First-mover advantage
Due to the implementation of GDPR, the client data has been substantially enhanced. As a result, there is now more public trust in financial institutions. With this, other nations are also wishing to incorporate more data privacy and protections into their banking systems. UK banks and fintech companies are already leading the way internationally, while countries like China, Brazil, and India consider enacting legislation that would provide protections comparable to those provided by the GDPR. Experts anticipate that this will have an international effect, contributing to the evaluation of standards throughout the world and fostering the expansion of digital banking.

Promoting open banking
The GDPR compelled compliance with tighter data handling and security protocols. Additionally, it placed a strong emphasis on customer control of personal data, shifting power towards consumers. At the time of the GDPR’s implementation, open banking had just been available, which prepared the way for a variety of innovative digital banking products and services from non-traditional providers.

Under GDPR, consumers can control which providers have access to their data, how much information is shared, and how long it can be accessed. Digital banking consumers are thus in an advantageous position as a result of the twin initiatives of GDPR and open banking, enabling them to not only protect their data but also voluntarily share that data with third parties and fintech.

Opportunities for innovation
The GDPR’s public debate has contributed to reinforcing data privacy as a key concern in the financial services industry. Indeed, boards and executives are aware of the importance of data to consumers and businesses, as well as how important data privacy is as a social concern. Business executives have evolved in their understanding of data as a result of it now being frequently mentioned as a top priority for boards.

The GDPR is more than just a new tool in the regulatory toolbox for many financial services companies; it also offers real business advantages. It means making more bolder and creative judgments is possible when data protection is included in fundamental development strategies.

Benefits of ethical data
Many consumers, especially Millennials, now consider ethics when looking to buy new goods and services because of technology, more competition, and consumer protection regulations. This emphasis on ethics has also been seen in the business world, where companies are pledging CSR and paying more attention to environmental, social, and governance issues in their supply chains and investments.

Keeping an ethical approach to data is a big benefit in this atmosphere. Financial institutions have complied with the GDPR thoroughly and prioritized the ethical handling of data. This resulted in a succinct and easily comprehensible data policy that consumers can engage with – which is good for keeping customers happy, as well as boosting corporate reputation.

GDPR: A digital defense
Most financial services companies are aware that a data breach is more likely to happen as hackers and malicious actors are growing more skilled. Any hack or cyber breach carries a certain risk of negative repercussions, but the reputational impact is greatly influenced by how such a breach is managed.

The GDPR has strengthened banks’ data operations and the protocols to follow in the case of a breach, which may be crucial for preventing reputational damage and proving to the regulator that they are reliable practices. The GDPR serves as an additional line of defense in the era of digital and open banking, assisting in ensuring the survival of online banking platforms.

The post 5 impacts of GDPR on digital banking appeared first on International Finance.

Winston Bond

September 16, 2016: It has long been held that the workings of the financial sector are so opaque that the average person is more likely to get a divorce than to switch banking providers. In fact, research from the Independent Commission on Banking found that on average, people are stuck with their provider for a whopping 26 years. This timeframe isn’t borne out of loyalty, but rather because consumers find it so difficult to accurately compare products and services that all but the most determined customers will give in.

This may soon be a thing of the past however, as The Open Banking Standard Group, founded by request of HM Treasury in 2015, seems to be making serious headway in bringing more transparency and openness to the sector.

In August, the Competition and Markets Authority (CMA) announced new rules that would let customers access all of the financial details of different providers through mobile apps, including those of other providers. The new laws, which are currently set to come into force in 2018, aim to make it much easier to compare and contrast different services and products when choosing to move providers, as well as assessing new offers from their current bank.

The mobile boom

The use of mobile apps is a key element of this new era of openness, with the CMA stating that banks should offer the same services via apps as would be available in a branch. It’s well known that the number of branch visits have been plummeting for years as customers switch to more convenient digital services, but even websites have seen a decline more recently.

The British Banking Association found that Internet banking logins dropped by 100,000 a day from 2014 to 2015, from 4.4m to 4.3m. By contrast, mobile apps were used 11 million times a day in 2015, a sharp increase of four million from 2014.

While more access to open information, as well as the flexibility of mobile banking, can only be a good thing for consumers, the drive towards mobile apps has also raised some major concerns. In particular, the use of Application Programming Interfaces (APIs) to share transaction data via apps has raised a red flag with organisations, including the British Chamber of Commerce.

Connecting with APIs

APIs are a set of instructions or routines that complete a specific task or interact with another system, whether it’s a server or application. APIs are increasingly popular with developers because they can be easily integrated into software to complete complex tasks. In this case, APIs would help the various apps access the other banks’ servers. However, while they are ideal for the task of facilitating the data exchange between multiple servers and applications, APIs also introduce a new attack vector that can enable access to the back-end server.

Most API Management Solutions use a simple authentication process to confirm that the client app on a device is genuine and has been authorised to access and utilise server assets – in this case, retrieving customer data for comparison. The challenge-response exchange used for this is generally a cryptographic operation, which means that the mobile client will contain a secret key for an asymmetric cipher, like RSA or ECC.

If an attacker is able to break through the app’s security measures and decompile its code, they can root out these keys and trick the system into recognising them as a legitimate client, enabling them to connect with anything the API was authorised for.

In the case of the proposed universal data access through mobile apps, this would literally be giving cyber criminals the keys to the kingdom, enabling them to potentially pull off a monumental digital bank heist by raiding all of the bank servers connected to the app.

The security risks of financial apps

This comes at a time when cyber security is already a major concern for mobile financial apps. Our 2016 State of Application Security Report tested some of the most popular financial apps around the world. Every app we tested had at least one major security flaw that could be exploited by cyber criminals.

The most common issue is a lack of binary protection, which could allow cybercriminals to tamper with the app and steal personal data, and most apps also lack sufficient protection in the transport layer, potentially enabling thieves to intercept data transmissions.

The lack of binary protection is also a security flaw that can be exploited to access cryptographic keys, and mobile apps are particularly vulnerable as they can be downloaded and attacked indefinitely until a weakness is found.

Alongside mobile apps already providing so many attack vectors, the large number of organisations involved also makes security even more of an issue. With so many banks, as well as ‘approved firms’ set to be sharing data, it is imperative that every single one has top notch security. A single weak link could be enough to infiltrate multiple organisations for a large scale data theft.

Stopping the digital bank robbers

White-box cryptography is one of the most important tools for securely hiding cryptographic keys, shutting attackers out even if they do manage to break into the app. This means the original key material is converted to a new representation in a one-way, non-reversible function. This new format can only be used by the associated white-box cryptographic software, preventing the hacker from finding it and using it for the challenge-response.

Even this can be defeated if the hacker is able to decompile the original application and modify the app or lift out the entire white-box software package, and include it in their cloned version of the application. Attackers that have the advanced capabilities to go this far can still be seen off with anti-tampering techniques that prevent code-lifting attacks or the app being tampered with. These techniques, with RASP (Runtime Application Self-Protection) built in, can respond to runtime attacks with customisable actions and notify the app owner that app is being modified.

While the proposed new era of open banking should make life much easier for the average consumer, the level of interconnectivity and number of players involved creates a huge risk. All organisations should be keenly aware that the cyber criminals of the world will be watching developments with interest. With the right protection in place however, consumers can still get the best deal – while preventing the thieves from celebrating their biggest ever payday.

Winston Bond us EMEA Technical Director at Arxan Technologies

The post Are banks ready for the era of open banking? appeared first on International Finance.

Suparna Goswami Bhattacharya

September 13, 2016: Asian firms are more vulnerable to cyber attacks than their Western counterparts, says a recent report. The findings by Mandiant Consulting, a FireEye company, states that APAC firms are frequently underprepared to identify and respond to breaches.

According to IDC Worldwide Security Market Q1 2016, the network security market in APAC is worth $541 million, which is less than 50% of the US and Canada market, which is worth $1.14 billion. Europe with a market size of $583 million also spends more on network security compared to APAC.

Rob van der Ende, vice-president, Mandiant Consulting, Asia Pacific and Japan at FireEye, states that being unprepared for a breach is business as usual in Asia Pacific. “The region’s governments and boards need to address this further. Organisations must bring together the technology, threat intelligence and expertise necessary to quickly detect and respond to cyber attacks. Firms can benefit by embracing modern response techniques rather than legacy approaches, which often fail to find the attacker’s needle in the haystack.”

Additionally, some attacker tools are used to exclusively target organisations in APAC. For instance, in April 2015, Mandiant Consulting uncovered the malicious efforts of APT30, a suspected China-based threat group that has exploited the networks of governments and organisations across the region, targeting highly sensitive political, economic and military information. “This group appeared to have operated uninterrupted for at least a decade. They likely had little reason to change their operating methods because they were not detected,” states the report.

Interestingly, incident investigation statistics show that organisations in APAC are not up to the challenge of detecting and responding to advanced threat actors. Firms in APAC allow attackers to dwell (time between compromise and detection) in their environments for a median period of 520 days before discovering them, much higher than global median of 146 days.

Chuan-Wei Hoo, CISSP, technical advisor, Asia-Pacific, (ISC)², states that a lot depends on which economy one is looking at. There are economies that have advanced ICT adoption and still suffer from cyber attacks and incidents. It just means with more ICT adoption, we are going to see more attacks and incidents.

“Worse, some of the Asian firms feel that they are not a big target, they need not spend on controls. It is important to note that sophisticated adversaries often target small and medium-size companies as a mean to gain a foothold on the interconnected business ecosystems of larger organisations with which they partner,” says Hoo.

While adoption of technology trends like IoT and cloud computing are increasing, with it the threat of attacks is also on the rise. However, more often than not, organisations continue to rely on security strategies developed a decade ago that can no longer support the ever increasing speed of business.

“A 2015 ZK Research Security Survey revealed that 43% of respondents admit to turning features off in security appliances to improve performance. To successfully compete in this new digital economy, organisations need to implement a tightly coordinated security strategy that can see and govern this data across an entire borderless network without compromising agility or performance,” says Rajesh Maurya, regional director, India & SAARC, Fortinet.

However, Xavier Larduinat, Gemalto, is of the opinion that it is unfair to target companies in APAC for cyber attack vulnerabilities. “It’s a worldwide issue and relates solely on the pro-active actions taken by enterprises. Vulnerability depends on the size of enterprises. Therefore, wherever a specific region has a high density of SOHO (Small offices/Home offices), the absolute number of attacks may be higher,” he says.

Steps to be taken

1. Review network ingress/egress points and use appropriate monitoring on each application service (web browsing, email, remote virtualised desktop solutions, etc.) that crosses the estate boundary

2) Review each security logging device and ascertain how security risks will be identified and alerted when they occur

3) Adopt a behavioural analysis detection approach with log data to identify high-risk security threats (such as APTs) because signature detection will only find known threats

The post Asian firms more vulnerable to cyber attacks appeared first on International Finance.

August 4, 2016: PA Consulting Group Middle East and North Africa has appointed Lydia Kostopoulos, one of the region’s most influential cyber security experts.

Kostopoulos was recently featured in the Middle East Security Awards’ top 100 list of cyber security professionals, and joins PA’s cyber security team with a wealth of unrivalled international experience.

A former assistant professor in intelligence, national security and cyber security at the Institute for International and Civil Security at Khalifa University in Abu Dhabi, Kostopoulos has forged an inspiring reputation within the regional and global information security sector.

In December 2015, she was invited to speak on a cyber security panel at the British Parliament’s House of Commons where she raised the importance of creating a robust security culture and not underestimating the human risk in cyber security.

Based in PA’s Abu Dhabi office, Kostopoulos will work with clients across the Middle East region in a range of sectors to deliver services such as intellectual property protection, proactive counter espionage, and awareness in the areas of security culture, insider threats and social engineering.

Jason Harborow, Head of PA Consulting Group Middle East and North Africa, said: “Lydia is a significant appointment for the region.  There has never been so much emphasis for organisations to implement robust cyber security strategies than now and we believe her skills will deliver outstanding levels of expertise to our clients.”

In 2014, Kostopoulos was awarded the US Presidential Volunteer Service Award for her public service to the cyber community with special service commitment to education.

Harborow added: “The first half of 2016 has seen us bring 30 new members of staff into the regional team which has been vital in delivering the work we are producing for our clients across a variety of industries.  The government services, healthcare, and transport, travel and logistics sectors continue to be major areas of expansion for PA within our region. We are bringing together the best minds in the business to ensure the offering to our current and future clients is unbeatable.”

The post Lydia Kostopoulos joins PA Consulting Group MENA appeared first on International Finance.

Peter Taberner

March 2, 2015: Research by the European Banking Federation (EBF) has revealed that there continues to be a decline in bank robberies. According to the 22^nd edition of their bank robberies report, there were 2,347 heists in 2013. These took place in the 32 European countries represented in the EBF. This represents an 11 percent reduction from the previous year.

There was also a 29 percent reduction in cash-in-transit attacks that were registered, confirming a downward trend on all bank related crimes for the fourth consecutive year. The average amount stolen during bank robberies in 2013 dipped by 42 per cent when compared to 2012. Also, the average of the total losses suffered through robberies fell by five percent, although less positively, there was an increase in attacks on ATMs by 2.2 percent.

To ensure that banks are protected from any future planned attacks, there must be continued efforts to develop the necessary counter measures.

Financial institutions are always facing new dangers. At present, the greater threats are posed by developments in technology. Digital crime, launching attacks or “e-raids” on online banking, plus attempts at personal identification theft, are the main challenges that the industry must face.

A spokesperson for the EBF reflected on the report’s results: “More and more bank branches nowadays are cash-less, while counter-measures have become significantly more effective. That leaves the ATMs as the more obvious target for criminals looking to steal cash. The reduction in the total amount stolen can be attributed to the fact that there is less money around in bank branches. Also, cash amounts in ATM cassettes now are lower, and they hold more bank notes with lower values, such as EUR5, EUR10 and EUR20 notes.”

Last September, the EBF agreed to a Memorandum of Understanding, with Europol’s European Cybercrime Centre, which was set up by the European Commission.

The aim is to intensify the cooperation between law enforcement agencies, and the financial services sector in the European Union (EU).

Preventing increasingly sophisticated phishing techniques, and the proliferation of a multitude of banking malware variations, is what the partnership hopes to achieve. And to disrupt the operations of organised crime networks that carry out illegal online activities, including attacks targeting e-banking, and other online financial activities.

The EU has created structures for its member states to safeguard their internal security, as national law authorities are being supported in the field of police cooperation. This is by enabling access to relevant information, enhancing the training of national law enforcement staff; and providing financial, organisational and instrumental support to cross-border police cooperation.

New legislation has also been adopted by the EU in their directive on attacks against information systems. This has been designed to stop large-scale attacks on information systems of companies, such as banks.

Member states of the EU are required to strengthen their cybercrime laws and introduce tougher punishments for those who flout cyber rules. All EU countries have until September 4, 2015 to transpose the directive in their national legislation.

Other Stories:

Investment in clean cooking can return a profit

ANZ gearing to tap growing potential in Vietnam

The post Bank robberies down, attacks on ATMs up appeared first on International Finance.

Liz Field

February 2, 2015: The opportunities and threats represented by technology are something ever present in our daily lives and no less a cause for thoughtful consideration and handling in the wealth management industry, where it can be criminally utilised to target individuals’ long-term savings. Firms such as those represented by the Wealth Management Association (WMA) are actively vigilant against a constant threat of attacks due to the potential high value stakes for the discerning cyber-criminal.

This is highlighted by the costs suffered in large financial centres, such as the US, from this kind of crime — $100 billion a year according to the Center for Strategic and International Studies. In the UK, GCHQ estimate that the worst breaches cost each organisation on average between £600,000 and £1.15 million. The global annual figure for cybercrime comes in at a staggering $560 billion, according to figures from KPMG.

It’s no wonder this area has been recognised by US and UK authorities at recent talks as needing critical attention. As Prime Minister David Cameron said, “This is an evolving threat, which poses a real risk to our businesses, and that is why we are taking our co-operation with the US to an unprecedented level.”

Resulting plans from these talks include mock cyber attacks on commercial banks later this year as part of tests on the robustness of critical infrastructure. The first tests will focus on Wall Street and the City, followed by others.

If we could have been a fly on the wall of those conversations between Mr Cameron and President Obama, what would they have considered? How could some of these threats impact the financial industry? How is it being fought against by firms?

First and foremost must be the recognition that cybercrime is a big business – high risk and high reward for those criminals diligently applying organised, highly skilled techniques to mount ever increasing attacks on firms. GCHQ are shortly due to publish a report, pointing out the threats faced by British businesses from cyber-attacks.

Cybercrime can no longer be dismissed as the remit of the ‘young geek in the garage’ and while it may be a constant battle for the financial firm, the criminal often needs to only ‘get it right’ once to potentially make off with huge amounts of money or valuable data.

As WMA members heard at the WMA financial crime conference this week, there are many different forms of attack such as Malware Infections, Worms, Data Theft, Denial of Service, Crypto-extortion and Cloud self-provisioning – all motivated by multiple reasons, i.e. greed, hacktivism, espionage, ideology, etc., and this only looks set to continue to increase as criminals become ever more sophisticated.

But it’s important to remember firms are not taking this lying down and are fighting back. A survey by accounting firm EisnerAmper illustrates this, showing 62% of company directors citing cybersecurity and IT risks as an important concern, up from 53%. And a study by PwC for the UK Department for Business, Innovation and Skills shows that the number of security breaches has decreased even as the scale and cost has nearly doubled.

Firms increasing spend on information security internally is a great start, but the problem cannot be answered by entirely digital means – people need to be part of the solution.

Staff need to remain constantly vigilant and, as a representative from the Financial Conduct Authority emphasised at the WMA conference. Another key aspect is ensuring that the senior management at a firm ‘buys in’ to the process and provides the support necessary. Simply buying a protection package is not enough. The work is never ‘done’ and the process is ongoing.  Criminals will keep coming up with new and innovative ways to pose a threat to a financial firm and, therefore, the response needs to be equally flexible and altering to remain resilient.

Education and awareness for the general public is also something that was likely to be high on the agenda as the leaders from the two countries met.  Making people a key part of their own defence is essential — and it’s not just certain parts of society that need to be targeted. While there may be a perception that a younger demographic is more technologically fluent, it is estimated that nearly 2.3 million people aged between 70 and over 100 years old are now using internet banking – assumptions can’t be made and the risk is there for everyone. But there are many ‘common-sense’ things the average person can do to limit their susceptibility, such as securing social media profiles, managing the information publically available about them and ensuring anti-virus software is up to date, to name but a few.

At a governmental level, in the UK there are numerous solutions being worked on such as the Cyber Security Information Partnership (CISP) launched in 2013 and 80 new cyber specialists being hired at the cyber-crime unit of the National Crime Agency (NCA), police forces and regional organised crime units across the UK. In the Wealth Management arena specifically, WMA are leading the way with industry information-sharing initiatives, a dedicated financial crime conference with multiple experts providing practical assistance on the cyber security area, and support material for members firms and their clients.

As reporting requirements come up for changes in 2017 due to new European regulations, there will be bigger penalties for failing to report data breaches, making it more likely for the public profile of this area to come ever more under the spotlight.

So, as the fly on that wall, we can be pretty certain that cybersecurity will be on the agenda for a long time to come as the rate and scale of these attacks shows little sign of abating. More inter-governmental work, such as the cyber games begun this year, is also to be expected as well as sharing of information and best practice to ultimately improve the resilience of UK, US and other firms around the world.

The firms themselves are stepping up to the challenge. With the collective vigilance of the client/individual on the street and governmental support, cyber criminals will have their work cut out for them.

Liz Field is CEO of the Wealth Management Association

Also Read:

Should you trust mobile banking? 

The post Cyber Crime and Security – An ongoing battle appeared first on International Finance.

Tim Ring

October 30, 2014: Our plummeting faith in new technology was starkly illustrated last year by the Russian secret service. In the wake of whistleblower Edward Snowden’s revelations of mass electronic spying by the Americans, the Kremlin agency tasked with protecting Russia’s top officials resorted to buying 20 Triumph Adler manual typewriters to use instead of email, and so guarantee their communications stayed secure.

In the ‘civilian’ world, the same lack of trust has prompted many consumers to question whether they should follow the growing trend of online and mobile banking, or stick to old-school bricks-and-mortar banks and hard cash payments instead?

With tales of exotic-sounding banking malware families like Zeus and Carberp being used by often (ironically) Russian cyber criminals to steal the electronic account details of millions of people worldwide, it’s a valid concern.

The problem with banking via the internet, and now mobile devices, and soon social networking sites like Facebook and Twitter, is that it opens up a bigger and bigger ‘attack surface’ for cyber criminals to target. And crucially, the newer the technology, the less people understand its inner workings and can be certain it is safe and secure.

So what are the benefits and pitfalls of online and mobile banking?

Financial security expert Pierluigi Paganini is worried. “Many banks and financial institutions have a great interest in providing services to customers through mobile and also social networking. But there are a lot of problems that could be linked to the use of these platforms,” he explained.

Paganini, founder of the respected ‘Security Affairs’ cyber security blog and chief information security officer at Bit4Id, says the main problem is not the inherent insecurity of these devices – it’s the way people use them.

Take someone who transacts with their bank via their smartphone or tablet: “If you install defence mechanisms such as anti-virus, if you always visit legitimate websites, if you don’t click or respond to unsolicited emails – if people follow some basic best practices, I am quite confident that they can be secure,” Paganini said. “But in reality, this is what never happens.”

He outlines the Dos and Don’ts: don’t use open WiFi networks (criminals can take control of the transaction); don’t open unsolicited emails purporting to come from your bank (it’s a phishing attack that will infect your device with malware); do use the latest (most secure) version of your Android mobile operating system and banking app; and do install anti-virus and other security software.

But even with these precautions, there’s still no guarantee: no technology is 100% safe. For example, banks typically offer seemingly uncrackable ‘two-factor authentication’ on every mobile transaction. This means that as well as your user name and password, you are sent an SMS with a one-time secure code for that transfer.

But because many banking apps don’t properly manage the security ‘certificates’ that the bank’s computer and your device send each other to prove their identity, malware can mount a ‘man-in-the-middle’ attack to intrude on the exchange, pretend to be the bank, send you a fake code and then siphon off your cash without you realising.

In the face of all that, you might think Paganini would side with those who resist the move to online and mobile. But he doesn’t.

For one thing, electronic banking offers obvious benefits: you can access all your bank’s services, all the time, wherever you are. And physical banking isn’t safe – you might get robbed; and physical credit and debit cards get lost or stolen.

Paganini argues that by using online and mobile technology, you avoid these dangers. “I would suggest to people to move to mobile banking, there are a lot of advantages. Under specific conditions we have a good level of security. It just means the user must be educated to avoid risky behaviour.”

As for the banks, they point out that the move to online, mobile and social networking banking is not directly their doing. “This is not a bank-led revolution, it’s consumer-led,” said Rob Watts of the British Bankers’ Association, who oversaw the BBA’s ‘The Way We Bank Now’ study project. “Banks have been genuinely astonished by just how quickly consumers are doing this.

“Of course it’s not for everyone, but a lot of people are finding it’s easy, it’s fast, it’s convenient, they can bank whenever and wherever they want. They don’t have to take time out to go to the branch.”

Globally, banks are adopting a growing range of innovative technology-based services, Watts said: Kenyan banks pioneered mobile payments made to your contacts list via SMS texts; some US banks offer cheque imaging technology which means you don’t have to take a cheque to the branch, you can email a photo instead; and UK banks are making specialist advisers available via Skype.

It may be a case of: if you can’t beat these benefits, you better join in. Just cut out the risky behaviour – a big ask maybe, but at least online you can’t get mugged.

Also read:

There is no escaping the cyber threat

Home Depot’s payment system breached

The post Should you trust mobile banking? appeared first on International Finance.