How financial services need to strengthen their defences in a connected world

Thursday, 10 October 2019 01:52

 

  • On the Internet of Things

 

By Hiyal Biyagamage

The Internet of Things (IoT) is ushering in a new era for payments companies and manufacturers. Its rapid expansion offers an opportunity to facilitate payments beyond mobile phones, cards, and point-of-sale terminals, on a broad and diverse ecosystem of internet-connected devices.

During the second session of the 2019 Cyber Security Summit, experts from the cybersecurity industry discussed how the proliferation of internet-connected devices has made it easier for companies in the financial services industry to identify different habits and trends of consumers that will allow them to improve their services for customers individually and collectively. Furthermore, they spoke about how the increased agility of connected devices has brought a new set of challenges for IoT security. 

Into the ‘Industry Revolution 4.0’

Visa Head of Risk for India and South Asia Vipin Suralia said: “The financial service industry sits at a pivotal moment. Year after year, the financial service industry is being updated by the regulatory forces, disruptive technologies and evolving consumer habits. However, technology has become the top priority for all key stakeholders in the financial services industry. The growing crowd for the Cyber Security Summit shows that our interests are aligned in securing the financial services sector ecosystem for your consumers, government and corporations.” 

Taking the audience through the journey of the payment industry, Suralia explained what is happening in the IoT industry by looking at the larger landscape of how the financial ecosystem has changed over the years.

“Last year, almost 3.3 billion people had their information compromised. If you look at the global population, it looks like every second person had their information compromised. Not to be surprised, ‘1234’ continues to remain as the world’s most popular password. Static login credentials are one of the most common ways in which cybercriminals can breach cybersecurity defences. Two years back, it was estimated that the Asia Pacific region would face a potential economic loss of $ 1.75 trillion due to cyberattacks. With these numbers in sight, it is important to look at what happened around the payment industry and the economy surrounding it.” 



“At the outset of a fourth industrial revolution, we are witnessing a revolution in the way people make payments, in fact in the whole lifestyle of our consumers, which on a scale is close to a technological revolution. It is because customers now have powerful connected devices – mobile or smartphones, which provide constant 24/7 connectivity, the possibility to access any information instantly, any data, and any knowledge in the world through search systems. With the advent of connected devices, the payment industry is also moving to a fourth revolution – from currencies to tokenisation to emerging technologies like cloud computing, artificial intelligence, IoT and big data,” said Suralia.

The amount of data doubles every two years, and according to global research reports, it will reach 45,000 exabytes by 2020, which is hard to imagine. This data brings new, very strong capabilities to better understand the needs and behaviours of customers, and to offer solutions personalised to the needs of individual people. Artificial intelligence systems are proliferating, with machine learning capabilities growing fast and becoming available via open platforms to the majority of market participants. Big data plus artificial intelligence and deep learning capabilities are bringing new opportunities on a mass scale that organisations didn’t have before.

“On one side, more and more data is coming in as an input and on the output side, more data will be consumed. While there are numerous technology disruptions in the financial services industry, fraudsters are also not keeping quiet. Institutions and networks like Visa are securing billions of transactions every day, but the fraud rate is also evolving.”

According to Suralia, there are three trends of payments frauds. “The analogue stage of the payment revolution saw fraudsters trying to steal identities to open bank accounts. The second generation of payments frauds was criminals counterfeiting credit and debit cards to steal legitimate payment data.”

“Today, we are living in an era of mass breaches. They do three things; they have the ability to do things in scale, allow fraudsters to work and target more efficiently and finally, allow fraudsters to utilise numerous digital channels to unleash their attacks and monetise them. These attackers use military-grade cyber skills to monetise the maximum amount of money they can by manipulating the three components of a payment ecosystem which are data, people and infrastructure.”

While data and infrastructure can be taken care of, thanks to many technologies we use, it is the people factor which is becoming more and more vulnerable, said Suralia. “It is being recognised that people are the most vulnerable factor in the cybersecurity ecosystem.”

Visa’s move into IoT

Visa plays several roles in this process of moving payments to gadgets. The first and very obvious role is the technical enablement on the banking side of the industry, as banks have to implement some changes in their systems to support payments with gadgets. The second part is that Visa is a provider of secured technology which allows storing card credentials securely on mobile devices. Now with this obvious trend of customers moving to wearables/mobile devices there is a need to load payment credentials to millions of devices in a secure way so that fraudsters will not be able to steal these credentials and use them for payments.

“As far as the number of devices is huge, it’s quite difficult to manage this kind of security traditionally. That’s why, Visa together with other payment systems worked on a new standard of storing payment credentials in gadgets, wearables and mobile devices by converting them into tokens. A token is a surrogate card number which resembles a real one, but which is just a pointer to a real card number stored securely on Visa side - at Visa Token Service. When you load tokens to mobile devices instead of real credentials, the fraudsters can’t do much with these tokens. They won’t be able to do payment transactions even if they steal tokens from devices,” opined Suralia. 

Talking about Visa’s move into IoT, Suralia mentioned that it comes at a time when device payments are on the cusp of the mainstream. “Connected devices ownership is rising. Forecasts show that 20.4 billion connected devices will reach the market by 2020. By 2035, it is said that one trillion devices will be connected to the internet. Ninety per cent of cars are expected to be connected, too. For technology companies and device manufacturers who want to offer secure and seamless payment solutions, Visa has expanded its Visa Ready Program to certify and secure payment experiences for the Internet of Things.”

The Visa Ready Program for Internet of Things now provides IoT device manufacturers with a path to embed secure payments into their connected devices, enabling anything from a watch to a car to initiate payments. Imagine with just a touch of a button consumers could pay for gas, food or parking without leaving their connected vehicle. New Visa Ready strategic partners can work with device manufacturers to create these types of payment experiences and guide them through the Visa Ready certification process. Through Visa Ready, device manufacturers will now be able to implement the industry standard for digital payments, EMVCo’s payment tokenisation specification, using a Visa-approved payment reference design. 

However, Suralia believed that IoT has also brought risks. The number of smart devices and their inherent vulnerabilities make it difficult for financial services firms to implement IoT security measures to protect against data breaches and other risks. A Gartner report estimates that more than 25% of identified attacks in enterprises will involve IoT.

“The ability to compromise the security of IoT devices presents the biggest challenge for organisations, particularly for companies that are responsible for their customers’ data, such as financial services firms. IoT devices are designed to easily connect to networks and share information through common wireless protocols such as Bluetooth, which makes them attractive as potential points of attack.”

“IoT devices often lack basic security measures, which could expose sensitive information. They also are often unattended, which may make them accessible to cybercriminals who want to target financial institutions or their customers,” said Suralia further.

In such a context, Suralia said organisations have to focus on five key risk elements when considering IoT implementations. “They are privacy, data security, data management, outdated devices and identity theft. IoT has indeed brought great benefits for the financial services industry, but it has also brought great dangers as cybercriminals have exploited the popularity of smart devices and their vulnerabilities. Understanding these five risks will help you improve your IoT security so that your company and customers can maximise the benefits while mitigating the risks,” said Suralia in conclusion. 

IoT transforming banks into ‘Bank of Things’

Representing the monetary authority of Sri Lanka, Dr. Nandalal Weerasinghe, Senior Deputy Governor of the Central Bank of Sri Lanka, spoke about how beneficial IoT will be for the financial industry, the challenges it brings and, from a regulatory point of view, what institutions like the Central Bank expect from a technology like IoT and how such technologies can be facilitated within a robust regulatory framework.

“In the financial services industry, IoT is the next big and imminent thing that will help the industry to be more inclusive and effective. IoT helps to optimise operations, and it can improve productivity of organisations; all these connected devices will change the consumer experience in the financial services sector.”

“To utilise IoT, organisations have to be proactive and should be able to harness the benefits of IoT to create significant value for customers. The financial services industry is competitive; if you are not proactive enough to hang on to the opportunities provided by IoT, you will miss the bus,” said Dr. Nandalal.

Billions of devices are connected, and in doing so, become an intelligent system of systems. When these intelligent systems and devices share data on the cloud and begin to analyse, Dr. Nandalal said they could transform the financial services industry in countless ways. 

“Customers use smart devices for accessing data which allows banks to provide a complete view of customer finances in real-time. Banks can anticipate the needs of customers through the data collected and offer solutions and advice that can help customers make smart and sound financial decisions. In this way, the ‘bank of things’ can become a potent facilitator to increase customer loyalty.”

The customer data available through IoT will help banks identify their customers’ business needs, their value chains and also gain customer insights, Dr. Nandalal said. Customer information will also help banks provide value-added service, financial assistance and customised products to ensure a win-win situation for both parties.

“One of the most important benefits of IoT in the banking sector is providing rewarding, easy-to-access services to both credit and debit card customers. Banks can analyse the usage of ATM kiosks in specific areas and increase or decrease the installation of ATMs depending on usage volumes. Along with ATMs, banks can also make use of IoT data in bringing on-demand services closer to customers by providing kiosks, and increase the accessibility of services to customers.”

While IoT has countless benefits, Dr. Nandalal mentioned that there are some associated risks as well. He said financial institutions could find it very challenging to make proper decisions from the data collected. He believed that financial institutions need to dig deep into data management and security, and need to safeguard customer information with a focus on maintaining privacy standards.

“As a part of IoT, all transaction data, including the information sent through smart devices, will be available to banks and financial institutions. Along with data, banks also have access to customer location, which may lead to a breach of privacy. While banks collect a lot of information from customers, any data breach could lead to a severe repercussion for them. Data infringement and data hacking may cause massive damage to customers and sever their relationship with their banks,” said Dr. Nandalal. 

He also touched on the absence of security by design when discussing risks related to IoT. “Security is considered a top priority when designing a product. There are so many developers today, and for many of them the priority is to develop the products and sell to the market. They are not too focused on the security aspect. As a regulator, we are responsible for any financial product that comes to the market to have minimum security standards.”

Talking about different security measures that need to be adopted to ensure IoT security, Dr. Nandalal said, “Implementation of proper security regulations is of utmost importance. The regulators should issue directions to address information security. However, many of them have not properly updated their security regulations to address IoT security concerns. Therefore, it is essential to revise existing regulations to improve IoT security.”

He also emphasised that incorporating security at the design stage, ensuring API (Application Programming Interface) security, identity management, endpoint security management and proper network access control are vital pillars in strengthening the IoT security of any financial services organisation.

Thoughts from panellists

Damith Pallewatta, Deputy General Manager – Risk/Chief Risk Officer/Chief Information Security Officer at Hatton National Bank, and Channa De Silva, General Manager at LankaClear, both joined the session as panel members alongside Dr. Nandalal and Suralia. Pallewatta explained why IoT brings immense opportunities for banks and financial institutions and how Hatton National Bank is experimenting with the technology.

“From the banks’ point of view, IoT is a tremendous opportunity because it creates value for customers and transforms businesses. At the same time, even though the financial industry benefits from IoT, there has to be a lot of infrastructures put in place for us to get that advantage. IoT will provide biometric and positional data. What happens then is that we will get access to physical performance data; all that we do with the data is up to banks.” 

Hatton National Bank is at the forefront of IoT innovations. HNB launched ‘HNB Fit’, an IoT-enabled product by partnering with Fitbit, Apple Watch and Jawbone. It is a mobile application that connects to a customer’s fitness device as well as their bank account. The mobile application monitors the steps through the data collected from the fitness device. Once he or she reaches their daily step target, the customer’s money will be transferred to a high-interest account. With this new age application, they aim to engage with digital-savvy customers and promote health and fitness among the community. 

“Whether you are a veteran fitness enthusiast trying to maintain your muscles or a newbie in the game of losing weight, the online application will become your ultimate fitness motivator allowing you to earn an attractive interest rate every time you achieve the daily fitness goal we have set for you,” said Pallewatta.

Pallewatta also brought to the table the challenges which surround IoT. “We have compliance-related challenges; how best financial industry organisations can comply with the regulations needs to be addressed. Secondly, how can we work with privacy so that data privacy and data management become a challenge for us? We need to overcome that challenge to get benefits of IoT. There is another challenge of legacy devices; how can we ensure that devices connected to the banking core system are of a particular standard?”

“On the other hand, identity theft is a massive challenge. How do we validate the identity of a user who is using a wearable? These challenges remain to be resolved to a great extent to move smoothly in the IoT space. Among all these things, if you are moving to the IoT space in the financial services sector, we believe we have to be aware of certain elements. We need to have proper monitoring capabilities to keep an eye on IoT devices; there needs to be continuous visibility 24/7. If we have a state-of-the-art Security Operations Centre (SOC) running in Sri Lanka, the financial services industry could capitalise on it so that we have the required visibility,” said Pallewatta.

Pallewatta also spoke about the importance of having a proper mechanism to understand continuous risk levels of devices. “People change devices frequently, devices go out of service, and devices get upgraded. How do we understand that challenge? Also, mitigation is another challenge. How do we react when something negative is observed and how fast we could go and rectify the issue? Banks should consider having a proper mechanism to address that challenge as well.”

Speaking about striking a balance between technologies and adoption, Channa De Silva said, “The whole idea of IoT, in terms of technology as a concept, is based on what is fundamentally provided. If implemented correctly, you could switch off your lights from your office or refill your refrigerator with supplies. With challenges like data security and privacy, IoT has put us in a trap. That is where the problem lies. On one side, we are trying to provide convenience, and on the other hand, because things are not secure, we are trying to include so many security mechanisms, making life difficult for people. How we strike a balance plays an important role here.”

“Because risk and compliance are critical factors, financial institutions are adding layer after layer to strengthen their security. What this does is that since the whole process is cumbersome with barrier after barrier, people stop using your product. That is the challenge we are having right now and how do we make it convenient, and at the same time, provide a seamless experience for customers is the real game-winning point,” said Channa.

De Silva also opined that in the Sri Lankan context, adoption had been the real challenge, not the availability of technologies. “People are not using technologies enough. Cards have been in operation for more than two decades, but if you look at the number of transactions and the usage of cards versus cash, it is pretty low. We have cards available, but people are hardly using them. We have an adoption issue and to address this, we are trying to make them more convenient. Hopefully, we will improve adoption but then if you put barriers to make it more secure and inconvenient, people will move away. How do we achieve a fine balance and make it more secure in a seamless way is the key to success. If we do not achieve that, people will just stay with cash,” De Silva stressed during the panel discussion.

Pix by Upul Abayasekara and Ruwan Walpola
