The future of Financial Technology (fintech) in Germany is not only about offering services: FinTech and mobile banking institutes should invest in security.
Based on my analysis and understanding of the status of financial technology (“FinTech”) in Germany, I conclude that the zeal to embrace this innovation is high, but that the technology and IT strategies being adopted are still not sufficiently advanced. For the most part, neither FinTech start-ups nor large banks understand how the on going digital actually works.
Gone are the days when customers would visit their bank to do a transaction or to get advice. Today, all such efforts are easily done on the web. However, the scalability of this technology is still uncertain. As I see it, the need for the FinTech organizations to enhance their digitalization boils down to creating and maintaining trust with their customers.
Sadly, most FinTech start-ups in Germany neglect security, and focus instead on convenience. The latter does not always add value, as there is a large gap between needs and wants in the concept of demand in economics.
In one of my writings, I emphasized the need for FinTech innovators to see value added not just in convenience, but also in trust that customers have lost with their private bankers. As they lose this trust, customers will seek other businesses who can give it.
Over the past few years, the mass media have spoken about the security of data transactions, while at the same time reporting about malicious hacking into that data – mixed messages that have reduced customers’ trust in technology. In one of my articles, I proposed that efforts to improve trust between FinTech organizations and customers should not be focused solely on data confidentiality, integrity and availability; as there are other factors that need to be considered — I will refer on these factors in my next article.
Sadly, most FinTech organizations neglect trust, and instead view their technology as a means of making a fortune without making customer data a high priority. Digitizing data is not just putting products together and selling them via Apple or Google. In my view, the design of most products sold today lacks appropriate notations, and neglects object-oriented principles.
In this article, I first focus on the issues of accessibility and security; then, on client-side and server-side technology. I also focus on the democratic and revolutionary nature of FinTech applications. Finally, I make some recommendations.
Web-technology is all about communication between two computers, where one is the client-side technology (web browser or mobile phone), a functional logic [second tier], and the server-side technology. This is called 3 Tier Architecture. Communication between the client-side and server-side technology respectively is done through the Uniform Resource Locator (“URL,” also called a Uniform Resource Identifier).
The URL specifies the technology to be used (HTTP, FTP, TELNET, etc) when the client-side makes a request. This is done through a web-service — i.e, web browser software (Web-API) — on the client-server [first tier], that sends a request to the web-server (fat client) through a functional logic [second tier]. The web-server interprets the client’s request in ASCII format, and sends the request to the server [third tier] through a web service – using internet communication protocols like HTTP and TCP/IP. The server-side responds to the interpreter, which then compiles & interprets the results to the client-side web browser in MIME format.
This is how the World-Wide-Web, (“WWW”) works. A common WWW structure includes presentation services (HTML or Java-script), functional logic (a programming language like Java) and data management or data warehouse (such as a MYSQL). The client-side script might also play a role by using a test (such as CAPTCHA) that only humans can pass, thus validating data before it is sent to the server. This speeds up the process, by taking some workload from the server-side.
At other times, when things get complex, the business logic is broken down into pieces: the functional logic will need to make the request to several servers by calling the “list clients ()” function, instead of a direct SQL database query. This is called N-Tier Architecture, and it enhances flexibility across layers.
Today, hybrid apps are web interfaces that are accessible on the client-side, by which clients interact with the web-server to transmit and organize their data. Almost all organizations rely on a web-based approach to acquire the information they need, as the web has, since 1999, become almost universal. By 2006, semantic technology was being touted as a new way to organize web data, while others were saying this will remain a dream due to the difficulties in creating & maintaining the structure, as well as in measuring its effectiveness.
This article notes that FinTech innovators should give priority to customers’ data at the start of programming; and continue to do so in the data collection, data transmission, storage, and processing of that data.
Today, customer data is now kept at a warehouse (Server-Side-Technology) for later use. A data warehouse could be viewed as a knowledge memory or a Web-server, where data is kept for future access by the client server. The question that must be addressed is the security measures used by these innovators to prevent data leakage.
My research shows that many of these innovators collect raw data using SSL protocols in the belief that the data is secured. However, SSL is not a secure channel if further threats are not addressed. 99,999% of banks in Germany transfer unencrypted data to these FinTech API innovators over the internet. The unencrypted data is then transferred to these FinTech start-ups also over the internet. It is also known that, unencrypted data sent over the internet can be intercepted by hackers.
Furthermore, most of these FinTech innovators use a single key to encrypt all customers data while others do not even encrypt this data. Others use deprecated algorithms like the MD5 and SHA1 to encrypt this data. Subsequently, others encrypt the database where this data is kept while the data itself is not encrypted. Most of these firms also use bad algorithms that brings about coalitions.
In the aspect of Hashing data, fast hash are vulnerable and moreover hash coalition could also bring about data manipulation. I also do advise organizations not to use SHA for passwords but only for verifying data transmissions. A common mistake done by many FinTech and well established organizations as said earlier is the usage of MD5 or 128 bit key encryption and even with timestamps. For the 128 bit scenario, we have “2” raise to the power “64” (264) to forge a valid ciphertext if it is not validated. There is no question, that, 128 bit key is not vulnerable as well as MD5. Even SHA 256 needs more attention.
Many FinTech apps come with bugs that make them unusable. It is thus essential that FinTech organizations implement technologies that will not only create a positive impression on customers, but also increase trust — thus enhancing the adoption of FinTech.
The future of financial technology in Germany is not only about offering services: FinTech and mobile banking institutes should invest in security. Penetration testing should be done frequently, and any vulnerability found must be addressed at a high level. CEOs should understand that security is not a product but a process. There is never an end product in security, and CEOs should not demand an end result from security officers.
Associate: University of Derby, University of Koblenz