The current global investment in fintech is estimated at $13.8 billion, with $4.5 billion invested in the Asia-Pacific region across 140 deals, according to KPMG and CB Insights’ The Pulse of Fintech report.

Let’s agree, fintech is disruptive and it’s the future. Many new technologies like bitcoin and blockchain are changing lives every day, with more than a million applications now integrating bitcoin.

However, peer-to-peer lending, faster payments, robo-advisers and automated trading will be severely affected if application security is not accounted for from the start.

Why is security important in fintech?

New technology is exciting, but it can open many doors to new threats, such as the recent SWIFT attacks.

Bitcoin has already been under severe attack, and companies such as Mt Gox and Bitstamp have already lost millions of dollars to cybercrime.

These attacks have demonstrated the importance of security and controls from the start. The quicker the technologies are developed, the more opportunities there are for hackers looking to make quick money.

New technologies such as bitcoin make cybercrime investigations more difficult to solve due to anonymity and a lack of regulation at various levels.

Hackers have a better understanding of the latest in fintech than most chief information officers; fintech is the largest of technology’s many unknowns and has become a playground for hackers.

Security forms the foundation of the financial services industry and, aside from convenience, keeping customer information secure is the biggest responsibility of any fintech company.

It takes a complex and systematic approach to address all the elements of cyber security and help a company be better equipped and educated to battle the full spectrum of potential attacks.

Current state of fintech security

Cyber criminals have moved on from the network attacks of the last decade to application layer attacks.

Globally, more than 65 per cent of fintech products that have already started financial transactions on their apps haven’t performed a single thorough application security assessment.

For the remaining 35 per cent, penetration testing is often not enough. Why not?

Turing Award-winning computer scientist Edsger W Dijkstra said, “Program testing can be used to show the presence of bugs, but never their absence.”

He said this 50 years ago, and we still see application security as just penetration testing: traditional checklist-based testing done by enterprises with certified resources.

Security researchers are different from hackers, and hacking and penetration testing are not the same.

In fact, there are very few security vendors who understand fintech and have the capability to secure these sorts of products and platforms.

What should fintech companies do?

Fintech security needs to innovate. Fintech start-ups need to work closely with real hackers and catch up with the latest threats and vulnerabilities being exploited by the underground hacker community.

You need real hackers constantly hacking into your product to secure it, but can your organisation do that?

Does your chief technology or chief information officer have the capability to interact with real hackers?

Are they familiar with the dark web and the internet relay chat (IRC) channels where hackers log in? Can they interact safely? Additionally, it will be difficult for them to find time for all these tests.

This makes achieving absolute security for new technologies extremely difficult, and the best way to handle this is to think about security from the start. Bring security into the design and use secure design patterns.

Did you know that more than 90 per cent of Uber’s code is not custom? Instead it is built on secure application programming interfaces (APIs) provided by secure platforms such as Google and Amazon Web Services.

What should fintech companies do?

Most developers see security as an impediment, when they should see it as a way to adopt speed and build trust with both users and regulators. It has to be in your organisation’s culture.

Have you heard of Tesla’s open challenge to hack into them? Tesla chief executive Elon Musk may hire you if you hack them. With connected cars, you can’t be cavalier with lives. Similarly with fintech, technology could seriously affect a person’s career.

The solution

Your team should think about security right from the start, before writing even a single line of code.

Check the technology stack you want to use for existing zero-day vulnerabilities. Be 100 per cent sure of your technology stack.

Don’t use unknown open source technologies. Use secure APIs that are trusted across the globe and in your industry. Stay updated with changes in their API.

Whatever custom code you write, make it robust and secure.

Challenge your product’s security every day with hackers: select an organisation to attack it during the development cycle, not after it is in production.

Perform code reviews; if something is not right, figure out the source of the problem.

Once you are fairly confident about your platform (but before you’ve released it), list it on bug bounty platforms and let hackers attack it to check its resilience.

Securing your technology from the start ultimately turns out to be a very cost-effective solution.
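The steps above start with knowing exactly what is in your stack and whether any of it is already known to be vulnerable. The following is an added example, not code from the article or from Entersoft: a small audit that parses a pinned dependency manifest, checks each pinned version against a list of advisories, and flags anything left unpinned (an unpinned dependency cannot be vouched for, which is the "be 100 per cent sure of your technology stack" point). The package names, version ranges and advisory identifiers are constructed for the example; in practice the advisory list would come from a vulnerability database feed, and the same range check generalises to any ecosystem whose versions are dotted integers.

```python
"""Audit a pinned dependency manifest against a list of vulnerability advisories.

Added example; package names, versions and advisory ids are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List, Dict

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version          # first affected version (inclusive)
    fixed: Optional[Version]     # first fixed version (exclusive); None = no fix yet
    advisory_id: str             # placeholder id, not a real CVE
    summary: str


def parse_version(text: str) -> Version:
    """'1.4.2' -> (1, 4, 2); missing parts pad to 0; a leading 'v' is tolerated."""
    m = re.match(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())  # type: ignore[return-value]


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a requirements-style manifest into {name: pinned_version} and unpinned names."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:                                     # '>=', '~=', bare name, etc.
            name = re.match(r"^([A-Za-z0-9_.\-]+)", line)
            unpinned.append(name.group(1).lower() if name else line)
    return pinned, unpinned


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed); an unfixed advisory has no upper bound."""
    v = parse_version(version)
    if v < adv.introduced:
        return False
    if adv.fixed is not None and v >= adv.fixed:
        return False
    return True


def audit(manifest: str, advisories: List[Advisory]) -> Dict[str, list]:
    """Return affected pins (with a remediation hint) and the list of unpinned packages."""
    pinned, unpinned = parse_requirements(manifest)
    findings = []
    for adv in advisories:
        ver = pinned.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            hint = (f"upgrade to >= {'.'.join(map(str, adv.fixed))}" if adv.fixed
                    else "no fix published; isolate or replace the component")
            findings.append({"package": adv.package, "version": ver,
                             "advisory": adv.advisory_id, "action": hint})
    return {"findings": findings, "unpinned": unpinned}


# Constructed sample manifest and advisories (not real packages or advisories).
SAMPLE_MANIFEST = """
# constructed manifest for the example
examplelib==1.4.2
paymentkit==2.0.0
ledgerclient==0.9.1
requests>=2.0          # unpinned on purpose
"""

SAMPLE_ADVISORIES = [
    Advisory("examplelib", (1, 0, 0), (1, 5, 0), "ADV-0001 (placeholder)",
             "deserialisation of untrusted input"),
    Advisory("paymentkit", (1, 0, 0), (2, 0, 0), "ADV-0002 (placeholder)",
             "missing signature check on callbacks"),
    Advisory("ledgerclient", (0, 9, 0), None, "ADV-0003 (placeholder)",
             "TLS verification disabled by default"),
]

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in report["findings"]:
        print(f"{f['package']}=={f['version']}: {f['advisory']} -> {f['action']}")
    for name in report["unpinned"]:
        print(f"{name}: not pinned, cannot be vouched for")
```

Running the block reports examplelib (affected, fix available), ledgerclient (affected, no fix) and the unpinned requests line, while paymentkit 2.0.0 passes because it sits at the first fixed version. The check is deliberately a half-open interval so that a version exactly equal to the fix boundary is not misreported.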

Mohan Gandhi is the chief executive of Entersoft, an offensive cyber security start-up focusing on application security