SIBOS: AI, DATA & SECURITY
Security: The end game
The digital age has seen banks drawn into an intense, brain-melting, 24/7 real-time strategy game against cyber criminals and the cyber curious. Harriet Rees, Head of Data Science, and Simon Waring, Chief Information Security Officer, at Starling Bank, discuss tactics.

As more and more of us trust our finances and transactions to digital technology, an ongoing war of attrition is taking place between the global banking industry and cyber crooks. It’s a 24/7 conflict with constantly changing battlefields and rules of engagement. Could the next raid on your personal data be initiated by your kettle or fridge freezer by virtue of their connection to the Internet of Things? Will biometric advances enable criminals to render redundant still-evolving security measures, like fingerprint recognition, as even your body parts become too vulnerable to counterfeiters to be considered secure authentication? And will any smartphone be safe from increasingly sophisticated malware?

This is the financial technology arms race that’s usually conducted behind closed doors. It’s one in which the boundaries between ‘good and evil’ are sometimes blurred for legitimate, tactical reasons. Take ‘bug bounties’. A small-but-growing number of financial institutions are now willing to crowdsource ‘curious’, as opposed to malicious, hackers (‘security researchers’, to give them their sanitised title) to test the defences of their systems. They are rewarded for disclosing any weakness they detect in what have become known as bug bounties.

Starling Bank runs a responsible disclosure programme, as Harriet Rees, Starling’s head of data science, explains. “The disclosure programme is essentially a break-the-bank programme where we invite people to try to break through the security systems. If they can, it allows us to then see where a potential vulnerability would have been.”

The scale of the problem the industry faces is hard to ignore. Between 2017 and 2018, £1.2 billion was stolen through digital scams and fraud in the UK alone. About a third of that (£393 million) was through personal details illegally obtained to make online payments, according to banking trade organisation UK Finance. Incidents of card-not-present (CNP) fraud grew by 49 per cent, while card ID theft leapt by 117 per cent.

So, the conundrum now faced by banks is how to retain customers’ confidence in the security of their digital systems, while continuing to make the user experience as fast and simple as possible. Getting that balance right is especially critical to newcomers like Starling, which in 2017 became the first digital challenger in the UK to offer an app-only current account with a full banking licence, using cloud-hosted technology that it developed in-house, hosted by Amazon Web Services with Google as back-up.

Key to Starling’s open banking business model is its Marketplace, which allows select third-party providers to link directly with its 820,000 customer accounts over the Starling application programming interface (API). In addition, Starling offers a number of external integrations over third-party APIs. Rees says protecting it from cyber attacks has been a key concern from day one, and is constantly evolving. For instance, in March this year, Starling started to roll out 3D Secure, a one-time password system for online payments by its customers, ahead of the imminent introduction of new EU anti-payment fraud regulations that make such systems compulsory.

“Fighting cyber fraud and cybercrime is important in every industry today, but we are a digital bank, so it’s our number one concern, and something that our customers feel confident that we are handling appropriately,” says Rees.

The bank benefits from a purpose-built, dedicated interface that securely identifies every third party accessing customer data; the credentials of each third party are unique to them, and the level of access they are granted is also unique to them, giving the bank maximum visibility. Starling would argue that, effectively, this makes it more secure than the methods used by some other banks.

Thinking the unthinkable

Organisations that have embraced open banking have accepted that a castle-and-moat approach is no longer enough and that the temptation to ‘do security by obscurity’ is not an option. Instead, Starling’s penetration testing (or pen testing, as it’s known) is a combination of sophisticated technology and psychology that combines the best human and artificially intelligent brains. And it is conducted both internally and using external specialists, who are parachuted into the most sensitive areas of the system to see what damage they can do in a controlled environment. “If we’re thinking like fraudsters and hackers, we have the right mindset, and can then try building the controls to prevent that happening before it happens for real,” says Simon Waring, Starling’s

TheFintechMagazine | Issue 13
www.fintech.finance