What Happens When Your Fintech Provider Gets Hacked?

March 23, 2020 CyberCecurity Leave a comment

Fintech is a term, that refers, loosely, to all of those companies that want to “help” you manage your financial data in the cloud and are not banks. Examples are Mint, Chime, Credit Karma, Coinbase, Kabbage and hundreds of others. Fintech can also include service providers to banks.

Here is the problem.

Fintechs are not banks. Banks are regulated. For the most part, fintechs are not regulated.

Okay, so why am I talking about this? Today?

Finastra provides a wide range of tech solutions to the banking industry and apparently operates as an online service provider.

On Friday they announced that they were shutting down key systems but did not say why.

Finastra is not a startup. They have 10,000 employees and 9,000 customers in 130 countries, including nearly all of the top 50 banks globally.

So you would think their security is pretty good.

Just not good enough.

Initially they said that they saw “anomalous activity” so they shut down systems to protect themselves.

That was a couple of days ago. Today they said it was ransomware.

So what does all this mean?

Well, a couple of things. People are using more fintech technology. Mobile apps. Data aggregators. Many other things.

These apps and web sites have your financial data.

Maybe they have decent security. Maybe not. For the most part, they are not regulated.

The ones that are under contract with your local bank, like Finestra, are likely better than many because banks like Chase and Wells and other top 50 banks know that it is THEIR reputation that is going to take a hit if one of their vendors gets hacked. I know; I was one of those vendors and they take the problem very seriously.

Finestra has been less than forthcoming with what is going on. Many ransomware variants steal data in addition to encrypting it. Was this one of those? We don’t know.

In this case, their disaster recovery strategy apparently worked out reasonably well because they have already started bringing systems back up. Likely, as a $2 billion company they probably have “cold sites” – data centers with hardware in them but powered off, just for situations like this. These data centers are off line in addition to being powered off. As a result, they are virtually impossible to infect with ransomware – at least until they are brought online.

Obviously, for your bank, this is very important. For your bank, it is both inconvenient and embarrassing to tell a client who walks into a branch or logs on online “gee, our systems are down; come back another day”.

Moving back to consumer grade fintech, the problem is, if they are hacked, for example, is the security of your bank account compromised? Could a hacker empty your bank account?

If a hacker breaks into your bank and steals your money, almost always, as a consumer, federal law forces the bank to eat the loss. Even if the bank fails and goes out of business, consumer deposits of up to $250,000 per consumer are guaranteed by one of many parts of the federal government.

Under this scenario, the law requires the bank to give you back your money now and figure out what happened later.

This is not the case with fintechs. You could be arguing for a while. Worst case, you might have to sue them. You might not win in court. It could take years to sort out.

We have already seen this with some of the cryptocurrency exchanges that have been hacked. They don’t have the money or the insurance to make their clients whole. They file for bankruptcy and you are just another unsecured creditor.

All this does not mean that you should not use financial technology and keep your money in your mattress.

It does mean, however, that you should be smart. Understand the risk. Protect yourself. Become knowledgeable about the solutions you choose to use.

BECAUSE THE LAW IS WAY BEHIND – AND I MEAN WAY BEHIND – ON THIS.

Just sayin’.

Source: Brian Krebs