers to new applications, processes, products or business models in the financial services industry. These solutions can be differentiated in at least five areas.
  1. First, the banking or insurance sector are distinguished as potential business sectors. Solutions for the insurance industry are often more specifically named "InsurTech".

  2. Second, the solution with regards to their supported business processes such as financial information, payments, investments, financing, advisory and cross-process support. An example is mobile payment solutions.

  3. Third, the targeted customer segment distinguishes between retail, private and corporate banking as well as life and non-life insurance. An example is telematics-based insurance that calculates the fees based on customer behavior in the area of non-life insurance.

  4. Fourth, the interaction form can either be business-to-business (B2B), business-to-consumer (B2C) or consumer-to-consumer (C2C). An example is social trading solutions for C2C.

  5. Fifth, the solutions vary with regard to their market position. Some, for example, provide complementary services such as personal finance management systems, others focus on competitive solutions such as e.g. peer-to-peer lending.

And here is a table from Wikipedia denoting the basis of the system/objectives:

[Image: 808881556a398091de71ea24484b213d.png]

The most important part to take from this is the 'Customer segment' and its 'Interaction form'. More so, Retail banking and B2C + C2C (I'd presume these types of transactions are going to be the most important and prone to be the most vulnerable as well).

Now I want to go over an important aspect of this sector (in fact, probably applies to all sectors), money/cash flow.

There has only been growth in terms of financing as shown in the graph below.

[Image: 55e4c05e7610625ad20b94212db346d4.png]

While the US is listed, it looks like UK and Ireland are reigning top, which is to be expected, considering Europe-regions usually come out on top in regard toward any Finance industry. However, as you can see, there is a lot of money going toward the development of this industry which is both good and bad. Ideally, we want to assume the best and hope that the money can be used to properly update current infrastructure toward better efficiency and usage. 

But I don't believe this to be the case.

See, you might be wondering why I also said that funding (in this case, seems to be excess funding) can also be bad. The reason for this is that I feel like there are just investors who are pouring money into an industry they feel will bring them the most returns. Being a big player in an emerging field can mean serious cash and bank statements, where FinTech is now the next new field.

Just look at the first quarter of this year:

[Image: e1fc306c0ff404858da06a8e6a18dc4b.png]


Insane, 4.9B in Q1 alone! Look at all this cash, and what shows for it? Perhaps someone can do a more in-depth analysis, but my hypothesis for now is that a lot of start-ups are currently being over-valued and there isn't proper responsibility/management for the cash.

I know it's a bold statement, but considering the adoption of leading tech in the finance sector and industry to usually be the slowest, I honestly wouldn't be surprised if the budget goes toward PR/Marketing to make shareholders happy rather than R&D and implementing new infrastructures.

So what I'm getting at is that if what I'm saying is true (over-valuation + inefficient use of resources), then this industry will be prime for attacks, and of course this is where InfoSec is going to have a major play in this.

Right now, over 50% of attacks have been targeted toward Financial services.

[Image: 959fb42feb52e13a87b6499d7f2d7383.png]

And an interesting point here, a group called DD4BC carried out attacks from 2014 to 2015:

[Image: ef9d73b4313ed0276277943c42961911.png]

And which industry did they target? You should automatically know the answer by now. 

Here is one of the messages they left (I'll admit, I love their ethos behind it):

[Image: 1579048242c9d52abddc38e7e456ba23.png]

Right now, most of their attacks have just been ransom at best, but what if someone was able to get a DB leak? What then? 

I think eventually, the message will get across that InfoSec in this sector is no joke, and if someone wants something, it won't be hard for them to get unless FinTech players proactively step up and acknowledge that these types of attacks can be detrimental and put more of an effort (well, cash) into creating security.

But for now, until there is an accepted universal system that is secure from most attacks (in the case of credit cards, even switching from Magstripe to EMV at POS isn't perfect), there will be a plethora of exploits just waiting to be found. And with so much money lying around, I can only assume ransom attacks will become a lot more apparent as this industry takes off.

What do you guys think?

Also, just a quick cliff:

[Image: 541e4be15b2b3d3bba022aca2a456c18.png]

For those of you that would rather be part of the innovation, looks like Python is reigning supreme in FinTech.
#2
Excellent analysis of the situation. To be honest, DD4BC is not kidding when they say a massive DDoS is hard to mitigate. There are patch-on solutions like load balancing, but in the financial sector every hour of downtime is a massive loss to the company. That being said, there are of course opportunities aplenty for InfoSec folks. Black, white and greyhats alike. Good to know Python is the name of the game as far as development in FinTech is concerned. I'll keep that in mind.
#3
(08-27-2016, 11:09 PM)Vector Wrote: ...in the financial sector every hour of downtime is a massive loss to the company...Good to know Python is the name of the game as far as development in FinTech is concerned.


I could easily see that if FinTech takes off, Python Devs will be a much more valuable asset to have. But as for the now, it's not going to be a question of if this industry will be exploited, but rather when will it be exploited and how will it be done? Apart from the ransom example I had posted, what other ways could infiltration occur?

It's going to be an interesting ride.
#4
(08-28-2016, 05:08 AM)cum Wrote:
(08-27-2016, 11:09 PM)Vector Wrote: ...in the financial sector every hour of downtime is a massive loss to the company...Good to know Python is the name of the game as far as development in FinTech is concerned.


I could easily see that if FinTech takes off, Python Devs will be a much more valuable asset to have. But as for the now, it's not going to be a question of if this industry will be exploited, but rather when will it be exploited and how will it be done? Apart from the ransom example I had posted, what other ways could infiltration occur?

It's going to be an interesting ride.

It's hard to say without having in-depth knowledge of the security model they work with. But what struck me was insider threat: if you sign up as a developer or a security architect, you will become intimately acquainted with the processes. If you have malicious intent, you could easily get good intel and ample opportunity to do something nefarious.

