Timing is everything when it comes to investment and Reinventure is getting well ahead of the innovation curve with its recent funding of Kasada. According to Westpac’s venture capital arm the threats and the opportunities are clear. Not only is the financial services industry grappling with balancing the opposing forces of cybersecurity, innovation and digital transformation; it now faces Australia’s new data breach notification laws.
Data breach regulation catches up with the rest of the universe
Prior to this year, Australian companies were not required to report data breaches to anyone and they pretty much ignored the Privacy Commissioner’s polite suggestions to be good corporate citizens and ‘fess up their data breach sins. In one outrageous example, online deals website Catch of the Day took three years to advise its customers to update their passwords because the company had been breached.
Regulation has, however, caught up with real life and the rest of the developed world and the Privacy Act now mandates that government agencies, government contractors and companies with revenue greater than AU$3 million a year must notify customers if their information has been exposed to a data breach which may cause “serious harm.”
Ease of access to data vs. ease of hackability
While this measure is long overdue, it is also giving the financial services industry a headache. Australian financial institutions compete fiercely to attract new customers and better serve existing ones. In the process, they are driven to expose more sensitive processes and data to the internet. At the same time as data is being made more freely available, hackers are innovating and automating their attack processes to access accounts, extract data and monetize their efforts.
A favored attack vector for malicious automation is the online customer portal, a ubiquitous feature of all sectors of the financial services industry. With the increasing momentum of digital transformation, institutions are looking to provide a richer user experience by boosting the capabilities of these portals. However, the greater functionality is also leading to a change in the risk profile.
In many cases these portals have limited security enforcement in place. Institutions traditionally believed the risk profile was low because the functionality of the site sat behind a log-in page. As a result, security risk assessments relied on the effectiveness of the authentication process to keep attackers out; the security controls in place behind the log-in process were often limited or non-existent.
Enter account takeover attacks
Despite warnings, typical users reuse passwords. Account takeover attacks use usernames and passwords stolen from less secure websites to flood the online portal with log-in attempts; wherever a password has been reused, the attacker gains access to the account and the ability to extract its data.
As digital transformation gathers pace, the potential targets multiply. Increasingly, superannuation firms are creating transactional bank-like account functionality for retirees; a terrifying prospect which combines customers with low cyber-awareness levels and companies with less sophisticated security practices.
Accounting for takeovers
Kasada provides elegant and comprehensive web portal protection against account takeovers.
Automation – malicious or not – is an unexpected behaviour for authentication. Installing Kasada’s proof of work into the process enables proactive security control and prevents account lockouts, negative customer impact, and data theft.
Our sophisticated proof of work prevents attackers from gaining any advantage from a distributed botnet. We are effectively rate limiting an attack at the source. By leveraging the abundant resource of the attacker’s CPU, we change the economics of web application defence. In effect, we make it uneconomical to attack our customers.
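To illustrate the economics described above, here is an added example of a hashcash-style proof-of-work gate that a login endpoint could require before it processes credentials; it is not Kasada's Polyform code, which this post does not describe in detail. The server issues a signed, expiring challenge bound to the username, the client burns CPU to solve it, and the server verifies cheaply and rejects replays, so every automated attempt costs the attacker's own machine real work. The key, difficulty, challenge format and in-memory replay store are assumptions for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed values for this example; a deployment loads the key from a secret store.
SERVER_KEY = os.urandom(32)
DIFFICULTY_BITS = 18       # leading zero bits required: ~260k SHA-256 attempts per solve
CHALLENGE_TTL = 60         # seconds a challenge stays valid
_used_nonces = set()       # spent challenges; in production a shared store with expiry


def _challenge_bytes(ch):
    return f"{ch['username']}|{ch['nonce']}|{ch['expires']}".encode()


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge(username, now=None):
    """Server: bind a fresh nonce to the username and an expiry, and sign it."""
    now = time.time() if now is None else now
    ch = {"username": username, "nonce": secrets.token_hex(16), "expires": int(now) + CHALLENGE_TTL}
    ch["tag"] = hmac.new(SERVER_KEY, _challenge_bytes(ch), hashlib.sha256).hexdigest()
    return ch


def solve_challenge(ch):
    """Client: brute-force a counter until the hash has enough leading zero bits.
    This is the CPU cost every log-in attempt, human or bot, must pay per try."""
    prefix = _challenge_bytes(ch) + b"|"
    counter = 0
    while _leading_zero_bits(hashlib.sha256(prefix + str(counter).encode()).digest()) < DIFFICULTY_BITS:
        counter += 1
    return counter


def verify_solution(ch, counter, now=None):
    """Server: one HMAC and one hash, so checking is cheap where solving was not."""
    now = time.time() if now is None else now
    expected = hmac.new(SERVER_KEY, _challenge_bytes(ch), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ch["tag"]):
        return False                       # forged or tampered challenge
    if now > ch["expires"] or ch["nonce"] in _used_nonces:
        return False                       # stale or replayed: work cannot be stockpiled
    digest = hashlib.sha256(_challenge_bytes(ch) + b"|" + str(counter).encode()).digest()
    if _leading_zero_bits(digest) < DIFFICULTY_BITS:
        return False
    _used_nonces.add(ch["nonce"])          # spend the challenge
    return True
```

Raising DIFFICULTY_BITS by one doubles the attacker's per-attempt cost while the server's verification cost stays constant.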
Click here to see a demonstration of our exclusive Polyform technology in action.