How technology-enabled generational shifts in banking behavior could play into attackers’ hands


Trevor Reschke, Head of Threat Intelligence

If there is one thing the tech world is good at, it's disruption. Over the last twenty years or so, as microprocessors have become smaller and more powerful and fast connections ubiquitous, technology has eaten away at the foundations of many traditional business models. Some have toppled, many others are fighting for survival and most, if not all, have been forced to adapt.


The financial services sector is by no means immune. Technological change is causing a generational shift in how people want to manage their money, which services they use and through which providers. The biggest gainers are set to be the tech firms, which are currently amassing on the border of the financial services industry.


McKinsey sums up where this trend is heading, citing research that 73% of U.S. millennials would be more excited by a financial services offering from Google, Square or PayPal than by one from their own bank. This points in a very clear direction: the customers of the future want to interact with their money in new, technology-enabled ways. In China, people are already racing towards this reality, able to message friends, invest money and carry out financial transactions through WeChat.


But does this utopian vision choose functionality over security? What are the bigger-picture implications of a shift from banks to tech companies, and how can the security industry help?


First, it will continue to accelerate the shift away from brick-and-mortar interactions with banks and onto a purely digital plane. The bottom line is that this creates more exposure to cyber-attacks. Anyone in the security industry knows how attackers think: a large-scale service that adds connectivity also grows its attack surface, and paints a target squarely on it. More points of connection simply provide more gaps for malware writers, social engineers, application hackers and other wrongdoers to force open, and if money is flowing across the platform, the incentive only increases. Yes, tech companies are good at delivering services that look nice and work, but are they up to the challenge of protecting them? Banks, among the best-capitalized organizations in the world, have been trying for many years with limited success.


More specifically, the arrival of blockchain and socially enabled banking and trading indicates a move towards decentralization of financial services. Whereas once a bank sat in the middle authorizing and controlling the flow and allocation of transferred assets, the current direction of travel for many disruptive start-ups cuts out the middleman. Social engineers are licking their chops at the prospect of taking money directly from the source, with no validating third party in the way to question the transfer. Attackers are already setting up scam initial coin offerings (ICOs) designed to part unwitting people from their cryptocurrency. As this trend continues, the security community, backed up by regulation, will need to step in and act.


The final big-picture trend that plays into this shift is the gradually reducing reliance on the device for such interactions. With services and interactions increasingly hosted in the cloud, laptops, mobiles, tablets, desktops and a whole plethora of emerging connected devices are relegated to the role of dumb enablement devices serving up financial services portals or apps. This creates an interesting conundrum for banks, which have typically tried to enforce protection of the endpoint through a combination of consumer education and software downloads offered through endpoint security partners. As more connected devices appear, more varied and therefore more vulnerable, this will drive a switch towards protecting individual user sessions. The devices themselves become too numerous, and too vulnerable, to secure.


Whether for traditional banks or for emerging tech companies offering financial services, the new model is to bypass the futile endeavor of fully securing every device and instead focus on protecting the full transaction stack behind every meaningful digital interaction.