Finance

Open source security will keep financial institutions seeing green

Published

4 months ago

May 16, 2023

admin

By Brian Fox, CTO, Sonatype

Do you know what’s inside the software your company uses? More importantly, does the C-Suite at your company?

If the 2022 State of Open Source in Financial Services report from FINOS was any indication, financial institutions should care about that question, especially because of the rampant spread of open source software across the sector. Open source is everywhere, not just in banking and finance, which has made it an attractive target for bad actors to carry out targeted cyberattacks against software supply chains. And in a sector with data this sensitive, that’s particularly concerning.

We saw a big wake-up call at the end of 2021 with the discovery of a critical vulnerability in the Java logging component log4j, impacting a ridiculous number of applications across many sectors. In just 72 hours, nearly 800,000 attacks were launched.

Now, to its credit, the financial sector responded a lot faster than others in the race to patch any and all software using this component. But log4j was one piece of software. And the real wake-up call, unfortunately, as the FINOS report itself points out, is that we’re going to see more exploits and vulnerabilities – whether it’s open source or not. We’re even starting to see a daisy chain-like tactic of software supply chains being exploited to trigger attacks on yet more software supply chains.

The data paints a stark picture – a 742% average annual increase in software supply chain attacks over the past three years. So that’s the gravity of the situation out of the way and should tell financial institutions it’s high time to carefully monitor the make-up of their software.

What can be done

Unfortunately, a lot of organisations generally speaking are shockingly unaware of what that software composition looks like, which makes it tricky to track down vulnerabilities old and new.

If we return to log4j for a moment, despite that we’re a year and a half out from that critical vulnerability’s discovery, development teams are still downloading the compromised version 30-40% of the time (https://www.sonatype.com/resources/log4j-vulnerability-resource-center) . More broadly, 96% of the time someone downloads an open source component, there’s a safer and more up-to-date alternative they could have downloaded instead. On a granular level, there are some objectively bad decisions being made here: for example, the latest version of a software component isn’t always the best version. Software upgrades should happen consistently but also only when necessary.

This isn’t necessarily born of neglect – many developer teams at financial institutions I’ve worked with around the world – many of which are massive in size – are inundated with having to manually audit all their open source components in the software they’re developing. And these are often spread across very disparate environments. Time is money, and when you only have so much time to spend on security audits, you can see where the issues arise.

The rub is that without better visibility, the potential damage in monetary and reputational terms could be catastrophic. A DDoS or ransomware attack would cost dearly, with IBM estimating that data breaches cost UK enterprises $3.88 million per incident on average. This doesn’t even account for the ripple effects of further financial losses incurred from losing customers or getting sued.

How organisations can approach bolstering their open source security

Sounds like we’re stuck between a rock and a hard place, right? Not necessarily…

Breaking down the silos that commonly exist between teams in banking and finance will be essential to nurturing the collaboration needed to standardise and formalise policies across different departments for implementing and upgrading software. Some financial institutions have made encouraging pledges to the Open Source Security Foundation to expand knowledge sharing surrounding open source. But generally speaking, the sector still needs a more universal approach to open source adoption and security.

One solution everyone in the industry has to get behind as a starting point for software visibility is implementing Software Bill of Materials (SBOM). Similar to a bill of materials issued by a car manufacturer, an SBOM shows you all the parts – in this case, open source components – that make up the whole software. Using these could help IT professionals speed up their response times to finding vulnerabilities.

I say ‘in theory’ because an SBOM doesn’t tell you where an ingredient came from, and whether that place was poisoned in the first place. And there’s also the issue of human error. Some level of automation will inevitably become more and more important – whether it’s through AI, dependency firewalls, and other tools for software composition analysis that reduce the security workload pressures on IT teams so they can focus on innovation instead. There are lots of different options on the market, in addition lots of free guidance from the likes of the Linux Foundation and OpenSSF on how to make effective use of them.

Proactively, rather than reactively, maintaining software supply chains means the sector will ultimately become safer, saving people and institutions time and money. There will be road bumps as teams initially struggle to adopt SBOMs and other tools, but the sooner this happens, the more likely it is that organisations will evade a nasty security incident that costs them and their customers a lot of money.

Can the UK government help here? It can probably do more than it realises, though we’re seeing signs they’re waking up to this fact judging from its recent call for views on software resilience for businesses. Currently, there’s simply not enough comprehensive regulation and guidance. Any regulation or legislation that does get implemented should, if anything, be as prescriptive as GDPR.

To improve open source security posture, and software hygiene more generally, we need extremely clear, uniform guidance across their board. greatly boost software hygiene. One thing’s clear. Open source is here to stay, and as more industries enjoy its innumerable benefits, they will inevitably have to grapple with the explosive rise in increasingly complex and severe software supply chain attacks. Methodical proactiveness is the key here to staying on top of the pesky incidents that lie ahead.

Up Next

Connecting ATO and Transaction Fraud Dots: Bots are the Key

Don't Miss

How merchants can adapt their payment offerings to better capitalise on the incoming surge of Chinese commerce

Finance

Investing In Bitcoin: What You Need To Understand Before You Buy

Published

19 hours ago

September 25, 2023

admin

Bitcoin—the digital currency that launched a financial revolution—is more than a trending investment. This decentralized currency, free from traditional banking systems, presents a unique set of opportunities and challenges. It’s crucial for investors to tread carefully, fully grasping the intricacies of this complex yet alluring financial landscape.

The Birth and Evolution of Bitcoin

In 2009, an unknown entity going by the name of Satoshi Nakamoto introduced Bitcoin to the world. Unlike traditional fiat currencies, Bitcoin is a digital currency that operates without a central bank. Transactions are verified by network nodes and recorded on a public ledger known as the blockchain. Over the past decade, Bitcoin’s value has fluctuated wildly, reflecting the market’s ebbs and flows, as well as its adoption into mainstream finance.

Developers continually adapt and modify the Bitcoin codebase, making it more robust and secure. However, being open-source also makes Bitcoin susceptible to scrutiny, potential regulation, and even forks—events that create new, separate cryptocurrencies. An understanding of Bitcoin’s origins and technical underpinnings can give investors a more profound comprehension of its true value and potential drawbacks.

Keeping Tabs on Market Conditions

Cryptocurrency markets are notoriously volatile, and Bitcoin is no exception. Prices can swing dramatically within short periods, influenced by market sentiment, macroeconomic factors, and regulatory changes. Seasoned traders often use technical analysis, charting historical price movements to predict future trends.

To stay updated on market trends, many investors turn to a reliable crypto and bitcoin news site like News BTC. This source provides up-to-date information that can be vital for making informed investment decisions. Additionally, the burgeoning field of crypto analytics offers tools and platforms that provide deep insights into market behavior, helping you decipher the market’s seemingly random oscillations.

Understanding the Risks

Risk management is at the heart of any investment strategy, but with Bitcoin, the rules are still being written. The cryptocurrency landscape is rife with tales of lost fortunes due to forgotten passwords, hacks, and market crashes. Security is paramount; using hardware wallets, two-factor authentication, and keeping backup phrases secure can go a long way in safeguarding your investment.

But risk extends beyond security. Regulation is a looming specter in the crypto world, and government actions can have immediate and dramatic effects on Bitcoin’s price. For example, when China banned financial institutions from offering Bitcoin-related services, the market reacted with a swift and significant downturn. A nuanced approach to these risks can make the difference between capital preservation and costly mistakes.

Diversification and Investment Strategies

Adhering to an investment strategy can also help manage risks effectively. Whether you choose to day trade or hold long-term, having a disciplined approach is essential. Strategies like dollar-cost averaging, where investments are made at regular intervals regardless of price, can help mitigate the impact of volatility and lower the average cost of your Bitcoin holdings over time.

Tax Implications and Record-Keeping

While it’s easy to get caught up in the allure of high returns, it’s essential to understand the tax implications of your Bitcoin investments. In many jurisdictions, cryptocurrencies are considered property, not currency, and are therefore subject to capital gains tax. Investors must keep meticulous records of all transactions, as well-rounded documentation will simplify tax reporting and potentially save you from penalties.

Professional advice from tax experts familiar with cryptocurrency regulations can provide invaluable insights. Also, various software tools are available to help track your transactions and calculate potential tax obligations. Ignorance is not a defense in the eyes of tax authorities, making it crucial to stay informed and prepared.

The Takeaway

Bitcoin investment is not for the faint of heart. From understanding its complex technical foundations to keeping tabs on market conditions and managing risks effectively, the arena demands a well-rounded, educated approach. With potential for high rewards but equally high risks, Bitcoin requires investors to be vigilant, diversified, and ever-adaptive. As the world of finance continues to evolve at a breakneck speed, it’s those who invest the time to understand this dynamic landscape that will likely reap the most significant benefits.

Banking

Building towards an inclusive financial future

Published

4 days ago

September 22, 2023

editorial

By Catharina Eklof, CCO of IDEX Biometrics

From the visually impaired to displaced migrants, the unbanked, and people living with dementia – a burgeoning financial gap exists across many areas of society. In fact, as of late 2021, almost one-third of adults around the world were reported as unbanked according to the World Bank Group. That’s around 1.7 billion people – with half coming from the poorest 40% of the world’s population. Being financially excluded in this way means not having access to common financial services including savings accounts, loans, a credit rating, or even a bank account. Those who are awaiting clearance to join a country’s financial ecosystem, such as migrants, are also finding themselves left behind by the modern financial infrastructure.

As societies reliance on digital and contactless transactions over cash continues to grow, this financial gap is only set to widen. In less than 10 years, the share of Americans not using cash for payments has increased by double digits, reaching 41%. By 2031, cash payments are expected to make up only 6% of all transactions.

Fortunately, biometric smart cards can bridge this gap for people in the Global South, migrant populations, as well as those with visual or cognitive disabilities worldwide, who deserve to feel secure, included, and independent.

The challenges surrounding passwords

COVID accelerated the transition from cash to contactless payments and the use of digital wallets, creating a challenge for many. By 2024, it is expected that digital wallets and cards will account for 84.5% of all e-commerce spend.

Digital transactions traditionally rely on the use of PINs that can easily be forgotten, as studies have found that we manage 100 passwords on average across various sites and services. In the US alone, consumers report relationships with more than three financial institutions and have more than four accounts per household. The challenge of password recollection is only growing. To counter rising cybersecurity threats, several countries now mandate two-factor authentication for retailers and service providers, creating further complexity.
However, organizations are responding to financial exclusion. Card provider Mastercard introduced its contactless PayPass offering, as well its Touch Card developed alongside Amjan Bank which enables the visually impaired to distinguish between their cards. Both look to provide a better customer experience for people struggling with the digital changeover. For those living with dementia, Mastercard has also partnered with Sibstar and the Alzheimer’s Society to create a specific card where limits, transactions, top-ups and notifications can be viewed and managed via a complementing app. Likewise, Turkish neo bank Papara introduced a Bluetooth debit card that provides visually impaired users with audio prompts when making payments.

Protecting the visually impaired

There are at least 2.2 billion visually impaired people globally. In 2019, it was found that 89% of visually impaired have been victims of fraud or have made errors when paying for goods and services. This figure comes prior to the pandemic, and the proliferation of digital transactions, suggesting an even bigger concern today.

PINs present an obvious security issue for this demographic, with others able to oversee their inputs and then manipulate them. Contactless payments go some way to solving that problem but pose the risk of fraud as there is no PIN verification below the increasing threshold amount, now at £100 in the UK, where the average annual wage is £27,756. In India, where the average annual wage is 9,45,489 rupees (roughly £9000), contactless limits are set to 5000 rupees (£48). Many accounts also require visual-based inputs to prove identity, such as CAPTCHA, proving as a barrier for the visually impaired.

Enhancing awareness on a regulatory level is key for driving change and reassuring vulnerable groups. The EU Accessibility Act is an example of how payment service providers are obliged to comply with accessibility standards. This includes making interfaces perceivable, operable, understandable, and robust, to ensure that individuals with disabilities can effectively navigate payment interfaces.

Paving the way with biometrics

Including braille on cards for easy identification is a crucial step for the visually impaired. This can also be used on biometrics smart cards, with sensor textures to confirm the user has selected the correct method of transacting. Not only do these cards provide convenience and inclusivity, but they also promote ultimate security by linking a person’s identity directly to their fingerprints. This data is encrypted within the card itself, reducing any concerns surrounding fraudulent behaviour or of data being lost via a centralized breach or large-scale hack.

In this context, biometrics can be used to serve the unbanked and those currently unrecognized within national infrastructures. South America is an example of an early adopter of biometrics, turning to th e solution to cope with swelling population sizes, and the challenges associated with accessing proof of identity when setting up traditional bank accounts. Meanwhile in India, pension payment fraud has dropped by 47% thanks to bypassing the need for prior credit ratings or credentials.

Liveness detection, however, which ensures the biometric sensor is reading a true biometric source (rather than a false or recreated image of one), is vital to the success of financial aid programs globally. Securing remittances through biometric authentication ensures transparency and better fund control. Directing funds to cold wallets or biometrically authenticated cards can also improve program efficiency, safeguarding the interests of individuals and communities.

Overall, the biometrics market is expected to grow to US$87.4 billion by 2028, at a CAGR of 17%. Whilst its value as a simple and secure method of transacting is growing substantially, you can’t put a price on its impact on those who have so-far fallen through the gaps of finance’s digital revolution.