In the previous post, we discussed cyber security risks associated with FinTech business models. I argued that one of the main business model-inspired FinTech cyber risks is directly related to the unique services provided by the sector and the way in which they are monetised - i.e., the FinTech secret sauce. In this post, I expand on the nature of the FinTech secret sauce and the main cybersecurity risk associated with it.
The Many Flavours of the FinTech Secret Sauce
The FinTech secret sauce refers to major innovations and business models associated with them, which are delivered to customers in effective, transformative and disruptive ways. The FinTech secret sauce is inherently dynamic and fast-moving, leveraging on the most recent data, business models and business model innovation in the banking/financial sector delivered through digital means. So, what are the main favours of the FinTech secret sauce, which have emerged in the last few years? Several notable examples include, but are not limited to:
Encrypted cryptocurrency trading - simplifying cryptocurrency trade operations (multiple providers around the globe)
Cross-border e-commerce and payment - facilitating international commerce and payments (e.g., M-Daq)
Global financial remittance service - catalysing global financial transfers and gift-giving (e.g., TransferMate)
Customer identity verification and fraud prevention - managing customer digital identities (e.g., Moqom)
Social community borrowing marketplace - facilitating peer-to-peer connected borrowing and lending (e.g., Flender.ie)
Cryptoservices from wallet to bank account - ensuring continuous crypto customer journey (e.g., TenX)
Supply chain cryptocurrency-enabled cycle - disrupting all parts of the supply chain with crypto (e.g. PundiX)
Inclusive finance - financial service-provision for underprivileged groups (e.g., M_Service through MoMo providing a range of services for the low-income family segment)
Smart audit -improving data-enabled audit (e.g., CheckVentory)
Handshake loan brokerage - providing a platform for lenders and borrowers to meet (e.g., Funding Societies matches SMEs with potential lenders)
Research and market intelligence services - providing research-based insights (e.g., Smartkarma provides analytics and intelligence for investment sector)
Evidence-based planning intelligence - facilitating planning through data science intelligence (e.g., Corlytics)
Non-traditional insights through innovative analytics - using out-of-the-box analytics to generate/improve customer value (e.g., Eagle Alpha)
What Is the Main Danger?
Even though all these innovations are quite distinct and use different business models, they have two things in-common - they all (i) rely on digital delivery means (e.g., online apps or tools) as well as (ii) are dynamic and require adaptive and fast-moving upgrading and updating. And this is where the main danger lies. Dynamic upgrading and updating means that FinTech systems are vulnerable to a wide variety of cyber threats as human psychology is not wired for dealing with change very well. Especially when we consider change in the digital technology. Consider the following: when you decide to upload an app, a digital tool or some software, do you consider risks and vulnerabilities associated with downloading this app or tool as well as giving it permissions to access your personal data? Obviously, there is a considerable individual heterogeneity in app/tool/software downloading behaviour. Yet, many people are if not cautious about making new downloads, then are at least considering pros and cons (benefits and costs) and do some research prior to installing the app on their devices. So, when you are downloading a new app or tool, you are, quite possibly exercising some caution and thinking about security and safety.
Now, how about software updates? Do you exercise the same caution when the app, tool or software needs to be updated? The problem is that most people tend to blindly trust all updates and fail to review app/tool/software permissions when updates are implemented. Furthermore, people often do not even read the updated Terms and Conditions, giving away ridiculously dangerous rights to completely unknown software. This makes FinTechs particularly vulnerable as the very nature of the FinTech secret sauce requires frequent and dynamic changes to be made continuously. And when one makes frequent changes, it is easy to miss important security considerations. An example of this (which does happen quite often) is when companies secure the app core content, but fail to secure advertisements, which, in turn, become easily hijacked by cybercriminals. Furthermore, it allows adversaries to masquerade as FinTechs as the dominant strategy for cybercriminals becomes to execute a 2-stage attack, where in the first stage they launch a benign-looking app and in the second - launch an update with malware.
FinTech secret sauce implies that quick and dynamic innovations are deployed by the FinTech companies frequently. Yet, software upgrades are not well-understood by the humans, who often rely on their initial judgement about the safety of the provided digital financial service and fail to consider multiple and frequent changes in the digital tools designed to deliver this service.