With the rise in online purchases, it is more important than ever to adopt sophisticated payment security solutions.
Unfortunately, many e-commerce businesses are reluctant to invest in cybersecurity. As a result, malicious actors actively target companies with weak cybersecurity postures to gain financial benefits.
We’ve reached out to Eimy Veronica Rodriguez, a Cybersecurity Engineer at Htech, to talk about the most common cybersecurity mistakes that companies make and how to effectively protect your credentials online.
Tell us more about the story of Htech. How did it all start?
Htech is a Mexican company founded in 2010. In the beginning, we were a small team of 15 people. Then, we started working with large clients, mainly international Telcos with whom we built a very good working relationship, and now, in 2022, we have 150 people in the company.
Can you walk us through your operations? Which fields are your solutions mostly used in?
We can describe ourselves as a financial technology company since our main line of business is online payments. However, our development services go further by offering multiple software solutions for Telcos and other FinTech companies. Our customers trust us because information security is at the core of our solutions/products and IT infrastructure. We have a culture of security in all our departments, and we maintain our PCI DSS Level 1 compliance.
What types of technology do you use to detect fraudulent payments?
We have built our own anti-fraud system based on user transaction tracking, user identification, and dynamic behavioral rules. Hybrid (SQL and NoSQL) database strategies along with near real-time data processing are part of our technology stack deployed in the cloud of Amazon Web Services which is one of our main technology providers.
How did the recent global events affect your field of work?
Information security goes hand in hand with the events that are being experienced. There are two very specific cases of this, and one of them is derived from the pandemic of COVID-19. It shows that many companies began to perform their operations remotely, where users would be working outside the infrastructure of the company or in ways where they're not protected by perimeter tools, such as a firewall. COVID-19 brought an increase in cybersecurity risks and brought to cybersecurity professionals something that has never been thought of or prioritized – home offices and their risks.
Another event that also affected the world was the recent Ukrainian-Russian war, which facilitated an increase in attacks on various industries that were part of NATO and vice versa. This increase in destructive attacks could affect core industry systems and make them unusable.
What are some of the most commonly utilized fraud methods? How can companies tell if something is amiss?
In the online payment business, there are common automated attacks that always look for open ports and vulnerable routes. However, in addition to that, we need to monitor data behavior patterns for irregularities that could be related to mass theft or leaks of credit card details and take action on time.
In fact, you must know your system and the flow of confidential information very well to prevent security incidents. Paying with stolen credit cards or massively requesting chargebacks are common fraud types in the industry of FinTech.
There are also more specific attacks when legacy/unmaintained third-party components of web platforms are part of your workflow. Even though sometimes you can feel confident when you did a good job regarding the security of your project, you must be aware of all the actors involved in your solution and propagate the security culture across all departments, including customers, partners, and providers. Otherwise, you could be under attack even without knowing it.
Which cybersecurity details are often overlooked by new businesses?
I think new businesses do not think about cybersecurity at first. They only take it into account when something has already happened. Then, they usually miss three things with the first one being the internal threats – someone inside the company can perform a malicious attack voluntarily or involuntarily and compromise the data.
The second thing that's often overlooked is that technology is always changing and evolving, and so do cybercriminals. Traditional tools can help you mitigate some typical risks, but new and updated tools can detect advanced threats and give you more insights into what is happening and how to protect your data.
And lastly, it's security awareness. The information has to be shared with people to work with it, and this is a risk everyone has. It doesn’t matter how many security solutions you implement. If someone has access, then data can be compromised. That’s why we need to make them aware of these risks and proper precautionary measures.
Why do you think companies often hesitate to try out new and innovative solutions to secure their business operations?
It's usually because of three things: cost, risk, and disinformation. We can think: “Why would I buy or change something if the actual process works?” It makes sense, doesn't it? Here comes the disinformation: if we don’t measure security, have audit logs, demonstrate how it would benefit the company or how the application is not working properly or doing enough, the decider won’t know why it must change. That’s one of the main things we must validate.
And even if these reasons are proven, there's another barrier – the cost.
Usually, when the decider sees the prices, they try to look for the lower price or don’t see the value of spending that additional amount of money. Some companies see security as an expense and not an investment, and it shouldn’t be like that.
Finally, the risk. If we have a critical application, and you want to upgrade or change something tool-related, the common answer is don’t do anything, it’s risky. Unfortunately, after some time, this application will be known as legacy software and it will be more difficult to deal with it.
What security measures are essential for companies and casual Internet users to implement?
Firstly, security awareness is one of the most important things today. It helps users to identify security threats and risks. Also, it facilitates the development of a cybersecurity mentality which helps the organizations to build their cybersecurity culture and maturity. When employees have this mentality while performing their daily activities, they are less susceptible to attacks, such as social engineering.
There are several ways to protect users from this type of attack. Since cybercriminals try to get credentials from users, implementing tools or technologies, such as a Multifactor Authentication (MFA), protects users from credential theft.
Another common mistake made by a lot of users and employees is using the same password for different platforms, which can be very harmful in the future. Just imagine that the password of a user was compromised: the first thing to do is to identify which accounts have the same password, then change every password on each platform.
The perfect solution to this problem is the use of a tool called a password manager. It automatically manages all passwords of each platform that the users have. You don’t have to remember all credentials, just the master password to access the password manager.
Share with us, what’s next for Htech?
We currently work with companies in 7 countries, and we are looking forward to expanding our coverage and having more clients. Every company that has products online needs online payments, right? So, Htech will be one of the best options to process online payments correctly and safely, always with security as part of our core principles.