Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Financial Crime
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Why it’s time to wake up to the quantum threat

Quantum computing is proving to be enormously exciting for financial institutions. Already, Goldman Sachs and Deutsche Börse are exploring quantum algorithms to calculate risk model simulations 1,000 times faster than currently possible, while BBVA is looking to quantum to optimise investment portfolio management.  

But a more sinister aspect to the technology also lurks just around the corner. Because of their computing power, quantum machines will be able to smash through the mathematical algorithms underpinning all modern encryption - posing an unparalleled cybersecurity risk.

It would take a traditional computer years to break the public-key encryption relied on today by just about every financial services company, but a fully-scalable quantum computer could achieve the same in a matter of hours. 

According to roadmaps laid out by major players in the field, we will have a quantum computer capable of doing this within the next decade.

Mapping the vulnerabilities

Banks and financial institutions use a range of cryptographic algorithms to ensure the security of transactions, including symmetric key cryptography (e.g. 3DES) and public key cryptography. Although public key cryptography is most exposed to the quantum threat, some types of symmetric key cryptography are also vulnerable to attack.

Core to these operations are hardware security modules (HSMs). These form a key part of the physical infrastructure that stores and generates secure keys using cryptographic asymmetric algorithms to authenticate and validate transaction information.

A chain is only as strong as its weakest link, so unless up-to-date, quantum-secure HSMs are in place, there’s a risk of quantum attackers exploiting a single vulnerability to expose all data within the payments ecosystem. 

What complicates the issue is that quantum decryption can be applied retrospectively.

Bad actors could begin collecting encrypted data from institutions today, with the intent to ‘harvest now, decrypt later’. Financial services companies could unknowingly be victim to an attack today, and only suffer the consequences in the future when quantum computers become available.

Thankfully, some institutions are already paying attention, with early movers like ScotiabankJP Morgan and Visa all taking the threat seriously.

Beginning the fight back

The world began to take note of the quantum threat when, in 2016, the US National Security Agency issued an official warning to industry. Shortly thereafter, the US National Institute of Standards and Technology (NIST) launched a post-quantum cryptography standardisation project to lay out the path to a quantum-secure future. 

NIST is running the process as a competition. The project is now in its final stages, with seven finalist algorithms left after 80 submissions from six continents. The final algorithms will be chosen in 2021, with draft standards to be published thereafter. 

It’s anticipated that the US government will require contractors to incorporate the new NIST standards in order to conduct business with its agencies. As critical infrastructure, financial institutions are also likely to find that  quantum-secure cryptography soon becomes a technical necessity. 

The path to quantum security

The migration to new cryptography standards will be a massive undertaking - one of the biggest cybersecurity shifts in decades. 

The transition will be complicated for banks, too. Each institution will be starting from its own unique position, with its own legacy systems and infrastructure, and each will be vulnerable to the quantum threat in a different way.

Financial institutions can save time in the long-run by taking steps to plan their own transition before NIST’s new standards are even announced.

The first step is to conduct an audit, pinpointing each and every place where encryption is being used within the organisation. This will help to identify weak spots, find areas in need of rationalisation, and so on.

NIST agrees that companies should start preparing for the transition today: 'It is critical to begin planning for the replacement of hardware, software, and services that use public-key algorithms now, so the information is protected from future attacks'. 

Looking ahead

Institutions have invested huge amounts of time and effort building customer trust in digital banking, and cryptography was the main mathematical tool that allowed this to happen.

Now that quantum computers threaten to break it, it’s time for the sector to fight back.

The security of all sensitive data, past and present, relies on it.

 

 

4351

Channels

Security Financial Crime
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Ali El Kaafarani

Ali El Kaafarani

CEO & Founder

PQShield

Member since

14 Jul 2021

Location

Oxford

Blog posts

1

More from Ali

Community
See all blogs »
Fintech 

How innovation in encryption is helping secure the credit card approval process

Ghazi Ben Amor

Ghazi Ben Amor

Operational Risk Management 

DORA – Navigating the EU’s Operational Resilience Landscape

Antony Fung

Antony Fung

Fintech 

The importance of risk management in trading

Kate Leaman

Kate Leaman

Digital Identity Management 

Navigating the digital identity landscape: A blueprint for financial services competitiveness

Adam Preis

Adam Preis

Now hiring

See more