
The rise of the banking ‘super app,’ and how it could drive threat modeling for crypto

Today’s columnist, Sam Bakken of OneSpan, says that PayPal is one of several U.S. companies looking to create a financial “super app” that can manage the vast majority of a consumer’s banking, insurance, and financing apps. (Photo by Justin Sullivan/Getty Images)

Two factors arguably impede cryptocurrency’s ability to nudge its way into the proverbial fold of traditional finance: it’s the preferred form of exchange in cyberattacks, creating an unfortunate association with criminals; and the security of its platforms remains relatively uncertain.

But demand among consumers for more widespread recognition (and acceptance) of cryptocurrency as a legitimate means of online transactions is driving a shift among more financial services companies — many of which now recognize the need for threat modeling specific to cryptocurrency-based systems, and for regulators to catch up.  

“If the pandemic taught us anything, it’s that we're in an inflection point for digital currency and digital experiences across the board,” said Assaf Keren, vice president of enterprise security at PayPal, during the SC Finance eConference. “People don't want to handle cash anymore. And I think that digital wallets, digital currencies and blockchain technology or blockchain-based currencies are the future.”

PayPal launched its “super app” in September, combining traditional offerings like payments, savings and bill pay, with emerging offerings, like buy-now-pay-later services and cryptocurrency. That came about a year after PayPal became the first company to receive a Bitlicense from the New York State Department of Financial Services to enable customers to buy, sell and hold certain cryptocurrencies. The service is offered in partnership with Paxos Trust Company, a New York State chartered trust company, which provides cryptocurrency trading and custodial services to PayPal for the benefit of PayPal customers.

To Keren, PayPal is transforming use cases for cryptocurrency to what was always intended: an easy way to pay for offerings online.

Bill Bowman, chief information security officer of Emburse, also expressed optimism for crypto’s potential during a subsequent panel at the conference, recalling a project where he was tasked to build out platforms for hedge fund security traders to be able to execute their trades.

“We were always being pushed to figure out how we can better innovate; what those pieces are that we need to be able to put in place for customers,” Bowman said. “Crypto is a fantastic example of good guys collaborating and good guys being able to try to figure out how we can utilize some of the aspects of a blockchain, to utilize this whole concept of trust principle, then take it into this next level of innovation for banking.”

But cryptocurrency and associated platforms are still new concepts that bring security considerations. Earlier this month, in fact, hackers stole $120 million in crypto from the BadgerDAO crypto network, a decentralized finance platform, only days before crypto trading platform BitMart confirmed that a security breach allowed hackers to withdraw nearly $200 million worth of cryptocurrency. The CEO of BitMart said the criminals stole a private key that opened two hot wallets.

“We assume blockchain is secure. I think that's been the premise,” said Grant Bourzikas, CISO of Silicon Valley Bank on the same panel. “But then you look at BitMart, with a $150 million loss. I think to that point, we need to really challenge and think about the threats.”

That’s particularly true for companies just now inching into the crypto space. Keren acknowledges that PayPal adding cryptocurrency to the company’s traditional arsenal of offerings with banks, peer-to-peer money transfer companies, or retailers requires different risk models and threat models to ensure a secure experience for consumers, merchants and partners. He expects such a framework to gain more widespread traction with time.

“That's going to be really interesting to see,” he said, predicting innovations that will impact the whole financial ecosystem. “I'm happy to be part of it.”

He also predicts that “regulators are going to swarm this environment really, really soon,” which will ultimately force a security framework to gain traction across the industry.  It’s a point emphasized as critical during the panel by Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ, and former chief strategy officer for cyber policy in the Office of the U.S. Secretary of Defense during the Obama administration.

“My hope is that regulations will evolve and mature,” he said. “The financial sector is adopting cryptocurrency. But it's at the edge of the bleeding edge of the regulatory process. So it'll be very interesting to see how regulation works over the next year.”

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She has 20 years of experience editing and reporting on technology, business and policy.
