Neobanks must address the growing threat of web supply chain attacks. With this approach, attackers don’t have to breach the servers of neobanks to steal user data in bulk; instead, they breach their third-party code providers and inject malicious code that then ships and runs in neobanks’ applications.
This presents an appealing attack opportunity, as these third-party providers are often small companies or even individual developers whose cybersecurity budgets come nowhere near those of neobanks.
Neobanks' shorter product development cycles also depend on integrating external services rather than writing every line of code in-house. Hence the concern about this attack vector among fintechs and their investors.
The average modern web app sources two-thirds of its code externally. If fintechs even remotely match this statistic, which is very likely, they have to address an enormous attack surface over which they have almost zero control: possibly dozens of poorly protected code suppliers, each with hundreds of code suppliers of their own. Attackers can and have traced these web supply chains to a poorly protected third party, injected malicious code there, and reached their target downstream. Such an attack cost British Airways $230 million in a GDPR fine.
If, by any means, a neobank's app becomes compromised, customer distrust kicks in, and it may very well mean the beginning of the end for the company. Neobanks are already losing the race on this track by default: 61 percent of consumers say they trust a bank more than a fintech. And even when we discount the fact that neobanks are typically less risk-averse than traditional banks, they cannot ignore that 82 percent of consumers say that ensuring the security of transactions is a critical concern when choosing a bank.
In the current landscape of application security, there is no infallible way to be sure that malicious code or markup has not been injected into a company's applications. As such, neobanks must actively monitor the client side of their applications in real time and set automatic countermeasures to react to attacks. With full visibility of client-side threats such as web supply chain attacks, fintechs are equipped to stop these attacks at their inception and prevent massive data breaches.
Neobanks are truly a new force in the industry. They have helped redefine the paradigm of banking by presenting innovative responses to consumer needs. But they still cannot escape the fundamental truth of banking: banking is trust. By relying on cutting-edge and proven security solutions, they are successfully climbing this ultimate mountain and demonstrating that they are as secure as, if not more secure than, traditional banks.