BS&T associate editor Bryan Yurcan recently spoke with Paul Smocer, president of BITS, the technology policy division of The Financial Services Roundtable, about how banks can best fight cybercrime, the importance of sharing data and how to build secure software.
As mobile payments and mobile wallets become more prevalent in the U.S., what are the top security concerns for banks?
Smocer: The mobile payments space is at the early stages of development. As with any technology or delivery channel that is new, what we're trying to do as an industry is get ahead of the security concerns. There are a lot of players getting into the space, but in general financial services companies themselves are getting into it cautiously.
Companies that aren't traditional financial services companies are pursuing this channel a little more aggressively, and that's one of the things we're working on: How are these companies implementing security, and how is it being overseen? Mobile payments is a channel -- unlike other delivery channels that financial institutions use -- that has the broadest number of players involved. You have the delivery service, the phone carrier, you have the security around the physical device itself and there are a lot of additional players in the ecosystem. We are trying to work with those players to ensure there is security built in along the whole value chain. We're looking at the physical protections around the phone, and what role the carriers play and their security. Banks should make sure that the providers they are partnering with have the proper level of security, because financial institutions are ultimately held accountable for their partners.
How best can the financial services industry combat cybercrime? What level of cooperation and information sharing is necessary?
Smocer: When it comes to cybercrime, there is always more work to be done because the challenge always changes. Like any crime, the criminal actors get more sophisticated as time goes on. We have seen much more organization among the groups committing cybercrime. That certainly proves the fact that we as an industry need to be collaborating as well.
You start with security at the individual institution, of course, but there are also a number of collaborative efforts underway. We have an information-sharing and analysis center that provides information to the industry with regard to attack patterns and potential vulnerabilities in order to raise the level of awareness.
Getting information from sources within the government about threats is also a component piece of this. We are looking at how to do that more effectively going forward. A lot of cyberattacks are not just focused on the financial services industry in particular, but are intended to be multi-industry attacks. So we need to share a lot of cross-sector information as well. This is one area where the industry realizes that collaboration is vitally important.
How can banks build secure software?
Smocer: There are a lot of techniques that actually start with the design of the software itself. Financial institutions must recognize that as you are designing the functionality, you also need to design in the security from the beginning. It really starts from the design phase of a piece of software; as it's being built there should be a lot of testing about how to secure the app.
It's also very important to educate developers about how to build in security. In many cases, banks are relying on pieces of software they didn't build.
There is a challenge in the fact that much software today is multilayered and relies on components in the mainframe world, the middleware world and the end-device world. It's important to build in security from the beginning, and ongoing maintenance of the app is also important.
What data security shortcomings exist in the financial services industry, and how can banks improve enterprise security?
Smocer: One thing to recognize is that there is a distinction between compromised financial data and breaches of financial institutions. Many of the breaches we read about with regard to financial data are not breaches that occurred at a financial institution, but ones that occurred elsewhere that involved financial data.
If there's a data breach at a large retailer or payment provider, it has a downstream effect on financial institutions. FIs recognize that a breach creates a reputational issue. People want to trust that whoever is holding their funds can keep them secure. That creates a focus on making sure breaches don't occur in the first place. That's why it's important for financial institutions to be aware of the third parties that house financial data and to try and ensure its security.