Michiel Prins Oct 19, 2017

Strength in weakness: Why every bank needs a vulnerability disclosure program

Even with all the news surrounding epic data hacks—some affecting millions of users on a worldwide scale—the financial industry is missing a major opportunity to bolster the security of its services and keep hackers out of customer accounts and data. And to that end, banks and other financial institutions are slow to adopt an increasingly common best practice in the security world: vulnerability disclosure.

This continues despite the fact that banks remain—perhaps indefinitely—prime targets for attacks. Financial institutions have so much at stake. They also possess a unique capability to quantify the losses from a breach. For instance, they know exactly how much money they will lose due to 10,000 compromised accounts. If an Internet giant such as Google or Facebook were to get hacked, any monetary loss would be open to question or perhaps not much of a factor at all.

With bank accounts, real money is on the line. Thus the question: Why do financial institutions fail to get on board with vulnerability disclosure if they rank as prime attack candidates—and have so much to lose?

On other fronts, banks tend to be early adopters of security defense technologies, such as multi-factor authentication and fraud detection. They know continual investment keeps them ahead of the technology curve, particularly when it comes to cyberattacks, which gain in frequency and sophistication on a daily basis.

But unlike startup culture—which rewards experimentation and radical new approaches—the financial services industry is conservative by nature. It moves slowly. It’s time for banks to rethink their strategies, given the constant battle they face to keep attackers out of customer accounts.

Immunity illusions, bug bounty solutions

No company or industry is immune to software bugs and security problems. Just based on the amount of code in banks and the law of averages, software with security holes will pop up—even with the most carefully written code within financial institutions. And yes, hackers will find them because they constantly look. Banks need to make it easy for ethical hackers, the “white hats,” to report bugs they find in software so the institution can enact quick fixes before bad actors exploit them.

And so, this solution: Vulnerability disclosure programs make it easy for people who find bugs to report them. There is no downside.

Banks are also particularly well suited to provide “bug bounty” programs—a more advanced version of disclosure that involves payouts to hackers who uncover vulnerabilities—since they can price what they pay out to fit the exact cost of any given vulnerability. They depend less on market prices for bugs than other industries because they can easily correlate bugs to the potential loss of account information and money stolen: A quantifiable connection exists.

Yet bug bounty programs have not caught on among banks, despite broad adoption across the wider FinTech industry and even by the U.S. Department of Defense and USAA.

Financial services companies cautious about cybersecurity-related projects with outside contributors can easily test the vulnerability disclosure waters by starting with a limited program. This could mean creating a “security@” inbox so researchers who find bugs can contact the company to report them. Many companies don’t have an easy way for people to contact them about security issues. This is a big problem.

One financial services firm we work with decided to create a bug bounty program after a security researcher was forced to disclose a vulnerability to the company via its Facebook page. Unusual? Here’s why it happened: The researcher couldn’t contact anyone on the phone, email or Twitter, while finding that someone on the marketing team was responsive on Facebook.

Today, the company has a direct path for researchers to report security issues straight to the security team away from the glare, and potential scare, of using social media.

Parting shot: The two “onlys”

Companies also can begin with a private program where only specific trusted researchers are invited to disclose vulnerabilities—and only on one of the firm’s external surfaces, such as a mobile application. A private program is a low-risk proof of concept that can easily scale up to a large program as needed.

Compared to other industries, the stakes for financial services run even higher, yet the benefits are easier to calculate. Security teams need to ask themselves this: Is it more difficult for attackers to compromise their systems and customer accounts every year? If the answer is no, they must do something about that. Not might. Must.

Attackers ramp up their capabilities by the day, and it’s getting easier for them to worm their way into networks. Financial services companies need to take advantage of proven techniques to protect themselves, such as vulnerability disclosure programs.

Here there is good news: The commitment of extra resources is low, and the defense boost against attackers is high—and of high financial worth as well.


Michiel Prins is a co-founder at HackerOne, a hacker-powered security platform. As an information security expert, hacker and developer, he frequently writes and presents on vulnerability disclosure best practices, advocating for ethical hacking and security for web applications.
