
BANKS UNDER ATTACK: HOW FINANCIAL INSTITUTIONS CAN PROTECT DIGITAL GROWTH


By Victor Acin, Threat Intelligence Analyst, Blueliv

 

Financial services firms are increasingly being told to embrace disruption in order to compete in a fast-evolving market. But this very disruption threatens to drive a new type of risk: the risk of data loss, service outages and fraud on a massive scale. The resulting hit to the bottom line and corporate reputation may undo all the good work that digital transformation has helped to foment.

As we enter a new decade, banks need to think carefully about how they respond to these mounting cyber-risks, without holding back digital innovation. Cybersecurity, with threat intelligence at its core, must be a central part not just of business strategy but also of corporate culture.

 

Digital goes mainstream

According to PwC, financial institutions are increasingly migrating infrastructure to public cloud systems, as “digital becomes mainstream” in 2020. These investments are helping to create the more user-friendly services that customers are demanding today. With fintech innovators often leading the way, lenders have invested heavily in mobile app-based services at the front-end and more streamlined processes for opening accounts and other laborious tasks. In the future, it’s predicted that AI and robotics will become commonplace, and that blockchain will disrupt.

However, PwC also warns that amidst all this change, cybersecurity will be one of the top challenges facing financial institutions in 2020. The truth is that financial institutions have always been a main target for hackers — after all, they guard huge volumes of highly sensitive data, as well as money. And as they build out more digital infrastructure, cyber-risk increases unless proper controls are put in place.

 

What does cyber-risk look like?

The bad news is that hackers have developed multiple ways to get what they want. A typical financial institution’s attack surface covers not just core banking IT systems, but also customer accounts and the wider payment ecosystem. That’s a lot to protect.

Humans are often perceived as the weakest link in the security chain. That’s why attackers target banking customers in raids aimed at accessing their bank accounts. Phishing emails, automated tools which try huge volumes of breached passwords (known as credential stuffing), and malware are some of the most popular mechanisms for account takeover. In fact, earlier this year Blueliv’s threat researchers noticed a 283% increase in activity linked to Trickbot, one of the key botnets used to spread banking Trojans designed to compromise customer accounts.

Humans are also targeted inside banks themselves. Phishing emails sent to employees are a common first step in potentially sophisticated multi-stage attacks designed to illegally transfer huge sums of money or steal large data troves. Other threats to banks and their customers come from ransomware and DDoS, designed to extort money and deny critical services, and attacks aimed at harvesting payment card details — either from POS systems in retail and hospitality outlets or from e-commerce sites.

 

Money, money, money

If any indication were needed of the riches to be gained from targeting financial institutions, it’s the relatively large number of sophisticated attack groups that have emerged over recent years. The Carbanak/Cobalt gang is believed to have stolen $1.2 billion from over 100 banks in 40 countries, installing malware internally via phishing emails which either dispensed cash via ATMs or facilitated illegal SWIFT wire transfers, for example.

Others include Dridex, the group behind one of the most prolific banking Trojans ever created, and the North Korean state-backed Lazarus Group, which is thought to have been responsible for the audacious $81 million cyber heist at Bangladesh Bank.

As for the victims of such attacks, there’s a host of potential knock-on effects that can undermine financial stability and customer confidence. There are costs associated with: investigation and remediation of the incident itself; customer notification and possible credit monitoring; and business interruption, if services are taken offline. Legal costs may follow if customers take their bank to court and there may be follow-on fraud attempts to tackle. Then there are the less immediate impacts such as regulatory fines, declining share price, damaged reputation and customer churn.

The latter risk is particularly acute given the UK’s new Open Banking environment, in which a new breed of fintech start-ups are entering the market. More than ever, banks have to prove that they can offer their customers value, and keep their data and finances safe.

 

What happens next?

The bad news is that attacks are on the rise. The number of cybersecurity incidents reported to the FCA jumped by 1000% between 2017 and 2018. But there are things financial institutions can do.

A layered approach to security is required, promoted from the top down by engaged executives. Company-wide security awareness training is also essential: even by spotting and reporting phishing emails more effectively, staff could transform from being the weakest link to a formidable first line of defence against attacks. Tried and tested incident response plans are also essential: it’s inevitable that hackers will eventually target an organisation, so best be prepared.

Most importantly, banks need to improve their threat intelligence. Systems powered by accurate, real-time data from multiple sources can enhance decision making, improve the resilience of existing cyber-defences, automatically block attacks and support incident response. They can also scour dark web marketplaces to alert security teams if customer card data or user logins are about to be traded by cyber-criminals.

With this in place, banks can move from a reactive to a proactive security posture, hunting down those who seek to do them harm, cancelling cards and resetting passwords before an attack can even be monetised. Collaboration within and between organisations is also key. The bad guys are past masters at sharing information and expertise to get what they want. It’s time the security teams within our banks did the same.

 


COMBINED RISE OF M&A AND CYBER RISK CREATES STORMY SEAS FOR INVESTORS


UK organisations carrying out merger and acquisition (M&A) activities must improve pre-acquisition due diligence of software vulnerabilities

By Philippe Thomas, CEO at Vaultinum

At present, the UK is seeing a sharp rise in M&As. Indeed, in the first quarter of 2021, the UK saw a £1.1 billion increase in domestic M&As when compared with the same period in 2020 (Office for National Statistics). This trend is set to continue, with 57% of UK executives reporting that their companies intend to pursue M&As in the next 12 months, and 65% of these respondents focusing on cross-border acquisitions (EY). As such, UK businesses have given a clear vote of confidence in moving forward with M&As, making them a focal point for accelerated organisational growth and development.


Traditionally, organisations and investors have conducted due diligence covering financial, legal, operations, and human resources. Comprehensive software due diligence is not always carried out systematically, which has significant adverse consequences given that a company’s technology is increasingly its primary asset. As non-tech organisations use more and more tech for their day-to-day operations, and as the number of tech-forward companies grows, new issues have arisen which are overlooked in traditional due diligence.

 

A crucial time for tech security

Data breaches during M&As have become infamous during the last few years, with more than 1 in 3 executives surveyed by IBM reporting data breaches associated with M&A activity during the period of integration. This figure could be set to increase, as statistics highlight that cyber-attacks are rising sharply in the UK. According to Sophos data, 51% of UK organisations were affected by ransomware attacks in 2020, with criminals successfully encrypting data in 73% of these attacks. Cybercriminals are increasingly targeting organisations in ransomware attacks with the eventual goal of large-scale business interruption. Carrying out comprehensive due diligence that assesses both software and source code during the pre-acquisition phase enables the early identification of data breach risks, providing the acquirer with a full view of the financial and legal consequences at this stage of negotiations.

Acquiring or merging with a secondary company that has hidden data vulnerabilities can impact the primary company’s business operations, investor relations and reputation. The most well-publicised example of this occurred in 2017, when Verizon revealed a pre-merger data breach at Yahoo!. During negotiations of the merger, it was revealed that Yahoo! had experienced a data breach during which a hacker stole the personal data of at least 500 million users, followed by a second data breach in which 1 billion accounts were compromised and users’ personal information and login credentials stolen. In this instance, Verizon had done their due diligence, and were able to make an informed decision about going ahead with the deal. If Verizon had not carried out any tech due diligence, and this data breach had not been revealed during the negotiations, Verizon could have overpaid for Yahoo!, as well as experiencing long-term legal and reputational damage. Instead, both companies understood the liabilities before entering into an agreement.

Other companies have not been so lucky. In 2016, Marriott International purchased Starwood Hotels & Resorts for $13.3 billion. Two years following the merger, Marriott revealed a huge data breach in Starwood’s reservation system that occurred pre-merger in 2014, in which 400 million guest records were exposed through a security flaw. This resulted in a $123 million GDPR fine by Britain’s Information Commissioner’s Office, as well as reputational damage for both Marriott and Starwood. This is an example of an instance in which insufficient software due diligence prior to the merger has catastrophic consequences for both the acquirer and the target company later down the line.

Software due diligence highlights risks and weaknesses in digital assets. This can bring to light data security issues, as well as other vulnerabilities such as intellectual property risks linked to the use of open-source software (OSS) licences and maintainability complications. All of these risks can affect the overall quality of the asset, and thus its value for the acquirer, so uncovering them through comprehensive due diligence at the pre-acquisition stage is essential.

 

Understanding open-source software (OSS)

For any M&A activity in which the target company’s software is a significant asset of the deal, which is now the case in most start-ups which have AI or algorithms at the heart of their offer, the issues do not end with hidden data vulnerabilities. Today, software developers often rely on public code repositories available on websites like GitHub or Stack Exchange, as OSS has a number of significant benefits, most notably that it appears to be free at the point of use. However, many OSS licences are often offered subject to conditional restrictions. When using OSS to create derivative products or linking source code to OSS, the integrated product becomes subject to these conditional restrictions, which can include making all or part of the code public or paying a fee for its use. In other words, a company may not have full rights to their product or software.

This is problematic for any tech-enabled company in general, but can be uniquely catastrophic during M&As. If acquirers carry out comprehensive due diligence in the pre-acquisition phase and discover any such OSS embedded in the target’s software, they may walk away from the deal entirely, or at the very least adjust its value and/or terms. If acquirers do not implement comprehensive due diligence, they become liable for the target’s previous use of OSS, and any terms relating to its licensing.

 

Algorithms add robustness to tech audits

Carrying out comprehensive software due diligence is essential during the pre-acquisition phase, to avoid the aforementioned issues associated with data breaches and software licensing. Today’s advances in AI technology enable these audits to be thorough, analysing every line of code to identify possible cyber vulnerabilities, intellectual property issues (usually linked with the use of open-source code) and maintainability risks. These methods enrich traditional tech due diligence, by making audits more objective and less susceptible to human error.

Ultimately, this approach protects the acquirer’s reputation, ensures business continuity, and helps avoid possible legal liability for the target’s previous vulnerabilities.

 


THE GROWTH OF DIGITAL BANKING: WHY COLLABORATING WITH FINTECHS IS CRUCIAL TO ADAPT TO CUSTOMER DEMANDS IN LIGHT OF THE PANDEMIC


The growing customer demand for a seamless digital banking experience looks set to transform how the entire banking industry operates. Traditional banks have been left playing catch up with the emergence of new fintech players and challenger banks. The demand for slick digital finance solutions is led by the digital native generations, the millennials and Gen Z. However, the coronavirus pandemic accelerated the uptake of online shopping and remote working for whole swathes of the population. Even the older generations have been left wondering why accessing banking services online remains so cumbersome.

Consumers’ growing desire to access financial services through digital channels has already led to a surge in various new banking technologies which are reconceptualising the banking industry. Consumers have rapidly moved to adopt payment solutions such as those offered by apps like Revolut.

Manoj Mistry

Retail banks continue to launch platforms in the Banking as a Service (BaaS) space, in an effort to remain competitive. An example of this in the UK is how NeoBank (Starling) used to only offer business to consumer (B2C) retail banking services. However, once it launched its BaaS platform, Starling was able to rapidly diversify to include consumer services.

New technologies like blockchain and artificial intelligence (AI) continue to evolve, and look set to have an enormous impact on banking over the next three to five years. The type of cryptocurrencies that we have seen to date look set to be far more tightly regulated, given significant governmental concerns about their potential for misuse in cybercrime and money laundering.

In the blockchain space, the transformative development which will accelerate the rise of digital finance is the advent of central bank-backed digital currencies. The US Treasury has described the creation of a digital dollar as a high priority project. China is already trialling its digital Yuan. Meanwhile, the ECB is actively pursuing its plans to launch a digital Euro. The launch of stable, highly secure digital currencies, underpinned by major central banks, looks set to ensure that digital finance will permeate every area of our lives in the not too distant future.

How we use digital finance is also set to change radically. We are used to seeing new technology emerge from Silicon Valley. However, an analysis by KPMG Australia suggests that a new breed of apps which prefigures the future of digital finance has already emerged in the East. The report notes that “super apps” are “already encroaching on traditional financial services territory”.

Super apps are defined as apps which “essentially serve as a single portal to a wide range of virtual products and services. The most sophisticated apps – like WeChat and Alipay in China – bundle together online messaging (similar to WhatsApp), social media (similar to Facebook), marketplaces (like eBay) and services (like Uber). One app, one sign-in, one user experience – for virtually any product or service a customer may want or need.

“Due in large part to their versatility, super apps have quickly become ingrained into users’ daily lives. It is not unusual for a WeChat user in China to set up a date with a friend via instant messaging, make dinner reservations, book movie tickets, order a taxi and pay for every transaction along the way, all using one single app.”

We are already beginning to see trends in this direction in the Western world, with Facebook launching a marketplace and even a dating service within its social network. Facebook also attempted to launch its own digital currency, Libra, but this move stalled when it ran into significant governmental opposition. However, Facebook hasn’t given up, and it is determinedly pursuing the launch of a revamped stablecoin, Diem, which has been redesigned to address regulatory concerns.

A group of Citi analysts recently wrote an interesting research paper, which predicts that “the story of digital money in the 2020s will be the growth of tokenised money”. Noting that both Big Tech and Central Banks “are building new payment formats and rails,” they say that “while stablecoins such as Diem await regulatory approval, they could benefit from the huge network effects of their Big Tech sponsors. In fact, Diem could be an effective tokenised payment format inside the Facebook universe.” The paper predicts that “Stablecoins, such as Diem, could benefit from the huge network effects of their Big Tech sponsors”. With 3.3 billion monthly users, Facebook certainly has remarkable global reach.

The idea of an integrated tech platform which enables people to interact and purchase goods and services – including financial services – is now being pursued by many major players.

Amazon has long been rumoured to be planning to launch its own bank. Yet, research by CB Insights concludes that, “from payments and lending to insurance and checking accounts, Amazon is attacking financial services from every angle without even applying to be a conventional bank.” This is perhaps not surprising. After all, tech companies rarely replicate existing models. They usually find disruptive new ways to achieve the outcomes that consumers want. Even the messaging service, WhatsApp, has recently moved into financial services with the launch of WhatsApp Pay.

As money becomes digitised and tokenised and ever more areas of our lives move online, the distinction between an online marketplace, a social network and a financial services provider will continue to blur. How traditional financial services companies react to these developments remains to be seen. Some may partner with tech companies in creating new services. For example, Visa and Mastercard were involved with Facebook’s Libra stablecoin project. Visa also responded to the popularity of peer to peer payment services such as Revolut by launching Visa Direct, which enables users to make payments directly to another account in 30 minutes. Most major banks now support Apple Pay, which enables users to authorise payment by scanning their face or thumb.

Banks can also collaborate with tech companies in terms of data sharing, in order to better understand what their customers want. A company like Amazon knows what books people like, what music they listen to and what they purchase. By combining such data with wider financial data, remarkably predictive Big Data models could be created. Some banks might increasingly pursue opportunities to monetise data, while others might make privacy their unique selling point.

The banking sector fundamentally deals with money. Yet, the very nature of money is set to change, as it becomes digitised. Banks are no longer merely competing with each other, but they are both competing and collaborating with tech companies and social networks. Looking ahead, the only certainty we have is that we are in for a period of remarkable change.
