30 apps, 29 hacks and one surprised Money20/20 audience
At this year's Money20/20 USA, ethical hacker Alissa Knight revealed her latest research work.
"Generally, the reaction has kind of been 'you have to be kidding me, this is crazy'," she told us, after we managed to grab some time with her towards the end of the event. In fairness to Knight, it's a perfectly reasonable reaction.
A day earlier, she had unveiled the results of a research project into the security of financial services apps. Specifically, that she had hacked 29 of 30 apps chosen from some of the biggest players in banking, stock trading, digital currency wallets and insurance. Each of them in less than eight minutes.
"It's a real problem," she told us, "and, basically, I'm the one that gets paid to be the bearer of bad news, which feels pretty cool."
"Are you guys all sitting down?"
Meeting people like Knight is rare. It's also eye-opening. She started hacking at the age of 13, and her life (so far) includes working for the US intelligence community in cyber warfare, being a serial entrepreneur, spending time in Germany hacking into, and taking control of, connected vehicles, and hacking into a bank's internal network through the CCTV cameras in its parking lot.
At Money20/20 she largely focused on her app research and its wider implications for cyber security. Following her opening gambit - "are you guys all sitting down? I don't think any of you are doing anything correctly" - she proceeded to outline the key findings.
She also explained that, as well as major banks, she looked at a number of fintech apps, noting: "I actually thought that the smaller companies would have the most vulnerabilities, but it was the complete opposite. The cryptocurrency wallets in smaller companies have more secure code than their larger counterparts. It's the weirdest thing - the bigger banks, the bigger institutions have the worst, most horrible apps."
Knight explained to us the roots of the problem, including "too much outsourcing, but very little checking", and the shift in direction to an API-first world. "They're securing them with web application firewalls or API gateways, and that's wrong [...] We need to be looking at APIs differently."
As part of a new project - details of which will be featured in the next edition of FinTech magazine - Knight is doing just that. She has, in short, created a fake bank with internet-facing APIs and a fake website, all with the idea of better understanding the threat posed by hackers. "It's based off the idea of Sun Tzu's Art of War: if you're going to defeat your enemy, you need to understand your enemy," she said.
Read the full interview with Knight in the next edition of FinTech magazine