JAKUB RŮŽIČKA ON CYBERSECURITY
Recently, we took you on a ride into the world of Blockchain and followed up with aninsight scoop on PSD2, the new banking regulation. To continue down the Fintech path, we sat with a cybersecurity expert, Creative Dock’s own Jakub Růžička.
With all the recent Fintech trends and booms, cybersecurity is indispensable.
But the rabbit hole goes deep, much deeper than we imagined.
ENTER: JAKUB RŮŽIČKA
JAKUB, IS MY MONEY SAFE ONLINE?
I don’t know. Do you know?
NOT REALLY. BUT LET’S START WITH WHY CYBERSECURITY IS MORE IMPORTANT THAN EVER?
Well, we are seeing a couple of groundbreaking trends in Fintech that make customer's lives easier. However, all those trends come with a potential threat: a huge security risk. The trends I’m talking about are mainly blockchain and cryptocurrencies, peertopeer payments (like Paypal), mobile wallets, PSD2 and machine learning.
In theory, all those trends can have a positive effect on user experience. In practice, they make us more vulnerable to attackers online and require a greater level of enduser security awareness.
OKAY, SO LET’S GET MORE CONCRETE. HOW BIG IS THE RISK ONLINE?
Well, that depends on what's your attack surface?
That’s from how many different anglescalled attack vectorsyou can get attacked. So picture a guy who has only cash. Nothing else. All attack vectors around this guy revolve around someone robbing him and stealing all his money (I can use different methods/vectors to rob him, but the attack surface is quite simple and manageable).
A guy with a bank account already has a broder attack surface: someone could phish his password or steal his online identity. Also, the bank could get hacked. Now, let’s say we have a guy who deals cryptocurrencies online. This guy’s environment has countless attack vectors.
The exchange can have a vulnerability in their code and get hacked, the exchange can have a vulnerable web interface, the cloud environment the exchange is running on can be badly configured, the guy's wallet can get hacked. Moreover, he possibly transfers his money among multiple operating systems and platforms (desktop and mobile) which also increases the risk - the exchange can be banned by the government, and so on.
So, to keep it short, the overall risk really depends on how many endpoints you need to protect.
AND WHAT’S THE ATTACKERS FAVORITE MOVE THESE DAYS?
We call it social engineering, and it has been around since the beginning of computer hacking. A criminal tries to persuade you that he is actually your bank, or payment provider. The culprit carefully crafts an email that looks just like a real email from the bank. The email will lead to a landing page. That page will try to capture personal data, orwhen you are not paying attentionmorph into a different page that looks like Facebook or something.
The possibilities are limitless these days.
Unfortunately, people are the weakest link in the cybersecurity chain and attackers will always go for the weakest link. That said, the most effective defense is education. People who are aware and pay attention to what they are doing online are less likely to fall prey to a blackhat hacker.
AND WHAT ARE THE LATEST TECHNOLOGICAL TRENDS TO COUNTER CYBERSECURITY ATTACKS?
At Creative Dock, we are heavy on big data and machine learning.
Companies monitor loads of data these days. Let’s say you want to log into one of your accounts. You enter the wrong password three times. Now, this will be recorded, for it seems like an attack. However, in most cases, the user simply forgot the password. It happens all the time and there's a team of people who need to the the tedious job of manually reclassifying hundreds or thousands false positive events like these.
With data analysis and machine learning, we develop tools and algorithms that automatically filter out what’s important from what is not.
OK, BUT HOW CAN DATA HELP A NORMAL USER LIKE ME
We find consistencies and look for the minimum common denominator to teach people. Like I said, people, even security experts, are and always will be the weakest link in the chain. We can setup controlled experiments and A/B testing to find what works and what does not as it's been found out that current user security training solutions are largely ineffective and we're lacking the needed data to improve it.
SO, IN A NUTSHELL, WHAT CAN WE DO TO STAY SAFE ONLINE?
Think! Pay attention to what you are doing online. Become aware of the risks and never ever enter your details anywhere, unless you doublechecked it’s the website you wanted to visit. When you receive an email, prompting you to visit your bank, check the link. Is this really the bank’s website?
Remember, there's never a situation when somebody, even a company's representative, should ask you for your password. Review permissions you're giving to a mobile app you're installing and also don't share your invoice Excel sheet with your colleague via any public file sharing site.
At the end of the day there are no silver bullets.
Attackers and defenders both get smarter at the same time and what's more, attackers are usually at least one step ahead Use multistep authentication, if possible. And last, try to not use the same passwords online, at least not for important pages.
THANK YOU, JAKUB. THIS WAS INTERESTING STUFF…