PayThink

Challenger banks pose a distinct security challenge

Register now

The ongoing digital transformation in payments and financial services has brought forward a whole new segment of companies that operate only digitally. The so-called neobanks or challenger banks have racked up millions of clients across the globe with their growth rates exploding thanks to aggressive funding rounds.

Taking a deeper look at the IT strategy of neobanks, we realize that, while it makes neobanks remarkably nimble and responsive, it also makes them more vulnerable to the growing threat of web supply chain attacks.

The financial and identity risks to clients and neobanks are substantial. Estimates of global costs of Magecart attacks surpass $1.4 billion in 2019, and the FBI recently issued a warning about the risks of developer supply chain attacks. Here’s why.

A neobank’s value proposition is simple: a digital one-stop-shop for money management and payments with excellent performance and usability. By being fully customer-centric and rapidly evolving their platforms according to customer feedback and demand, neobanks reach record levels of customer satisfaction. In the U.S., 90% of neobank clients say they are satisfied, while the figure fails to go over to 66% for traditional banks.

At the root of this disruption in the banking industry, we find neobanks creating innovative web and mobile applications built on scalable IT infrastructures based on third-party code. With this approach, they can release faster product updates and quickly catch up with evolving consumer demands. However, this effectively means that a significant portion of these apps’ code is not directly under the control of neobanks themselves.

And it gets worse once we understand exactly who these third-party code providers are. Often, this externally sourced code is provided by small companies or even individual developers who noticeably don’t have a budget for cybersecurity that even rivals those of neobanks - opening the door to web-based supply chain attacks. And so we must weigh development nimbleness against application security.

Web-based supply chain attacks occur when attackers breach their targets through third-party code suppliers, namely live chat or website widgets. With this approach, attackers don’t have to breach the servers of neobanks to steal user data in bulk; instead, they breach their ill-secured third-party code providers and inject malicious code that then ships and runs in neobanks’ applications. Such an attack cost British Airways $230 million in a GDPR fine.

Security-wise, the picture for neobanks doesn’t look great. At the expense of agility, these challenger banks have to face an enormous attack surface that they have almost zero control over. Hence the concern for web supply chain attacks among fintechs and their investors.

If, by any means, neobanks’ apps become compromised, customer distrust kicks in and it may very well mean the beginning of the end for the company - especially considering that, as we stand today, 61% of consumers say that they trust a bank more than a fintech. And even when we discount the factor that neobanks are typically less risk-averse than traditional banks, they cannot ignore that 82% of consumers say that ensuring the security of transactions is a critical concern when choosing a bank.

Swimming upstream, neobanks have to unlock customer trust. In the current panorama of Application Security, there’s no infallible way of preventing malicious code from being injected into companies’ applications. As so, neobanks must stay one step ahead, actively monitoring the client-side of web applications in real-time. With such a web page monitoring solution, they become able to stop these attacks at their inception and prevent massive data breaches.

Neobanks are truly a new force in the industry. They have helped redefine the paradigm of banking by presenting innovative responses to consumer needs. But they still don’t escape the fundamental of banking: banking is trust. By relying on cutting-edge and proven security solutions, they are successfully climbing this ultimate mountain and demonstrating how they are as secure - if not more secure - than traditional banks.

For reprint and licensing requests for this article, click here.