Hacker-Powered Security, Government Support Needed to Protect Financial Services Consumers from Application Vulnerabilities
What is the current state of security in the financial sector? How can governments contribute to this security?
These questions were addressed by Christopher Parsons in his testimony before the Standing Committee on Public Safety and National Security (SECU) in Canada. Christopher is a research associate in the Citizen Lab at the University of Toronto.
His testimony shines a light on some major issues facing the security community in Canada and across the world.
The Current State Of Computer Security in the Financial Services Industry
Christopher shared his concerns about the wide-ranging consequences of software vulnerabilities. When they’re found in customer service applications, vulnerabilities affect businesses, government agencies, and individuals. A bug isn’t just an inconvenience. Someone could lose their livelihood overnight.
The use of shared libraries, APIs, and random number generators across many applications creates another dangerous situation for the industry. When a vulnerability is found in a shared library, all applications using it are now vulnerable to attack. Dozens, hundreds, or even thousands of applications could be open to attack because of one coding error.
Another trend in the financial sector is the growing use of cloud computing services. Vulnerabilities have been found in cloud technologies used to host a company’s data or systems infrastructure. These problems put user data at risk.
The Government’s Place in Establishing Security in the Industry
Strong encryption is necessary to protect data. Many countries have asked for ‘backdoors’ in encryption software, however, that will allow law enforcement agencies to read the encrypted data of their citizens.
Pushing for these changes “will fundamentally endanger the security of all users of the affected computer software and, more broadly, threaten the security of any financial transactions which rely upon the affected applications, encryption algorithms, or software libraries,” according to Christopher.
Christopher argues that governments mustn’t adopt irresponsible encryption policies. These run the risk of introducing systemic vulnerabilities into the software used by the financial sector. Christopher argues that “access to strong, uncompromised encryption technology is critical to the economy.” Governments should seek to keep encryption strong, not weaken it for their own gain. Consumer confidence is important in the financial sector and strong encryption is the only way to gain it.
Keeping Security Vulnerabilities Secret
Government agencies often discover vulnerabilities and keep them secret in order to use them in espionage activities. This practice leaves unpatched vulnerabilities in common applications and systems, leaving them open to attack by malicious actors who discover the bug.
Unfortunately, it’s not always clear how governments choose to withhold vulns or tell the companies. Governments should publicize how it makes this decision and include members of the business and civic communities in making the decisions.
Create a Vulnerability Disclosure Policy
Security researchers routinely discover vulns, but few companies have explicit instructions on how to submit vulns to the company. Without VDPs, researchers may fear litigation from the companies they’re trying to help.
A good VDP should:
• Make clear to whom vulns can be reported
• Assure that no legal action will be taken against researchers
• The period of time the company will take to remediate the vuln
• What researchers commit to, such as not disclosing the vuln until a period of time has passed or it has been patched
It’s important for both private and public sector organizations to have VDPs available for security researchers. It’ll lead to safer applications for everyone. If you need help developing your VDP, HackerOne can help.
Move Systems Toward Two-factor Authentication
Two-factor authentication (2FA) is an authentication scheme requiring two factors to log in. The factors to choose from are something you know (password), something you have (hard or soft token), and something you are (biometrics, thumbprint scanners).
It’s not uncommon for financial companies to require 2FA to protect key internal systems. Christopher notes, however, that many customer-facing applications still don’t have 2FA enabled. This makes account takeover a major threat to the financial sector, allowing malicious actors to steal money from customers.
Another area of concern, according to Chris, is a lack of robust 2FA on the applications that do use it. Financial companies may use SMS as the second factor, but SMS is a weak channel. In fact, NIST no longer recommends SMS for use as a second factor due to the insecurity of the channel.
Christopher believes financial institutions should be required to offer 2FA to all clients--the second factor should be a hardware or software token.
Three Paths to Better Security
You can check out Christopher’s entire testimony to see the details of his arguments. They boil down to three main ways security can be improved in the financial sector:
- Governments need to take responsibility for setting policies that support, not undermine, secure systems
- Companies need vulnerability disclosure policies so security researchers have a safe avenue to report problems with their software.
- Two-factor authentication is a must for consumer-facing applications to best protect consumer assets.
Use these points to inform your security strategy moving forward in 2019 and beyond.