InfoSec People Profile: InvestiFi CEO Kian Sarreshteh
By Roy Urrico
May 30
Finopotamus presents InfoSec People Profiles, a series spotlighting individuals working in information security (infosec), cybersecurity and/or information governance to protect data and transactions at credit unions, other financial institutions, and fintechs serving the financial services industry.

Kian Sarreshteh, CEO of InvestiFi, builds fintech organizations that leverage innovative technology incorporating banking, investment, financial wellness, cloud-native blockchain, and digital asset trading and fulfillment. The Dover, Del.-based InvestiFi bills itself as the only “investtech” platform that enables credit union members to invest in securities and crypto from their checking account.
When it comes to securing what his company does, Sarreshteh has learned an important lesson. “Information security is something that is of the utmost importance for our business, and it really has been since inception,” he told Finopotamus. “IT security is usually looked at as overhead and you do not really get to deliver a lot of business value to banks and credit unions that we are trying to sell to. But in this industry what I learned early on is that having buttoned up IT security will make any sales process go smoother and will make a lot more banks and credit unions want to work with you.”
Current Role in IT Security
Sarreshteh grew up outside Springfield, Ill. He earned a Bachelor of Science in business administration from the University of Missouri in 2007, and a Bachelor of Arts in international studies in 2011. However, his passage into IT was probably influenced more by family than by his studies. “Growing up my dad was in IT and so I knew I always wanted to get into this field. But I was not sure if I wanted to be a hands-on keyboard kind of guy or eventually emerge as a business leader in the IT space. I took the business path.”
His first job out of school was a mixed bag: selling software and managed services, as well as recruiting. Prior to co-founding InvestiFi in 2021, he also consulted with various fintechs across the country, which gave him insight and perspective in the IT space. “That is really where I cut my teeth initially on IT security. My initial client base and my career just sort of took me in the direction of fintech,” Sarreshteh recalled. “Serving banks and credit unions is one of the most important industries; IT security needs to be a priority for these organizations.”
Sarreshteh quickly recognized InvestiFi needed a solid security foundation, which is why InvestiFi obtained SOC 2 (System and Organization Controls 2) certification in its second year of operations. A cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 helps organizations validate their security.
“(SOC 2) is a very extensive checklist of various policies and IT security controls that you need to have within an organization,” said Sarreshteh. “That's really a forcing function to ensure that you are following best practices from a cybersecurity standpoint.”
Current Cybersecurity Operations
When it comes to cybersecurity technology, Sarreshteh cited a few specific areas of focus. “When you're serving a bank or credit union, you're usually integrating with their digital banking provider, which is the front end, the UI (user interface) that the actual end users actually engage with, and then also the banking core where a lot of that data sits of the individuals that are banking with a particular institution.”
Sarreshteh recalled, “One of the early decisions we made was that we are not going to store any PII (personally identifiable information) internally on our own servers, which mitigates risk fairly significantly for us internally and for all of our FI clients. So, if there ever was a breach, there is not a honeypot of personal sensitive information for any hackers to actually get.”
From a security standpoint, Sarreshteh recommended three all-important steps:
Having strong application programming interface (API) authentication mechanisms. This helps ensure that “we're authenticating users coming from a bank or credit union and the credentials that they've already logged into their digital banking environment.”
Having strong identity and access management policies. “Ensuring that only folks with appropriate authorization can actually access our software and our systems that are integrated inside of the banking applications.”
Enhancing webhook security for third-party integrations. This is “just another function that is really a best practice for any fintech that is going to be working with banks and credit unions.”
InvestiFi uses Amazon Web Services (AWS) and its specific security services, detailed Sarreshteh. These include Amazon Cognito for secure authentication and user management, AWS Secrets Manager for secure credential storage and management, AWS CloudWatch for comprehensive monitoring and alerting, and AWS CloudTrail for auditing and tracking user activity across its infrastructure.
In addition, Sarreshteh explained InvestiFi is serverless, “which has a lot of security benefits.” To this end, the fintech runs AWS Lambda, a serverless compute service for running code, and uses AWS Identity and Access Management (IAM) policies to govern access.
“There's also a few specific cryptographic security protocols that we use throughout our environment,” said Sarreshteh. These include AWS Libcrypto for Rust (aws-lc-rs), an open-source cryptographic library for developers, and AWS's native encryption capabilities, which deliver encryption of data at rest and in transit.
The Threat of Social Engineering and Crypto
At InvestiFi, social engineering represents a challenge from a technical perspective, acknowledged Sarreshteh, “because scammers out there have gotten so good. It is especially sensitive for our business because we do digital investing. And part of digital investing is crypto.”
If there is an account takeover, Sarreshteh offered, a scammer can authenticate their way into InvestiFi’s digital investing experience and buy crypto. “They think they can send it to a third-party wallet outside of the platform, which is how they steal it. This happens all the time today on Coinbase and Kraken and all the major crypto exchanges. But what we have done is built in specific security controls on our crypto solution to hedge against a lot of that social engineering.”
InvestiFi protects against that tactic by making its system closed-loop, “meaning that it is only buy, sell, hold. And so crypto is only for investing purposes with the credit unions and banks that we partner. If you buy crypto, you cannot send it off platform,” said Sarreshteh.
Social engineering is a bigger risk factor, he added, because it becomes challenging to “unwind certain transactions” when there is an account takeover. “There's so much reputational risk with all these social engineering scams and people losing thousands or even millions of dollars to crypto scammers on all of these third-party exchanges. When that crypto's gone, it is (really) gone. It is very rare that you can get that back,” Sarreshteh maintained.
He noted, “We work with clients to ensure that we have the right authentication mechanisms built in and doing things like MFA (multi-factor authentication) to hedge against these sorts of account takeovers.
“I'm starting to see more credit unions and banks start to educate their account holders to ensure that they're aware at least of common social engineering scams,” said Sarreshteh. “Having the education throughout banking communities is incredibly important because folks are just not aware of how common these sorts of scams are these days.”
Concerned About Stablecoins
One of the hot topics right now in banking and fintech is stablecoins, a type of cryptocurrency designed to maintain a stable value, usually tied to a reserve asset.
“There's inevitably going to be adoption of stablecoins,” Sarreshteh said. “When stablecoins become mainstream to actually use as payment rails, how is the traditional dispute mechanism going to work?” he proposed. “Because today consumers at banks or credit unions, they feel safe if their debit card gets compromised and there's fraudulent transactions on their account, they can dispute those transactions and have a reasonable degree of confidence they are going to get reimbursed by their financial institution.”
Sarreshteh elaborated further on his concern. “But [with] stablecoins, the settlements there are final and it is very similar to Zelle. It is very hard to reverse. If stablecoins are used as a primary payment mechanism, I am just more curious than anything how that is going to evolve and how banks, credit unions, fintechs are going to allow for users to be able to dispute stablecoin transactions with a technology that is really branded as being irreversible on the blockchain.”