Major cybersecurity challenges in the financial sector
The digital transformation of the financial sector in recent years, driven by the emergence of Fintech and Open Banking models (both from the banks themselves and from other financial actors such as Amazon and Google Pay), has demanded a greater effort from all these entities in the compliance and cybersecurity protection of their business assets.
Although the infrastructures of the financial sector, because of the nature of their business, have always been more exposed to attacks, these have increased as a result of the pandemic and the rise of transactions and payments made through web channels and mobile phones.
As a result, banking, with the aim of giving its customers confidence, has had to strengthen its security measures to better protect its payment systems and thus minimize the risk of fraud.
In turn, the process of digital transformation has led to the incorporation, in the infrastructures of the financial sector, of new disruptive and emerging technologies that have to coexist within the financial ecosystem, which must have efficient security mechanisms to ensure the confidence that customers expect and demand. These technologies include the following:
· Blockchain.
Blockchain cryptographic technology has consolidated over the past year and gained relevance in certain financial transactions, beyond its application in the creation and management of cryptocurrencies or digital currencies, including transactions related to digital signature and identity verification in contracts for insurance, loans, mortgages, international payments, etc.
Blockchain uses cryptography to encrypt transactions and relies on the digital signature, to which only the user has access through their private key, thus preventing alteration or fraud. All this provides transparency, traceability and agility, minimizing the bureaucracy of financial management procedures. In turn, the use of Smart Contracts on a decentralized network makes it possible to certify the reliability of all participants in the chain and the traceability of each event.
The incorporation of this technology into financial business processes is giving rise to what many experts call the new Internet.
· PSD2 European Directive.
Although its entry into force was initially scheduled for 14th September 2019, 2021 is the year in which compliance with the PSD2 European Directive has become mandatory. Its main aim is to protect payment transactions, both banking operations themselves and purchases made through e-commerce, thus avoiding fraud.
This regulation requires entities to implement two-factor authentication mechanisms for users when transacting through Methods of Payment. The Strengthened Customer Authentication (SCA) identification and validation model is based on something the customer has and something the customer knows (such as a mobile device and a password or PIN).
It should be noted that some financial institutions have already implemented, or are working on the implementation of, three-factor authentication (3FA), whose additional step is the biometric analysis of the user through technologies such as facial recognition or fingerprint scanning.
In contrast, there are still quite a few European financial institutions which, lacking the technology to perform two-factor authentication, continue to use SMS messages to comply with the PSD2 European regulation, bearing the high cost that this involves for any entity.
· Verification of customer identity through cryptographic methods.
More and more financial actors are making use of cryptographic methods such as the electronic ID managed by the governments of several European countries, or checks against the citizen databases of public bodies such as the INE in Mexico, which, as the public body managing the identity of Mexican citizens, has acted as a verifier of the identity of that country's citizens since 2016, as I pointed out in my blog post “Hardware Security Module (HSM) to verify identity y protect customer data”.
This form of identity authentication and validation aligns with the new European Payment Services Directive (PSD2), mentioned above.
· Payments Tokenization.
Faced with the proliferation of online payments and the additional steps introduced for better security, tokenization emerges as a way to add agility to payments on trusted sites: in everyday operations it is already possible to use a unique identification code or “token”, generated through cryptographic algorithms, instead of exposing the full PAN of our bank card each time we carry out a transaction. The security of the process is preserved because the token is personal and is only valid on the device and/or platform where the transaction is made.
In turn, with tokenization, financial institutions meet the requirements established by PCI DSS certification, with which both financial institutions and the retail sector are required to comply by the PCI Consortium.
It should also be noted that this trend will be of great importance in payments made between the different devices connected to the Internet of Things ecosystem.
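The device-bound tokenization described above, as an added example that is not part of the original post or of any real token service provider: a hypothetical in-process vault that keeps the full PAN, hands the merchant a random token bound to a device identifier, and refuses to resolve the same token from any other device. The `TokenVault` class, its method names and the constructed test card number are assumptions, not a real API.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Added example (not the post's own code): in-process vault with random tokens.
def luhn_valid(pan: str) -> bool:
    """Reject malformed PANs before they enter the vault (Luhn check digit)."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str        # full PAN lives only inside the vault
    device_id: str  # the token is valid only from this device/platform


class TokenVault:
    """Hypothetical token service: merchants keep tokens, never PANs."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, device_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        # Random token, not derived from the PAN, so it cannot be reversed
        # or reused on another platform even if the merchant's DB leaks.
        token = secrets.token_hex(16)
        self._records[token] = TokenRecord(pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str) -> Optional[str]:
        rec = self._records.get(token)
        if rec is None or not hmac.compare_digest(rec.device_id, device_id):
            return None  # unknown token, or presented from a different device
        return rec.pan

    def masked(self, token: str) -> Optional[str]:
        """Display form a merchant may show: last four digits only."""
        rec = self._records.get(token)
        return None if rec is None else "*" * (len(rec.pan) - 4) + rec.pan[-4:]
```

Because the merchant database only ever holds the token and the masked form, a leak of that database exposes no PAN, which is the PCI DSS scope reduction the section refers to.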
· Internet of Payments (IoP)
The ecosystem of smart devices connected to each other and communicating through the Internet of Things is already a growing reality, and therefore a field that also needs to be secured, especially when it comes to payments made through these devices, if we want to create reliable environments.
Such transactions are part of the digital transformation of payments, where cash becomes secondary.
Examples of these automated payments already in use are motorway tolling and license plate recognition in car parks. Likewise, with the proliferation of the Internet of Things, other payments, such as a refrigerator that detects what needs to be bought, orders it and pays from the device itself, are already feasible with the Internet of Payments.
In conclusion, in the face of all these new technological trends, the different financial actors must face the challenge of implementing robust, efficient and trustworthy cybersecurity solutions.
In this direction, most of the technologies mentioned above make use of cryptography (digital certificates, encryption or digital signature), a highly robust and reliable cybersecurity technology when it is based on cryptographic hardware (HSM) and has been certified by a reliable certification body, as is the case of the PCI Consortium (VISA, MASTERCARD) when we talk about cybersecurity compliance in the financial and payment fields.