Connect with us

Business

Scams in a DeFi World and How to Defend Against Them

Published

on

By Roger A. Grimes, Data-Driven Defence Evangelist at KnowBe4

 

The Decentralised Finance (DeFi) world is full of projects, cryptocurrencies, blockchains, financial innovation, and promises. Clearly, DeFi will change the world around us for the better in ways we can’t all imagine right now. It’s also full of hackers, scammers, charlatans, and money grabbers (both legal and illegal). DeFi is currently over promising, under delivering, and stealing billions from early believers.

I’ve been following how attackers and malware programs successfully compromise victim resources, what we call “initial access” in the cybersecurity industry for over two decades. Regardless of an attacker’s intent, there’s basically only 12 ways they gain initial access:

  • Social Engineering
  • Programming Bug (patch available or not available)
  • Malicious Instructions/Scripting
  • Human Error/Misconfiguration
  • Eavesdropping/MitM
  • Side Channel/Information Leak
  • Brute Force/Computational
  • Data Malformation
  • Network Traffic Malformation
  • Insider Attack
  • 3rd Party Reliance Issue (supply chain/vendor/partner/etc.)
  • Physical Attack

By far, social engineering is the number one way that attackers and malware gain access to victim’s computers. It’s responsible for somewhere between 50% and 92% of all attacks, depending on who’s report or data you believe. Nothing else comes close and it’s been this way for over three decades. Vulnerabilities in software are the second most popular threat and are involved in about 20% to 40% of attacks. All the other types of initial access methods are involved in about 1% to 10% of total attacks added up all together.

This holds true even more so in the DeFi world. The vast majority of attacks happen because of social engineering of one type or another. By far the most common type of scam in the DeFi world are malicious individuals and groups posing as a legitimate entity, product, offering, or service, who then steal value (usually cryptocurrency or NFTs) from unsuspecting victims. Over $7.8 billion dollars was stolen from cryptocurrency and DeFi projects in 2021 alone (https://go.chainalysis.com/rs/503-FAP-074/images/Crypto-Crime-Report-2022.pdf).

 

Summary of Cryptocurrency, DeFi, and NFT Attacks

Here are the relevant facts and methods of theft in the DeFi world:

  • Most involve social engineering scams
  • Value stolen (from individual, project, bridge, or exchange)
  • Many outright project scams (i.e., rug pulls)
  • Many fraudulent cryptocurrencies, initial coin offerings (ICOs), and NFTs
  • Many fraudulent trades
  • Many fraudulent exchanges (rug pulls)
  • Many fraudulent mining operations
  • Many fraudulent DeFi projects
  • Buggy contracts
  • Bridge and exchange attacks
  • Stolen resources (malicious miners)

If I had to drill down the above to just the two most damaging types of initial access methods, it would be social engineering and buggy software. Social engineering usually involves enticing a potential buyer or investor into unintentionally allowing a malicious attacker or their malware access to the victim’s cryptocurrency wallet or into buying fake things. Or just as serious, an attacker social engineers an employee of a legitimate project, which allows the attacker to then compromise the project and further social engineer its members. One of the most common scams is for an attacker who has gained access to a legitimate project to then post fraudulent links to fake scams promising “airdrops” of cryptocurrencies or tokens or the ability to buy sought after NFTs early on for cheap. Members read these claims thinking they are legitimate and then spend cryptocurrency or allow access to their cryptocurrency wallets, which the attackers then use to steal value.

 

Buggy Contracts and Bridges

In the non-DeFi world, software vulnerabilities, both zero-days and those with available patches, make up the number two reason why victims are compromised. This is just as true in the DeFi world, but the type of code that is attacked is different. Just like in the non-DeFi world, any software run by a victim is fair game, but some of the most exploited code are “smart contracts” and software code used by cryptocurrency “bridges” and “exchanges”.

In the DeFi world, many, if not almost all transactions are accomplished using smart contracts. Smart contracts are scripts and software code that run within a blockchain, usually Ethereum, which gets sent inputs resulting in predefined outputs. Typically, the inputs are some sort of buying, selling, or exchange transaction, and the output is the accomplishment of the transaction and whatever the predefined results are. For example, someone buys an NFT, and the seller gains the agreed upon cryptocurrency value, the seller gives up the agreed upon value to pay for the NFT and transaction fees, and all the involved parties get whatever transaction fees and actions as defined by the smart contract. The transaction and all the involved inputs and outputs are stored permanently on the involved blockchain.

Cryptocurrency exchanges allow members to buy, sell, and trade cryptocurrencies and NFTs. Cryptocurrency bridges allow different cryptocurrencies and blockchains (which normally cannot directly interact with each other) to transact with each other. A simple example might be someone buying an NFT using the Ether cryptocurrency, which ends up giving the seller bitcoin cryptocurrency in exchange, at an agreed upon exchange price.

Hackers frequently look for bugs in smart contracts, exchanges, and bridges, find them, and then exploit the vulnerabilities to steal value. This often results in the theft of cryptocurrencies or NFTs. Sometimes, bugs in DeFi sites and projects are exploited to allow the hacker to post new fraudulent claims, links, and NFTs. Other times bugs allow an attacker to directly take someone’s cryptocurrency or NFTs. In short, hackers look for code bugs and steal things of value.

In the non-DeFi world, say a regular banking web site, an attacker who finds an exploit bug must then figure out how to turn that exploit into the theft of value. There are usually many steps from the first exploit to the stealing of value. In the DeFi world, the original vulnerability exploit usually directly results in the immediate theft of value, or at least, a lot quicker and easier. Worse, the illegal transaction is usually “locked” to the blockchain, and difficult to impossible to reverse even if everyone knows it happened illegally. Compare that to the non-DeFi world where an illegal transaction is often able to be reversed and the injured parties are made whole.

 

Defences

The defences in the DeFi world are the same as in the non-DeFi world. All DeFi stakeholders (i.e., project leaders, participants, developers, exchanges, bridges, services, etc.) need to enable controls to stop all the possible attack types (as listed at the top of this article). But all participants need to pay special attention to social engineering attacks and code exploits. These two attack methods are responsible for the vast majority of attacks.

To defeat all possible threats, defenders need to implement the best, defence-in-depth, or a combination of policies, technical defences, and education to mitigate those threats. It is especially important that all participants be made highly aware of the most common types of social engineering attacks and how to recognise and avoid them. Nothing will do more to defeat the vast majority of DeFi attacks than a well-educated stakeholder. All developers need to be trained in secure development lifecycle techniques, use more secure programming languages (if they can), do automated and manual code reviews, conduct penetration tests, and educate everyone involved in how to mitigate project vulnerabilities.

The vast majority of DeFi attacks and theft would be prevented by all stakeholders putting down just two threats: social engineering and software vulnerabilities. How well a DeFi project or stakeholder does at preventing these two types of attacks very much determines how well they will do at reducing the risk of a successful attack. The DeFi project and stakeholder that understands their overall importance and concentrates on defeating them the best are going to better reduce cybersecurity than the projects and stakeholders that do not.

Business

A new beginning for financial services B2B marketing

Published

on

Financial services B2B marketing is dead. A bold statement with B2B ad spend set to pass $30bn next year in the US alone. But it is dead, or at least, it’s dead boring.

B2B marketing has long carried a reputation for being dull, lacking emotion, heart or guts. Indeed, the same could be said for financial services, with its technical jargon, long-winded T&Cs and an array of complex services and products to promote. Put the two together and you have a considerable marketing challenge on your hands.

Michael Richards

But there are green shoots of change springing up on the beige horizon, as financial services businesses begin to recognise that they deserve better and start to see the lessons to be learned from their B2C peers. For example, many financial services B2B brands moved to digital to refine client experiences and grow relationships during the pandemic, meaning they could connect with businesses in a more accessible way through tailored and creative solutions. But it’s not enough to just convince a business to buy a product or service with a smattering of data and a selection of charts. There needs to be a focus on provoking the truth about these progressive brands; giving them what they deserve: intelligence, imagination and emotion to provoke their truths and tell their stories in ways that just can’t be ignored.

There are so many financial services B2B brands that are missing the mark on creating provocative work and telling their stirring stories. The industry is full of inspiring stories but needs to adopt the techniques of B2C (and fast) to avoid being left behind.

Below, I’ve outlined three approaches B2B financial services marketing should take from B2C:

 

Be 100% brand and 0% product

Let’s look at the lessons we can learn from one of the biggest brands in the world. Coca Cola used to advertise on a single poster with simple descriptive messaging that didn’t make a lot of sense … but that was in the early decades of the 20th century. Coke is now one of the most instantly recognisable brands in the world. It has evolved so much from that early uninspiring product messaging that some Coke ads today feature nothing more than a red background, a white glass bottle silhouette and the message ‘Open Happiness’. 0% product, 100% brand.

Financial services business brands can learn a lot from this. Very few are tapping into the vocabulary of emotional marketing. They sell their product in line with industry jargon, expecting their ever-changing audience to understand what they mean. When really their product or service should be learning to speak a new language. One that showcases the brand over the product, communicating to their audience with a personality and values of their own.

No company can rely solely on their product features because no product is unique anymore. The power of a brand can generate that differentiating value that will set it apart from the competition.

 

Use data to personalise your offer

Data is the beating heart to personalisation. It gives businesses the foundation to build a product that is bigger and better than its competitor. One that entices new audiences while maintaining loyalty.

Consumer brands are obsessed with collecting data to better their product and reach audiences far and wide. In fact, nearly 90% of UK shoppers will hand over their personal information for improved online customer experiences.

B2B businesses also use data, but on a much narrower scale. In a survey of B2B companies, only 25% of B2B businesses use data weekly to understand customer needs, while 9% admitted they never use data at all. This is evident given that 47% of B2B buyers who need a new financial service go straight to their existing bank, and 75% of those who claim to shop around also end up with their current bank. Most buyers don’t even consider more than two brands. Meaning lots get left behind.

This is where B2B marketing shouldn’t just rest on its laurels of tedious white papers and limited data. It should inject its own personal touch and emotion by undertaking its own research and data collection to produce insightful pieces of research and showcase its unique findings. This can include specific consumer trends and behaviours in the financial services space, so they can really understand their audience and further improve their product.

 

Be audience aware

Audience Blindness is a condition that hinders B2B brands from seeing that business decision-makers have changed. They have become younger; they’re millennials. The content they consume is worlds apart from what their predecessors consumed and is constantly evolving – particularly as we enter Web 3.0 and the metaverse.

Even in the finance sector, B2B marketing is still about appealing to ‘people’ and their needs. B2B isn’t a machine and shouldn’t just cater for a computer. It needs to connect to real life audiences – those with feelings, thoughts and emotions. Because behind every business partnership is a room full of people interacting, debating and sparking ideas.

The B2C financial services sector has progressed significantly, understanding changes in audiences and catering to new needs and desires. The rise in neo-banking, investment made easy and services specifically for young adults and children looking to save is testament to this. They’ve introduced digital-first approaches, influencer techniques and new ways of improving the shopping experience through buy now, pay later (BNPL).

We’ve seen glimpses of B2B’s new beginning, but its future is to live in the present, and inject it with the power of B2C. Only then can B2B see the new audience, hear the new market and feel the new world.

Continue Reading

Business

Need a business broadband package? Here’s what you need to know

Published

on

By

Author: Kerry Fawcett, Digital Director at Radius Payment Solutions

 

Does your business have a broadband supply that is speedy, cost effective, and most importantly, reliable? If not, now is the time to put that right. Online is king in this day and age, and no matter the size of your company, a good business broadband supply is vital to allowing staff to work as they need to. Here are some tips to find your organisation a business broadband package that fits it like a glove.

 

  1. You need to choose the right business broadband package

There are a number of reasons why your business might need a business broadband deal. Such reasons can include email which helps you stay in touch with customers and suppliers, social media access so that you can communicate with your customers and provide support, research and web browsing that your employees may need to do as part of their jobs, and general marketing tools which are nowadays more often than not web-based and require an Internet connection.

Also, let’s not forget that the people who want your products and services are online too—they use the Internet and search engines to find what they need. If this is your product or service and you do not have an online presence, their business will go to your competition.

That said, the decision on which broadband package to opt for is far more complex than simply choosing the deal with the fastest speed, or the cheapest price. Depending on the business, things to account for include data management, other services like email, and backup options.

With any package, however, it is important to look closely at the services being offered and whether they match up with what you are looking for. Also, check to make sure that they are built with business use in mind and have not been designed solely for consumer-grade activity.

To ensure your business chooses the right broadband package for its needs, make sure that you account for these three things. By doing so, you end up in a much better position to begin comparing options:

  1. Before choosing a broadband package, be sure to look at and understand how your business uses the data it is creating and storing. This will ensure that your broadband package can handle the data loads your business produces.
  2. Make sure to read and study service level agreements (SLAs). Every single half-decent business broadband package will have one of these—if they don’t, avoid the supplier—and looking closely at the clauses helps you avoid nasty surprises.
  3. Look for a broadband provider that has a bandwidth utilisation of below 50%. This will avoid bottlenecks and make your website and general broadband services a lot faster, enabling more data to be processed more quickly.

Price is certainly a factor, though. Whether comparing the price of business broadband, business mobile phone tariffs, or anything else, it makes solid business sense to make sure you are getting the best deal possible for your ideal product.

 

  1. Be aware – business broadband is not the same as home broadband

It is wrong to assume that business broadband is the same as the broadband that the vast majority of us have at home—it’s not. Business broadband packages include features that are specifically designed for business customers.

Generally speaking, a business broadband connection is set up and optimised to meet the increased demands of a business. Therefore, the features that are often found in a business broadband deal include prioritised customer support on-hand to provide immediate relief should something go wrong, faster upload and download speeds that can cope the bandwidth demands of a commercial office, better security features that protect your assets and data, and static IP addresses that allow you to run CCTV, host your own website, and authenticate intranet users.

What’s more, business broadband packages will usually come with generous—often unlimited—usage limits and competitive price points that aren’t too dissimilar to home broadband packages and plans.

 

  1. Explained: Business Broadband vs Home Broadband

For any readers still wondering about the most important differences between home and business broadband, here are four things that you don’t tend to get with a home broadband deal.

  1. Guaranteed service levels
    Returning to the point made about SLAs, business broadband providers will offer customers a guarantee to keep the broadband service up and running, and to do all they can to bring it back online should things go wrong. If a situation occurs where a provider is unable to do this in a pre-agreed timeframe, your business will often be compensated.

It is rare for home broadband packages to come with such a guarantee.

  1. Prioritised traffic
    Some of the best-known business broadband providers such as TalkTalk and BT prioritise traffic for their business customers over non-commercial home broadband customers.

This of course means that the speed and quality of your Internet connection will not be negatively affected by other customers’ usage patterns during peak times, such as when HD media and games are being streamed and played.

  1. Business-centric customer support
    As a business, it is vital that your broadband connection is restored as soon as possible should it go offline. If you don’t, you run the risk of losing revenue and having your reputation harmed. Business broadband providers know this all too well, and for that reason they typically offer around-the-clock, UK-based customer support.

This is in contrast to home broadband where customer support operatives are only available at select times, usually during business hours.

  1. A static IP address
    Most business broadband deals provide you with a static IP address. This type of IP address enables you to use your business broadband for some very useful business-critical operations, such as:
  • The hosting of your own server (vital for CCTV, file transfers, client services);
  • The hosting of your own website and domain name servers;
  • Enabling remote connections by your employees to their work desktops; and
  • Making available systems that require authentication, such as intranets.

Instead of a static IP address, home broadband packages include a dynamic IP address which changes each time a new connection to the Internet is established.

Continue Reading

Magazine

Trending

Finance2 hours ago

Why You Should Work on Your Financial Literacy

Ebo Aneju   A lack of financial understanding plagues our society. Most people have very little understanding of finances, which...

Business23 hours ago

A new beginning for financial services B2B marketing

Financial services B2B marketing is dead. A bold statement with B2B ad spend set to pass $30bn next year in...

Finance1 day ago

Boosting Blockchain Security with Graph Technology

Dan McGary is Senior Sales Executive for Mid-Market Enterprise East at graph database leader Neo4j   As blockchain-backed cryptocurrencies become...

Business1 day ago

Need a business broadband package? Here’s what you need to know

Author: Kerry Fawcett, Digital Director at Radius Payment Solutions   Does your business have a broadband supply that is speedy,...

Finance1 day ago

Double and triple extortion tactics cornering financial services organisations

By Ian Wood, Senior Director and Head of Technology, UK&I at Veritas Technologies   Ransomware continues to keep those in...

Banking1 day ago

How are Variable Recurring Payments set to revolutionise the future of banking?

Sean Devaney, Vice President of Banking and Financial Markets at CGI UK   The adoption of Variable Recurring Payments (VRP)...

Top 101 day ago

Energy Storage Represents Latest Investment Opportunity in the Clean Energy Transition

Alan Greenshields, Director of Europe The ongoing transition to clean energy has spurred new technologies, new markets and new opportunities...

Business2 days ago

Innovate UK £25 million up for grabs: July deadline approaching

By Emma Lewis, Myriad Associates   The latest instalment of Innovate UK’s SMART grant competition was launched in April and...

Business2 days ago

Is telephone Hot Desking really needed anymore?

By Simon Horton, VP of International Sales at Sangoma   The world of work has totally transformed as we all...

Finance2 days ago

Mass crypto adoption: are seamless card payments the missing link?

By Justin Fraser, SVP Enterprise Sales, at Paysafe   Cryptocurrency awareness is at an all-time high and after more than...

Finance5 days ago

Hey, Gen Y and Gen Z do you think you can retire comfortably?

By Penelope Gregoriou, technical investment specialist at Alexforbes   Millions of South Africans rely on the money saved in their...

Uncategorized5 days ago

GDPR: data security four years on

Bruce Penson, the managing director of cyber security and IT support company Pro Drive IT, outlines how GDPR has changed...

Banking5 days ago

The importance of Customer Experience (CX) for retail banks today

By James Isaacs, President, Cyara   Today’s retail banks face considerable challenges. Open banking initiatives –  that make it easier...

Finance5 days ago

Getting ready for VAT digitisation: automation is key

Christiaan Van Der Valk, Vice President for Strategy and Regulatory at Sovos, says technology will power real strategic success for...

Banking5 days ago

Challenging the challenger: Why the digital transformation of traditional banking is key for competing with challenger banks

By Sam Schofield, Senior Vice President: Global Enterprise at Udacity   Monzo and Revolut are only seven years old. Starling,...

Wealth Management5 days ago

Green with Envy – an Environmentally Conscious Data Center

Mark Fenton, Product Manager, Future Facilities   Environmental considerations are at the top of every business leader’s agenda and an...

Technology5 days ago

How Digital Adoption Platforms can enhance digital transformation and customer experience in the insurance industry

By Vara Kumar, CPTO & Co-founder, Whatfix   Like many industries, the insurance sector was prematurely hastened towards digitalisation due...

Business6 days ago

Why do Traders Need a Managed Service Partner?

Jeff Mezger, Vice President of Product Management, Financial Markets, TNS   Does your financial institution have the understanding, resources, talent...

Business6 days ago

The FCA will take immediate action on customer vulnerability; here’s how firms can prepare.

Author: Jonathan Barrett, CEO and Co-Founder at Comentis   Identifying and supporting vulnerable clients has become a priority for financial...

The Green Revolution In Investing - Sustainable Investing The Green Revolution In Investing - Sustainable Investing
Business6 days ago

How fintech is key to empowering climate action

Attributed to: Rory Spurway, CEO & Founder of CarbonPay   As human activity continues to have a significant impact on...

Trending