
The majority (80%) of organisations have expressed interest in using cryptocurrencies - such as bitcoin - for business transactions, despite widespread fears of being compromised by associated DDoS attacks, according to new research from the Neustar International Security Council (NISC).

While 48% highlighted alternative forms of currency as a way to generate income through potential increased value, 26% of businesses also pointed out the heightened risk of currencies being used as an alternate form of ransom.

This ongoing fear has encouraged the majority of organisations to focus heavily on increasing their ability to respond to DDoS (41%), ransomware (40%) and targeted hacking (39%).

This new data has been revealed as part of a bi-monthly research series from the NISC, which has polled 255 IT security CTOs, VPs, senior directors, business managers and other professionals with a security remit across Europe.

The NISC research findings have also been used to calculate a unique Cyber Benchmark Index, which measures the level of concern in the NISC community of security professionals about the current international cybersecurity landscape. Based on the latest set of data, the index figure has reached 10.5, a considerable increase from the 6.5 rating in May last year, and 0.4 points higher than the last report in November.

From November to December, DDoS was seen to be the greatest concern to businesses at 22%, with financial and ransomware following close behind. However, ransomware was most likely to be perceived as an increasing threat to organisations, with 45% listing it as their greatest concern moving forward.

Rodney Joffe, Head of NISC and Neustar Senior Vice President and Fellow, commented on the findings: “Ransomware and DDoS attacks continue to be seen as the leading threat to companies due to the sheer volume, complexity and potential severity of an attack. That said, not too far behind as the second greatest concern to businesses moving forward is financial threat,” he said.

“Armed with plenty of tools, such as compromised IoT devices, it’s likely that we’ll see hackers make use of ransomware and DDoS attacks to cause major distractions. At the same time, we’ll likely see them put a focus on stealing large amounts of financial data, which may include traditional currencies, or the increasingly popular cryptocurrencies - such as Bitcoin. By developing a more cohesive security strategy, organisations can hone in on their most vulnerable data, processes and models, protecting their critical information in the short and long term.”

Participants also noted that - due to the quickly evolving cyber-threat landscape - increasing their ability to respond to DDoS, ransomware and targeted hacking was a main priority, with 9 out of 10 (90%) agreeing that a WAF (Web App Firewall) was an essential component of their company’s security infrastructure, a figure that increased the survey average by a significant margin.

(Source: Neustar International Security Council)


Chatbots are quickly becoming the interface of choice for many organisations. In fact, a recent survey conducted by Oracle revealed that 80% of businesses want chatbots by 2020. While the advances in Artificial Intelligence (AI) and mobile technology have given brands a new set of tools to communicate with, the technology itself has yet to reach a mature state and is consequently highly vulnerable to cyberattacks. This is according to Simon Bain, the cybersecurity expert and CEO of BOHH Labs.

Current bot solutions are not entirely secure and can create open passages for cyber criminals to access the data flowing through a chatbot’s interface. In essence, this gives cyber attackers direct access to an organisation’s network, applications and databases.

Bain explains: “While bot technology has improved drastically in recent years, for maximum security, chatbot communication should be encrypted and chatbots should be deployed only on encrypted channels. This can be easily set up on an organisation’s own website, but for brands that use chatbots through third-party platforms such as Facebook, the security features are decided by the third party’s own security branch, which means the organisation does not have as much control over the security features on the chatbot. Until public platforms offer end-to-end encryption in their chatbots, businesses should remain cautious.

“One of the biggest advantages in using chatbots is that they are a cheaper solution to customer service. They can serve and reach customers in a way that would otherwise require a tremendous amount of time and resources. This is an area where chatbots are gaining momentum, but instead of bots replacing entire customer service teams, organisations are working with them in tandem to improve customer satisfaction. However, as chatbots collect information from users, the information that is stored and the metadata must be properly secured. When running a chatbot, organisations must consider how the information is stored, how long it’s stored for, how it’s used, and who has access to it. This is especially important for highly regulated industries, such as finance, that will deal with sensitive customer information.”

“While there are clear advantages to integrating chatbot technology as a new communication tool, if companies aren’t made aware of the potential security risks, confidential data will be accessible by any determined hacker. Additionally, attackers may be able to repurpose chatbots to harvest sensitive data from unsuspecting customers,” Bain concludes.

(Source: BOHH Labs)

The need for financial institutions to be prepared against cyberattacks is doubly pressing this year, following a raft of new regulations. These have shifted the mandate from one of annual compliance exercises to an ongoing assurance that IT systems are prepared and secure.

Hiscox recently published its Cyber Readiness Report, surveying how prepared major institutions are to face cyber-attacks. Last year the report found many businesses underprepared for cybersecurity threats.

A variety of products offer security for financial services companies’ critical applications. But the growing complexity of banks’ systems means that the approach to cyber security products is not fit for purpose, warns systems integrator World Wide Technology.

Nick Hammond, lead advisor for financial services at World Wide Technology, comments: “The Hiscox report will serve as an important reminder to financial services firms about the importance (and difficulty) of securing against the cyber threats.

“This kind of protection is all the more necessary this year, in the wake of new regulations such as MiFID II, PSD2 and GDPR. Unlike older rules that only required yearly tick-box compliance exercises, these new regulations require continued assurance of critical applications.

“But with the complexity of existing IT systems, which have been built with different and sometimes opposing metrics over the years, this is easier said than done. Legacy infrastructures are often formed from an extremely complex patchwork of applications, which communicate with each other in convoluted ways.

“This web of opaque interdependencies is creating problems for cyber security. Without a clear view of how the system is plumbed together, there can be knock-on effects downstream when one application is prevented from sharing data with another system or user.

“To meet changing regulatory requirements, companies in the financial space need to access infrastructural expertise, to generate a working, real-time picture of the entire framework. Only after gaining this level of visibility can the right security policies be fitted to each application in a way that fits within the functioning of the existing system, allowing components to communicate as they need to whilst closing them off from external threats.”

(Source: World Wide Technology)

Now a booming trading market, cryptocurrencies do however create an avenue of risk. Below Schalk Nolte, CEO at Entersekt, discusses said risk and the overall safety of trading Bitcoin and the likes.

It’s official: Bitcoin is now the golden child of the investment community. Following news headlines about becoming instant millionaires, starry-eyed cryptocurrency enthusiasts are flocking to online exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges all need to have transaction security in place. And most of them do – except that their security appears to be stuck in the early 2000s.

Nine years ago, Bitcoin didn’t exist. Today, between three and six million people are estimated to have a bitcoin wallet, with over $3 billion worth of the currency traded every 24 hours. Nine years ago, the one-time password (OTP), whether delivered as an SMS OTP or a mobile transaction authentication number (mTAN), represented the apex of transaction security. Today, other technologies have left SMS OTPs in the dust in terms of both user experience and security – and for good reason.

OTPs are typically reliant on mobile network operators for delivery, and they require additional effort from the user without rendering transactions fraud-proof as a reward. They are vulnerable to man-in-the-middle (MITM) attacks for the simple reason that an OTP is never truly out of band, whether it’s delivered via SMS or another route. Because it’s entered into a potentially compromised primary channel, it will always be susceptible to MITM attacks, while the involvement of mobile networks also introduces the possibility of attacks such as SIM swapping and number porting.

In fact, in August 2017, Sean Everett, CEO of artificial intelligence startup PROME, lost a significant cryptocurrency investment with the platform Coinbase as a result of a simple number porting attack made possible by SMS OTP. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.” So how is it possible that the OTP is still the security measure of choice at the majority of cryptocurrency exchanges – and, more importantly, what are the alternatives?

In order to protect its trader members and allow them to match the pace at which cryptocurrency fluctuates, a cryptocurrency exchange needs to do three things:

Minimize risk: This is done by implementing a solution that offers solid app security and strong customer authentication for all transactions.

Make things easy: A convenient and user-friendly trading platform will attract and retain customers. To put it another way, play to a real-world trading scenario: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it? Or would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially considering that the easier option is also the safer one.

Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that their traders install a third-party app like Google Authenticator, but this will mess with regulatory compliance – such as with PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Third-party apps often only authenticate logins, not transactions, and as such are not compliant with these requirements. OTPs, needless to say, do not comply either.

If they want to offer winning and secure trading options for cryptocurrency aficionados, it makes no sense for these exchanges to insist on using obsolete, not to mention risky, technology. Instead, exchanges should be employing a more robust and convenient out-of-band authentication solution that does not rely on mobile networks. They should look for a solution that offers PKI-based authentication and transaction signing directly from the mobile phone, which will eliminate fraudulent transactions and build trust in cryptocurrency trading practices – all while providing a user-friendly experience.
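To make the contrast between an OTP and transaction signing concrete, the following Go program is an added example written for this page; it is not Entersekt’s product or any exchange’s code. It models the three parties the article describes: an enrolled phone holding an Ed25519 private key, the exchange holding the matching public key, and a compromised browser that swaps the destination address after the user has approved. The transaction layout, the placeholder wallet strings, the single-use transaction ID (assumed to be server-issued) and the trusted enrolment step are all assumptions of the example; OTPAccepts stands in for the SMS OTP check to show that it is bound to the user and a time window, not to the transaction.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is exactly what the enrolled phone shows the user and signs;
// any field altered after signing invalidates the signature.
type Transaction struct {
	ID     string `json:"id"`     // server-issued, single use (blocks replay)
	Asset  string `json:"asset"`
	Amount string `json:"amount"` // decimal string, avoids float rounding
	Dest   string `json:"dest"`   // destination wallet address
}

// canonical serialises deterministically (fixed struct field order), so the
// bytes the device signs are the bytes the server verifies.
func canonical(tx Transaction) []byte {
	b, err := json.Marshal(tx)
	if err != nil {
		panic(err) // a struct of plain strings cannot fail to marshal
	}
	return b
}

// Device models the user's enrolled phone; the private key never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// Enrol generates the device key pair. The public key is registered with the
// exchange once, at enrolment, over a channel assumed trustworthy here.
func Enrol() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Approve is the out-of-band step: the phone displays the transaction and
// signs precisely those details.
func (d *Device) Approve(tx Transaction) []byte {
	return ed25519.Sign(d.priv, canonical(tx))
}

// Server is the exchange side: the user's registered public key plus the
// set of transaction IDs already executed.
type Server struct {
	pub  ed25519.PublicKey
	used map[string]bool
}

func NewServer(pub ed25519.PublicKey) *Server {
	return &Server{pub: pub, used: map[string]bool{}}
}

// Execute accepts a transaction only if the signature verifies over the same
// canonical bytes and the ID has not been used before.
func (s *Server) Execute(tx Transaction, sig []byte) error {
	if s.used[tx.ID] {
		return fmt.Errorf("transaction %s already executed (replay)", tx.ID)
	}
	if !ed25519.Verify(s.pub, canonical(tx), sig) {
		return errors.New("signature does not cover this transaction")
	}
	s.used[tx.ID] = true
	return nil
}

// OTPAccepts models the SMS OTP check the article criticises: the code is tied
// to the user and a time window, not to the transaction, so a transaction
// altered in a compromised browser passes just the same.
func OTPAccepts(_ Transaction, entered, expected string) bool {
	return entered == expected
}

func main() {
	dev, pub, err := Enrol()
	if err != nil {
		panic(err)
	}
	srv := NewServer(pub)
	// Constructed sample; wallet addresses are placeholders.
	tx := Transaction{ID: "tx-0001", Asset: "BTC", Amount: "1.50", Dest: "WALLET-OF-USER-PLACEHOLDER"}
	sig := dev.Approve(tx)
	tampered := tx
	tampered.Dest = "WALLET-OF-ATTACKER-PLACEHOLDER" // swapped in the browser after approval
	fmt.Println("tampered:", srv.Execute(tampered, sig))
	fmt.Println("genuine: ", srv.Execute(tx, sig))
	fmt.Println("replayed:", srv.Execute(tx, sig))
	fmt.Println("OTP accepts tampered transaction:", OTPAccepts(tampered, "482913", "482913"))
}
```

The point of the design is that the exchange verifies a signature over the full transaction, so the only way for a withdrawal to go through is for the user to have seen and approved those exact details on a device whose key the exchange enrolled; a replayed approval is stopped by the single-use ID, and a signature from any other device fails verification. The OTP check has none of these properties, which is why the article calls it obsolete for this use.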

On the flip side, cryptocurrency traders should be demanding better security from the platforms they use. It is the only way for them to keep their investments safe and avoid becoming the next cybercrime news headline. After all, if cryptocurrency is at the cutting edge of innovation, shouldn’t the same apply to the protection of its trade?

The chances are your organisation is adopting cloud computing in one way or another. Moving to the cloud can help you accelerate IT delivery, realize immediate productivity and financial efficiencies, and ultimately, drive business agility. But it can also open up the attack surface, leaving the entire organisation exposed to security threats. Here Andrew Lintell at Tufin explains the ins and outs of cloud security and offers valuable insight on making it as tamper proof as possible.

The adoption of cloud services is continuing its rapid upward trend, and the market is expected to rise 18% this year to $246.8 billion. Networks are becoming more and more complex as the modern IT infrastructure adopts private and public cloud platforms to make better use of an array of cloud services.

Yet public and private cloud services can present many challenges to chief information security officers (CISO) as they struggle to keep up with ever-evolving technologies and enrol multiple vendors to cater to different departmental needs – all in addition to the associated security risks against their businesses. Security leaders are aware that achieving business objectives depends on adopting security best practice across all levels of IT, including the cloud.

However, one of the problems is that some cloud services are being used without the knowledge of the IT department, bypassing security policies, and therefore the reach of enterprise security - otherwise known as Shadow IT. In fact, Gartner has predicted that by 2021, 27% of all corporate data traffic will bypass perimeter security (up from 10% today) and flow directly from mobile and portable devices to the cloud. This causes untold sleepless nights for CISOs and makes their job of managing and securing the use of rapidly multiplying cloud services across an entire, and often global organisation, a continuing battle. And to make things more complicated from a security point of view, many CISOs lack a single pane of glass view into their networks through which they can see and address risks.

With security now top of the agenda for organisations of all sizes, here we consider the primary challenges that CISOs need to address in order to close the security gaps that exist as they move to the cloud.

Improving visibility

While most enterprises have already adopted private, public cloud, and hybrid network technologies, one of the biggest resulting challenges for CISOs is that cloud environments are dynamic, with limited visibility. That lack of visibility is likely the result of ownership over virtual infrastructure in public clouds now being held by central enterprise IT teams. With the inclusion of the public cloud, networks are increasingly large, fluid in change, and complex, and so are the security policies needed to manage across multiple platforms and technologies.

With this in mind, it is no surprise that surveys consistently show that cloud security is an on-going struggle for IT security professionals, with many organisations reporting that it is difficult to get the same level of visibility into cloud-based workloads as they have on their physical network. Good data governance is key, and CISOs need to know where information is being shared and stored, and what cloud services the company might be using. One department might be daily users of Dropbox, for example, and another department might prefer to communicate and share files using collaborative tools such as Slack. Regardless of who is collecting the data, the points of data aggregation and storage need to be well documented and protected given the impending requirements, and penalties of non-compliance, with GDPR.

More often than not, enterprises decide to migrate their on-premises systems over time – a kind of ‘dipping a toe’ approach to public cloud platform adoption. Alternatively, they may also take to migrating to a private cloud (or hybrid network), to maintain a higher degree of control. Regardless of their choice between the public or private cloud – or some cases, both – the problem is that cloud migration adds to the complexity of the network and inhibits visibility across the network when introducing new vendors that bring with them increasing east-west traffic. To seamlessly map and consolidate the management of these platforms to avoid business disruption, enterprises must enrol the help of network security policy management across the corporate network to ensure visibility and consolidate the management of multiple tools.

Without visibility, it’s impossible for CISOs to enforce consistent policies and mitigate risks. Traditional security tools, like firewalls and intrusion detection systems, work effectively within an organisation’s four walls, but continuous manageability becomes difficult when it comes to adding additional tool providers necessary for the cloud. With a centralised view and management over a network through a single console, organisations can overcome the lack of visibility often associated with cloud adoption and simplify the management of security policies across multiple tools, mitigating risk and ensuring compliance across the entire enterprise.

Visibility also benefits from creating a risk ranking of the cloud services in use. This should include an assessment of whether a particular service has been breached recently, whether they encrypt data in transit and if their system has been patched or configured to address high profile threats like the infamous Heartbleed, WannaCry, or ExPetr, for example.

Ensuring compliance

As part of the process of moving data from a company’s internal system to the cloud, organisations are forced to examine closely how that data will be kept so that they remain compliant with laws and industry regulations. This raises a whole range of questions for security professionals. Where will our data be stored? Who is looking after it? Who will be able to see it and can we control that access? How secure is that cloud platform? Have we ensured that our deployments have been effectively and securely configured?

The type of data organisations are storing could be anything from intellectual property, to payment information, to personal data. Each data type has regulatory requirements to comply with. For example, the payment card industry data security standard (PCI-DSS) is a proprietary information security standard for organisations that handle card data, and the upcoming General Data Protection Regulation (GDPR) is the new legal framework in the EU covering personal data.

Data must be classified, and organisations must understand what data can be allocated to the cloud and what may need to remain stored in-house. Organisations must also know how - and where - data is being protected and backed up.

Gaining control

The complex IT environment that CISOs have to contend with today includes multiple endpoints subject to the fluctuations brought on by a wide range of mobile devices and desktops. End users are choosing multiple cloud vendors, but many of the features that make cloud-based applications so attractive, such as sync, share, and ease of collaboration, are the very things that put corporations at risk when it comes to cloud usage.

Securing hybrid environments requires CISOs to gain control of their security configurations in the cloud. Best practice revolves around developing a unified security policy with a detailed snapshot of the entire network, defining what type of data is in use and prescribing the appropriate measures for each type. When enterprises can quickly and accurately apply a policy – regardless of the environment – control and business agility are gained.

Finally, organisations need to control who has access to specific data sets. This means that as people come in and out of an enterprise, revoking access credentials is very important for former employees. The danger is that when people leave, they still have access to information stored through cloud providers.

Organisations need a seamless way to bring infrastructure, people, and processes together - a “single pane of glass” that can manage security policies and configuration across the whole network. With cloud infrastructure now increasingly commonplace, it’s important that organisations follow best practice such as this, to make the cloud security experience as safe, sound, and secure as possible. The alternative would leave infrastructures exposed to the security threats that lurk around every corner.

The security of banks’ and other financial institutions’ websites has been in the spotlight recently, notably in the case of NatWest bank which was involved in a public discussion regarding its site. Below Jacob Ghanty, Head of Financial Regulation at Kemp Little LLP, discusses the legal implications of website security, along with the potential consequences and of course some solutions to follow up on.

Importance of bank website security

With the diminishment of the physical branch networks that UK banks have maintained traditionally, banks’ online services are a fundamental means through which they deliver core banking services to their customers.

In the case of NatWest, a security expert identified that the bank was not using an encrypted https (Hypertext Transfer Protocol Secure) connection for a customer-facing website (in contrast with its connection for online banking services). The security expert suggested that hackers could redirect site visitors away from NatWest to other sites using similar names. NatWest stated that it would work towards upgrading to https within 48 hours.

Legal obligation to protect customer data

This type of issue is not new and has affected other banks as well. As long ago as 2007, the Information Commissioner’s Office (ICO) named and shamed 11 banks for unacceptable data security practice.

From a data privacy law perspective, under current legislation (the Data Protection Act 1998 (DPA)) organisations are required to have appropriate technical and organisational measures in place to protect data against unauthorised or unlawful processing, and against accidental loss or destruction of or damage to personal data (data security breach). The DPA does not define "appropriate technical and organisational measures" but the interpretive provisions state that, to comply with the seventh data protection principle, data controllers must take into account the state of technical development and the cost of implementing such measures. Moreover, security measures must ensure a level of security appropriate to both: the harm that might result from such a data security breach; and the nature of the personal data to be protected.

From a financial services regulatory perspective, banks are subject to a requirement in the Prudential Regulation Authority Rulebook to: “…establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question. … a firm must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.” Breach of this and related rules (including a requirement to implement adequate systems and controls to monitor and detect financial crime) would leave banks open to disciplinary action.

The importance of an HTTPS connection

Any data sent between a customer’s device and a website that utilises https is encrypted and accordingly unusable by anyone intercepting that data unless they hold the encryption key. Without https protection, hackers could, in principle, alter a bank’s website and re-direct users to a fake or “phishing” website where their data could be stolen. Phishing sites are designed to appear like a bank’s own website to lure customers to disclose their personal data. Many such sites are quite sophisticated (incorporating fake log-in mechanisms, and so on) and present genuine risks to customers’ data.

Legal and financial consequences for banks who fail to protect their customers’ data

From a data privacy law standpoint, the ICO has the power to impose financial penalties on data controllers of up to £500,000 for a serious breach of the data protection principles. For example, in October 2016, the ICO imposed a £400,000 fine on TalkTalk for a breach of the seventh data protection principle.

The EU’s General Data Protection Regulation (GDPR) will take effect from 25 May 2018. The GDPR will impose stricter obligations on data controllers than those that apply under the DPA. The GDPR will significantly increase maximum fines for data controllers and processors in two tiers, as follows: up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.

Key next steps for banks to protect financial and customer data

There are several obvious steps that banks can take to protect financial and customer data including carrying out a cyber security audit, maintaining adequate detection capabilities and putting in place recovery and response systems to enable them to carry on in case of an unexpected interruption.

There are a number of useful sources of information in this area including: the FCA’s speech in September 2016 on its supervisory approach to cyber security in financial services firms; various ICO guides on information security; the FCA’s Financial Crime Guide; and the FSA’s Thematic Review Report on data security in the financial services sector of April 2008.

Anomali recently released a new report that identifies major security trends threatening the FTSE 100. The volume of credential exposures has dramatically increased to 16,583 from April to July 2017, compared to 5,275 in last year’s analysis. 77% of the FTSE 100 were exposed, with an average of 218 usernames and passwords stolen, published or sold per company. In most cases the loss of credentials occurred on third-party, non-work websites where employees reuse corporate credentials.

In May 2017, more than 560 million login credentials were found on an anonymous online database, including roughly 243.6 million unique email addresses and passwords. The report shows that a significant number of credentials linked to FTSE 100 organisations were still left compromised over the three months following the discovery. This failure to remediate and secure employee accounts means that critical business content and personal consumer information held by the UK’s biggest businesses has been left open to cyber-attacks.

The report, The FTSE 100: Targeted Brand Attacks and Mass Credential Exposures, executed by Anomali Labs also reveals that:

“Our research has uncovered a staggering increase in compromised credentials linked to the FTSE 100 companies. Security issues are exacerbated by employees using their work credentials for less secure non-work purposes. Employees should be reminded of the dangers of logging into non-corporate websites with work email addresses and passwords. While companies should invest in cyber security tools that monitor and collect IDs and passwords on the Dark Web, so that staff and customers can be notified immediately and instructed to reset accounts,” said Colby DeRodeff, Chief Strategy Officer and Co-Founder at Anomali.

The Anomali research team also analysed suspicious domain registrations, finding that 82% of the FTSE 100 had at least one catalogued against them, and 13% more than ten. In a change from last year, the majority were registered in the United States (38%), followed by China (23%), and most of the registrants used gmail.com or qq.com (a free Chinese email service) addresses to register these domains and mask themselves. With a deceptive domain, malicious actors have the potential to orchestrate phishing schemes, install malware, redirect traffic to malicious sites, or display inappropriate messaging.

For the second year, the vertical hit hardest by malicious domain registrations was banking with 83, which accounted for 23%. This is double that of any other industry. To avoid a breach, organisations have to be more accountable and adopt a stronger cyber security posture, for themselves and to protect the partners and customers they directly impact.

“Monitoring domain registrations is a critical practice for businesses to understand how they might be targeted and by whom. A threat intelligence platform can aid companies with identifying what other domains the registrant might have created and all the IPs associated with each domain. This information can then be routed to network security gateways to keep inbound and outbound communication to these domains from occurring. No one is 100% secure against actors even with the intent and right level of capabilities. It is essential to invest in the right tools to help secure every asset, as well as collaborate with and support peers in order to reduce their risks to a similar attack,” continued Mr. DeRodeff.

(Source: Anomali)
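The domain-registration monitoring Mr DeRodeff describes comes down to a handful of classification rules run over a feed of new registrations. The Go program below is an added example written for this page, not Anomali’s tooling: it checks each registration against a placeholder brand, examplebank.com, for a different TLD, lookalike character substitutions, a small edit distance, or the brand embedded in a longer label, and tallies the e-mail providers the flagged registrants used, mirroring the gmail.com and qq.com observation in the report. The rules, the two-edit threshold, the substitution table and the sample rows are all assumptions of the example; the feed is constructed data.

```go
package main

import (
	"fmt"
	"strings"
)

// Registration is one row of a newly-registered-domain feed (constructed here).
type Registration struct{ Domain, RegistrantEmail string }

// label returns the registrable label ("examplebank" from "examplebank.com");
// it assumes a single-label TLD, a real feed would need a public-suffix list.
func label(domain string) string {
	parts := strings.Split(strings.ToLower(domain), ".")
	if len(parts) < 2 {
		return parts[0]
	}
	return parts[len(parts)-2]
}

// lookalikes folds common substitutions back, so "exarnplebank" and "examp1ebank" normalise to "examplebank".
var lookalikes = strings.NewReplacer("rn", "m", "vv", "w", "0", "o", "1", "l", "3", "e", "5", "s", "@", "a")

func normalise(s string) string { return lookalikes.Replace(strings.ToLower(s)) }

// levenshtein is the edit distance (insert, delete, substitute) between two ASCII labels.
func levenshtein(a, b string) int {
	prev, cur := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			d := prev[j-1] // substitution, or a match when the bytes agree
			if a[i-1] != b[j-1] {
				d++
			}
			if prev[j]+1 < d { // deletion
				d = prev[j] + 1
			}
			if cur[j-1]+1 < d { // insertion
				d = cur[j-1] + 1
			}
			cur[j] = d
		}
		prev, cur = cur, prev
	}
	return prev[len(b)]
}

// Classify applies the rules from most to least specific and returns the first hit.
func Classify(brand string, reg Registration) (string, bool) {
	if strings.EqualFold(reg.Domain, brand) {
		return "", false // the brand's own registration
	}
	b, l := label(brand), label(reg.Domain)
	switch {
	case l == b:
		return "brand label under a different TLD", true
	case normalise(l) == normalise(b):
		return "lookalike character substitution", true
	case levenshtein(l, b) <= 2:
		return "within 2 edits of the brand label", true
	case strings.Contains(l, b):
		return "brand label embedded in a longer name", true
	}
	return "", false
}

// Scan classifies every row; it returns domain -> reason plus a tally of the
// e-mail providers used to register flagged domains (the gmail.com / qq.com pattern).
func Scan(brand string, feed []Registration) (map[string]string, map[string]int) {
	findings, providers := map[string]string{}, map[string]int{}
	for _, reg := range feed {
		reason, ok := Classify(brand, reg)
		if !ok {
			continue
		}
		findings[reg.Domain] = reason
		if at := strings.LastIndex(reg.RegistrantEmail, "@"); at >= 0 {
			providers[strings.ToLower(reg.RegistrantEmail[at+1:])]++
		}
	}
	return findings, providers
}

// SampleFeed is constructed data; examplebank.com is a placeholder brand.
var SampleFeed = []Registration{
	{"examplebank.com", "security@examplebank.com"}, {"examplebank.net", "reg1@gmail.com"},
	{"examp1ebank.com", "reg2@qq.com"}, {"exarnplebank.com", "reg3@gmail.com"},
	{"examplebnak.com", "reg4@gmail.com"}, {"examplebank-login.com", "reg5@qq.com"},
	{"weather-report.org", "reg6@gmail.com"},
}

func main() {
	findings, providers := Scan("examplebank.com", SampleFeed)
	for domain, reason := range findings {
		fmt.Printf("%-24s %s\n", domain, reason)
	}
	fmt.Println("registrant e-mail providers among flagged domains:", providers)
}
```

In use, the feed would come from a zone-file or registrar data source and the flagged domains would be routed to the network gateways the quote mentions, so that traffic to them is blocked before any phishing page is ever visited; the registrant tally is what lets an analyst pivot from one registration to the others made by the same actor.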

When adopting new payment methodologies, banks must strike a challenging balance between ease of use and access and the need to put in place stringent levels of security. With technology evolving at ever-increasing rates, it’s increasingly difficult to keep on top of that challenge. Below Finance Monthly hears from Russell Bennett, chief technology officer at Fraedom, on this challenging balance.

Banks first need to put in place an expert team with the time, resource and capability to stay ahead of the technological curve. This includes reviewing, and, where relevant, leveraging the security used on other systems and devices that support access into banking systems. Such a team will, for example, need to look at the latest apps and smartphone devices, where fingerprint authentication is now the norm and rapidly giving way to the latest facial recognition functionality.

Indeed, it is likely that future authentication techniques used on state-of-the-art mobile devices will drive ease-of-use further, again without compromising security, while individual apps are increasingly able to make seamless use of that main device functionality.

This opens up great potential for banks to start working closely with software companies to develop their own capabilities that leverage these types of security checks. If they focus on a partnership-driven approach, banks will be better able to make active use of biometric and multifactor authentication controls, effectively provided by the leading consumer technology companies that are investing billions in latest, greatest smartphones.

Opportunities for Corporate Cards

This struggle to find a balance between security and convenience is however, not just about how the banks interact directly with their retail customers. We are witnessing it increasingly impacting the wider banking ecosystem, including across the commercial banking sector. The ability for business users to strike a better balance between convenience and security in the way they use bank-provided corporate cards is a case in point.

We have already seen that consumer payment methods using biometric authentication are becoming increasingly mainstream – and that provides an opportunity for banks. Extending this functionality into the corporate card arena has the potential to make the commercial payments process more seamless and secure. Mobile wallets, sometimes known as e-wallets, that defer to the individual’s personal attributes to make secure payments on these cards, whether authenticated by phone or by selfie, offer one route forward. There are still challenges ahead before the above becomes a commercial reality though.

First, these wallets currently relate largely to in-person, point of sale payments. For larger, corporate card use cases such as settling invoices in the thousands, the most common medium remains online or over the phone.

Second, there are issues around tethering the card both to the employee’s phone and the employee. The 2016 Gartner Personal Technologies Study, which polled 9,592 respondents in the US, the UK and Australia revealed that most smartphones used in the workplace were personally owned devices. Only 23 percent of employees surveyed were given corporate-issued smartphones.

Yet the benefits of e-wallet-based cards in terms of convenience, speed and ease of use, and the potential they give the businesses offering them to establish a competitive edge, are such that they have great future potential.

One approach is to build a bridge to the fully e-wallet based card: a hybrid solution that serves to meet a current market need and effectively paves the way for these kinds of cards to become ubiquitous. There are grounds for optimism here with innovations continuing to emerge bringing us closer to the elusive convenience/security balance. MasterCard has been trialling a convenient yet secure alternative to the biometric phone option. From 2018, it expects to be able to issue standard-sized credit cards with the thumbprint scanner embedded in the card itself. The card, being thus separated from the user’s personal equipment, can remain in the business domain. There is also the opportunity to scan several fingerprints to the same card so businesses don’t need to issue multiple cards.

Of course, part of the value of bringing cards into the wallet environment is ultimately the ability to replace plastic with virtual cards. The e-wallet is both a natural step away from physical plastic and another example of the delicate balancing act between consumerisation of technology and security impacting banking and the commercial payments sector today. There are clearly challenges ahead both for banks and their commercial customers in striking the right balance but with technology continuing to advance, e-wallets being a case in point, and the financial sector showing a growing focus on these areas, we are getting ever closer to equilibrium.

Mobile shopping in the UK, France and Germany accounted for 28% of online Christmas orders in 2016, according to CJ Affiliates, with the UK bringing in an even bigger proportion at 44%. And these figures are set to grow even more in the lead-up to the 2017 festive period.

According to Keiron Dalton, mobile banking expert from Aspect Software, with the Golden Quarter set to see another boom in mobile payments and complex transactions, the opportunities for fraudsters to make their move on the shopping public are higher than ever. Keiron, head of Aspect’s global digital identity division, also argues that fraud that relies heavily on social engineering and bypassing weak security processes, such as SIM Swap, is seeing an upward trend in the UK and other regions, including Africa. According to Keiron, fraudsters take advantage not only of the upswing in mobile payments activity, but of the sentiment surrounding the holiday for a lot of people.

Keiron explained: “SIM Swap fraud occurs when a criminal registers an existing phone number of a victim on a new SIM card by impersonating the victim to the mobile phone provider. Once activated, a criminal will receive all the calls and SMS notifications sent to the victim’s mobile number and can deactivate the original SIM card in the process. Once in control, criminals are able to bypass SMS-based one-time-passcodes, and steal large amounts of money quickly. This often happens before the victim is even aware they have been targeted.”

“We are working closely with the GSMA, as well as with a number of big banks and leading mobile network operators in the UK and in the rest of Europe to build a collaborative effort to fight new types of fraud like SIM Swap, but consumer awareness of the crimes has stayed relatively out of the headlines. If your phone or SIM card has been compromised, there are a number of tell-tale signs to look out for before it gets too far,” Keiron said.

  1. Phishing messages and suspicious communications asking for information

SIM Swap fraud requires the hacker to have access to a victim’s bank details. These are often obtained through an email phishing attack, unsolicited communications asking for details, or by purchasing that information from online crime gangs. You should never respond to these types of communications or send your bank details on any platform that could be read by someone else. Your bank will never ask for this information so don’t be fooled by fraudsters imitating your bank. This leads to the initial opportunity to get account access or access to a duplicate SIM card; it also could provide criminals with the answers to personal security questions.

  2. Extended loss of signal

Once SIM Swap fraud has occurred, it is not instantly noticeable to the victim. An extended loss of signal is the first sign that a SIM swap has taken place, as control of the number has been switched to the new SIM. Contact your mobile network provider to check whether it is a widely known issue or isolated to your device; if the provider confirms a SIM change you did not request, tell your bank immediately, because SMS codes for your accounts are now going to someone else.

  3. Floods of calls and messages

This is a tactic that runs parallel to the extended loss of signal. Criminals will send a flurry of nuisance calls and/or messages in an attempt to get victims to turn their phone off. If you’re suspicious, it’s vital that you don’t turn your phone off as this is used as a distraction to delay you noticing a loss of service when a SIM is swapped.

  4. Opening links on your phone

Whether the link is sent to a victim via a phishing message or is on an unknown website, mobile phone users should be cautious when opening links on their device, and delete anything suspicious immediately. Hackers can use links that contain application packages that, if installed, will give the people behind the malware administrator rights to the victim's device.

  5. Be aware of the source of any applications you download

Only download applications or make in-app purchases from approved sources or stores. To prevent suspicious applications from being installed, Android phone users can go to Settings/Security and make sure the ‘Unknown Sources’ option is off, which stops the phone installing apps from anywhere other than Google Play. On Android 8.0 and later the same control is granted per app under ‘Install unknown apps’, so check that no browser or messaging app has been given that permission.

(Source: Aspect)
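The piece above describes the attack from the victim’s side: once the number is on the fraudster’s SIM, every SMS one-time passcode lands with them. The bank-side countermeasure that the Aspect/GSMA collaboration alludes to is to ask the mobile network operator whether the SIM behind a number has recently changed before trusting an SMS code. The following is an added example written for this page, not code from Aspect, the GSMA or any bank. It assumes an operator lookup that returns the time of the last SIM change and a port-out flag; the thresholds, the policy, the phone numbers (from the reserved UK drama range) and the operator records are all constructed for the example.

```python
"""Bank-side choice of OTP channel, informed by an operator SIM-change signal.

Added example: the policy values, the operator records and the helper names
(lookup_sim, decide_otp_channel, authorise) are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Decision(Enum):
    SEND_SMS_OTP = "SMS one-time passcode acceptable"
    STEP_UP = "do not rely on SMS; use app push, a hardware token or an agent call-back"
    BLOCK = "hold the action and refer it to the fraud team"


@dataclass
class SimStatus:
    """What the operator reports for one number."""
    msisdn: str
    last_sim_change: Optional[datetime]  # None: operator has no change on record
    recently_ported: bool = False        # number has just moved to another operator


# Hypothetical policy values; the article gives no figures.
SWAP_WINDOW = timedelta(hours=72)   # distrust SMS for three days after a SIM change
HIGH_RISK_ACTIONS = {"add_payee", "change_password", "change_contact_details"}
LARGE_AMOUNT_GBP = 1000.0

# Fixed "now" so the example is reproducible.
EXAMPLE_NOW = datetime(2017, 12, 18, 12, 0, tzinfo=timezone.utc)

# Constructed operator records (reserved drama numbers, not real customers).
MNO_RECORDS = {
    "+447700900001": SimStatus("+447700900001", datetime(2017, 11, 1, tzinfo=timezone.utc)),
    "+447700900002": SimStatus("+447700900002", datetime(2017, 12, 18, 9, 30, tzinfo=timezone.utc)),
    "+447700900003": SimStatus("+447700900003", None, recently_ported=True),
}


def lookup_sim(msisdn: str) -> SimStatus:
    """Stand-in for the operator API call; unknown numbers come back with no record."""
    return MNO_RECORDS.get(msisdn, SimStatus(msisdn, None))


def decide_otp_channel(action: str, amount_gbp: float, sim: SimStatus, now: datetime) -> Decision:
    """Pick the OTP channel for `action`, given what the operator says about the SIM."""
    high_risk = action in HIGH_RISK_ACTIONS or amount_gbp >= LARGE_AMOUNT_GBP
    swapped_recently = sim.last_sim_change is not None and now - sim.last_sim_change < SWAP_WINDOW
    if swapped_recently or sim.recently_ported:
        # The registered number may now ring on a fraudster's SIM: an SMS code
        # would be delivered straight to them, which is the bypass described above.
        return Decision.BLOCK if high_risk else Decision.STEP_UP
    if sim.last_sim_change is None and high_risk:
        # No signal from the operator is not a clean bill of health.
        return Decision.STEP_UP
    return Decision.SEND_SMS_OTP


def authorise(msisdn: str, action: str, amount_gbp: float = 0.0,
              now: Optional[datetime] = None) -> Decision:
    """Look the number up and decide; `now` defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return decide_otp_channel(action, amount_gbp, lookup_sim(msisdn), now)


if __name__ == "__main__":
    cases = [
        ("+447700900001", "transfer", 50.0),      # SIM unchanged for weeks, small payment
        ("+447700900002", "balance", 0.0),        # SIM changed this morning
        ("+447700900002", "add_payee", 0.0),      # SIM changed this morning, high-risk action
        ("+447700900003", "transfer", 2500.0),    # number just ported out
        ("+447700900099", "transfer", 2500.0),    # unknown to the operator, large amount
    ]
    for number, action, amount in cases:
        print(f"{number} {action:<10} {amount:>8.2f} -> {authorise(number, action, amount, EXAMPLE_NOW).value}")
```

The point of the policy is that an SMS code is only as good as the SIM that receives it; a customer who genuinely replaced a phone that morning is inconvenienced for a few days, while the fraudster who has just taken over the number gets nothing useful from the channel they worked to capture.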

The holidays are upon us, and that means consumers are limbering up their mouse-clicking fingers in preparation to go shopping online. Online shopping is now mainstream and consumers are expected to spend more than £600 billion online this year, up 14% from a year ago. More than three-quarters of mid-sized to large retailers now sell goods and services over the web.

In the wake of the many recent and prominent cyberattacks, it’s reasonable to be concerned about how safe your online shopping experience really is. To check, we analysed a dozen of the UK's largest online retail sites to evaluate their policies and procedures regarding privacy, security and information sharing. The good news: all have good security practices when conducting transactions. The not-so-good news: password policies, information sharing and general disclosure practices are all over the map.

Here are some things to look for, based upon our research.

Secure browsing

HTTPS is the standard HTTP protocol carried over TLS, which encrypts the traffic between your device and the server and lets your browser check that it is talking to the genuine site. Some organizations, including Google and the Electronic Frontier Foundation, have been pushing website owners to adopt HTTPS for all communications. In light of that, it’s surprising how many of the sites we visited don’t use it for casual browsing. To be clear, all employ HTTPS for checkout, but several don’t make the switch until the customer logs into an account or heads for the checkout aisle.

There are reasons retailers give for this, but browser support is not one of them: every browser in current use speaks HTTPS. The real work is in moving every page and every third-party resource (images, scripts, adverts) onto HTTPS, because a page served over HTTPS that pulls in plain-HTTP content is flagged by browsers as mixed content. The benefits of secure browsing are compelling enough that it’s worth checking when you visit a site. It’s easy to do: look for the padlock in the address bar, or click on the address to reveal the full URL. Many browsers hide the scheme, so seeing nothing before the address proves little on its own, but if the URL begins with “http://” or the browser warns that the page is not secure, HTTPS isn’t being used. That means someone who can tap into your communications, such as another user on the same public Wi-Fi network, can see the pages you are viewing and the information you’re sending, and can alter pages on their way back to you. Pay particular attention if you are accessing a shopping site over a public Wi-Fi network.
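The behaviour described above (HTTPS only from login or checkout onwards) can be checked from two responses: what the site does with a plain http:// request, and whether its HTTPS reply carries a Strict-Transport-Security (HSTS) header telling browsers never to try http:// again. The script below is an added example written for this page, not Keeper Security’s tooling; the two sample sites and their responses are constructed to mirror the patterns the article found, and the hostnames, the verdict labels and the one-year HSTS floor are the author’s assumptions.

```python
"""Score a site's 'HTTPS for browsing' posture from captured responses.

Added example: Response, parse_hsts, mixed_content_urls, assess and the
SAMPLE_SITES data are constructed for illustration, not taken from any tool.
"""
import re
from dataclasses import dataclass, field

ONE_YEAR = 31536000  # seconds; a commonly recommended minimum HSTS max-age


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def parse_hsts(value):
    """Return (max_age, include_subdomains); (None, False) when the header is absent."""
    if value is None:
        return None, False
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    max_age = int(match.group(1)) if match else 0
    return max_age, "includesubdomains" in value.lower()


def mixed_content_urls(body):
    """Plain-http sub-resources referenced from a page: browsers block or warn on these."""
    return re.findall(r"""(?:src|href)\s*=\s*["'](http://[^"']+)""", body, re.I)


def assess(http_resp, https_resp):
    """Return (verdict, findings) for one site from its http:// and https:// replies."""
    findings = []
    location = http_resp.header("Location") or ""
    redirects = http_resp.status in (301, 302, 307, 308) and location.lower().startswith("https://")
    if redirects:
        findings.append("plain-http request is redirected to HTTPS")
    elif http_resp.status == 200:
        findings.append("home page is served over plain HTTP; anyone on the path can read or alter it")
    else:
        findings.append(f"unexpected status {http_resp.status} for plain-http request")

    max_age, include_sub = parse_hsts(https_resp.header("Strict-Transport-Security"))
    if max_age is None:
        findings.append("no Strict-Transport-Security header: browsers will still try http:// first")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    else:
        findings.append("HSTS set for at least a year" + (", including subdomains" if include_sub else ""))

    mixed = mixed_content_urls(https_resp.body)
    if mixed:
        findings.append(f"{len(mixed)} sub-resource(s) loaded over plain http")

    if redirects and max_age is not None and max_age >= ONE_YEAR and not mixed:
        verdict = "enforced"
    elif redirects:
        verdict = "partial"
    else:
        verdict = "browsing unprotected"
    return verdict, findings


# Constructed sample responses: one site that enforces HTTPS, one that only
# switches at login and still pulls a script over plain http on that page.
SAMPLE_SITES = {
    "retailer-a.example": (
        Response("http://retailer-a.example/", 301, {"Location": "https://retailer-a.example/"}),
        Response("https://retailer-a.example/", 200,
                 {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
                 '<html><img src="https://cdn.retailer-a.example/logo.png"></html>'),
    ),
    "retailer-b.example": (
        Response("http://retailer-b.example/", 200, {"Content-Type": "text/html"},
                 "<html>catalogue served in the clear</html>"),
        Response("https://retailer-b.example/login", 200, {},
                 '<html><script src="http://static.retailer-b.example/tracker.js"></script></html>'),
    ),
}


def assess_all(sites=SAMPLE_SITES):
    """Assess every site in `sites`; returns {host: (verdict, findings)}."""
    return {host: assess(*pair) for host, pair in sites.items()}


if __name__ == "__main__":
    for host, (verdict, findings) in assess_all().items():
        print(f"{host}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

To run it against a live site, replace the constructed `Response` objects with the status, headers and body of a real `http://` request (without following redirects) and a real `https://` request; the assessment logic does not change.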

Privacy policy

Online retailers are required by law to post privacy policies. However, that doesn’t mean all policies are the same. That’s likely to change next May (25 May 2018), when the General Data Protection Regulation starts to apply. Those are the rules that define how organizations operating within the EU, or offering goods and services to people in it, must store and protect personal information about individuals in the EU. Enactment of GDPR should create a more level playing field, but in the meantime there are variances in details about the use of your personal data to look for.

A good privacy policy should be easy to find, easy to navigate and written in clear language. We found considerable variations between retailers in this area. Some bury sections of their policies in dense, nested menus or use legalese like Asda’s "By letting us have any sensitive personal data, you expressly consent to us using and telling others about any of your sensitive personal data so we can provide you with the goods or services requested by you in the way set out in this Privacy Policy.” Huh?

Others take time and care to craft a policy that is visually attractive and easy to navigate. Particularly notable is John Lewis, whose security policy amounts to a mini tutorial on good password practices. It even has advice on malware and phishing protection. Tesco also has an outstanding privacy center, with advice on how to protect against social media scams and even keep your gadgets safe.

Information sharing

Most e-tailers pledge not to use your contact information for anything unrelated to a transaction or a related service. However, some will contact you for market research studies or to get your feedback on their services or the website. Look, in particular, for language like "carefully selected third parties may use the information we collect to inform you about offers, products and services.” This means your contact information is being shared with companies or list services other than the one you’re doing business with, most likely for marketing purposes. Most retailers will let you opt out of such communications, but the responsibility to do so is yours.

A variation on this practice is to share information within a family of companies. For example, Marks and Spencer plc also runs its own bank and energy businesses and shares customer information between them. Retailers must disclose these practices in their privacy statements. If you’re uncomfortable with having a company that sells you clothes also pitch you on mortgages, opt out of the deal.

Speaking of opt out, practices also differ on email contact. Most retailers opt you into their email marketing programs and leave it up to you to withdraw. In some cases, you can opt out at the point of payment or registration, but others require you to go into your personal profile and change your preferences, or to unsubscribe once the pitches start arriving.

Payment information

Policies also differ on retention of credit card information. Some companies keep card details by default, while others ask your permission. This information should be laid out in the privacy policy or stated on the registration page.

The convenience of saving your credit card on a retailer’s website is undeniable, but there’s also a risk involved, as evidenced by the many breaches of prominent brands. A safer course of action is to use a password manager that also stores payment information so that you can control access to this sensitive information. For one-off transactions with retailers you don’t know very well, we recommend against permitting payment information to be stored at all.

Password policies

Retailers love it when you become a member because it opens new avenues to market their goods and services. While there are many benefits to membership, be wary of how much information you give up upon joining. We recommend you limit yourself to providing only that which you would be okay with exposing in the case of a breach.

Pay particular attention to password security. Our research found the greatest variation between websites in that area. For example, BooHoo requires only that passwords be at least five characters, despite the fact that the site offers to store payment information. This is unacceptably weak security, in our view. Most sites specify a minimum of six to eight characters with a combination of upper- and lower-case letters and symbols. That is better than five characters, but length and unpredictability do more for you than composition rules: a required capital usually ends up at the start and a required digit or symbol at the end, and password-cracking tools try exactly those patterns first. A few sites offer strength meters, which assess the security of your password as you type. The more guidance the site offers the better. No matter what the requirement, use at least an eight-character password (longer is better), use a different one for every retailer, and avoid easily guessed substitutions, such as “1” for “l” or “@” for “a”, which cracking tools undo automatically.
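The gap between a composition rule and an actual predictability check is easiest to see in code. The snippet below is an added example written for this page, not Keeper Security’s code: it implements the kind of “six characters, mixed case and a symbol” rule the article describes alongside a check that undoes the usual substitutions and compares against a blocklist. The blocklist is a constructed handful of entries (a real deployment would use a breached-password list), and the function names and the eight-character minimum are the author’s choices.

```python
"""Composition rule versus predictability check for registration passwords.

Added example: COMMON_PASSWORDS is a constructed stand-in for a real
breached-password list; MIN_LENGTH and the helper names are assumptions.
"""
import re

MIN_LENGTH = 8

# Substitutions that cracking rule sets undo as a matter of course.
# "1" is ambiguous (i or l), so both readings are tried.
_LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t",
         "@": "a", "$": "s", "!": "i", "|": "l", "+": "t"}
_LEET_TABLES = [
    str.maketrans({**_LEET, "1": "i"}),
    str.maketrans({**_LEET, "1": "l"}),
]

# Constructed blocklist for the example.
COMMON_PASSWORDS = {
    "password", "letmein", "qwerty", "welcome", "football", "monkey",
    "christmas", "shopping", "boohoo", "123456", "iloveyou",
}


def normalised_forms(password: str) -> set:
    """Lower-case, strip leading/trailing digits and symbols, undo substitutions.

    Returns every variant so that 'P@ssw0rd1', 'pa55word' and 'Password2017!'
    all collapse to 'password' among their forms.
    """
    lowered = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped}
    for table in _LEET_TABLES:
        forms.add(lowered.translate(table))
        forms.add(stripped.translate(table))
    return forms


def meets_composition_rule(password: str, min_length: int = 6) -> bool:
    """The rule the article describes: a minimum length plus mixed case and a symbol."""
    return (
        len(password) >= min_length
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(not c.isalnum() for c in password)
    )


def check_password(password: str, username: str = "") -> tuple:
    """Return (accepted, problems). Length and predictability decide, not composition."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password.lower())) < 4:
        problems.append("fewer than four distinct characters")
    forms = normalised_forms(password)
    if forms & COMMON_PASSWORDS:
        problems.append("a common password, possibly with substitutions or a trailing number")
    if username and any(username.lower() in f for f in forms if f):
        problems.append("contains the account name")
    return (not problems, problems)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Chr1stmas2017!", "Boo!", "correct horse battery staple"]:
        accepted, why = check_password(pw, username="boohoo")
        rule = "passes" if meets_composition_rule(pw) else "fails"
        print(f"{pw!r}: composition rule {rule}; check {'accepts' if accepted else 'rejects'} {why}")
```

Run as written, “P@ssw0rd1” and “Chr1stmas2017!” pass the composition rule and are rejected by the check, while the long all-lower-case passphrase fails the composition rule and is accepted. That inversion is the reason to treat a site’s “must contain a symbol” requirement as a floor, not as evidence of strength.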

Checkout

All the retailers we visited provide checkout over HTTPS (that is, TLS; the protocol is still commonly called SSL, although the SSL versions themselves are obsolete). Most also display the logos of card-issuer authentication schemes on their payments page, such as Verified by Visa, MasterCard SecureCode and American Express SafeKey. These are 3-D Secure programmes in which your card issuer, rather than the retailer, confirms that you are the cardholder; that step is what protects you. The logo itself proves nothing, since it is an image any site can copy, so treat the badges as a sign the retailer has enrolled rather than as a guarantee.

Some retailers offer to save your payment information at the point of sale. As noted above, we recommend against this practice. Some also use checkout to try to sign you up for their mailing lists or third party offers. If you already receive enough marketing messages, keep an eye out for this practice, since most retailers automatically opt you in and require you to make the effort to remove your name.

Summary

The profusion of recent security breaches should have every retailer on high alert to safeguard customer information. While all the sites we visited do a good job of covering the basics, we found significant variation in attention to detail. That doesn’t mean the more attentive sites are necessarily more secure, but if given the choice, we prefer to spend our money with companies that give protection of our personal data more than just lip service. Enjoy the online shopping season, but be careful to give up no more information than is really needed.

(Source: Keeper Security)

Whilst recent cyber-attacks have highlighted the need for all organisations to review their IT security, many business owners remain unaware how vulnerable reliance on mobile devices can leave them to cybercrime.

According to a recent report, two thirds (64%) of SMEs currently rely on mobile phones for business purposes, with an increasing majority of these (49%) being smartphones. However, recent reports indicate that iOS devices such as iPhones are no longer immune to malware attacks and Android-powered phones remain especially susceptible to malicious mobile apps. As a result, A&O IT One Solution (www.aoitgroup.co.uk) is urging small businesses to minimise their corporate security risk by carrying out a full audit to assess their threat levels.

With 66% of SMEs having experienced cybercrime, the worldwide IT support and technology services specialist recognises that smartphones are not always covered by companies’ computer and internet usage guidelines. As a result, employees may not realise that mobile malware could allow hackers to access sensitive information, from downloaded work files and confidential emails to login details.

Rod Moore, chairman of A&O IT One Solution, said: “As mobile devices continue to blur the lines between traditional phone and IT devices, it can be all too easy to overlook how smartphones are an extension of your IT equipment. However, with cyber-related attacks having the potential to bring small businesses to their knees, it’s essential that SMEs ensure any phone being used for work purposes has the same level of antivirus software installed on it as office computers.”

(Source: A&O IT)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.