Years ago, banks were afraid of armed criminals who could rob their branches. Today, one of the biggest security problems for modern financial institutions is cybercriminals breaking into banking security systems and causing significant financial loss. Through this lens of transformation, you can see how banks have evolved and how the world has changed. Security issues in fintech should also be approached in the same context.

Currently, cybercrime is considered one of the biggest problems for banks all around the world. According to statistics, global cybercrime costs reached $6 trillion in 2021. Moreover, according to a report by Accenture and the Ponemon Institute, the cost of cybercrime peaked in banking, at $18.3 million per company. In this context, it is also worth noting that in an interview with The New York Times, Mastercard’s security executives reported combating 460,000 intrusion attempts on a typical day, up 70% from a year earlier.

At 42flows.tech, we keep abreast of all the potential threats and take them into account when building chatbots for the fintech industry.

 

Top banking chatbot security issues and how we solve them

 

Data storage security

There are two main approaches to storing users’ personal and financial data: on the customer’s own servers (on-prem) or in the cloud (cloud storage). Both approaches have pros and cons, so the choice depends on security risks and local regulations. Typically, our customers, especially banks, prefer on-prem data storage, as it allows integration with their existing monitoring and security infrastructure.

From a security perspective, protecting data on-prem requires carefully securing each level: network, OS, applications, access control, and data fields. Putting sensitive data in the cloud requires a different security approach, as the cloud already provides ready-to-use tools for authentication, monitoring, access control, and backups.

We rely on field-level encryption of sensitive data before storing it in the database. The important point is that the database itself never has access to the data in plaintext. Field-level encryption can be done with tools like the Acra database security suite, or by building a security layer that transparently encrypts data before it is written to the database.

At 42flows.tech, we use whichever data storage option is convenient for the customer, since we provide data storage security independently of the storage location, which matters greatly in the banking industry.

Data transfer security

The banking sector traditionally uses the Payment Card Industry Data Security Standard, PCI DSS, designed by the international payment systems Visa, MasterCard, American Express, JCB, and Discover. The standard describes 12 detailed requirements for ensuring the security of cardholder data during storage, processing, and transmission. The PCI DSS certification process is long and extensive, but it is one of the foundational standards for fintech, and we rely on PCI DSS requirements when working with sensitive data.

We use traditional transport security measures, such as encrypting data with TLS 1.2 and 1.3 with mutual authentication to prevent unnoticed MitM attacks. We also use security features beyond the traditional set, such as data tokenization or end-to-end encryption, depending on the use case, system architecture, and customer requirements.

Data tokenization substitutes non-sensitive tokens for cardholders’ sensitive data. For example, we store the PAN (primary account number) encrypted in secure storage but operate with a non-sensitive token to identify the account holder. Thus, for most actions, neither the applications nor the databases “know” which account they are operating on. Tokens are anonymous and replace the confidential information.
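The two ideas above, field-level encryption where the database never sees plaintext and a random token standing in for the PAN, fit together in a small token vault. The Go code below is an added illustration, not code from 42flows.tech or from Acra; the in-memory map and the test key are constructed stand-ins for real secure storage and key management.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// TokenVault is a constructed, in-memory stand-in for the secure storage above:
// it keeps only AES-GCM ciphertext of each PAN, indexed by a random token.
type TokenVault struct {
	aead   cipher.AEAD       // AES-GCM under a key that in production lives in a KMS/HSM
	sealed map[string][]byte // token -> nonce || ciphertext || tag
}

func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &TokenVault{aead: gcm, sealed: map[string][]byte{}}, nil
}

// Tokenize encrypts the PAN and returns the token the rest of the system uses instead.
func (v *TokenVault) Tokenize(pan string) (string, error) {
	ns := v.aead.NonceSize()
	buf := make([]byte, ns+16) // a fresh nonce plus 16 random token bytes
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := fmt.Sprintf("tok_%x", buf[ns:])
	nonce := buf[:ns:ns] // capacity capped so Seal appends into a new buffer
	// The token is bound in as associated data: a record moved under another token will not open.
	v.sealed[token] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, nil
}

// Detokenize is the only way back to the PAN; restrict it to components that truly need the card number.
func (v *TokenVault) Detokenize(token string) (string, error) {
	rec, ok := v.sealed[token]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	pan, err := v.aead.Open(nil, rec[:v.aead.NonceSize()], rec[v.aead.NonceSize():], []byte(token))
	if err != nil {
		return "", err // tampered record or wrong key
	}
	return string(pan), nil
}
```

Everything outside the vault carries only the `tok_...` string, so a dump of the application database or logs exposes no card numbers.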

End-to-end encryption of transferred data means that only the sender and receiver hold the cryptographic keys to decrypt the data, while all applications and databases in between operate on ciphertext. End-to-end encryption is not a silver bullet: it requires careful architecture design, as the applications (the “ends”) need access to a trusted cryptographic environment. In many cases, we instead combine tokenization with transport encryption to secure data during transmission.

Authentication

We use multi-factor authentication (MFA) to secure user login. We rely on a one-time password (OTP) as a second step after validating the username and password. OTP codes are short authentication tokens that are valid only briefly (typically 30 seconds). OTP codes can be delivered via email, SMS, push notification, or an app such as Authenticator. SMS delivery is one of the simplest and most popular ways, although SMS messages cost money and can be intercepted. We rely on NIST SP 800-63B and OWASP recommendations when advising customers on how to resolve security/usability tradeoffs.
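The 30-second OTP described above is what an authenticator app produces: a time-based OTP (RFC 6238) built on HOTP (RFC 4226). The Go code below is an added example, not 42flows.tech’s code; it generates six-digit codes and verifies them with one step of clock skew in each direction. The shared secret is assumed to come from enrolment; replay tracking and rate limiting are noted in the comments but not implemented here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per code: the 30-second validity mentioned above

// hotp implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamically truncated to a 31-bit integer and reduced to six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// TOTPAt returns the code valid at time t (RFC 6238: counter = unix seconds / step).
func TOTPAt(secret []byte, t time.Time) string {
	return hotp(secret, uint64(t.Unix())/totpStep)
}

// VerifyTOTP accepts the code for the current step and for `skew` steps on each
// side, absorbing clock drift between the phone and the server. The comparison is
// constant-time. A real deployment must also remember codes already accepted
// (replay) and rate-limit attempts, since six digits is a small space.
func VerifyTOTP(secret []byte, code string, now time.Time, skew int) bool {
	ok := false
	for d := -skew; d <= skew; d++ {
		want := TOTPAt(secret, now.Add(time.Duration(d*totpStep)*time.Second))
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true // keep looping so timing does not reveal which step matched
		}
	}
	return ok
}
```

With the RFC 6238 test secret `12345678901234567890`, the code at Unix time 59 is `287082` (the last six digits of the RFC’s eight-digit vector), which is a quick check that an implementation is interoperable with standard authenticator apps.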

Multi-factor authentication blocks attackers from using an intercepted password and is one of the most reliable ways to protect user accounts.

Phone theft

However, a mobile phone can be stolen, and criminals could then gain access to the chat. We use a so-called “step-up authentication” or “repeated authentication” approach to prevent this. The chatbot asks for a special PIN code when the user tries to access their personal or financial information. Thus, accessing sensitive information requires knowing the account’s username and password, having access to the OTP, and knowing the PIN code.

Users can log out of all chatbot sessions if their device is lost. All local data is then wiped, and the attackers won’t gain any confidential information.

Account hacking

Unfortunately, no single security measure will protect against account hacking. Fortunately, we have implemented many of them! For example, account blocking: if the user has entered their password wrong several times in a row, the application introduces a delay before the next attempt. The delay protects against automated brute-forcing of the password. Users can also configure a security setting to “log out and clean all the data” after 10 incorrect inputs in a row.
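The delay-after-failures and wipe-after-10 behaviour described above can be kept in a small per-account guard. The Go code below is an added example, not the company’s code; the three free attempts, the 2-second doubling delay and the one-hour cap are constructed policy values, while the threshold of 10 is the setting quoted in the text.

```go
package main

import "time"

// Constructed policy values, not 42flows.tech's: the delay starts after the
// third consecutive failure and doubles each time, capped at one hour.
const (
	freeAttempts  = 3
	baseDelay     = 2 * time.Second
	maxDelay      = time.Hour
	wipeThreshold = 10 // the "10 incorrect inputs in a row" setting described above
)

// LoginGuard tracks consecutive failures per account (not per client IP), so spreading guesses across sources does not help.
type LoginGuard struct {
	wipeOnThreshold bool // the user-configurable "log out and clean all the data" option
	failures        map[string]int
	lockedTil       map[string]time.Time
}

func NewLoginGuard(wipe bool) *LoginGuard {
	return &LoginGuard{wipeOnThreshold: wipe, failures: map[string]int{}, lockedTil: map[string]time.Time{}}
}

// Allowed reports whether a login attempt may proceed now and, if not, how long to wait.
func (g *LoginGuard) Allowed(account string, now time.Time) (bool, time.Duration) {
	if until := g.lockedTil[account]; now.Before(until) {
		return false, until.Sub(now)
	}
	return true, 0
}

// Failure records a wrong password and returns true when the wipe policy should fire (all sessions out, local data cleared).
func (g *LoginGuard) Failure(account string, now time.Time) bool {
	g.failures[account]++
	if extra := g.failures[account] - freeAttempts; extra > 0 {
		d := baseDelay << (extra - 1) // 2s, 4s, 8s, ...
		if d > maxDelay || d <= 0 {   // d <= 0 catches shift overflow
			d = maxDelay
		}
		g.lockedTil[account] = now.Add(d)
	}
	return g.wipeOnThreshold && g.failures[account] >= wipeThreshold
}

// Success resets the counters, so a legitimate login clears the backoff.
func (g *LoginGuard) Success(account string) {
	delete(g.failures, account)
	delete(g.lockedTil, account)
}
```

The delay is enforced server-side, so a client that ignores the wait still gets its attempt refused by Allowed.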

Another protective measure is security-conscious error messaging: we don’t reveal details that would help attackers break into users’ accounts.

Conclusions: Banking Chatbot Security Lessons

Instead of a long chain of emails or phone calls, chatbots provide instant solutions, saving resources for both parties and allowing businesses to serve more customers simultaneously. Chatbots are a rather new technology, backed by strong and well-rounded security methods and technologies that take care of current and potential threats and vulnerabilities.

Developments in new technologies are always accompanied by security risks. Our company’s experience and expertise allow us to offer progressive and reliable solutions that fully ensure the confidentiality of clients’ personal and financial information.

It is important to note that to ensure security, at 42flows.tech we use data encryption and tokenization, firewalling, access control, MFA, security monitoring, and more. None of our projects has suffered a leak; we guarantee security to our customers.

We take security seriously. With proper threat modeling, secure development, vulnerability management, security testing, and a user interface designed to educate customers unobtrusively about online safety, chatbots are a safe and effective way to do business.

42flows.tech guarantees customers that confidential data is well-protected. You can trust us.

We use the encryption and data protection solutions of our partner Cossack Labs to ensure the security of our customers and their data.

42flows.tech is ready to build a secure chatbot for your business! Do you want to know more? Drop a line to the following email: success@42flows.tech

 

About 42flows.tech

42flows.tech is a progressive IT service company where people work with challenging and promising projects. Let’s revolutionize the fintech world together!

We are looking for talents, come join our team!

42flows.tech is proud of:

  • 24+ years of overall team expertise.
  • 90+ talented developers from 8+ cities in Europe and Asia.
  • 37+ launched projects.
  • 16+ successful internships.

We also have many other interesting articles to share. You are welcome to explore our blog.
