Gustavo Camargo, commercial director at VU.

Financial crimes are a concern for everyone from banks to fintechs. Febraban and the Ministry of Justice this month began negotiations to create a National Strategy for Combating Cybercrime, which is intended to involve a task force formed by the State, the Ministry of Justice, the Federal Police, the Central Bank and other bodies. Fintechs are also starting to look very closely at the issue.

Cybersecurity specialists interviewed by the portal Fintechs Brazil, a Blocknews partner, attest that the number of queries on the subject from banks that operate 100% online has grown in recent years. According to the Febraban Banking Technology Survey 2021 (base year 2020), banks invested R$ 2.5 billion in information security last year, an amount representing 10% of the period's technology spending, which totaled R$ 25.7 billion, 8% higher than in 2019.

Another survey, conducted in June this year by F5 Labs, Major Security Incidents 2018 – 2020, points out that the financial sector remains the main target of digital gangs. The study mapped attacks against banks, insurance companies, fintechs, payment processors, brokerages and investment funds around the world, pointing out the hidden risks in Open Banking ecosystems.

In the case of fintechs, companies that were born digital and in the cloud, the attacks take on a different aspect. “While the digital structure of a payment processor is typically private and has a more limited number of IP addresses, fintechs have embraced the cloud more heavily and have a myriad of IP addresses that can be attacked,” says Ewerton Vieira, director of solutions engineering at F5 Latin America. According to Vieira, 38% are credential theft attempts, 25% are volumetric DoS attacks, 13% are attacks against web applications and, finally, 25% are other types of breaches.

“The hacker, at the end of the day, needs to look for opportunities. He won’t waste time on those who invest a lot in technology and security, but on those who are more fragile and vulnerable”, says Gustavo de Camargo, commercial director responsible for the expansion of VU in Brazil, a global cybersecurity company focused on identity protection and fraud, with a strong presence in the financial system and retail. According to him, fintechs are targets of attacks, theft and money laundering, and need to act before being attacked. His company offers a digital onboarding solution and consultancy in the area.

According to Pedro Ivo, CEO of PhishX, a B2B SaaS platform that works on gamification and awareness in cybersecurity, the question a fintech manager has to ask today is not whether there is a risk of being attacked, but when. That is because the tightening siege against cybercrime is taking place at the same time as the incidence of these attacks grows. In 2020, according to Febraban, the financial sector avoided losses in the order of R$ 4 billion; this year, so far, that volume has already doubled.

“Cybersecurity involves something much broader than the technological issue, which is extremely important but is only one of the disciplines within the broader spectrum of governance, compliance, security and information risk. It involves business processes, physical environments, institutional matters, business continuity and incident handling, especially in the case of companies in the financial system, and especially fintechs, which conduct 100% of their transactions and services through digital means”, said Ivo on the YouTube program Fintech chat, hosted by João Bezerra Leite, angel investor and leader of the Fintech pool at Bossa Nova Investimentos.

If governance used to be a challenge only for large companies, it now reaches the universe of fintechs, especially those that lack the clout to afford sophisticated security solutions. “Thinking about security doesn’t cost anything; it’s a mental act, not an investment act”, says Ivo. According to him, when you create a fintech, you think about the customer, service, performance, technology, friction, user experience and distribution channels, but often security is not a priority. “Security must be considered from the company’s conception”, says Ivo.

“Homemade” tip

With more than 20 years in the cybersecurity market, Ivo says that customers buy security on two occasions: out of love, for compliance and the need to attend to something demanded by a regulator, or out of pain, when the attacks happen. “We have to change this scenario, get out of the all-or-nothing mindset of ‘I only go when I am forced or attacked’, when the damage is already done, with media exposure, often irreparable,” he adds.

He gives a “homemade” tip to avoid criminal attacks. According to him, without spending a lot of money, it is possible to carry out a verification process within the company, for example by having the process tested by a person other than the one who developed the software. He compares the role to that of a text editor, who is not the one who writes. “This checker will test the entire path taken by the customer to see if it has any vulnerabilities. It can be free software found on the internet, capable of scanning and identifying vulnerabilities, such as vulnerability scanners.”

Before the end of the first half of 2021, the facial biometric authentication service of Unico, an idtech for digital identity recognition, had already prevented R$ 16 billion in losses. Much of this amount is attributable to fintechs: of the R$ 5 billion blocked in May this year, R$ 4 billion was related to these companies. “Through fintechs, people can open a bank account in less than two minutes. However, criminals are also keeping an eye on this new movement, hence the large volume of fraud attempts”, says Marcelo Zanelatto, product director at Unico, a facial biometric authentication startup.

LGPD lights the alert

The LGPD is also a concern linked to players’ security and credibility. It was one of the themes of the third virtual edition of the Congress on Innovation in Financial Services (CISF), held this week by the Brazilian Association of Banks (ABBC).

On the occasion, Marcelo Guedes, general coordinator of Technology and Research at the National Data Protection Authority (ANPD), said that the LGPD imposes certain duties toward the data subject that may culminate in notification to the ANPD.

“First, the incident response team must act and then carry out an assessment of the incident to obtain information such as its nature, category and number of affected parties, that is, some element that allows the risk to be classified according to the view of the organization that suffered the attack”, declared Guedes. According to him, in cases of data leaks, the first action is to deal with the event, stop the criminal action and restore the system. Only then do certain obligations follow.

Thiago Diogo, Unico’s technology director, emphasized at the same event the importance of protecting digital identity. “I always recommend knowing the flow: knowing where the credentials are used, where your digital identity and that of your customer, both internal and external, are being used, and understanding the authentication, password and registration data flows, having everything mapped, which takes us to the second step, which is threat modeling, to understand how exposed your flow is”, says Diogo.

Home Office, weak point

Another panelist at the ABBC event, Renato Dolci, CEO of Decode, a company that develops data analytics solutions focused on business intelligence and revenue maximization, commented during the debate that the pandemic has accelerated informality within some platforms. “That’s why it’s important to invest in technologies to keep our information inside the environments, but, most of the time, what I notice is that in the exchange of information we end up being careless”, says Dolci.

According to Gustavo Duani, cybersecurity director at Claranet, a UK multinational specializing in cybersecurity with a focus on retail and financial systems, information security is built around process, technology and people. On the process side, he explains, one needs to master the processes to know how to apply them; technology is then used to apply mitigating controls on top of the process, and people are the executors.

“People are the weakest link, because regardless of the company and the investment it makes in security, if it does not have employees aligned with the business and security risks, it can become vulnerable and suffer a great impact on the business, as was the case with Renner, even with all the investment in the retailer’s security”, says Duani.

Gustavo Duani, director of cybersecurity at the British company Claranet.

The machine the user has at home, for example, which was previously used exclusively for work, is now also used for personal purposes, and as a result controls are not applied and updates are not installed. “The wholesale bank loses credibility, so I see security as a matter of the company’s survival,” adds Duani.

For the Claranet executive in Brazil, with the advent of the home office, companies have opened yet another weak point in terms of security. As a result, Claranet has noticed a growth in queries from fintechs wanting to know their degree of compliance with the protections and obligations that come with the entry into force of the General Data Protection Law (LGPD), which will penalize companies responsible for leaks of their customers’ data.

Open Banking and PIX increase vulnerability

“PIX is a solution that enters the bank’s application with greater exposure to fraud, which exposes the end consumer. Open banking uses APIs, which are code that integrates with systems to perform some action in the financial system. These APIs need to go through a security code review to eliminate vulnerabilities and avoid data theft and systemic fraud”, he says.

Open banking opens up several possibilities for cybersecurity attacks, fraud among them. Claranet is another company offering solutions to prevent these crimes, ranging from data scanning to proactive alerts on attacks that are under way.