Cyber Risk For The Payment Industry
We’re only starting to understand how important the issue of cyber risk is. This conference presents the risks and the solutions that currently exist.
Cyber-risk is Coming to the Payment Ecosystem
One way to think about this issue is to ask why we are only talking about it now. It is odd, because we have had computers for decades. Digital has become the main way our species conveys information. We experienced this technical transformation 10 years ago, and it took another ten years for it to turn into both an economic and a security issue.
The card industry is still about credit cards and debit cards, which remain important ways of making payments. Looking ahead, 5 years from now for example, there is a very high chance that purely digital instruments such as e-wallets will account for most payment transfers made online.
The impact of cyber incidents on stock prices is increasing. It has a lot to do with the business environment. If you’re one payment processor among many competitors, with only a couple of clients, and you must announce one big incident, then it is very easy for your main client to switch providers. That is why you’re going to lose a lot of money and value.
Resilience to Hacking, Cryptography and Smart Card Architecture
Hacking can be carried out by terrorists, foreign countries and mafia organizations, but we shouldn’t be defeated. To understand what we are facing, we must analyse the things we think are secured or not secured:
- Third-party spy software: software placed on your device with the aim of accessing the data held by your secure software or modifying the behaviour of your software. To avoid this issue, you shouldn’t allow any other software to run on your device, or you should use ring fencing on your device.
- Software spoofing: your software is replaced by a similar one, designed to change the behaviour of your software or steal some private data. You must make sure that only the right software is allowed to replace the original one. You can also encrypt your data.
- Key breaking: a key is used to encrypt data and keep things secret. You don’t want people to guess your key, but the power of computers keeps increasing, so a key that is safe today will be broken. You can give every device a different key or add a verification procedure to your system.
- Hash breaking: the hash is the summary of the data. It is used for digital signatures. You need to diversify the data, so the hashes are different on every device.
- Key breaking by lowering the clock speed or using other advanced scientific knowledge: restrict the circulation of your keys, and take the key out of the device and put it on the other side of the system. You can also use memory that is physically erased as soon as someone tries to access it physically.
- A sensor close to your device: it might simply retransmit whatever is broadcast to it. Only allow devices that were assembled with your device in the factory, and have those devices securely registered within the system so that you can identify them when they connect.
- Spying on the keypad, on microprocessor activity, on radio signals or on battery consumption: make sure your device is recognizable. It’s also better to keep the sensitive data separate from this device, which may be hacked. In case of suspicion you can replace it easily.
- Unauthorized access to the device: you can track its use from the moment it is reported hacked; you can also call the police or disable the device.
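The "different keys on every device" and "different hashes on every device" items above can be illustrated with key diversification. The following is an added example, not material from the talk: it assumes HMAC-SHA256 as the derivation function, and the function names and terminal identifiers are hypothetical.

```python
import hashlib
import hmac

def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Diversify one master key into a per-device key (HMAC-SHA256 used as the KDF)."""
    return hmac.new(master_key, b"device-key:" + device_id.encode(), hashlib.sha256).digest()

def tag_message(device_key: bytes, device_id: str, message: bytes) -> str:
    """MAC over (device id, message): identical data gives a different tag per device."""
    ident = device_id.encode()
    data = len(ident).to_bytes(2, "big") + ident + message  # length prefix avoids ambiguity
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()

def verify_message(master_key: bytes, device_id: str, message: bytes, tag: str) -> bool:
    """Back-end check: re-derive the claimed device's key, compare in constant time."""
    expected = tag_message(derive_device_key(master_key, device_id), device_id, message)
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    master = bytes(range(32))             # constructed sample key, held only by the back end
    msg = b"amount=12.50;currency=EUR"    # constructed sample payload
    key_a = derive_device_key(master, "TERM-0001")
    key_b = derive_device_key(master, "TERM-0002")
    tag_a = tag_message(key_a, "TERM-0001", msg)
    tag_b = tag_message(key_b, "TERM-0002", msg)
    # A key recovered from TERM-0001 must not authenticate as TERM-0002.
    cross = tag_message(key_a, "TERM-0002", msg)
    return {
        "keys_differ": key_a != key_b,
        "tags_differ": tag_a != tag_b,
        "genuine_accepted": verify_message(master, "TERM-0001", msg, tag_a),
        "cross_device_rejected": not verify_message(master, "TERM-0002", msg, cross),
        "tamper_rejected": not verify_message(master, "TERM-0001", msg + b"0", tag_a),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Because each device holds only its own derived key, losing one device exposes that device alone, and the back end can stop accepting its identifier without re-keying the rest of the fleet.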
The Israeli Approach to Financial Cybersecurity
Over the years, especially in the last 5-6 years, Ram Levi has been working with a lot of organizations. The more he learns, the less he understands about cybersecurity, because of the complexity of the question. He presents 3 issues:
- Lack of understanding of cyber threats, because we can’t see or touch them. We also have a low ability to convey this understanding to the people who make decisions. That is why we need a new approach to training and teaching people to understand what it’s all about.
- How each environment is changing, so we have to adapt constantly.
- How we create a cultural change.
Everything changes all the time; what is right one day is not right the next. Terrorists take the time to know the network better than the person who designed it. If you really want to protect your network, you have to know it and the organisation you have to protect.
The only significant thing you can say about the security of a system is the context of the threats (countries, regulations, architecture, people, skills…). Cybersecurity is about giving a management solution to technical problems that we have created because of the way computers are built. Banks are facing data breaches driven by financial, political and social motivations.
Cyber threats are becoming more and more professional. It’s not a question of “if” but “when” you will be attacked, and how quickly you will be able to respond. In 2002, the government of Israel decided to create the national information security agency, placed under the secret services. In 2010, they created a task force of 80 people from the military, intelligence and private enterprises. In 2015, the general inspector of the banks issued directive 361: banks now have an obligation to carry out cyber defence.
Cybersecurity & Payment System - Understanding the New Legal Angle(s)
GDPR was a big shock in 2018. It is the arrival of a standard in Europe. Fintechs cover a lot of different actors, but even in law we try to adapt facts to regulatory and legal systems. New challenges are coming in terms of breaches and protection of data. Regulation is here to give a secure environment.
In any organisation, you must be aware of the different regulations. In case of an inspection, you should be able to prove that you did everything properly to react and did the best you could to avoid any breach. With the GDPR, one thing to keep in focus is the data breach. You must notify the CNIL within 72 hours of becoming aware of the breach. You also have to inform the person concerned, and the sanctions are very high if you do not.
The NIS directive for network and information security matters a lot. The parliaments and the local authorities keep the rules in mind but adopt, through their own instruments, their own way of reflecting what is provided there. In any case, the rules can differ from one jurisdiction to another. There’s an issue in terms of management and cyber risk. Progressively, all those different instruments converge.