• Ghazi Ben Amor, VP - Corporate Development at Zama


• 09.05.2024 11:45 am
#creditcard #security

It’s no secret that the credit card approval process is complex. But because it involves several entities accessing highly sensitive data - the applicant, the bank, credit bureaus and credit scoring agencies - it’s also vulnerable, open to identity theft and financial fraud.

In fact, financial institutions are the ideal choice for cybercriminals. Not only do they possess the two most sought after things - incredibly valuable data and money - but as they continue to embrace digital changes, cyber attackers find more ways to exploit vulnerabilities and steal that data. That’s why the financial sector is one of the top targets for cybercriminals, second only to manufacturing.

In order to provide credit cards, banks need to access sensitive information about applicants’ employment, spending, debts and other personal details, in order to assess their creditworthiness; information they’ll often turn to credit bureaus and credit scoring agencies to find. 

Despite the fact that this data is highly attractive to criminals, and this process creates multiple points for it to be compromised, customers have no choice but to trust financial organisations with their data and hope that they maintain the highest standards in data protection.

Unfortunately, sometimes standards slip. Take Equifax’s recent role in one of history’s largest cyber security breaches to date. The FCA ended up fining the credit bureau firm £11 million because they failed to manage and monitor the security of UK consumer data they’d outsourced to their US-based parent company

The incident was a stark reminder that our data ecosystem is not water-tight, the system is not without its flaws and cyber criminals will continue to take advantage - until innovation can step in, that is.

Innovation helping address some of the privacy challenges the industry faces

While the Equifax incident happened only last October, Privacy Enhancing Technologies (PET) are still evolving as I type. Some are already being utilised to minimise the risk of data breaches, while others hold immense promise in terms of securing sensitive data and protecting customer privacy:

Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS): one of the most common encryption methods currently used in the credit card approval process, SSL/TLS significantly reduces the risk of data breaches. It works by encrypting the communication between an applicant’s device and the financial institution’s server, so that data exchanged during the application process is protected from interception by unauthorised parties. However, while it guarantees the transfer of private data to the bank’s servers, once it is there, it is at risk. For example, insiders ( bank advisors, risk team, data analysts and IT admins) all have access to sensitive data and may abuse their privileges to steal sensitive data or undermine security measures, leading to potential data breaches. Vulnerabilities in the financial institution’s server or web application could also expose sensitive data that attackers could exploit to gain unauthorised access to the server or execute arbitrary code.

Fully Homomorphic Encryption (FHE): FHE has made significant advancements in recent years, but is still considered to be in its early stages of being fully realised. Seen as an ideal solution for a situation involving multiple parties - such as the credit card approval process -  it allows data to be encrypted and processed without ever needing to decrypt it. This means that sensitive data can be shared and analysed without exposing the actual information to any of the parties or the server processing it. In the context of credit scoring processes, because data from various sources can be combined and analysed to make a more informed decision, this would enable a more thorough and accurate assessment of a person’s creditworthiness.

Each party’s data remains confidential with FHE, addressing several of the threats facing SSL/TLS encryption methods mentioned above. In the case of server-side vulnerabilities, for example, even if attackers gain access to the server or exploit vulnerabilities in the server-side software, they cannot access the decrypted data, nor can those looking to attack from the inside. As a result, the risk of data leaks or breaches is significantly minimised.

Challenges to overcome 

FHE offers a sophisticated and promising solution to the delicate balance between data utility and confidentiality, but the technology still faces hurdles around efficiency and practicality.

However, recent years have seen significant advancements around the practical application of FHE, making it accessible to developers without a deep background in cryptography for the first time.

Current and ongoing research and development efforts are also focused on enhancing the performance and usability of FHE solutions. Once these challenges are solved, FHE will open up for a number of applications grappling with major privacy concerns - one of which we hope will be the credit card application process in the not-too-distant future.