Eliminate FinTech cybersecurity risks with APP and SWIFT CSP compliance

2022 / 07 / 12

As the pandemic has continued to envelop the world in recent years, it has accelerated digitalization and acted as a catalyst for FinTech (financial technology). This appears to be a double-edged sword, however: hacking attacks have become more frequent, making cybersecurity a hot topic in the financial industry.

Sean Yang, senior cybersecurity consultant in the Cybersecurity Compliance Department of Onward Security, who has extensive experience in financial cybersecurity audits, believes that FinTech cybersecurity issues such as cybersecurity law compliance, financial APP security testing, and SWIFT CSP compliance assessment all deserve attention.

OWASP Checklist L2 is listed as a necessary test item for mobile APP cybersecurity

Sean Yang said that in the early years the Internet was underdeveloped and the financial operating environment ran on closed networks, so the security risk was relatively minor. In today's financial transactions, by contrast, the only parts that banks can control are their own back-end databases and transaction systems; the front end has been replaced by smartphone APPs. The competent authority is aware of the security concerns and requires all financial institutions to submit their APPs to a third-party qualified laboratory for testing to ensure their security. Qualified laboratories conduct security inspections based on the cybersecurity testing benchmarks for mobile APPs.

It is worth mentioning that the latest version of the "Standards for Mobile Device Applications Operation of Financial Institutions" issued by Taiwan's competent authority focuses on amendments to Article 9. The amendments require that APPs provided by financial institutions to customers undergo basic testing every year, and that source code scanning or black-box testing be performed on the related applications and servers. In addition, a new requirement to comply with the "OWASP Mobile APP Security Checklist L2" has been added.

Checklist L2 contains 8 major categories and differs from the earlier focus on the security of the mobile APP itself: its first item requires that architecture, design and threat modeling analysis be carried out during the development process. The requirements for mobile APP security are also more stringent.

The consultant said that when financial institutions submit test data to the laboratory, the responsible personnel are often at a loss about what to provide, because they are not familiar with the content of "architecture, design and threat modeling analysis". In view of this, Onward Security not only provides testing services but also conducts Threat Modeling analysis and training through its consultant team to help customers clarify related doubts. A secure application development process conducts a system analysis to clarify the security requirements before programming an APP, and then develops it according to the detailed specifications. If this security analysis is omitted, it is difficult to comply with MSTG-ARCH-6 ("A threat model for the mobile app and the associated remote services has been produced that identifies potential threats and countermeasures").

In fact, Threat Modeling is similar to the Data Flow Diagram (DFD) of traditional structured analysis. The only difference is the addition of a "security perimeter": the boundary between what the organization controls and what it does not. Wherever a data flow crosses the security perimeter, every possible risk on that flow needs to be analyzed, so that all risks associated with the APP receive close attention.
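To make the security-perimeter idea concrete, the following added example (not code from the article or from Onward Security) models a small constructed DFD for a banking APP, marks the bank's back end as the only controllable zone, and lists exactly the flows that cross the perimeter together with the questions a MSTG-ARCH-6 threat model must answer for each. The zone names, elements and review questions are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed example: a DFD annotated with a security perimeter, i.e. the line
# between what the bank controls and what it does not, as the article describes.
CONTROLLED_ZONES = {"bank_backend"}   # assumption: only the bank's own systems are controllable


@dataclass(frozen=True)
class Element:
    name: str
    zone: str                          # trust zone, e.g. "customer_device", "bank_backend"


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str


def crosses_perimeter(flow: Flow, controlled=frozenset(CONTROLLED_ZONES)) -> bool:
    """True when exactly one endpoint of the flow sits inside a controlled zone."""
    return (flow.src.zone in controlled) != (flow.dst.zone in controlled)


def analyze(flows):
    """Return one analysis item per perimeter-crossing flow: its direction relative
    to the bank and the questions the threat model must answer for it."""
    items = []
    for f in flows:
        if not crosses_perimeter(f):
            continue                   # internal or fully external flow: not a crossing
        inbound = f.dst.zone in CONTROLLED_ZONES
        questions = (["Is the sender authenticated?", "Is the input validated before use?"]
                     if inbound else
                     ["Is the data protected in transit?", "Can the receiver be trusted with it?"])
        items.append({"flow": f"{f.src.name}->{f.dst.name}", "data": f.data,
                      "direction": "inbound" if inbound else "outbound",
                      "questions": questions})
    return items


# Constructed sample model of a banking APP and its remote services
app = Element("mobile_app", "customer_device")
api = Element("api_gateway", "bank_backend")
db = Element("core_db", "bank_backend")
sms = Element("sms_provider", "third_party")

FLOWS = [
    Flow(app, api, "login credentials"),     # crosses: customer device -> bank
    Flow(api, db, "account query"),          # stays inside the perimeter
    Flow(api, sms, "one-time password"),     # crosses: bank -> third party
    Flow(sms, app, "one-time password"),     # both ends outside the bank's control
]

if __name__ == "__main__":
    for item in analyze(FLOWS):
        print(item)
```

Note that the last flow is not a perimeter crossing even though it carries sensitive data: both ends are outside the bank's control, which is itself a finding the architecture review should record.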

Some tools on the market scan mobile APPs according to the OWASP Mobile Top 10, but the contents of the OWASP Mobile Top 10 and Checklist L2 are different. To ensure the rigor of the testing procedure, the regulations stipulate that the APP must be tested by a qualified laboratory, which issues a qualified test report as the basis for compliance. This does not mean that these tools are useless, however: financial institutions can still use them for internal self-testing.

Five steps to complete a SWIFT CSP compliance assessment

SWIFT's Customer Security Programme (CSP) is a specification that is updated every year, and many financial institutions do not know how to meet its compliance requirements.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is an international financial association. Its system provides mutual authentication between banks for foreign exchange transactions, credit risk management, credit limit control and other mechanisms. After its membership conditions changed, enterprises and organizations with a large volume of cross-border transactions were allowed to join, facilitating foreign exchange transactions between members. However, this move also unexpectedly gave rise to a fraudulent transaction that caused a global sensation in 2016, made possible by system security vulnerabilities.

In 2016, the year of the incident, SWIFT immediately announced security guidelines, the CSP security framework, to improve transaction security. Initially SWIFT allowed members to conduct CSP security assessments themselves, but from 2021 onward the assessments must be performed by independent third parties. In other words, because a self-assessment would struggle to gain the trust of transaction counterparties, SWIFT members need a third party to assess their compliance with the Customer Security Controls Framework (CSCF).

Every July, SWIFT publishes a new version of the CSCF document for the coming year. Summing up the CSCF from 2020 to 2022, its mandatory items have gradually increased from 21 to 22 to 23, and its requirements have begun to differentiate between information system architectures. Therefore, even though the number of items has only increased slightly, the content has become more stringent.

The consultant concluded that a SWIFT CSP compliance assessment can be completed in the following five steps. The first step is to confirm the scope of security control. The second step is to confirm the applicable version of the CSCF: SWIFT does not mandate adoption of the latest version, so although the 2023 version was announced in July this year, the 2022 or even the 2021 version is still accepted. The third step is to perform the SWIFT CSP security assessment, in which the independent third-party evaluator adopts the SWIFT-based checklist and fills in its items one by one. After the detailed assessment is completed, the fourth step is to submit the CSCF Assessment Completion Letter to SWIFT. The final step is to organize the security assessment reports and fill out the KYC-SA questionnaire. After that, the assessment is complete and the case is closed.

With the frequent hacking incidents at listed companies in recent years, most companies are under pressure. Enterprises are eager to take stock of their security vulnerabilities effectively and to grasp defense trends and cybersecurity strategies as early as possible, so as to improve the security of financial transactions. In this regard, Onward Security's qualified laboratories, which hold multiple certifications, can assist enterprises with security testing of key businesses such as FinTech APPs and SWIFT CSP. If necessary, we also provide consulting services to clarify the implications of the various testing standards. We can help enterprises obtain domestic and foreign certificates while optimizing the security of their financial transaction systems.