Monthly Archives: January 2020

The cybersecurity threat to financial technology and software

Larry Ponemon

While all industries must ensure appropriate data protection safeguards are in place, the financial services industry must be especially vigilant for a variety of reasons. These include the value of the data to attackers, the need to comply with difficult regulations and prevent costly fines and the importance of maintaining the trust and confidence of consumers. The purpose of this research is to understand the threats to financial technology and software and steps taken to minimize the risks.

Sponsored by Synopsys, Ponemon Institute surveyed 414 IT and IT security practitioners in all sectors of the financial services industry including banking, insurance, mortgage lending/processing and brokerage.

All participants in this research are involved in assessing the security of financial applications within their organizations. Their roles include installation and implementation of financial applications, development and manufacture of financial applications, provider of services to the financial industry.

(Visit Synopsys for the full study; the results are summarized here.)

Financial service companies worry about the third-party risk. We asked respondents to rate their concern about the cybersecurity posture of financial software systems developed by their organization or supplied by a third party from a scale of 1 = not concerned to 10 = very concerned. Figure 1 shows the most concerned responses (7+ on the ten-point scale).

According to respondents, 74 percent of respondents are very concerned about the security of financial software and systems supplied by a third party. However, only 43 percent of respondents require contractors, business parties and other third parties to adhere to their cybersecurity requirements. Fewer respondents (62 percent) are very concerned about the financial software and systems developed by their organizations.

Part 2. Key findings

In this section, we provide a deeper dive into the findings of the research. The complete audited findings are presented in the Appendix of the report. We have organized the research into the following topics.

  • The cybersecurity posture of financial services companies
  • Risks to financial software and applications
  • Security practices in the design and development of financial service software and technologies

The cybersecurity posture of financial services companies

Most companies are effective in detecting and containing cyberattacks. Respondents were asked to rate their effectiveness in preventing, detecting and containing cyberattack from a scale of 1 = ineffective to 10 = very effective. The majority of respondents are confident in their effectiveness in detecting (56%) and containing (53%) attacks but less so in preventing an attack (only 31%).

Most organizations have a cybersecurity program or team. Sixty-seven percent of respondents say their organizations have a cybersecurity program or team. Some  60 percent of respondents say cybersecurity is part of the traditional IT cybersecurity team and more than half (51 percent of respondents) say the cybersecurity team is decentralized, with cybersecurity experts attached to specific product development teams. Only 23 percent of respondents say cybersecurity is the responsibility of product development.

Pen testing and dynamic security testing/DAST are considered the most effective in reducing cybersecurity risks. Some 65 percent of respondents say pen testing and 63 percent of respondents say dynamic security testing/DAST are the most effective activities in reducing cybersecurity risks. Also effective are security patch management, system debugging and threat modeling.

Organizations need more resources and in-house expertise to mitigate cybersecurity risks. Only 45 percent of respondents say they have adequate budget to address cybersecurity risks and only 38 percent of respondents say their organizations have the necessary cybersecurity skills.

Respondents are more concerned about the cybersecurity posture of the financial services industry than the difficulty in complying with regulations. Respondents were asked to indicate their concern about cybersecurity risks on a scale of 1 = no concern to 10 = very concerned. Some 65 percent of respondents are very concerned about the cybersecurity posture of the financial services industry. Despite new regulations, such as NYDFS, 61 percent of respondents say regulatory requirements in the financial services industry are not keeping pace with changing financial technologies.

Risks to financial software and applications

Cloud migration tools pose the greatest cybersecurity risk. Of the software and technologies that pose the greatest cybersecurity risk to financial services companies, 60 percent of respondents say cloud migration tools followed by blockchain tools (52 percent of respondents) create the greatest risk.

The threat of malicious actors is motivating companies to apply cybersecurity-related controls in financial software and technologies.  Some 84 percent of respondents say their organizations are very concerned (7+ on a scale of 1 = not concerned to 10 = very concerned) that a malicious actor may target the financial software and technology developed by or used by their organizations. As a result, 83 percent of respondents say there is a very high urgency (7+ on a scale of 1 = low urgency to 10 = high urgency) to apply cybersecurity-related controls in financial software and systems. Only 25 percent of respondents are confident that security vulnerabilities in financial software and systems can be detected before going to market (7+ on a scale of 1 = not confident to 10 = very confident).

To read the rest of the results, and more comprehensive analysis, visit the Synopsys website.

Popular beauty/selfie apps from China ‘spy’ on users; Grindr, Tindr, dating apps accusing of privacy violations

Click to read the report (in English)

Bob Sullivan

Earlier this week, Bernie Sanders told The New York Times that he had no apps on his smartphone, citing a semi-anonymous but militant cybersecurity staffer named “Melissa” who keeps him safe.  There’s fresh evidence this week that we should all listen to Melissa.

Two separate studies have found that seemingly harmless beauty and dating apps are repeatedly violating users’ privacy, sharing intimate details of their lives — including granular location data — with a vast network of commercial firms looking to exploit it.

As I’ve mentioned in our So, Bob podcast “No Place to Hide,” the privacy-violating arena exists because of a “big fish eat little fish” ecosystem. The big money for surveillance capitalism — AdTech — wouldn’t exist if large companies didn’t support it. Here, you’ll see how it works.

The first report, published by a Norweigian government consumer agency, alleges that the makers of Grindr, Tinder, OkCupid, and several other similar apps packages up user data and sells it to third-party advertisers without user consent or knowledge, a violation of European privacy laws. The report, titled Out of Control, claims “a large number of shadowy entities that are virtually unknown to consumers are receiving personal data about our interests, habits, and behavior.” The 10 apps studied sent data to at least 135 companies, the report found.

For example: “The dating app Grindr shared detailed user data with a large number of third parties that are involved in advertising and profiling. This data included IP address, Advertising ID, GPS location, age, and gender,” the report says. “Twitter’s adtech subsidiary MoPub was used as a mediator for much of this data sharing, and was observed passing personal data to a number of other advertising third parties including the major adtech companies AppNexus and OpenX. Many of these third parties reserve the right to share the data they collect with a very large number of partners.”

The report also studied a makeup app named Perfect360, accusing it of sharing GPS and other data with at least 70 partners.

A separate study, published by a new Lithuanian-based security news site named Cybernews.com, focused entirely on makeup and selfie enhancement apps and found similarly troubling results.

The so-called beauty app category is immensely popular, especially with young women and girls — individual apps boast of as many as 300 million downloads. Cybernews found many of the apps request permissions they don’t need to perform the simple task of fine-tuning selfies.  Among the findings, according to Cybernews:

● Three seemingly separate developers seem to be run by the same group, and may be connected to apps previously found to contain a widely-dispersed Trojan
● One app developer was found to install malware through its software
● Unnecessary permissions include recording audio, using GPS, and seeing users’ phone statuses
● While only a few permissions are required for the app function, one app includes a whopping 40 total permissions
● More than half (16) of these apps are based in Hong Kong or China

In other words, Chinese app developers know an awful lot about the whereabouts of many teen-age Western girls.

“So why does a beauty and filter camera app needs to record audio, track your GPS location, or read through your contacts list? The apps may be free, but they are selling your data and the more they know about you, the more valuable your details become,” the report says. It sites a Buzzfeed article claiming that app makers can earn $4 a month for every 1,000 app users from tracking companies looking for location data. “If they have 1 million active users, they can get $4,000 a month.”

U.S. consumer groups reacted strongly to the report out of Norway; a coalition of nine urged the Federal Trade Commission to open an investigation on Monday.

 “The illuminating report by our EU ally the Norwegian Consumer Council highlights just how impossible it is for consumers to have any meaningful control over how apps and advertising technology players track and profile them,” said Susan Grant, Director of Consumer Protection and Privacy, Consumer Federation of America. “That’s why Consumer Action is pressing for comprehensive U.S. federal privacy legislation and subsequent strong enforcement efforts. Enough is enough already! Congress must protect us from ever-encroaching privacy intrusions.”

The coalition also asked attorneys general in California, Texas, and Oregon to investigate.