Blog

Cybersecurity Best Practices for Fintech

As the digital world expands, so does the ever-growing threat of cyberattacks targeting customer data and transactions. On average, it takes 206 days for a U.S. company to detect a data breach, costing them an average of $4.45 million per breach. Account takeovers (ATOs) were trending at the highest loss rate among different fraud types in 2020.

While it is unrealistic to expect to never be the target of a cyberattack, the best cybersecurity practice that fintech companies can adopt to proactively ensure the security of customer data is a layered security defense. Layered security entails implementing several security products and strategies to create multiple layers of defense. If a breach of one layer of security occurs, the subsequent layers will eliminate it. While every company has its own specific needs, a robust layered security solution should have the following features. 

My new article on LinkedIn describes these. Read it here.

New Fiserv Fintech Innovation Center to Open at Rutgers University

Fiserv has partnered with Rutgers University-Newark to create the Fiserv-RU-N Program for Inclusive Innovation. This exciting new project is designed to drive diversity and innovation within the field of financial technology by providing resources, jobs and opportunities to students, faculty, and local businesses.

As part of the program, Fiserv is providing $5.15 million in funding to open a state-of-the-art innovation center on its campus at Berkeley Heights, announced last fall. It will house technology and provide ample space for collaboration and research. Fiserv-RU-N will support research involving technology and commerce, such as cybersecurity and legal and ethical topics in the field of fintech.

Additionally, Fiserv-RU-N will offer forty $2,500 scholarships annually to Rutgers undergraduates, half of which will go to military veterans and Rutgers Business School students. RU-N will also provide support for career modules to prepare students for internships and jobs, including positions at Fiserv.

Deepening Our New Jersey Roots

Fiserv’s foothold in Berkeley Heights, together with the RU-N program, is slated to retain or create roughly 3,000 new jobs, providing a significant boost to commerce in the Newark region and beyond.

Apart from the Fiserv-RU-N Program, Fiserv supports Rutgers-Newark through the Center for Urban Entrepreneurship (CUEED) and Rutgers Advanced Institute for the Study of Entrepreneurship and Economic Development (RAISED), which work with minority, women, and veteran owned businesses throughout New Jersey.

Facilitating Innovation Through Diversity

Diversity and inclusion are two of Fiserv’s core principles. The diverse Rutgers community is the perfect incubator for creative fintech solutions that benefit people from every walk of life. A wide range of perspectives helps develop new answers to the challenges we face in the financial services industry.

As Chief Technology Officer at Fiserv, I am looking forward to seeing the creative solutions that will come from the young minds at RU-N. Since beginning my career 20 years ago, I’ve seen the business technology landscape change more rapidly each day. I have no doubt that the RU-N community will deftly meet these challenges.

You can follow Fiserv’s developments at our newsroom.

Fintech and the Physical World

The latest innovations in Fintech are transforming how we experience the world around us, from our daily physical interactions to our relationships with the many different spaces we inhabit and traverse.

The pandemic accelerated the adoption of some digital technologies. One trend that Fiserv highlighted in its 2021 Commerce and Fintech Midyear Review is cashierless checkouts. While self-checkout kiosks in grocery stores, pharmacies and other retail businesses have been common for years, Amazon has taken cashierless shopping to the next level in its physical Amazon Go and Amazon Fresh stores. They harness AI, sensors and computer vision technology to provide an even more automated and frictionless in-person shopping experience. New cashierless Whole Foods Market locations opening next year will expand the use of this “Just Walk Out” technology, and wide adoption will surely follow—Amazon has already begun licensing it to third-party retailers.

Fintech is also reshaping the fan experience at sports and entertainment events. Milwaukee’s Fiserv Forum, home of NBA champions the Bucks, is one of many venues around the world now employing a connected ecosystem of omnichannel commerce, mobile phone integration and cloud-based point of sale technology to create a more efficient, safe and intuitive customer experience. Fans avoid long concession lines and spend more time in their seats enjoying the game, while the venues have new sources of data to analyze and improve operations.

Other technologies Fintech is using to connect the physical and digital worlds include augmented reality (AR) and biometrics. Retailers and brands such as Warby Parker, L’Oreal, IKEA and BMW already employ AR apps that allow customers to preview what their products will look like on their faces, in their homes and behind the wheel. Biometric authentication, which can verify a person’s identity by scanning their face, fingerprint, palm or voice, has emerged as a critical fraud protection technology and will serve as the foundation for the secure digital wallets of tomorrow.

The lines between physical and digital blur further every day. The most influential and exciting Fintech innovations are those that bridge these worlds with hybrid solutions. It will be fascinating to see where such advances take us as we emerge from the pandemic and head back out into a changed world.

The Future of Fintech and the Rise of Super Apps

“There’s an app for just about anything,” Apple declared in a 2009 iPhone commercial. That statement is, if anything, even more accurate today, with the rise of super apps that aim to do almost everything themselves.

Super apps, which provide a variety of different services within a single interface, first emerged and have found the most success in China. With the country’s rapid adoption of smartphones and sparse data regulations, leading super apps WeChat and Alipay have been able to build an expansive ecosystem of services and amass more than a billion active users.

In the United States and Europe, where privacy and data laws are more restrictive and competition is stiffer, super apps have yet to catch on in a similar way. But it may not be long before they do. Fintech super apps, for instance, are aiming to “change money forever.” And they are making headway, thanks to the growing prevalence of cryptocurrencies, digital trading and neo banks.

PayPal is moving swiftly forward with its much-touted plan to become a Fintech super app, including a revamped digital wallet and numerous other new services such as messaging, check cashing, cryptocurrency support, bill pay, budgeting tools, subscription management and shopping tools. Popular mobile trading app Robinhood and digital payments company Square are also growing their range of services quickly—as is ambitious London-based neobank Revolut.

Expanding an app’s services to extract more value from users is an enticing prospect, but it risks compromising the app’s usefulness if not done carefully. As The Financial Times’ Tim Bradshaw puts it, “Most super apps are not super great,” because they “solve a problem for the company, not the customer.” New services also add further degrees of complexity to the daunting and ever-evolving challenges of Fintech cybersecurity and regulatory compliance. These are all factors for contenders to keep in mind as they vie to become the top Fintech super app of tomorrow.

New Horizons in Technology Leadership

I recently took the reins as Chief Technology Officer at Fiserv, the world's leading payments and financial technology provider. In this new role I am drawing on over 20 years of experience in cybersecurity, IT and FinTech to navigate today’s rapidly transforming business technology landscape and chart the best course for tomorrow.

I will continue to share my insights and analysis on this blog, addressing critical developments in cybersecurity and data protection while also expanding coverage to include the broader issues and challenges that CTOs and other business technology leaders face today.

To begin this new chapter in the conversation, here are a few important points this industry will be focusing on moving forward.

Security Remains Paramount - A CTO must look at the big picture and develop an overarching technology vision and strategy, and integrating security at every level is an essential part of that. Financial services are a prime target for cybercrime, and, as our technological systems grow increasingly complex, failure to maintain comprehensive protections can result in the accrual of significant “cybersecurity debt.” Safeguards must extend from incorporating the latest innovations, such as confidential computing, to maintaining physical security and understanding the role of employees in protecting valuable assets.

The Cloud Is Key - Regulatory compliance and security concerns have slowed traditional financial institutions’ adoption of cloud computing, but innovative cloud technology is becoming an increasingly valuable and vital tool in FinTech. It’s important to avoid a “Frankencloud” model—last year’s SolarWinds cyber attack showed how catastrophic that can be—but a strategic hybrid cloud approach can unify networks, minimize cybersecurity debt, supercharge efficiency, and allow for unprecedented flexibility and future transformation.

AI and Other Innovations - Coupled with the speed and flexibility of the cloud, artificial intelligence, machine learning and other forms of automation are unlocking a host of new possibilities in FinTech. With traditional know your customer (KYC) verification technology quickly becoming antiquated, advanced AI such as biometric scanning is a valuable new tool for preventing identity fraud in digital finance. Contact Center as a Service (CCaaS) is also catching on by using the cloud to connect a scalable remote agent workforce, automation to streamline workflows, and AI-powered virtual assistants to personalize and enhance both the agent and customer experience. Other advanced tools are helping utilities bolster their defenses against increasingly frequent attacks on critical infrastructure.

Much more lies ahead, from the next-generation SCION Internet architecture, which will provide more stability than the current outdated Border Gateway Protocol (BGP), to debates about the ethics of algorithms and how to bridge the broadband divide. I look forward to discussing these and other critical technology issues here in the future.

Peter Cavicchia | FinTech, CTO, Cloud
Fiserv’s 2020 Fraud and Security Survey

Over the summer Fiserv interviewed 1,037 American adults to determine consumer trends in digital commerce. The results shed light on ways the COVID-19 pandemic has been central to consumer decisions, especially in driving greater adoption of digital commerce and payment options, even as 79% of consumers say they are at least as concerned about cybersecurity threats as they were last year.

A third of respondents have increased their use of touchless payments, and more (69%) anticipate increasing their use of touchless payments going forward. Credit and debit cards are still the preferred payment types (used by 52% of respondents), but 33% said they often use phone apps to pay and 15% use QR codes. Gen Z consumers lead in adoption of mobile payments apps (with 41% using them regularly). Millennials are close behind at 38%, while 21% of both groups report using QR code payments regularly.

Touchless payments have facilitated a rise in buying online and picking up in-store (or “BOPIS” shopping, at 43% usage) or curbside (50%). In fact, 43% of Gen Z’ers report that their phone has replaced their physical wallet—against only 16% of Baby Boomers.

Increasing confidence in the security of e-commerce platforms

Consumers show increasing confidence in the security of e-commerce platforms. Only 18% considered it the most vulnerable channel (in 2017 52% felt they were most vulnerable to a cyber-attack while shopping online). And only 22% of consumers reported a credit card compromise in the last year (down from 57% in 2017), a decline that is attributable to the rise of chip cards as well as improved cyber security.

Younger consumers are much more likely to report having shared their personal data with someone through email, and perhaps therefore are seeing their personal information compromised at a much higher rate. Among all respondents, only 23% are confident in the security of the Personally Identifiable Information (PII) they use in payments. 36% report they are changing their passwords more frequently this year.

Based on these responses, Fiserv encourages businesses to incorporate multi-factor authentication into user profiles as a way of boosting security and customer confidence. Touchless payments will continue to grow in the years ahead. For more insight, read the survey results here.

Interview with Evy Poumpouras: Keeping Safe in Cyberspace

Evy Poumpouras is a former Secret Service Agent and colleague, as well as a co-host on Bravo TV’s series Spy Games, author of Becoming Bulletproof, and national media contributor who covers national security, law enforcement and crime. This excerpt from her recent interview with me is timely and reflects the most pressing issues facing you today.

Where are we vulnerable and how do we defend ourselves?

For the most part, criminals are looking for personal data they can use with minimal effort to gain access to funds and move them quickly to be able to conduct cash-out activities and disappear. The most important defense mechanism against cybercrimes is taking advantage of strong authentication in every channel you use. The leading causes of cyber-driven scams are account takeover, password theft, and impersonation.

TIP: Turn on multi-factor authentication for all your accounts, including email.

Online gaming has become a huge target these days because many of them require payments to play or buy upgrades. Early on there weren’t many protections around this, but more recently gaming platforms have added parental control features and levels of authentication.

TIP: Parents, make sure to set parental controls for your kids’ online gaming.

Personal computers should have some level of malware protection installed. Most anti-malware tools update themselves automatically and will catch a bad attachment or malicious website and block them.

TIP: Don’t open emails or links that you do not recognize or that seem suspicious, even if it’s from someone you trust. Email accounts get hacked all the time.

Read the full interview here.

COVID-19 and Cybersecurity: As Coronavirus Pandemic Spreads, Threats Surge

As it spreads rapidly around the world, COVID-19 has triggered a huge spike in coronavirus-themed cybercrimes. Considering just the volume of threats so far, the pandemic could become the largest cybercrime theme of all time.

It's happening against a backdrop of the long-term trend toward increasing reliance on digital technologies and services, and that trend has taken a large leap forward with stay-at-home orders. The COVID-19 threat landscape presents new vulnerabilities in addition to heightening existing areas of risk.

It's important that businesses meet the challenge head on by identifying new weak points, preparing for a potential uptick in attacks, and adapting protections for sensitive data and critical systems.

Cybercriminals have found new ways to exploit the opportunities arising from the sudden transition to remote work. They seek to take advantage of poorly protected residential connections and employees mixing personal and business browsing that leaves them more open to malware attacks.

Researchers say lures related to the new coronavirus comprise more than 80 percent of the threat landscape, including more than 500,000 different variations of emails, 300,000-plus malicious URLs and more than 200,000 malicious attachments. We can also expect to see a surge in threats related to the upcoming distribution of federal relief money.

Continue reading: Be Prepared: Pandemic Creates Targets of Opportunity for Cybercriminals

Fraud in Online Gaming

I discuss fraud in online gaming in an interview with PYMNTS, the leading online resource for the online payments and commerce industry. With the recent revelation that fraudulent activity was the source of “nearly all” trades in a digital marketplace for the popular video game Counter Strike, this issue has rightfully been gaining more attention.

It is not surprising that gaming platforms have become hotbeds for fraud. Security architecture is typically a secondary focus, at best, in game design, and they present myriad opportunities for bad actors to find and exploit weaknesses while remaining anonymous. Earlier this year, a report uncovered money laundering in the massively popular game Fortnite. Account takeovers are another common form of fraud in online gaming.

Giving such fraudsters the boot from online gaming will require a proactive approach. Gaming platforms need to adopt the same safeguards used in online banking and ecommerce, such as out-of-band step-up authentication on the front end and AI detection tools on the back end. If those protections are coupled with increased cybersecurity awareness among users, they will be a large step toward making gaming platforms less shadowy and more secure.

It was a pleasure to speak with PYMNTS. From its founding in 2009 the site has long been an invaluable B2B resource for up-to-the-minute news and insight on the latest trends in online payments and commerce. It’s a FinTech must-read.

A Look Ahead: #FinTech Cybersecurity Safety in 2020

Left to right: Noah Kroloff, Amy Hess, Peter Cavicchia & Bryan Cunningham

How we can all make our companies, our cities and our nation safer is top of mind everywhere. Each year at the annual Summit on Security presented by Fiserv at the #9/11 Memorial & Museum, experts and national leaders come together to discuss the critical need for organizational resilience and vision in the face of heightened security threats.

This year, I spoke as part of the panel Keeping Ahead of the Threat, which examined key threat areas in the quickly evolving cybersecurity landscape, as well as the security infrastructure surrounding those areas.

The panel was moderated by Bryan Cunningham, the Executive Director at UC Irvine’s Cyber Security Policy and Research Institute (CPRI). I was joined by fellow panelists Amy Hess, the Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch, and Noah Kroloff, the Principal and Co-Founder of Global Security and Innovative Strategies.

Cyber security strategic planning in Fintech is complex, involving issues such as rapidly changing data use regulation, consumer consent, and the ever-present threat of supply-chain, state-sponsored and other forms of attack. The areas of largest risk range from account data and personally identifiable info to high speed trading models.

In addition to preparing for external malicious threats, you also need to prepare for internal mistakes and errors in judgement. Nonetheless, consumers want the option of open banking. That is the future of financial services, and the industry must make the transition. As we addressed in Keeping Ahead of the Threat, this will require streamlined integration approaches as well as highly effective data-centric security measures.

Cyber Security and Physical Security

In cyber security we focus on cybercrime as our main threat. But to protect our organization’s data, we also need to understand physical threats. It is a relatively low-risk venture for someone halfway around the world to send out malware and hope it penetrates critical systems. But with the presence of both high-value information and a determined adversary, you have to be ready for traditional espionage techniques as well as the most advanced digital tools.

Old-fashioned black-bag jobs are not out of the picture, as one CEO learned in 2017 when he returned to his office after a company celebration. Moles are also still used, and disgruntled employees may be approached by hostile actors.

As a cyber professional, you will not bear sole responsibility for such physical attacks. But by working with other departments you can play a central role in preventing them. In fact, as in conventional cyber security, identifying and tagging critical data is the most important step. Then you can limit access to and usage of that data, and then flag and trace unusual usage patterns.

It may be tempting to focus on high-risk areas—for instance an employee taking a laptop on a business trip to a foreign country. But as in all areas of cybercrime, hostile actors look for weak points (and may be just as likely to attempt physical access to that employee’s data when he is at a conference in Las Vegas). Critical data must be protected no matter its location. And just as you identified your critical data, seek out and identify weak points in all areas of your security infrastructure.

The Future of Facial Recognition

Facial recognition has a central position at the high-tension intersection of privacy debates, security requirements and consumer demands for increasing convenience. Digital identities are critical to companies competing to offer their services quickly while demanding less input from customers. Facial recognition is in many ways the best tool for verifying identity. It is considered the best biometric, and is ultimately convenient. In fact, it can require no action by the consumer, unless identity confirmation fails.

Since the release of the iPhone X (and its groundbreaking facial recognition capability) many consumers have come to understand the allure of, and accept, facial recognition. And it is gaining greater adoption in all areas of e-commerce—especially in the security-conscious financial industry. It has already been accepted as a valid identification method by Europe’s banks. JetBlue has started using it instead of boarding passes. And it is rapidly becoming big business: Allied Market Research predicts that the global face recognition technology market will generate sales of $9.6 billion in 2022.

Synthetic Identity Fraud

Synthetic identity fraud, in which an identity is created instead of stolen, has been around in some form for a long time. Estimates are that it produced over $6 billion in losses in 2016 alone. But as the security community has been able to successfully address other forms of cybercrime and fraud, synthetic identity fraud has become much more popular.

Synthetic identity fraud is uncommon in that it requires both a long-term view and long-term expenditures—often for years—before the identity can be exploited. But the crime is also very difficult to detect. In fact, it is impossible to know how many “busted out” identities still exist, inactive and tagged with an abysmal credit rating.

The crime begins with a social security number. It is often a child’s, but criminals can also simply make up a number. The rest of the identity will consist of a mix of stolen and made-up PII (personally identifiable information) and a “home” address controlled by the criminal.

The SSN should have no credit history attached to it. The criminal sets about building one. The simplest way to do this is to apply for—and get rejected by—credit cards. This will establish a credit history. Eventually they will get a card with a very low limit. Then they diligently work to improve the credit rating and increase card limits. Some pay credit repair agencies and for-profit “credit piggybackers” to hasten that process.

Eventually, perhaps after years, the criminal will “bust out” the identity, running all the cards up to their limit and walking away from the identity.

A developed synthetic identity can also be assumed by a real person, for instance an undocumented immigrant or even someone who wants a better credit score.

Any company that doesn’t employ in-person verification at some point is vulnerable to this type of fraud. One reason it is difficult to detect is that there is no way (yet) for companies to verify SSNs with the government. Another is that SSNs have been randomized since 2011 and are no longer correlated to date or place of birth. Security programs lost those critical verification factors.

For consumers, once the issue shows up on your credit report it is too late. But you may want to freeze your children’s credit score (if that is allowed in your state). Companies have the larger challenge, but a sophisticated verification system that looks at depth and consistency of PII will help.

Formjacking, a New Security Threat Facing Consumers

Formjacking is an increasingly popular tool in the ever-escalating war for your data. It is the digital equivalent of card skimming: Where a skimming device captures your card data when you swipe it at a gas pump or ATM, formjacking code captures it the moment you submit an order entry form on an infected website.

As a consumer there is nothing you can do to prevent it (short of making all your purchases offline). It is not your device that is infected with the code, it is the website. Even well-established, well-regarded online retailers are vulnerable, if cybercriminals are able to infect less-protected third-party software down their supply chain.

Symantec reports almost 4 million formjacking attack attempts in 2018, with an average of about 4,800 sites successfully infected monthly. The cyber security community can protect against these attacks, but as always systematic and comprehensive vigilance is the key.

As a consumer you won’t know you’ve been formjacked until your data is used. So, this is another good reason to monitor your financial statements and credit reports carefully. You should institute a credit freeze the moment you suspect a problem—and strongly consider doing it now.

A Challenging Cyber Security Talent Market

If you are responsible for an organization’s cybersecurity, challenges are part of your daily life. Building a talented and cohesive team is among them.

The demand for cyber professionals far surpasses the supply of those that have training or experience in the field. A study by ISACA’s Cybersecurity Nexus (CSX) reports barely 50 percent of organizations can count on receiving at least five applications for each cybersecurity opening.

In such a competitive market the talent will be choosing you as much as you are choosing them.

You need to be proactive and creative in your talent search. Include relevant technical schools and professional organizations in your pipeline. Take pains to show you welcome diverse talent such as women and minorities into your department—data show both are underrepresented and underpaid in this industry.

Finally, cybersecurity talent should have analytic skills, attend to detail, and in the best case have communication skills that allow them to collaborate effectively across every area of your company. Those are the traits to look for in junior hires. The techniques of cybersecurity can be taught. New hires should have a passion for cybersecurity, but a background in mathematics, analytics, problem solving, and investigations can be just as promising as one in programming.

So think expansively. Core skills can be more important than certifications. Creating a supportive environment where employees continually learn new skills from other seasoned pros in the group (in addition to formal training) helps guard against another hazard of this competitive market—talent poaching by your industry peers.
