After a year away due to pandemic concerns, financial innovation conference Money 20/20 came roaring back last week in Las Vegas.
And, not surprisingly, cybersecurity featured prominently in the major trends highlighted at the industry conference, data management and cryptocurrency usage in particular, according to financial industry experts and conference attendees.
Kimberly Sutherland, vice president of fraud and identity strategy at LexisNexis Risk Solutions, who attended Money 20/20, found that IT security and data management are captivating the attention of FSIs. FSIs, she said, are recognizing that when it comes to securely managing information, “It’s all about safety and trust. The market has changed. Consumers are aware now more than ever of what’s being collected.”
At the same time, she said FSIs and their retail and business customers are becoming more aware of increasing security risks as sensitive financial information is more widely disseminated and shared.
“Data minimization is important. We should utilize passive data to derive details like device and location,” Sutherland added, underscoring the need to use less private, non-financial data points where possible for security. “Businesses who have entered into the new digital life brought on by COVID don’t always know what to do.”
Steve Lappenbusch, principal product manager at People Data Labs (PDL), concurred that at this year’s Money 20/20, “we saw the financial services industry diving deeper into data in order to prevent fraud, as well as amplify know-your-business [KYB] customer verification methods and target personalization.”
In the past, Lappenbusch said the conversation around authenticating customers and mitigating financial losses “has focused heavily on biometrics and document verification, as remedies for identity fraud. However, that assumes that there are no other sources of quality identity data.”
Similarly, the concepts surrounding authenticating business customers, from both a security and compliance standpoint, are beginning to change just as “the definition of a business entity is expanding rapidly” in this post-pandemic, remote working world, he added.
"That said, for the financial services industry there’s value in knowing business owners as professionals rather than just names in a registry," Lappenbusch continued.
It’s also little surprise, given the growing fixation with the rise and fall of cryptocurrencies and the recent and rapid skyrocketing interest in non-fungible tokens (NFTs), that cybersecurity concerns surrounding these payments and transactions are also captivating FSI executives. At least 32 incidents of hacks and fraud, amounting to just under $3 billion in losses, have already taken place so far this year, according to Benoit Grangé, chief technology evangelist at OneSpan.
Grangé, who also attended Money 20/20, said he believed this is just the tip of the iceberg, as he expected “the number of cryptocurrency hack incidents will break records in 2022.” Since crypto exchange platforms are developed “very rapidly from open source without taking security seriously... and since the platforms are unregulated and not secure there's no guarantee that customers get their money back after a hack,” he noted.
This can also make for some very sticky regulatory issues for U.S. FSIs that might want to support cryptocurrency platforms and transactions for their own customers. As with many forms of financial fraud, the most common types of so-called "crypto-hacking" utilize phishing and social engineering scams, according to Grangé.
While new security methods and products are likely to emerge to safeguard these systems and transactions, Grangé believed that traditional banks already enlist “technologies to protect customers against those attacks.” In the short term, he saw FSIs turning to push notifications instead of one-time passwords sent via text to prevent SIM swap attacks.
“Also, application-shielding can protect wallet applications from cloning and secret extraction,” he said. However, in the long run, “the only way to mitigate these attacks is to bring in more regulation and rules, like PSD2 and the requirement for strong customer authentication,” as well as continuing to provide more engaging customer and employee education.
“If fraudsters are creating networks to commit crimes, we need to create networks to fight them,” Sutherland concluded. “It takes a network to fight a network.”