The risks mobile payments present to financial services
By Jonathan Nguyen-Duy, vice president of strategic programs, Fortinet
It's no secret that the financial services industry is a top target for cybercriminals looking to steal valuable data. In fact, data shows that financial firms face daily attacks that attempt to bypass defenses protecting a growing number of attack vectors. Of this regular cadence of attacks, a staggering 36 percent result in data loss.
This growing risk comes at a time when financial services firms are turning their focus to innovating new technologies and features to meet evolving consumer demands. Providing regular updates and new online products is a necessary key differentiator in the competitive financial market. However, rolling out new features at such a fast pace also increases the attack surface and potential vulnerabilities.
The growth of mobile payments
Chief among these innovations is mobile payment capabilities. There are 4.9 billion unique mobile device users globally, and as mobile payments grow in popularity, financial services and fintech firms have to be increasingly wary of related cyber risks. Vulnerabilities lurking in payment applications, mobile phones and POS systems can become entryways into customer accounts and even broader financial networks.
Mobile payments have become popular among consumers, especially since the release of products such as Apple Pay and Google Wallet. Research shows that regular use of mobile payment solutions is growing in the U.S., up to 17 percent from six percent in 2014, while in many Asian and Latin American nations, this has become the primary form of payment. As a result, more than half of financial institutions (56 percent) claimed that developing digital wallets was their primary focus of innovation over the past three years in order to catch up on demands for mobile payments and online banking. Additionally, 42 percent of financial firms are also focused on creating innovative P2P solutions.
Cybersecurity risks of mobile payments
Data security has traditionally been one of the primary inhibitors of mobile payment adoption. Many consumers have been concerned with putting such sensitive information on devices that can be easily lost or stolen. However, in addition to risks to the physical device, there are a myriad of cyber risks that extend across the entire mobile payment process. Making a mobile payment involves a mobile device, a merchant, a POS system, financial institutions that process those payments for merchants, and organizations that issue these cards to the consumer. Inadequate security measures at any of these stages can put cardholder data at risk.
Should a cybercriminal gain access to a financial network through exploiting a vulnerability or using social engineering to compromise any of the stages in the payment process, the result is not only the loss of private personal data but also payment fraud as criminals circumvent fraud detection systems. Some of the attacks that banks and fintech firms should be most aware of when securing mobile payments are application layer attacks, DDoS attacks and botnet attacks, in addition to malware and advanced persistent threats. In fact, 14 percent of respondents to the Threat Landscape Report Q4 2017 reported the presence of mobile malware in their systems.
Enhanced security is especially necessary as consumers become more comfortable with mobile payments and increasingly rely on their banks for security. A recent survey of U.K. residents, for example, revealed that 37 percent of consumers trust their banks to secure their personal information when paying with a phone.
Adding security to mobile payments
As mobile payments grow in popularity, cybercriminals will aggressively target this process with increasingly sophisticated attacks. Criminals are already adding automation to attacks, such as smart botnets and polymorphic malware. To protect themselves and their customers from compromise, fintech companies and financial services firms must incorporate integrated and automated defenses and threat intelligence. New solutions are emerging to help financial service providers prevent and detect such attacks.
One tactic is to use machine learning to stop cybercrime.
An automated threat detection system, for instance, would use machine learning to analyze threats at machine speed. This ensures that as new threats are developed to target mobile payments, security defenses are aware of them and can work in real time to detect and mitigate them. Another recent entrant into the security armory is behavior analytics, which leverages machine learning to recognize regular user habits and behavior, such as common times of use and location.
Baselining these sorts of activities is integral to detecting anomalous behavior that may be indicative of malicious activity or a breach. We'll next see the marriage of artificial intelligence and machine learning with security fabrics that facilitate deep visibility and control at speed and scale. This is critical as security needs to operate at the same accelerated machine speed as financial transactions.
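The baselining idea described above, as an added example that is not from the article or from any vendor product: a per-user profile of usual payment hours and location, with new payments checked against it. It uses simple frequency and distance rules in place of a trained model; the event fields, sample history and thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed history: (user, hour_of_day, lat, lon) of past approved payments.
HISTORY = [
    ("alice", 8, 51.501, -0.120), ("alice", 9, 51.503, -0.118),
    ("alice", 12, 51.510, -0.105), ("alice", 13, 51.509, -0.107),
    ("alice", 18, 51.498, -0.125), ("alice", 19, 51.500, -0.122),
    ("carol", 22, 48.857, 2.352), ("carol", 23, 48.858, 2.350),
    ("carol", 23, 48.856, 2.351), ("carol", 22, 48.857, 2.349),
    ("carol", 23, 48.859, 2.353),
    ("bob", 10, 40.713, -74.006), ("bob", 11, 40.714, -74.005),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def build_baseline(events):
    """Per-user profile: histogram of payment hours plus usual location."""
    by_user = defaultdict(list)
    for user, hour, lat, lon in events:
        by_user[user].append((hour, lat, lon))
    profiles = {}
    for user, rows in by_user.items():
        # Plain averaging is adequate for clustered points (assumption).
        clat = sum(r[1] for r in rows) / len(rows)
        clon = sum(r[2] for r in rows) / len(rows)
        radius = max(haversine_km(clat, clon, r[1], r[2]) for r in rows)
        profiles[user] = {"n": len(rows), "hours": Counter(r[0] for r in rows),
                          "center": (clat, clon), "radius_km": radius}
    return profiles

def score_event(profiles, user, hour, lat, lon,
                min_history=5, hour_window=2, slack_km=25.0):
    """Return the reasons an event deviates from baseline; [] means normal."""
    p = profiles.get(user)
    if p is None or p["n"] < min_history:
        return ["insufficient_history"]  # cold start: no baseline to judge by
    reasons = []
    # Circular distance, so a 23:00 habit covers a 01:00 payment.
    if not any(min((h - hour) % 24, (hour - h) % 24) <= hour_window for h in p["hours"]):
        reasons.append("unusual_hour")
    if haversine_km(*p["center"], lat, lon) > p["radius_km"] + slack_km:
        reasons.append("unusual_location")
    return reasons
```

A non-empty result is a signal for step-up authentication or review, not proof of fraud; users travel and change habits, so the baseline needs to be refreshed as new approved payments arrive.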
Given the hyper-connected ecosystem of devices, applications and data in which financial services now exist, it is important that they also deploy and use interconnected security features and solutions, as point solutions will no longer be a sustainable approach to today's threats. This tactic provides and extends the power and functionality of an integrated security fabric. It incorporates scalable and adaptive security features that allow defenses to seamlessly stretch from endpoints, to the cloud, to applications – all of which play a key role in the mobile payments process. Each component of the security fabric communicates with other parts to stop attacks across hyper-connected, distributed environments.
Consumers are rapidly adopting mobile payments and are expecting banks and financial services firms to ensure their security when using these solutions. As a result, financial services organizations and fintech firms must increase their ability to leverage security features deployed across distributed environments to keep pace with modern, automated cyberattacks.