Cyber defences in the age of digital car finance
With the motor finance sector moving swiftly into the digital era, the industry is learning to adapt quickly to new and growing security challenges. Chris Farnell talks to Kevin Phillips at ieDigital, a software developer and provider of financial services technology.
Acombination of the after-effects of the pandemic with the rapid pace of technological change is having a significant knock-on effect on raising customer expectations.
Where once it was considered efficient to complete a motor finance agreement within a week, online solutions mean customers now expect journeys that can be completed in minutes. Walking into a showroom and driving away with a new, finance-funded vehicle is rapidly becoming the norm. Even going into the showroom is not as common as it was, with customers expecting to apply for finance, service their agreements or switch providers from any device, at any time of day, anywhere.
“It is becoming more common that manufacturers and non-captives sell motor finance online,” says Kevin Phillips, head of solution engineering at ieDigital.
“It is a compelling proposition to offer customers the ability to select and configure a vehicle, choose add-ons and upgrades, then buy the vehicle with HP or PCP finance, all from the comfort of their own home.”
Most motor finance agreements last an average of two-to-three years, so it is important for providers to create a relationship with their customers as quickly as possible, to be front of mind when it comes to renewing or buying a new vehicle. One of the best ways to do this is through a digital self-servicing channel, much like the way banks offer online and mobile banking.
While customer expectations are rising, meeting those expectations brings new challenges, many of which the customer might never even think about.
The Financial Conduct Authority (FCA) has mandated that suitable cybercrime countermeasures are in place and always maintained. Finance providers in the UK must secure their networks from attack to keep their services up and running, as well as to safeguard their customers’ data. Failure to do this can lead to providers losing their licence.
A lot of the counter-measures motor finance providers need to have in place are common across the finance sector, such as securing online portals and mobile apps for customers to use to service their agreements.
However, there are also industry-specific issues that need to be taken into account.
Head of solution engineering at ieDigital Kevin Phillips.
“Motor finance providers use brokers, like mortgage and asset finance providers, where additional considerations need to be made to counteract the threat of cybercrime,” explains Phillips.
“Perhaps unique to the motor industry are the dealerships and independent showrooms in the motor trade. Away from more secure office locations or retail spaces, these showrooms now let the dealer and the customer complete motor finance agreements that use automated underwriting services and e-signature processes to capture, credit score and obtain finance on behalf of customers.”
Many dealers have full access to customer data, which means preventing Personal Identifiable Information data theft is as important as stopping external threats from hacking remote servers. This risk is exacerbated by the presence of third parties, which can be vulnerable to threats such as devices used to access services becoming infected with keystroke logging, remote access or ransomware threats.
Cyber security, real-world assets
One aspect of motor finance that separates it from other financial products is that it is secured against a high-value, mobile asset.
Sums of money can be larger than that of a personal unsecured loan, particularly for high-end cars, caravans, vans and lorries.
This means that any risk assessment for fraud or other criminal activity must take into account that while customer data might look legitimate, the vehicle itself may not even exist, has been recently scrapped or is being used to take out multiple simultaneous agreements with different providers.
Providers must not just secure networks, online portals and databases, but also ensure they are not being used as gateways for other forms of cybercrime.
The new arms race
As solutions improve, the challenges are also developing at a rapid pace, and where larger banking providers might once have been a prime target, as they do better at securing themselves criminals are moving their attention elsewhere.
“Cyber security has become an arms race. With the top-tier banking providers now spending vast amounts of time and effort securing their sites, attackers are turning their attention to smaller financial service providers, whom they think will be more relaxed and less secure,” Phillips points out.
“While accessing a motor finance agreement portal does not give a hacker direct control of a current or savings account, they are likely to obtain PII and banking data, such as bank account or card details stored for making repayments. It is critical then that motor finance providers of any size put cyber security at the top of their agenda.”
Phillips argues that the benchmarks services should be measuring up to are ISO 27001 or PCI DSS standards to give the level of comfort they need, particularly among small to medium enterprises without the means to build and maintain their own secure solutions with small armies of development and operations teams.
“They must rely on outsourcing the development and support of such solutions to third parties, and so put their reliance on these organisations to build, host and support these services in a way that gives them the best chance of keeping cyber threats at bay,” Phillips says.
“Providers hold both PII and banking data on their customers, both of which are exactly what cybercriminals are looking to get their hands on, so this must be secured from both direct server-side attacks as well as attacks via front-end platforms such as dealer portals and customer banking apps.”
As self-servicing is growing rapidly, there is also the threat of portal access through sheer brute force or the social engineering of usernames and passwords.
The technology continues to move forward at incredible speed. The introduction of products like smart leasing may open the door to new crimes such as drive-by hacking to steal payment data, or car theft, not to steal the car itself, but the data on board it.
“The motor industry is going through of period of high innovation, with both the evolution of electric vehicles and the connectivity vehicles have to the internet,” Phillips points out.
“Competition for sales is just as high as it has ever been, with the price for new vehicles under pressure while at the same time escalating due to increasing global inflation and escalating manufacturing costs. Makers are looking for alternative ways to get their vehicles out into the market, with wider options for leasing and pay-to-drive becoming more attractive.”
Owning a vehicle outright is no longer the default option. Manufacturers are looking at the rise of pay-to-use bicycles or e-scooters and want to scale up that model for motor vehicles. The opportunities are rife - for businesses and criminals alike.
“This intrinsic link between the asset and the finance model is leading to manufacturers looking at embedding finance payments within the vehicle itself,” Phillips explains. “But if a vehicle is to be linked with PII and payment data then it becomes an attack surface, with the potential for cyber criminals to invent new ways to hack connected vehicles such as downloading finance data while in the garage or come up with drive-by wireless hacking.
“The arms race is only set to intensify in the future. They are all under the watchful eye of the FCA, so a serious breach has the potential to be ruinous, with fines often large enough to seriously damage their ability to continue as a viable business.”