
Wednesday, 15 April 2020

07:41

How Financial Organisations can Improve Cybersecurity

BFSI sector, NCIIPC
The financial industry experiences 35 percent of all data breaches. It houses high-value data and assets that are attractive to attackers for obvious reasons. The US National Institute of Standards and Technology (NIST) divides financial institutions into four levels of cybersecurity maturity:
  • Partial: At this level the organisation's cybersecurity risk management practices aren't formalized and risk is managed in an ad hoc (and sometimes reactive) manner.
  • Informed: This maturity level is characterized by institutions where management has approved risk management practices, but these practices are not established as policy across the organization.
  • Repeatable: At this maturity level, an organization's risk management practices are formally approved and expressed as policy.
  • Adaptive: At this highest maturity level, organizations adapt cybersecurity practices “based on lessons learned and predictive indicators derived from previous and current cybersecurity activities.”
Forbes advises financial institutions to apply some thought to three different steps to ensure greater data security and minimize legal exposure. Firstly, they ought to draft internal policies, procedures and contractual provisions covering the investigation, remediation and reporting of breaches. Next, institutions should obtain appropriate insurance coverage for the various types of cyber risk and consider the adequacy of existing insurance programs. Not only will this help to mitigate risk if an institution is successfully attacked, but organizations may end up proactively improving their cybersecurity environments because it is the easiest way to increase coverage or lower their premiums. Finally, financial institutions should seek out third-party cybersecurity partners that will help them manage their security environments and forestall data breaches.
References:
[1] https://biztechmagazine.com/article/2020/01/how-financialservices-firms-can-improve-cybersecurity

Monday, 19 March 2018

22:47

Business From "CyberThreats" -Guidelines


Here are a few tips that you can use today to protect your business from cyber threats:
  • Review access and permissions and limit remote access – only allow those who need the access to your most sensitive data permission to do so.
  • Implement complex password requirements – having your employees create and maintain strong, complex passwords is a great practice to minimize cyber-attacks and protect data.
  • Train employees – make your employees aware of the various cyber threats, such as phishing or business email scams so they’re better able to recognize them. Consider including this training in your new hire onboarding, and be sure to schedule refresher courses regularly.
  • Ban or severely restrict USB access – flash drives can be dangerous vehicles to smuggle out confidential business information without detection, or provide access for hackers to transfer malware on the device.
  • Disable Microsoft Office Macros – macros, computer code used in Microsoft Office to automate tasks and add functionality to your files, can be used as a vehicle for malware, making your company susceptible to an attack.
  • Maintain robust and secure backups – properly securing your data is key to recovery following any type of cybercrime.
  • Update plug-ins – out-of-date plug-ins should be updated immediately. Fraudsters are known to exploit this vulnerability to steal data, install malware and access networks. Some of the most commonly targeted plug-ins include Adobe and Java, so keep a special eye on those to avoid any attacks.
  • Utilize encryption – encrypting files ensures that your data is protected should your system be hacked or your laptop is lost or stolen.
  • Consider penetration testing – penetration testing is used to exploit cyber security vulnerabilities so you can make improvements before an attack would occur.
  • Develop an intrusion response plan – having an incident response plan can help mitigate damages.


Thursday, 22 June 2017

19:59

Providing physical proof of identity (IDs) may soon become a thing of the past.


While it’s not entirely possible to have the correct identification within reach at all times, there may be a new way to certify someone’s identity without the need to produce papers or a plastic ID card, all while promoting cybersecurity in the process.

This week brings us news that Accenture and Microsoft are partnering up to help develop a digital ID network through the use of distributed ledger blockchain technology. This is part of a larger United Nations-backed project to provide legal identification to people around the world without an official document. The goal of this project is to help refugees (currently 1.1 billion people) prove they are who they say they are in order to receive essential services like education and healthcare.
During the second ID2020 Summit in New York this week, the prototype for this distributed ledger network, which will connect existing record-keeping systems using blockchain technology, was debuted. Thanks to the partnership between Accenture and Microsoft, refugees will be able to access their virtual paperwork through this new system wherever they are located.
Accenture’s Managing Director of Financial Services, David Treat, highlighted the importance of legal ID access with this new offering. “Without an identity,” he said, “you can’t access education, financial services, healthcare, you name it. You are disenfranchised and marginalized from society.”

Source: PYMNTS.com

Wednesday, 8 February 2017

08:06

Threats to Bitcoin users from cyberattacks and illegal activities -RBI


Post RBI caution, startups form a chain around blockchain tech

A circular by the Reserve Bank of India last week, cautioning users about virtual currencies such as Bitcoin, may have caused alarm among Bitcoin investors in the country, but for startups in this space it has served as the right push for creating an industry association.
Bitcoin players such as Zebpay, Unocoin, Coinsecure and Searchtrade have formed the Blockchain and Virtual Currency Association of India and are in the process of formally registering it. In fact, in their first meeting in Mumbai on Friday, the members discussed the RBI circular among other things. "While we have been planning to create an association for some time, we finally pushed things after the circular," said Saurabh Agarwal, cofounder of Bitcoin trading and wallet company Zebpay.
"We had thought of reviving the old association, the Bitcoin Alliance of India (formed in 2014 but now defunct), but we also decided to add blockchain companies and create a larger association," he said. Currently, there are four member companies, but the association looks to add more from the 20-odd Bitcoin startups in the country. Mohit Kalra, CEO of Coinsecure, said that the first attempt at a Bitcoin association had failed since the companies were still small.
The main objective of the new association is to create an industry body to engage with regulators, but the association will also focus on making Bitcoin trading safe by ensuring members follow strong KYC measures and by creating awareness among users about Ponzi schemes and other risks.
"The goal is to have uniform self-regulation amongst ourselves," said Sathvik Vishwanath, cofounder of Blume Ventures-backed startup Unocoin. Bitcoin is currently not regulated in India, and as per the RBI's notice on February 1, in which it reissued a circular from 2013, the regulator "has not given any licence/authorisation to any entity/company to operate such schemes or deal with Bitcoin or any virtual currency." The RBI said that the creation, trading or usage of virtual currencies such as Bitcoin as a medium of payment is not authorised by any central bank or monetary authority. It also warned of threats to Bitcoin users from cyberattacks and illegal activities.
The warning comes even as Bitcoin's popularity in India seems to be on the rise, especially after its value rallied following events such as Brexit, demonetisation and Donald Trump's victory. It was also considered the best-performing currency globally last year.

Source: Banking Updates

Sunday, 11 December 2016

08:14

Digital payments and internet shutdowns cannot go hand in hand

India will need to rethink its stance on internet shutdowns if the digital payments push is to continue. Over the last few years, suspending internet services partially or otherwise has emerged as a favoured tactic of the government to counter potential security threats. But one look at the current digital payments trends and it is clear that the shutdown approach will now be as useful as the old Rs 500 and Rs 1000 notes.
In August this year, an internet shutdown in Gujarat following the Patidar agitation resulted in a loss of Rs 1,500 crore in one day, according to the Maha Gujarat Bank Employees Association. In September 2016 on the eve of Eid-ul-Zuha, Kashmir saw a 72-hour suspension of internet services and mobile internet (barring BSNL) as a “precautionary measure” to contain a security threat. In Haryana, Sonipat had internet and mobile services suspended ahead of the June 2016 protests by the Jat community.
The think tank The Brookings Institution calculated the financial loss suffered by India as a result of its 22 temporary internet shutdowns between July 2015 and June 2016. It arrived at a figure of $968 million. This figure accounts for the percentage of the GDP “derived from the internet economy”, online ad services, and of course, digital payments.
This was then.
Within a week of the demonetisation announcement of 8 November 2016, Indian digital wallet companies like PayTM, Freecharge, and MobiKwik claimed an increase of up to 200% in mobile downloads. And now, Prime Minister Narendra Modi himself is advocating an uptake of digital payments and pushing the Unified Payments Interface cause.
In part due to this push, and in large part due to lack of options, adoption of digital payments has gone up by nearly 300% in one month alone.
One can do the math to see where this will eventually go by looking at the latest numbers. According to a recent Medianama and Akamai report, the number of debit card transactions stood at 129.07 million between July 2015 and July 2016. These accounted for transactions worth Rs 17,091 crore. The number of mobile banking transactions for the period March 2015 to March 2016 stood at 49.47 crore. The amount transacted in this period grew at a jaw-dropping rate of 239%. The absolute value of the transactions stood at Rs 57,280 crore at the end of this time period.
By March 2017, these figures are sure to swing higher up with the ongoing cash crunch. If an internet shutdown were to happen now, the financial losses would be colossal. In going for a digital payment push with a reliance on internet shutdowns for law and order, the Modi government has planted both its feet in two boats headed in different directions. Neither of them seems built to float.
In the course of implementing the demonetisation project, we have seen the government bumble through several obvious snags that anyone with a plan would have foreseen. Lack of circulating cash, ATMs that were not calibrated for the new currency bills, and accounting for those not covered by the formal banking system were just some of these. Now, as a clean-up is cobbled together at the last minute, one can only hope policy makers account for the consequences before the government approves another suspension of internet services.
DISCLAIMER : Views expressed above are the author's own.

Thursday, 1 December 2016

19:33

More Secure Together This Global Shopping Season


Consumers, retailers, payment processors work together to reduce fraud and enhance security in this holiday shopping season

Thanksgiving in the United States has already come and gone, and we’ve dived headlong into the heart of shopping season. And the season doesn’t stop at the end of December; the shopping frenzy will continue – globally – through February 14 of next year. Many forecasts from research and retail organizations (see some links below) predict retail sales will rise around three percent when compared to the previous year, but the biggest gains will be made in online and mobile commerce. According to Adobe Systems, Black Friday online retail sales in the US were up 21.6 percent this year, while sales via mobile devices were up 33 percent.

More than other times of the year, fraud and security are on the minds of both consumers and the entities involved with settling the transactions, including retailers, banks and payment processors. Payment data, such as credit card or debit card numbers, can be stolen in large quantities and monetized quickly and profitably. This is primarily why financial and personal data remain a prime target for hackers. While there are existing security best practices and safeguards to protect consumers from fraud, it takes both the consumers and the settlement entities to work together to successfully reduce payment fraud.

Here are some tips for consumers on how to keep your data safe in the era of cyber shopping, covering both in-person and online shopping:

  • For in-person shopping, use your smart payment cards, also known as chip-and-PIN cards. These cards have been proven to reduce counterfeiting. The chip embedded in the card makes the transaction more secure by encrypting information when completing a transaction at a chip-enabled payment terminal. It has been available in most of the rest of the world and is now (finally!) available in the U.S.
  • When shopping online, look for reputable payment processing partners such as PayPal or Authorize.Net, for SSL certificates from providers such as Verisign, or for accreditation by the Better Business Bureau. Whenever you enter payment information online, there should be a lock symbol by the browser’s URL.
  • If you are a first-time buyer on an online store and you are not sure whether it has solid security practices, make your purchase as a guest instead of creating an account if there is an option. This way, your personal and payment data will not be stored.
  • Another way to assess whether the online store has sound security practices is to see whether it has published security and privacy policies on the website. A reputable online merchant will communicate such policies publicly. It’s a good way to learn more about the company.
  • Keep good records – always check purchases against credit card or bank statements. Report discrepancies immediately to your bank. If you use credit cards, your liability is limited. In some cases, banks will refund the entire purchase.
As the consumers’ partners-in-anti-crime, the retailers, banks and payment processors are the other side of the coin in fighting fraud. Here are some best practices for IT departments to secure their apps and consumer data against fraud:
  • For retailers, when completing a transaction, use payment terminals from reputable vendors that are secure and support end-to-end (or point-to-point) encryption, including Ingenico, Vantiv and Heartland. End-to-end encryption means payment data is encrypted immediately when you enter your card number, and that the data remains encrypted as it is transmitted to the processing system. Other acceptable data anonymizing methods include masking and tokenization.
  • Don’t keep the data in your payment terminals or on mobile devices that accept credit cards via a dongle, or in any of the apps in your data centers if you can help it. Transmit the payment data directly to the bank or global payment processor to settle the charge. But if you have to store personal or payment data in your IT system, make sure that data is encrypted, masked or tokenized, and that the application is segmented from other applications.
  • For banks and payment processors that have to keep the payment data for settlement purposes, purge the transactions from the database as soon as you no longer need them. Unless the transactions are recurring for subscription services, get rid of payment data after the normal length of time that banks allow for processing chargebacks (in the U.S., generally 18 months). For storage, always make sure the data is anonymized and that the database is separated from other apps that are vulnerable to malware, like web apps.
  • Maintain Payment Card Industry Data Security Standard (PCI-DSS) compliance for starters, but keep updated on all security best practices. Perform constant penetration testing against the system. Bring on board reputable security assessors to check out your systems. Don’t forget to train your employees to observe security practices, as well as ensure physical offices and stores are designed to discourage insider threats.
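As an added illustration of the masking, tokenization and purge-after-the-chargeback-window advice above (example code written for this page, not Citrix's or any vendor's code), the toy layer below keeps only a random token and a masked PAN in the application store, holds the full PAN in a separate vault that stands in for a segregated service or payment processor, and removes settlement records older than the retention window. The card numbers, the `TokenVault`/`SettlementStore` names and the 30-day-month arithmetic are all constructed assumptions.

```python
"""
Added example (not from the original post): a minimal card-data handling
layer. The app side stores a token plus a masked PAN; the full PAN lives
only in a token vault (an in-memory stand-in here); records older than the
chargeback window are purged. All card numbers are constructed test values.
"""
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# The post cites ~18 months as the usual US chargeback window; 30-day
# months are an assumption made for this example.
CHARGEBACK_WINDOW_DAYS = 18 * 30


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject mistyped or non-numeric PANs before storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: keep the 6-digit BIN and the last 4, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Only this component ever holds full PANs. Tokens are random, so a
    leaked token cannot be reversed to a PAN without access to the vault."""

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)   # 32 hex chars, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Used only by the settlement path; None once the token is revoked."""
        return self._pan_by_token.get(token)

    def revoke(self, token: str) -> None:
        self._pan_by_token.pop(token, None)


class SettlementStore:
    """Application-side store: tokens and masked PANs, never raw PANs."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.records: List[dict] = []

    def record_charge(self, pan: str, amount_cents: int, at: datetime) -> str:
        token = self.vault.tokenize(pan)
        self.records.append({
            "token": token,
            "masked_pan": mask_pan(pan),   # enough for receipts and support
            "amount_cents": amount_cents,
            "at": at,
        })
        return token

    def purge_expired(self, now: datetime) -> int:
        """Drop records (and their vault entries) older than the window."""
        cutoff = now - timedelta(days=CHARGEBACK_WINDOW_DAYS)
        kept, purged = [], 0
        for rec in self.records:
            if rec["at"] < cutoff:
                self.vault.revoke(rec["token"])
                purged += 1
            else:
                kept.append(rec)
        self.records = kept
        return purged


if __name__ == "__main__":
    vault = TokenVault()
    store = SettlementStore(vault)
    now = datetime(2016, 12, 1, tzinfo=timezone.utc)
    old = store.record_charge("4111111111111111", 1999, now - timedelta(days=600))
    new = store.record_charge("5555555555554444", 500, now - timedelta(days=10))
    print("stored:", store.records)               # no raw PAN anywhere in here
    print("purged:", store.purge_expired(now))    # 1: the 600-day-old record
    print("old token resolves to:", vault.detokenize(old))   # None
    print("new token resolves to:", vault.detokenize(new))   # 5555555555554444
```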

Only together can consumers and settlement entities reduce fraud and enhance security in a meaningful way. Start now and don’t stop fighting the good fight! Happy shopping!

Source: Citrix

Sunday, 6 November 2016

08:47

Android malware targets bank and social media apps

Cybersecurity experts are warning about new Android malware that can steal the login credentials from 94 different mobile banking apps around the world. The malware masquerades as a Flash Player app that, once installed, appears in a phone launcher, says Fortinet. If a phone owner launches the app they see a fake Google Play screen asking for permissions that grant the malware administrator rights.

Then, when a banking app is opened, the malware creates a fake overlay, tricking victims into entering their login credentials. Among the bank apps being targeted are those of NAB, ING Direct and Citi, as well as PayPal.

In addition, the malware is also taking aim at social media apps. When users launch Facebook, WhatsApp, Snapchat, Twitter, Instagram and more, they are faced with a screen overlay asking for payment card details.

Meanwhile, due to its ability to intercept SMS communications, the malware is also able to bypass SMS-based two-factor authentication. 

Fortinet says users can disable the device administrator rights through their phone settings and then uninstall the fake Flash Player.

Source: finextra.com

Monday, 24 October 2016

23:00

Cyber security: making banking safer


Protecting the banks’ crown jewels – money and personal data – may have become more difficult than ever, but financial institutions have fortified their defences with a little help from their fintech friends.

Cybercrime is the greatest existential threat banks face today. According to The Depository Trust & Clearing Corporation’s latest Systemic Risk Barometer Survey, cyber risk remained the number one concern globally among financial service professionals, with 70% of all respondents citing it as a top five risk.

This anxiety is well founded. Verizon’s 2015 Data Breach Investigations Report found that the financial services sector experienced 277 confirmed breaches in 2014, second in number only to the public sector.

An example of a cyber attack uncovered in early 2015, dubbed Carbanak, saw a criminal gang employ an advanced persistent threat-styled attack to successfully steal £650m ($980m) from more than 100 financial institutions worldwide over a two-year period. One firm had $10m stolen via its online platform, according to reports.

While money is an obvious enticement, cybercriminals also look to steal valuable customer data held by banks. Simon Hales, chief information security risk officer at HSBC, says: “The current reality is that threats realised through digital channels can also target the information financial institutions hold. It depends on the motivations of those committing cyber attacks, which are increasingly global and diverse. Furthermore, the exposure also extends to the financial institution’s partners and external parties.”

The 2014 attack on JPMorgan Chase illustrates the potential magnitude of a cyber breach: hackers compromised 76 million personal accounts and more than 7 million small business accounts. Public confidence in the security of banks was shaken by this attack, considered to be one of the biggest breaches in history.

As Troels Oerting, group chief information security officer at Barclays and former head of the European Cybercrime Centre, points out: “The bank is all about trust and keeping their customers’ sensitive information safe.” A significant breach may prove costly in terms of stolen money or large regulatory fines, but it can also destroy the client relationship beyond repair.

Systemic importance
Cybercriminals also target financial institutions because of the critical role they play in a functioning economy. Governments and regulatory authorities have become acutely aware of the impact a major cybercrime threat might pose to the resilience of the financial system as a whole.

David Navetta, partner at law firm Norton Rose Fulbright (NRF), says: “Governments have a special interest in ensuring that the financial industry is secure because the global economy depends on the movement of money and open access to capital. This encourages much more cross-jurisdictional co-operation, as well as careful scrutiny of banks and financial institutions’ security practices.”

For example, on November 12, 2015, the US and UK conducted joint offline ‘war games’, dubbed Operation Resilient Shield, with global financial firms. The exercise focused on sharing information, incident response handling and public communication.

The European Parliament and European Council are in final negotiations over the Network and Information Security Directive (NISD) aimed at ensuring critical infrastructure in Europe is adequately protected against cyber attacks. Marcus Evans, a partner at NRF, says: “The real development [in the directive] is the formalised sharing of information between EU member states, as well as in due course with third-party countries such as the US.”

Governments and regulators are also paving the way for increased information sharing within national borders. For example, the US Senate passed the Cybersecurity Information Sharing Act of 2015 on October 27, 2015, encouraging sharing among private entities and between private entities and the federal government.

Bank-to-bank intelligence
While some banks remain reticent about sharing information among peers, Mr Oerting dismisses the idea that security is a competitive differentiator. “Catching crooks is something that we should all be united around,” he says, adding that if Barclays is hacked, then it is likely another bank will face the same attack. “We should share information so that the other bank can increase its security before being attacked,” he adds.

Orion Hindawi, co-founder and chief technology officer at cyber security start-up Tanium, agrees. “We know of hundreds of cases where customers were alerted by their peers which allowed them to fortify their defences,” he says.

“Criminals collaborate, learn from each other, leverage each other’s code and share system access. Yet on the flip side, we shy away and don’t want to talk about it,” adds Greg Day, vice-president and regional chief security officer, Europe, Middle East and Africa, at network and enterprise security company Palo Alto Networks.

In order to address this disjunction, 16 months ago Palo Alto Networks teamed up with Fortinet, Intel Security and Symantec to create the Cyber Threat Alliance. The security vendors participate in a technical collaboration forum to share information in real time. “With hundreds of thousands of customers, we have a huge crowdsourcing ability to see cyber attack trends,” says Mr Day. “We can leverage that data to provide better insight into what will hit our clients next.”

There are myriad industry alliances facilitating intelligence sharing and co-operation between governments, law enforcement and the financial services industry, including the National Crime Agency’s National Cyber Crime Unit, the Cyber Defence Alliance, the Financial Services Information Sharing and Analysis Centre and the City of London Police’s National Fraud Intelligence Bureau, to name just a few. The next step must be to join up these separate initiatives, argues Don Randall, the Bank of England’s former head of security and chief information security officer.

Mr Randall also believes that suspicions and attempts should be included in the scope of shared information. “The main industry alliances are predominantly focused on actualities. But if a group of hackers unsuccessfully attempted to breach five major banks at the same time yesterday morning with the same methodology, we don’t have that data at the moment,” he says. “We have to get into the position of sharing this information because invariably the attempts will turn into real attacks.”

Raising the complexity bar
A number of developments have combined to boost the difficulty banks face in defending themselves and their customers against cybercrime. Overall, the modernisation and mobilisation of financial services is a fundamental shift that has seen the majority of financial transactions now conducted via cyber means, i.e. mobile phones, tablets, watches, cloud, etc.

Banks are constantly worried about whether their online customers are secure, using outdated software or vulnerable to fraud. As is often bemoaned, the customer is the weakest link. Employees are also more mobile: working from home or a coffee shop, at a conference, satellite office or customer site, all of which bypass the perimeter or network-based security that a bank has already invested in.

Laurance Dine, managing principal for the Verizon Investigative Response Unit, highlights how end-user behaviour is changing due to the ‘Internet of Things’ (IoT). “The new generation wants to have access to everything, so trying to secure every single device is a difficult task,” he says. “Ongoing employee training and security awareness programmes are critical to maintain within every business.”

In addition, the financial industry has seen a lot of merger and acquisition (M&A) activity and global expansion. “Most banks face great difficulty in tying together different infrastructures, databases and computer assets across multiple jurisdictions,” says Ben Johnson, chief security strategist at next-generation end-point security company Bit9 + Carbon Black. “Trying to defend their digital landscape in a cohesive, all-inclusive way is a huge challenge for them.”

Differentiating the motives and actors behind cyber attacks can help determine the proper level of response, resilience and budget. Actors range from organised crime syndicates, state-sponsored groups and militaries, and hacktivists trying to make a point, to insiders attempting to steal information for personal gain. “If the intention is to steal through organised crime or nation-state espionage, then the sophistication level will most likely be higher,” says Mr Randall. “But if the objective is to take down, disable or irritate, then simple old-fashioned methodologies can do the job.”

These categories are showing signs of blurring. “Some use hacktivism as a façade for a nation state attack. We also see co-operation between nation-states and organised crime,” says James Chappell, chief technology officer and co-founder at Digital Shadows, a UK-based cyber intelligence start-up. “Attributions are more difficult now because it is not easy to unpick who the culprits are. Luckily forensics is also developing at pace to help with that.”

Growing sophistication
Most experts report greater sophistication in cyber attacks. For example, cybercriminals are hitting banks with advanced distributed denial-of-service (DDoS) attacks, threatening to shut down their websites unless they pay a ransom. On November 30, the Financial Times reported that a group of hackers targeted three Greek banks and demanded 20,000 Bitcoin ($8.1m) from each institution.

DDoS attacks are also being used as smokescreens for other crimes. “As a bank automatically reacts against this very loud attack, criminals might be doing something around the back,” says Mr Oerting. “We need to have adaptive and flexible defences, so we aren’t just looking at where we hear noise but also our back doors.”

Mr Navetta recounts a client experiencing a cyber fraud in which an email referencing a secret M&A deal was sent to a person in accounting, purportedly from the CEO. The email convinced the accountant to wire transfer millions of dollars to a Hong Kong bank, which NRF has been trying to recover for its client; while Mr Chappell reports instances of hackers proactively seeking out digital developers to obtain pre-released versions of a bank’s website code.

Adam Ely, co-founder of San Francisco-based start-up Bluebox Security, has witnessed a rapid growth in malware targeting banks’ mobile apps. “We are at a tipping point where the banks are starting to invest more heavily in mobile technology and related security because the hackers are following them into this space,” he says.

In addition, cybercriminals are continually refining their tools. Richard Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, says that the new bots being developed today are smaller and more targeted. “We are seeing a rise in Trojan downloaders, which drop other malware. One example is the Shylock banking Trojan, which primarily targeted UK financials. We have to adjust our strategy both legally and technically to adapt to the different things they are doing,” he says.

A losing battle?
In many ways banks appear to be fighting a losing battle, particularly when it comes to organised crime or state-sponsored adversaries. As Mr Dine says: “We are facing ‘hackers for hire’: people that are paid to hack all day specifically targeting financial institutions.”

“An underground economy has cropped up – crime as a service is a reality,” adds Mr Chappell. He reports that the more advanced techniques, which usually begin in the realms of the nation state, are now appearing in exploit kits and software that can be bought online.

Launching attacks has become much easier, adds Alex van Someren, managing partner of early-stage funds at Amadeus Capital Partners. “The tools for directing various forms of attacks against organisations are becoming increasingly automated, so it is easier for people who do not know much about hacking to nevertheless be successful in building attacks against enterprises,” he says.

But while attackers are stepping up their game, the industry is responding with new and innovative defences, Mr Chappell emphasises. “Together as an industry we have become much better at sharing information on attackers and how these crimes are carried out. The types of tools and services available to defend us are also progressing – there is great innovation in this space. We are part of an ecosystem of security companies that are helping banks with these problems,” he says.

Cyber security start-ups
As an investor that focuses on cyber security start-ups, Mr van Someren believes that this space presents impressive growth opportunities. In January 2015 he founded a start-up accelerator, Cyber London, to foster a more robust cyber security ecosystem in the UK. The programme helps start-ups grow their businesses faster by connecting them with customers that might help trial their products.

He is convinced that working with start-ups is the way forward for banks. “If a bank builds something in house, only they pay for it and only they get the benefit. If a start-up builds a solution externally, other banks help pay for it and it benefits the industry more generally,” he says.

Like many other banks, HSBC has an innovation investment programme that looks for organisations with innovative technology that it can help fund as well as internalise. “This engagement helps to evolve our capabilities to thwart our adversaries,” says Mr Hales. “It informs us what is possible and allows us to test out new ideas.”

At Barclays, Mr Oerting has a particular interest in start-ups exploring blockchain use cases and intelligent authentication technology. “We need to be engaged in order to build in security that is convenient and trustworthy. This will be a differentiator in the future,” he says.

Diverse solutions
Threat intelligence and next-generation data loss prevention products are areas that Mr van Someren sees attracting interest. Amadeus Capital currently invests in Exonar, a firm that identifies and controls sensitive information flows.

A few examples of the diversity of cyber security start-ups include Tanium and Bit9 + Carbon Black, whose solutions target end-points, for example, ATMs, point-of-sale terminals, servers, desktops, laptops and cloud. According to Mr Hindawi, banks can roll out Tanium’s software for monitoring and changing end-point activity. Deployed on just one server, it can scale to millions of end-points.

Mr Johnson likens Bit9 + Carbon Black’s software to a surveillance camera. “A client can install the software on each computer in the environment and it monitors end-point activity. The client can detect suspicious behaviour, respond faster to that behaviour and remediate it,” he says.

Digital Shadows, on the other hand, provides a complete view of a customer’s digital footprint, identifying defence weaknesses and data loss. It also tracks attackers by looking at their tactics, techniques and procedures. By monitoring malware, how it is being used, the relative prevalence of different malware types and criminal techniques, clients can better align their defences against those attacks, explains Mr Chappell.

And Bluebox Security focuses on securing mobile apps. The technology allows organisations to produce self-defending applications, according to Mr Ely. “If another app tries to modify the Bluebox-secured banking app, the latter can defend itself. It can respond by either shutting down and notifying the user of the problem, or preventing the attack to keep malware at bay,” he explains.

Much more than IT
In order to combat cyber threats and engage with innovative security technology, over the past two years many banks have elevated the chief information security officer to a more strategic role.

The financial sector has the highest percentage (88%) of chief information security officers, followed closely by IT/telecom (86%), according to the Governance of Cybersecurity: 2015 Report by Georgia Tech Information Security Centre. In addition, the sector increased the percentage of chief information security officers/chief security officers reporting to the CEO/chief operating officer.

“The chief information security officer role has been elevated to a truly C-level position in banks,” says Mr Hindawi. “They are being moved out of IT and placed either under the chief operating officer or report directly to the board. Even if they don’t have direct access to the board, they are often invited to give a cyber update and educate on the new existential risk.”

The chief information security officer’s remit should include policy and standards, education and awareness, intelligence and investigations, and forensics, providing the bank with a threat landscape, according to Mr Randall. He also recommends including a geopolitical analyst in the cyber team, a suggestion that may have raised eyebrows a few years ago but is more accepted today.

Barclays, for one, has adopted this management structure. Mr Oerting, who took up the chief information security officer role at Barclays in February 2015, reports directly to Michael Harte, Barclays’ chief operations and technology officer.

He drafted the bank’s first security strategy focused solely on cyber rather than on an overall technology strategy. It includes four key priorities: protect the ‘data estate’, regardless of whether the data are on premises or in the cloud; enable the bank to go to market in a fast but safe manner; innovate, including partnerships with accelerators and start-ups; and educate.

“Education is aimed at the whole staff, regardless of whether they work in communication, IT, a branch or HR – every employee must know that security is in our DNA,” says Mr Oerting. “I believe that culture eats strategy for breakfast. Any management can send out new strategies but if it is not in the culture of an organisation, then employees won’t implement them.”

Barclays has three cyber centres: a security operations centre; a solutions and innovation centre, with an internal ‘white hat’ hacking team; and a security control centre, which includes third-party vendors that report to Mr Oerting. “We now have a global security system that applies to the whole bank,” he says.

HSBC has taken a different approach and drives information security risk management through the chief information security officer, who reports to the chief information officer, and a chief information security risk officer, who reports to the chief risk officer. This decision was taken following the application of an Operational Risk Management Three Lines of Defence framework.

As chief information security risk officer, Mr Hales is responsible for setting policy and strategy, and aligning both to an organisation’s risk appetite around information security incidents. He also ensures that the businesses receive independent advice and guidance regarding operational risks. The chief information security officer, on the other hand, is responsible for day-to-day operational controls and development of technical controls.

Mr Hales continually challenges existing controls, not only to see if they are working effectively, but also to ascertain if they are fit for purpose. “We research current threats, not just the ones that impact us directly but those that are materialising in other business areas that may impact us,” he says. “This includes geopolitical concerns and other non-technical areas where threats materialise.”

The interplay between the lines of defence provides HSBC with greater assurance that it is getting security right. Mr Hales says: “The design, supported by audit as the third line of defence, ensures we are better positioned to manage the risk holistically, and provides management and regulators with a greater level of assurance.”

08:26

Debit card data theft: Who broke into your bank account?
With cyber criminals becoming savvier by the day, learning how to safeguard yourself is imperative

The data breach that has led to an estimated 3.2 million debit cards getting compromised is only a small manifestation of a larger malaise called cyber crime. The breach occurred due to an introduction of malware in the network of a third-party payment processor.

Living in a digital world, we need to be aware of different types of cyber frauds and take steps to safeguard our financial well-being.

Password theft: Today, people have apps on their mobiles for almost everything - buying vegetables or furniture, booking a taxi, stock trading or anything else. Given the large number of apps, many people keep the same password and e-mail id for convenience - a wrong move. "The level of security at all online websites is not uniformly good. While Google's site will be difficult to hack into, an online retail start-up may not have the same level of security. Stealing of passwords usually happens from websites that have a lower level of security," says Shomiron Das Gupta of NetMonastery, a threat management provider.

Most people use the same password at numerous websites. After hacking one weakly protected site, the hacker will have your user name, password and, in most cases, your email ID. He will then enter the other websites and misuse these. He could even send out mails from your email account and receive new passwords for other sites, thus locking you out.

Sunday, 15 May 2016

10:15

Retail Banking 2020: Evolution or Revolution?
Powerful forces are reshaping the banking industry. Customer expectations, technological capabilities, regulatory requirements, demographics and economics are creating an imperative to change. Banks and credit unions need to get ahead of these challenges and retool if they are to find success in the upcoming decade.
Growth remains elusive, costs are proving hard to contain and ROE remains stubbornly low. Regulation is impacting business models and economics. Technology is rapidly morphing from an expensive challenge into a potent enabler of both customer experience and effective operations. Non-traditional players are challenging the established order, leading with customer-centric innovation. New service providers are emerging. Customers are demanding ever higher levels of service and value. Trust in financial institutions hovers near historic lows.

Such is the backdrop against which PwC frames its world-class report, “Retail Banking 2020: Evolution or Revolution?”, addressing the financial industry’s future head on.

As dire as the current situation facing financial services firms may sound, PwC actually believes traditional institutions have a bright future. And despite all the gesticulating, undulating and bloviating from pundits about the “imminent death” of banks and credit unions, PwC doesn’t see “outside disruptors” driving a dagger through the heart of the banking industry — the fundamental concept of a trusted institution acting as a facilitator of transactions and credit resource is not about to change. However, the landscape will change significantly, as customer expectations, regulatory requirements, technology, demographics, new competitors and the fundamental economics underpinning the banking industry all shift and evolve.

PwC says existing banking providers must accept that the status quo is not an option. But does all this change signal a revolution, or an evolution? PwC says it’s both. The industry has historically changed slowly — evolutionary, incremental change. While the changes PwC envisions are less about imagining some unknown future, and more about implementing and integrating all the things we already know today, the pace of change is intensifying rapidly. Financial institutions that fail to shift gears risk being left in the dust.

To produce their report, PwC integrated insights from 560 client executives from leading financial institutions across 17 markets. They examined the challenges and opportunities of this evolving landscape and how they plan to respond. 70% of global banking executives said they believe it is very important to form a view of the banking market in 2020 — to understand how global trends are impacting the industry, and what they need to do to develop a winning strategy.

Respondents aren’t sure who will be the primary beneficiaries of these trends. Just over half (54%) believe that large banks will be the winners, while the other half (46%) see smaller banks capturing share through increased differentiation. Industry executives are also divided as to the threat posed by non-traditional new players: 55% believe they pose a threat to traditional banks, while 31% believe they present innovative partnership opportunities.

Executives also differ in their views by geography. For example, fewer US executives think it important to form a view of the industry in 2020 (61%) than executives in the emerging markets (79%). And many more US executives view non-traditional new market entrants as a threat (71%), than executives in Asia (42%), where more view them as an opportunity (44%) for partnering and prospering together. This divide between developed and emerging market thinking is a theme throughout PwC’s survey.

Seven Macro-Trends Impacting The Future of Retail Banking

1. Technology will change everything — becoming a potent enabler of increased service and reduced cost. Innovation is imperative. In the last few years technology has rapidly evolved — big data, cloud computing, smartphones and high bandwidth are all now commonplace. PwC says we’ve reached a tipping point analogous to what has already occurred in other industries (e.g. music, video, and print media), where the digital channel will compress revenues, enable new attackers, redefine service and cripple the laggards. The pace of innovation will continue to increase, and financial institutions will need to enable or leverage this innovation if they want to keep up.

2. Every bank will be a direct bank, and branch banking will experience a significant transformation. PwC says that as technology shifts more and more activities online and as cash usage drops, traditional branches will no longer be necessary. Given their high fixed cost, branches will need to become dramatically more productive, or significantly less costly (e.g., smaller). Banks and credit unions have already reduced staff levels, closed less viable locations, and are experimenting with new retail concepts. PwC predicts branches will remain relevant, but will adopt many different forms — from flagship “engagement hubs” to compact “smart kiosks.”

3. Competitive reach will no longer be determined by branch networks, but rather by banking licenses, technology and marketing budgets. When every aspect of banking can be done digitally, a bank’s target market and competitive arena is no longer defined by its physical footprint, but rather by its technology, its regulatory boundaries and the sheer limitations of its marketing budget. In the US, for example, top regional banks could become viable national players, and ambitious foreign entrants with resources but without any brick-and-mortar footprint could suddenly find themselves competing on a new, larger field. New entrants could sprout up rapidly, potentially spawning dozens of new competitors and refragmenting the landscape further than it already is. Indeed, PwC envisions there will be increased competition from non-bank players. As a result, branding and marketing will be more important than ever before.

4. Banks will organize themselves around customers instead of products or channels. PwC says the winners of tomorrow will offer a seamless customer experience, integrating sales and service across all channels. They will develop the ability to view customers as a “segment of one,” recognizing their uniqueness, and tailoring their offerings so that customers view banks as “meeting their needs” not “pushing products.”

5. Banks (in most countries) will evolve their customer experience to be more female-friendly. In one US survey, 73% of women said they were dissatisfied with the financial services industry. Complaints range from a lack of respect, to being given contradictory advice and worse terms than men. Smart institutions will address this through a combination of branding, products, and service solutions. Furthermore, PwC forecasts that significantly more bankers working in the industry will be women by 2020; many banks publicly state this as an ambition.

6. Social media will be the media. Today, most financial marketers view social media as co-existing alongside traditional channel. By 2020, PwC says social media will be the primary medium with which financial institutions connect, engage, inform and understand consumers — everything from the mass “collective social mindset,” to the minutiae of each and every individual. Information and opinions — both good and bad — will be amplified. Mastery of social media will be a core competency, according to PwC.

7. Cyber security is paramount to rebuilding trust. Winners will invest significantly in this area. Recent high-profile security breaches and media commentary surrounding cyber attacks have sparked fear and uncertainty, further eroding consumer trust. There are now higher expectations about security of information and privacy among clients, employees, suppliers and regulators. A proactive response is vital.

Six Priorities for 2020

Through its proprietary research and insights from clients worldwide, PwC identified six critical priorities for success in 2020:
  1. Developing a customer-centric business model
  2. Optimizing retail delivery
  3. Simplifying business and operating models
  4. Obtaining an information advantage
  5. Enabling innovation, and the capabilities required to foster it
  6. Proactively managing regulations, risk and capital

There is broad agreement among banking industry executives that these six areas are all “very” or “somewhat” important, but fewer than 20% feel they are “very prepared” to address these priorities. A similar number report that they are making significant investments in these areas.

Financial institutions seem to universally agree that they are hindered from addressing these priorities by financial, talent, technology and organizational constraints. Banks and credit unions need to take aggressive action to ease these constraints, and manage themselves in a more agile manner to enable the innovation and transformation they so desperately need.

1. Developing a Customer-Centric Business Model

Financial marketers today have a simplistic understanding of their customers and a vastly complex product set. They typically do not know their customers very well. Many still send customers multiple product offers in the hope that something will stick. They struggle to join the dots internally and prepare bank-wide views of a customer relationship, let alone integrate external sources of data. For instance, few can analyze a customer’s deposit account, recognize that their salary increased, and send a note congratulating the customer on their promotion together with an offer of a premium card and a higher credit limit.

PwC says the winners of 2020 will develop a much more complete understanding of their customers. They will need to acquire, integrate and analyze multiple sources of internal and external data. They should be able to understand people’s needs, and present relevant solutions at the time of need. They will simplify their product sets and redesign their core processes from the customer’s point of view.

PwC’s survey indicates a growing awareness in this area, but a significant gap in preparedness. 61% of industry executives say that a customer-centric business model is “very important,” and 75% are making investments accordingly. But few — if any — have attempted the sort of wholesale transformation PwC prescribes.

2. Optimizing Retail Delivery

Historically, banks with the best and/or biggest branch footprint have dominated, gaining a disproportionate share in their markets. By 2020, much of today’s infrastructure will not be a competitive advantage. Leading institutions will offer an anytime/anywhere service, fully utilizing all banking channels in an integrated fashion.

The shakeup in branch-based banking and the need to optimize distribution networks is clearly top of mind for banking executives. 85% of respondents in PwC’s survey said they see optimizing retail channels as important. 59% of respondents expect the importance of branch banking to diminish significantly as people migrate to digital channels. Yet, only 16% of respondents viewed themselves as “very prepared” for this shift. Respondents globally view the largest banks as benefitting most from these changes, and smaller regional and community banks as being the most threatened.

3. Simplifying the Business and Operating Model

Banks have developed staggeringly complex and costly business models. Now they must simplify. Rising customer expectations, increasingly active regulators and stagnant shareholder returns demand it. Efforts thus far have not been enough. Many financial institutions have been built over decades of acquisitions, and new product and channel development, typically with each development adding additional systems, layers, processes and costs. Few have tackled the difficult and expensive work of integrating, optimizing and simplifying their platforms.

A majority of banking executives (53%) believe that simplification is very important, and 70% are making some level of investment in simplification. Yet, only 17% feel well-prepared. Taking a customer perspective, a majority of executives believe their banks must simplify products, channels and prices/rates. Taking an internal perspective, a majority of executives believe they must simplify their technology, their processes and their back offices. Bankers believe that simplification will lead to better service, lower costs and increased profitability.

PwC says you should start with the customer and work backwards. Simplifying the experience requires that products, channels, organization and operations all must change. The most successful banks will learn from other industries. Many consumer products companies (Adidas, Apple) do not own the entire value chain. They focus on what makes them distinctive — product design, marketing, distribution — and contract out much of the rest to third-party specialists.

Granted, all this sounds like a major undertaking, but PwC says the rewards for those who get it right will be huge.

4. Gaining an Information Advantage

Getting this right will be a game-changer. Fast movers will create competitive advantage in every area of the bank — from customer experience and brand management to underwriting and pricing.

The banking industry and the consumers they serve now generate exponentially more information than ever before. Few banks are positioned to integrate, analyze and act on the insights from the massive data streams available today; imagine how the volume of data will have ballooned even further by 2020.

In the future, PwC says leading players will exploit both structured and unstructured information — from traditional sources (such as credit scores and customer surveys) and from non-traditional sources (such as social media, and cross-channel bank customer interaction data). They will collect and purchase other behavioral data (such as mobile location and purchase data) — particularly as customers grow accustomed to surrendering privacy in a voluntary value exchange.

Leading players will develop advanced analytics capabilities to integrate this vast library of data, analyze it and create actionable insights. 57% of bank executives consider these capabilities to be “very important,” while 92% consider them at least “very” or “somewhat” important. Three-quarters of institutions are making investments in their data analytics capabilities, yet only 17% believe they are fully prepared.

5. Enabling Innovation

Innovation is the single most important factor driving sustainable top- and bottom-line growth in banking. But PwC points out that financial institutions today are not known as places where innovation thrives, nor are they the first choice for top software engineers. Banks and credit unions need to organize and manage themselves differently, PwC says — protecting and enabling talent, becoming agile in their development processes and being open to partnerships with outside institutions. Successful executives in the future will need to be fluid and savvy — mentally nimble, with an innovative mindset.

Innovation within the banking industry is considered to be somewhat or very important by 87% of respondents, yet in stark contrast, only 11% believe they are very prepared. And there are significant regional differences — over 60% of executives in Asia-Pacific and the emerging markets view open innovation as very important; however, only 40% of European executives and 28% of US executives agree. We believe developed-world executives need to take more of an emerging markets view of the importance of innovation, particularly once the new regulatory framework stabilizes.

Executives believe that the large global and national banks will benefit most and that smaller community banks and credit unions will be the most threatened. Respondents report that their main focus areas for innovation are customer interfaces and channels (57%), followed by customer need identification (53%), products (52%) and core platforms (52%).

6. Proactively Managing Regulations, Risk and Capital

The post-crisis flood of regulations signals a major mindset change for regulators. In the past, regulation was just one of many considerations. Capital was plentiful and not a significant business constraint. Conduct issues were thought to be few and far between. Today, not only are the rules much more complex, but regulators are more suspicious, and less flexible with their demands to improve compliance, reporting, and the underlying business processes and data. Leading banks are taking a different and more comprehensive approach to managing their regulatory obligations. This approach is pragmatic, proactive and increasingly integrated into “business as usual.”

Executives in all regions — unsurprisingly given what’s transpired in this area over the last few years — consider this the biggest priority they need to address, with 64% citing this as very important. Again, however, very few (only 22%) consider themselves very prepared. Respondents say the biggest obstacles to addressing these issues are the level of financial investment required and technology constraints.

Download full report: PWC.COM

Sunday, 24 April 2016

08:26

When banks leave the front door open
Cyber attacks against the banking industry have soared in the last few years, and financial institutions now face 300% more attacks than any other industry. Compared with other industries, the financial services industry isn’t shy when it comes to cyber security investment and generally has a superior level of protection.

But this attracts a more sophisticated demographic of hacker, who will hone different types of attacks to target a bank, as they are fully aware of the rewards they could reap if they succeed.

But, given the investment banks plough into defence, how do the hackers succeed? According to the FBI, one of the key entry points for cyber criminals is obtaining employee login credentials by using spam and phishing emails, keystroke loggers and remote access Trojans.

This was certainly the case for JPMorgan Chase, when, in 2014, it became the victim of the world’s biggest hit on a financial services company. This was despite having spent over $250 million and having over 1,000 of its people focused on cyber security. Hackers gained access through the computer of an employee working from home, stealing their login credentials and targeting a network server that only needed a username and password. More than 83 million customer records were compromised and although no account information was taken, the bank’s reputation took a considerable knock.

For financial institutions, the JPMorgan Chase breach highlighted a few important things. The first is the effectiveness of malware; the second is the vulnerability of workers, particularly remote workers; and thirdly, how easily hackers are able to roam around company networks once they get in. The hackers in the JP Morgan attack were “inside” for over a month before the breach was discovered.

So why is remote working such a weak spot? One reason is user authentication – over 75% of cyber attacks stem from weak or stolen passwords. In the case of JPMorgan Chase, having poor authentication in place effectively meant they left the bank’s front door open. Using phishing or key-stroke loggers, hackers can identify usernames and passwords. The proliferation of devices is also to blame – banking employees want to be able to use their smartphones and tablets to access company systems. But “bring your own device” (BYOD) has added multiple layers of complexity to security.

When you consider the risks, you can understand banks’ reticence to sanction remote working. But financial organisations can make massive productivity gains through remote working policies – allowing people to work from home, the train or when away with work gives business productivity a real boost. The question is, how do you lock it down and make it as secure as possible?

Authentication is a key consideration. As demonstrated by JPMorgan Chase, many have password-only solutions, and hackers use dictionary attacks or brute force attacks to get in. Others have two-factor authentication in place, but even these solutions can be compromised, as they involve tokens or cards that generate pre-issued passwords based on seed files, which can be hacked.

Biometric technology is becoming more popular but it is flawed and phenomenally expensive to implement and manage. And it can be compromised. The US Office of Personnel Management was recently involved in a massive cyber attack in which 5.6 million fingerprints were stolen. Fingerprints, if stolen, can’t be changed.

Multi-factor authentication (MFA) is a solution that banks and insurers could consider – it captures and uses contextual data around each login to determine whether the user should be granted access, such as a user’s connection, their geographic location, a valid point of entry and time of day. If there is nothing suspicious, a one time passcode is generated in real time and sent to the employee’s mobile, allowing them to log in securely.
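The contextual login decision described above, followed by issuing and checking a short-lived one-time code, as an added Python example (not code from the original post or from any vendor named on this page); the gateway names, the user baseline, the anomaly threshold and the code lifetime are constructed assumptions:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy settings: assumptions for this example, not any bank's real policy.
APPROVED_ENTRY_POINTS = {"corp-vpn", "remote-access-portal"}
OTP_TTL = timedelta(minutes=5)
OTP_DIGITS = 6
MAX_OTP_ATTEMPTS = 3
ESCALATE_THRESHOLD = 2  # this many contextual anomalies: refer for review, send no code
EXAMPLE_NOW = datetime(2016, 4, 24, 10, 0, tzinfo=timezone.utc)  # fixed clock for the demo

@dataclass(frozen=True)
class UserProfile:
    """Per-user baseline that the contextual checks compare against."""
    username: str
    usual_countries: frozenset
    work_hours: tuple          # (start_hour, end_hour), 24h clock, user's local time
    known_devices: frozenset   # device fingerprints seen on earlier logins

@dataclass(frozen=True)
class LoginContext:
    """Facts captured about one login attempt before any code is sent."""
    username: str
    password_ok: bool
    entry_point: str   # gateway the request arrived through (the 'valid point of entry')
    country: str       # geolocated from the source connection
    hour: int          # local hour of the attempt
    device_id: str

def assess_login(profile: UserProfile, ctx: LoginContext):
    """Return ('deny' | 'escalate' | 'challenge', reasons).

    'challenge' means nothing suspicious was found, so a one-time code may be
    sent to the employee's phone. 'escalate' means the password was right but
    the context is anomalous: no code is issued and the attempt is referred.
    """
    if not ctx.password_ok:
        return "deny", ["bad password"]
    if ctx.entry_point not in APPROVED_ENTRY_POINTS:
        # A request that bypassed the approved gateways never gets a code.
        return "deny", [f"unapproved entry point {ctx.entry_point}"]

    anomalies = []
    if ctx.country not in profile.usual_countries:
        anomalies.append(f"unusual country {ctx.country}")
    start, end = profile.work_hours
    if not start <= ctx.hour < end:
        anomalies.append(f"outside work hours ({ctx.hour:02d}:00)")
    if ctx.device_id not in profile.known_devices:
        anomalies.append(f"unknown device {ctx.device_id}")

    if len(anomalies) >= ESCALATE_THRESHOLD:
        return "escalate", anomalies
    return "challenge", anomalies

@dataclass
class OtpChallenge:
    """Server-side record of an issued code; only a salted hash is stored."""
    username: str
    salt: bytes
    digest: bytes
    expires_at: datetime
    attempts_left: int = MAX_OTP_ATTEMPTS

def _digest(salt: bytes, code: str) -> bytes:
    return hashlib.sha256(salt + code.encode()).digest()

def issue_otp(username: str, now: datetime):
    """Generate a fresh random code. Returns (code_to_send, server_record)."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    salt = secrets.token_bytes(16)
    record = OtpChallenge(username, salt, _digest(salt, code), now + OTP_TTL)
    return code, record

def verify_otp(record: OtpChallenge, submitted: str, now: datetime) -> bool:
    """Accept only an unexpired, unused code while attempts remain."""
    if now >= record.expires_at or record.attempts_left <= 0:
        return False
    record.attempts_left -= 1
    ok = hmac.compare_digest(_digest(record.salt, submitted), record.digest)
    if ok:
        record.attempts_left = 0  # single use: burn the record on success
    return ok

if __name__ == "__main__":
    profile = UserProfile("a.jones", frozenset({"GB"}), (8, 19), frozenset({"laptop-1"}))
    attempt = LoginContext("a.jones", True, "corp-vpn", "GB", 10, "laptop-1")
    decision, reasons = assess_login(profile, attempt)
    print(decision, reasons)
    if decision == "challenge":
        code, record = issue_otp("a.jones", EXAMPLE_NOW)  # code would go to the phone
        print("code accepted:", verify_otp(record, code, EXAMPLE_NOW))
```

The code is delivered out of band and only its salted hash is kept, so a stolen server record does not reveal a usable code; rate limiting of how often codes are issued to one user is left to the surrounding system.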

The cyber security threat facing banks is increasing exponentially. And IT professionals on the front line owe it to the bank and its customers to have every solution at their fingertips to try to circumvent attacks. MFA is only part of the solution, but in terms of locking down security around authentication, they need to do the best they can.