Malware protection and anti-fraud in the modern fintech paradigm


Trevor Reschke, Head of Threat Intelligence

The UK is leading the charge in attempting to revolutionize banking. In January this year, high-street banks were required to comply with new regulations around Open Banking – although only three of the nine banks were ready, and the rest have been given extensions of varying lengths. The legislation (in brief) means banks have had to develop open APIs to allow third parties to access bank systems, with the idea that they can then offer a wider range of services based on individual data. It’s opt-in, so bank account holders have to agree to share their data but, when they do, third parties will get access to all that person’s financial data. For now, the rules only apply to bank accounts but, over the next 18 months, will extend to credit cards, prepaid cards and ‘e-wallets’ like PayPal and Apple Pay.

It’s an ambitious project and one that could change the way UK consumers deal with banks and associated organizations. If you apply for a loan, the provider can quickly access your data to see if you can afford it. Want to manage your spending better? Give a budgeting app access to your account, and it can analyze your spending and give you tips. There are some clear benefits for all concerned and I wouldn’t be surprised if similar initiatives start spreading around the world.

But for all the good, there are undeniable risks. Financial data is obviously highly sensitive – but even more so when it’s coupled with other personal information like names and addresses. While there are tight security controls in place, experience tells us that sooner or later someone will ruin the fun for everyone. Equifax – and others – can no doubt speak to that.


New opportunities for bank fraud

One of the main risks is in the way some service providers get access to the data. While banks simply pass the information back and forth, there’s a host of fintech start-ups offering things like budgeting apps and aggregation services, for whom it works differently. For these, you’ll need to give your log-in details, including passwords, to the company. Most banks have updated their terms and conditions to allow for this, but there’s still a huge risk involved and, unless the service being used is regulated by the UK’s banking regulator, the Financial Conduct Authority (FCA), any fraud losses won’t be reimbursed if anything goes wrong.

Then there’s the issue of copycat or fake sites. There’s going to be a slew of new services that take advantage of Open Banking and some may not be all they seem. Hackers aren’t going to have to learn any new skills to mimic a legitimate website; they’ve been doing it for years and have caught many unsuspecting victims with imposter URLs. Again, just ask Equifax. Then there’s the opportunity for fraudsters to launch the latest money management tool, make it look legitimate, take the online banking details of thousands and simply run away with them.


We need to revolutionize data security and web security to match

Protecting consumers and banks through this evolution as it spreads from country to country must be a top priority. Much of this is going to be about education for consumers. They need data security training (again and again) teaching them not to give their login details to any service provider that hasn’t been approved by a regulating authority and to remain vigilant for any unexplained activity on their accounts. There’s also a risk that data can be used by criminals for other scams – if they get access to your data and see you have a Verizon account, they can use that information to extort money in different ways. That means that any strange communications from any business need to be dealt with carefully.

Banks and other service providers also need to play their part in data security. Clearly there will be reservations from a large number of consumers about handing over their details. It has, after all, been drummed into us repeatedly to never share banking login information with anyone. But there are benefits and, by carefully managing transaction security and the communication around it, banks and service providers can reassure users that they are safe.

Our technology is used by banks all over the world to protect the full transaction stack when conducting sensitive transactions online. We prevent malware from accessing and exfiltrating data, and from interfering with transactions at all. It works because it doesn’t require users to install anti-virus (or other endpoint protection software) and instead automatically wraps sites in an invisible layer of protection, effectively blinding any type of crimeware to the information. This approach can also be used across the broader financial services sector, and across mobile and web.

For Open Banking to succeed – and be adopted here in the US and other countries – data security and consumer confidence are paramount. With the tools in place to offer both, it’s likely the concept will completely change the way we think about our finances.