As concerns about cybersecurity increase, security becomes a key factor in whether we trust any company with our data, and never more so than with a bank. We would all like to be able to trust our financial service providers to have a robust system to protect our data. We take a look at the basics of ‘data breaches’, what’s happening in this area, and Xinja’s approach to data security.
Will we tell you everything? We could, but we’d have to kill you 😉
What is a “Data Breach”?
A data breach, as Forbes tells us, is an instance of unauthorised access to sensitive customer data, such as passwords, credit card numbers, banking information, driver’s licence numbers, medical records, etc.
Criminal hacking – whilst the most eye-catching – is just one example. There are many kinds of data breaches, and they are not all malicious: an employee taking paperwork home without noticing that it contained some customer data, or sending a document to the wrong email address, counts too. As we move to the darker side, ‘phishing’ and social engineering (e.g. working out the birthdates of children from social profiles and trying these in passwords…) are common, before you get to the installation of malware and full-on hacking. So data breaches come in different sizes and flavours.
How do data breaches affect me?
There are two main categories we as consumers need to think about, although they are interconnected and overlap. One is identity theft (when someone gets hold of our ‘personally identifiable information’, or PII) and the other is the theft of our financial data (typically a credit card number that can be sold on the dark web and used up until the point we realise and put a block on it). Of course, someone can use your PII to get access to your money, by impersonating you to a bank (that’s obviously why you’re always being asked the name of your first pet, etc.) or to set up financial accounts in your name for nefarious purposes.
What’s happening with banks and data breaches in Australia?
A glance at domestic cybersecurity incidents in the past few months shows that many banks, including the big four, had incidents in which customer details were exposed, either as a result of system vulnerability or human error.
In many cases these involved PayID, part of the New Payments Platform that was introduced in 2018 and is still being rolled out. It allows us to send real-time payments between financial institutions using information that’s unique to a customer, such as a phone number or email address, in lieu of the more cumbersome BSB and account numbers. “User enumeration” is a common technique used by cybercriminals against a bank’s PayID service: the attackers feed randomly generated mobile numbers into the system to confirm the name of the corresponding number holder.
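From the defender’s side, the tell-tale sign of the enumeration described above is a single source looking up an unusually large number of distinct identifiers in a short time, most of which come back as not registered. The following is an added example (not Xinja’s or any bank’s code) that runs that check over a constructed lookup log; the log format, field names, source addresses and thresholds are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lookup log (hypothetical format, not real PayID or bank logs).
# Each line records the time, the requesting source, the identifier looked up,
# and whether a holder name was returned.
_NORMAL = [
    "2019-06-01T10:00:00 src=10.0.0.5 payid=+61400000001 result=found",
    "2019-06-01T10:03:10 src=10.0.0.5 payid=+61400000002 result=not_found",
    "2019-06-01T10:04:00 src=10.0.0.5 payid=+61400000001 result=found",
]
# One source walking through 25 sequential numbers within 25 seconds; only one in five exists.
_BULK = [
    f"2019-06-01T10:01:{i:02d} src=203.0.113.7 payid=+614000{i:05d} "
    f"result={'found' if i % 5 == 0 else 'not_found'}"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(_NORMAL + _BULK)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) payid=(?P<payid>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "payid": m["payid"],
        "result": m["result"],
    }


def detect_enumeration(log_text, window=timedelta(minutes=5),
                       max_distinct=10, min_miss_ratio=0.5):
    """Return {source: stats} for every source that, within any sliding `window`,
    looked up more than `max_distinct` distinct identifiers with a share of
    not_found responses of at least `min_miss_ratio`. Thresholds are assumed values
    for the illustration; a real deployment would tune them to its own traffic."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # per-source sliding window of (ts, payid, result)
    flagged = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["payid"], ev["result"]))
        # Drop lookups that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p, _ in q}
        misses = sum(1 for _, _, r in q if r == "not_found")
        miss_ratio = misses / len(q)
        if len(distinct) > max_distinct and miss_ratio >= min_miss_ratio:
            flagged[ev["src"]] = {
                "distinct_ids": len(distinct),
                "lookups": len(q),
                "miss_ratio": round(miss_ratio, 2),
                "last_seen": ev["ts"].isoformat(),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_enumeration(SAMPLE_LOG).items():
        print(src, stats)
```

The legitimate user who looks up the same two contacts is never flagged, while the bulk source trips the rule once its distinct-identifier count passes the threshold; the stats stored for it keep updating as more lookups arrive, so the final entry reflects the whole burst. Combining the distinct count with the not-found ratio is what separates enumeration from a busy but honest client.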
In June 2019, a PayID attack was perpetrated against Westpac putting almost 100,000 Australians’ private details at risk of exposure, although “no customer financial information was compromised”, as the bank claimed. It’s important to note that not all attempted data breaches are successful and they do not all result in harm.
But it’s not all PayID. In July 2019, NAB disclosed a breach involving 13,000 customers’ driver’s licences as a result of human error, where customer details were uploaded to the servers of two data service companies without authorisation. The security team managed to have the leaked information removed within 2 hours of the incident. Whilst 2 hours may or may not be fast enough to secure some or any of the data, where prevention fails, mitigation actions taken after a breach are critically important.
Data breaches overseas
Also in July 2019, an outsider gained unauthorised access to Capital One (US) credit card customers’ information. Although no account numbers or login details were compromised, it has been estimated that this cyber incident affected 100 million individuals in the U.S. and 6 million in Canada. Luckily, the information has not been used for fraud, nor has it been shared by the individual responsible. Capital One notified affected customers and took immediate action to protect those impacted.
Whilst the Monzo cyber incident was not malicious and was internal, and customers would only have come to harm if one or more of a small number of Monzo employees had chosen to behave maliciously, it was a good example of taking every data breach seriously and being transparent with customers about what had occurred. Every data breach has the potential to result in serious problems.
Xinja’s approach to cybersecurity
With all the new technology that has empowered today’s growing fintech sector, the cybersecurity threat is still one of the most significant problems that neobanks must properly address. Rising cybersecurity concern poses both a challenge and an opportunity for neobanks worldwide. How strong is Xinja on security?
We spoke to Jean-Baptiste Bres, the Chief Information Security Officer (CISO) at Xinja, to get more insights on data security, what Xinja does to protect customers, and how we help them cultivate cybersecurity awareness.
JB pointed out that it’s about being ready for the fact that nowhere in this world is fully secure.
“Can we fully eliminate risks? No. But our primary job in information security is to radically mitigate them.”
– Jean-Baptiste Bres, Xinja Chief Information Security Officer
And the good news is, Xinja is ready.
At Xinja, we look at everything through a modern lens and make sure that the best available technology is being implemented. Because we are new, we have been able to build in security from day one, as opposed to bolting it on (literally) afterwards.
As JB says, we embed “security” in everything we design.
“All our different systems and capabilities needed to work independently, and we make sure that every input we get is secure.”
Zero trust architecture
A key aspect of our security strategy is Security by Design, with an emphasis on Zero Trust Architecture (ZTA). Built upon the Zero Trust principle of “never trust, always verify”, Xinja’s security systems are designed as if they don’t trust each other – if the security of one part of the system is compromised, the compromise won’t move to the next layer – so that there is no potential for cross-contamination when data breaches occur.
Apart from the resilient security backbone built into our system design, Xinja is working progressively to deploy new technologies to increase our security levels. These include machine learning and data correlation, which are key enablers of breach prevention, detection and response. JB went on to highlight that at Xinja we follow the U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST framework), a set of guidelines and best practices that prepare companies to identify, detect and respond to cyber attacks, so not only are we able to detect anomalies, or anything that falls significantly outside the ordinary, as early as possible, we also have recovery solutions to get us back on our feet when incidents do happen.
In addition to standard security technologies such as multi-factor authentication (MFA) and biometrics (e.g. facial recognition, fingerprints, behavioural pattern recognition, etc.), we are also planning to implement Dynamic Geographical Checks, a technology that recognises suspicious “impossible travels” and “impossible transactions” across geographical areas, to help ensure customer data safety. For instance, if your Xinja App indicates that you are currently in Sydney (assuming the location of your mobile phone is where you are) but your latest non-e-commerce transaction suggests otherwise (e.g. somewhere in Europe), then Xinja will notify you ASAP.
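The check behind an “impossible travel” alert is simple arithmetic: take the distance between where the phone was last seen and where a card-present transaction happened, divide by the time between the two events, and ask whether a human could have covered that distance that fast. The following is an added example of that logic (not Xinja’s own code); the city coordinates, the 1,000 km/h threshold, the event format and the transactions are all constructed for the illustration. As the text notes, e-commerce transactions are left out because a merchant’s location says nothing about where the customer is.

```python
import math
from datetime import datetime

# Approximate coordinates used only for the constructed events (not a real geolocation service).
CITIES = {
    "Sydney": (-33.87, 151.21),
    "Melbourne": (-37.81, 144.96),
    "Paris": (48.86, 2.35),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    earth_radius_km = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


def check_travel(app_event, txn, max_speed_kmh=1000.0):
    """Compare the phone's last known position with one transaction's location.

    Returns a dict with the implied travel speed and whether it exceeds
    `max_speed_kmh` (an assumed threshold, roughly airliner speed).
    Card-not-present (e-commerce) transactions are skipped, matching the
    "non-e-commerce" qualifier in the text.
    """
    if txn["channel"] == "ecommerce":
        return {"txn_id": txn["id"], "flagged": False, "reason": "card-not-present, skipped"}
    distance = haversine_km(app_event["loc"], txn["loc"])
    hours = abs((txn["ts"] - app_event["ts"]).total_seconds()) / 3600.0
    # Same instant, different place: treat as infinitely fast instead of dividing by zero.
    if hours == 0:
        speed = math.inf if distance > 0 else 0.0
    else:
        speed = distance / hours
    return {
        "txn_id": txn["id"],
        "flagged": speed > max_speed_kmh,
        "distance_km": round(distance, 1),
        "speed_kmh": round(speed, 1),
    }


def flagged_transactions(app_event, txns, max_speed_kmh=1000.0):
    """IDs of the transactions that imply impossible travel from the app's position."""
    results = (check_travel(app_event, t, max_speed_kmh) for t in txns)
    return [r["txn_id"] for r in results if r["flagged"]]


# Constructed scenario: the app last saw the phone in Sydney at 09:00.
APP_EVENT = {"ts": datetime(2019, 7, 1, 9, 0), "loc": CITIES["Sydney"]}
TXNS = [
    # Card-present in Paris one hour later: ~17,000 km in 1 h, impossible.
    {"id": "t1", "ts": datetime(2019, 7, 1, 10, 0), "loc": CITIES["Paris"], "channel": "card_present"},
    # Online purchase from a Paris merchant: location is the merchant's, so it is skipped.
    {"id": "t2", "ts": datetime(2019, 7, 1, 10, 5), "loc": CITIES["Paris"], "channel": "ecommerce"},
    # Card-present in Melbourne two hours later: ~700 km in 2 h, a plausible flight.
    {"id": "t3", "ts": datetime(2019, 7, 1, 11, 0), "loc": CITIES["Melbourne"], "channel": "card_present"},
]

if __name__ == "__main__":
    for t in TXNS:
        print(check_travel(APP_EVENT, t))
    print("flagged:", flagged_transactions(APP_EVENT, TXNS))
```

Only the Paris card-present transaction is flagged: the Melbourne one implies a few hundred km/h, which a domestic flight explains, and the online purchase is never compared at all. In practice the threshold and the choice of “last known position” (phone GPS, last login IP, previous card-present transaction) are where most of the tuning happens.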
Xinja Data Security 101
People, processes and technology – this is how security is conceived at Xinja. “People” come first, because their understanding about security, and equally importantly what a breach means to them, is ultimately what determines how much effort they put into keeping themselves safe online.
Believe it or not, lots of data breaches are happening all the time. We almost have to be comfortable with the idea that breaches are inevitable. Scary as this may sound, there are ways to level up your security, and all that we ask of you is to be more mindful about how you use and give away your information.
Ask yourself the following questions:
Am I using the same password for everything?
“If you use the same password for Google, Facebook, and Tinder, and if one of them gets compromised, you can fairly safely assume that others will be, too,” says JB.
Am I using strong passwords?
“Also, having strong passwords always helps,” JB said. 1Password and LastPass are handy tools you can use to securely manage the passwords on your devices.
Am I giving away too much?
If the answer is “No”, think again.
Here’s a simple rule – DON’T give away information that you think an App or website doesn’t need. For example, if they are asking for your location and date of birth, and you don’t think they need this information to provide you with the service, DON’T GIVE IT AWAY. If there is no value for you in telling the service provider what music you like or the name of your dog, DON’T TELL THEM.
Has my data already been compromised?
You can also quickly check whether your data has been breached in the last 10 years on “Have I Been Pwned”, so that you can take the necessary action.
Data Security vs. Ease
At Xinja, we will do as much as we can to make sure that your information is secure. It is important to us that you understand how your privacy is being respected and protected, so that you can actually feel safe banking with us. However, the reality about cybersecurity is that great security solutions can sometimes make for a not-so-great user experience.
When asked “Do You Worry About Your Data?” on the Xinja Community Forum, a Xinja customer answered, “I am not a fan of 2FA (2-factor authentication) for banking, I always think it’s going to be helpful but usually it just gets in the way.”
Levels of concern about security differ. Our job is to bring in the right level of security, and ensure customers understand that, whilst it can be irritating, it is essential.
Ultimately, we hope to give customers the option to define the level of security they are ready to accept, with one condition attached: we have to make sure that customers understand what these options mean to them.
“This means that we need to be very strong in education. If we want to protect everyone, we have to educate them on what the trade-offs are for each option they choose.”
So what does the future of information security look like?
JB envisages that in the next 5 to 10 years, the Australian government will put in place more regulations to ensure companies take security and privacy seriously. In Europe, for example, new legislation requires that 1 in every 5 contactless payments be declined and that PINs will be requested at the Point of Sale (POS) – shades of things to come as we pay the price for ‘frictionless’? Australia is likely to have to go through the same process in the near future. At Xinja, we are trying to stay ahead of the game by putting reliable data protection measures in place from day 1, and being ready to adapt as the landscape evolves. And we will be as transparent as we can be about those measures. Will we tell you everything? We could, but we’d have to kill you 😉