
In fact, internet crime rates have been rising over the last few years. Part of the reason that cybercrime has been becoming so much more common is that a lot of people are starting internet-exclusive businesses.

With so many businesses operating online, and so much money being processed and handled online, it should come as no surprise to you that criminals are turning to the internet and committing acts of crime.

This post will tell you about how you can protect your business from criminals.

Internet Law

Internet law isn’t going to prevent you from falling victim to fraud; only common sense and this article’s other suggestions can do that. However, hiring an internet lawyer and familiarizing yourself with the many areas of internet law can help you work out what to do if you ever need to take legal action against somebody over their behavior or conduct on the internet. Internet law is a complex area of law that requires years of study and research. An expert internet lawyer will be able to represent you in court and advise you on what you should do to protect yourself online. Before hiring one, do a little research online and find one with the best reputation and the most experience.

Security Service

If you are the owner of a very large business, then you may be able to hire a dedicated security management service that will be able to manage all of your company’s security needs. Security services can be very expensive, however, which is why they aren’t usually an option for small businesses. Make sure that if you are going to hire a security service you find one with a good reputation and good reviews. A company’s reviews help you to get an idea of what it’s like to work with them.

Using a Firewall

A firewall is absolutely essential if you want to protect yourself online. Firewalls and antivirus software are a great alternative to a security service for businesses that aren’t able to pay for managed security services. Firewalls block viruses and hackers from accessing your devices. Antivirus software scans your entire computer, looking for any signs or traces of viruses. If it detects a virus, it will notify you and give you the option to quarantine and then remove it. The only drawback to antivirus software is that it can be very expensive.

SSL Certificate

An SSL certificate is a great way of protecting the data that’s transmitted through your website. It is also worth noting that most consumers won’t consider doing business with a website that doesn’t have an SSL certificate. An SSL certificate encrypts all of the data and information that passes through your website. You should be aware that if you don’t have an SSL certificate, people’s browsers will highlight your site with a red flag and tell visitors that the website they are visiting isn’t trusted and hasn’t been protected properly, which will deter people from wanting to do business with you.

Password Protection

Take your password security very seriously. A lot of people are frivolous when it comes to their account and device passwords, which opens them up to theft. If you want to keep your website secure, then make sure that you select a password that’s not easy to guess and store it somewhere safe. You should never save device or account passwords on your device. Instead, you should store them on a piece of paper, tucked inside a book, or locked away in a safe or safety deposit box. Locking your password away will keep it safe and prevent people from being able to access it.

Account Access

Lastly, if you want to keep your accounts and devices safe, then limit who can access them. When you own a business, you are going to have to allow some of your employees onto your work devices or accounts. Unfortunately, most data breaches occur from within. Because of this, you need to limit who has access to what. You should prevent new employees from being able to access high-level information. The best way to do this is to give them access to a device or account that isn’t used by you or any of your senior members of staff.

Internet fraud is more common today than it ever has been before. You need to take steps to protect yourself online, or your business could fall victim to fraud. In order to begin protecting yourself online, take the guidance issued in this post. 

Liberty Global and Telefonica, the respective owners of Virgin Media and O2, have announced their intention to merge, converging their services into a single telecommunications giant likely to present a major challenge to BT.

O2 is the UK’s largest phone company, with 34.5 million users on its network that covers Tesco Mobile, Sky Mobile and Giffgaff. Virgin Media has around 3 million mobile users and 5.3 million broadband and pay-television subscribers.

The combination of O2’s 4G and 5G infrastructure and Virgin Media’s ultrafast cable network will create a joint venture worth upwards of £31 billion.

Liberty Global’s chief executive, Mark Fries, emphasised the potential that the merger could hold. “Virgin Media has redefined broadband and entertainment in the UK with lightning-fast speeds and the most innovative video platform. And O2 is widely recognised as the most reliable and admired mobile operator in the UK,” he said in a statement.

Jose Maria Alvarez-Pallette, chief executive of Telefonica, described the coming partnership as “a game-changer in the UK, at a time when demand for connectivity has never been greater or more critical.”

Analysts have begun to speculate on other possible motivations behind the merger, and its likelihood of success. Professor John Colley, Associate Dean at Warwick Business School, suggested that the move may be “opportunistic”, stemming from the focus of the Competition and Markets Authority (CMA) shifting its focus towards business survival during the COVID-19 crisis rather than the protection of competitive markets.

“However, O2 and Virgin Media are businesses that are benefitting from the present covid-induced state of affairs,” Colley continued. “One suspects that the CMA will take a keen interest in this merger.”

Mike Kiersey, Principal Technologist at Boomi, a Dell Technologies business, commented that the success of the merger will likely hinge on the two companies’ ability to bring their respective infrastructures into harmony with each other:

“To establish an efficient operating state, a clear integration framework must be put in place, whether that means the entities remain separate or embrace a purely integrated approach. In most cases, a symbiosis of both IT departments will be the likely result.”

This is according to research carried out by YouGov on behalf of specialist lender, Pepper Money. The research identified and questioned 600 people who have experienced credit problems, including missed payments, CCJs, defaults, unsecured arrears and secured arrears, in the last three years.

It found that 44% of adults who have experienced adverse credit said they would select a broker based on existing relationships while just over a third (36%) said they would ask for recommendations from family and friends.

Paul Adams, Sales Director at Pepper Money, says: “Our programme of research has shown that there is considerable demand for mortgages from people who have experienced credit blips in the last three years, and many of those people have concerns about having an application declined.

“This presents opportunity for brokers to promote the services they offer to potential clients and, with half of customers in these circumstances saying that they would use online research to find a broker, it’s clear that brokers can benefit from working on their online presence.”

Danny Belton, Head of Lender Relationships at Legal & General Mortgage Club says: “It is no surprise that in today’s world, potential customers start their search online to find an adviser. However, the fact that these customers are seeking advice from an adviser is very encouraging. This demonstrates the need for advisers to make themselves more visible online, and to stay close enough to existing customers so that they can be recommended to friends and family that may need their help.”

The Bank of England and the Financial Conduct Authority have informed the financial services sector that they must meet new standards in operational resilience and cybersecurity in the face of a state of near constant cyberattack.

Reflecting on the ‘attack surface’ of the typical financial sector organisation, Dr Simon Wiseman, CTO with UK Cybersecurity firm Deep Secure, looks at the potentially vulnerable areas and suggests ways to mitigate the risks.

Guarding the Gateway

Many of the cyberattacks launched against organisations in the financial services sector start with an exploit or threat concealed in seemingly innocent business content arriving in the corporate network via the email or Web gateway. Whatever the vector and whatever the precise nature of the threat, time and again it is business content – documents, spreadsheets, presentations and images – that is used to conceal the attacker’s intent.

Traditionally, the job of combatting threats concealed in business content arriving at the email and Web gateways has been given to detection-based cybersecurity defences, as typified by anti-virus and anti-malware products. The problem now is that these defences are proving wholly inadequate in the face of increasingly sophisticated cybercriminals, who are now employing against commercial targets the kind of sophisticated, stealthy zero-day exploits that were hitherto the province of nation-state intelligence entities.

Fortunately, new ways of combatting this type of threat are emerging, and one of the most effective is called Content Threat Removal. Content Threat Removal doesn’t attempt to detect the presence of a threat in business content arriving at the gateway. Instead, it assumes that all content is potentially bad. Using a process called content transformation, it intercepts every document and image, extracts only the valid business information from it, discards the original and creates a brand new, threat-free copy to deliver to the intended recipient. The content transformation process can’t be circumvented or evaded because it is not interested in trying to detect anything untoward that the bad guy has hidden in the content. It simply eliminates the risk, even when new forms of attack are devised.

Portal Problems

We’re in the age of the self-service portal. Prospects and customers alike are encouraged to upload documents (often in the Adobe Portable Document Format or PDF) in support of everything from personal loans and mortgages to motor insurance applications. The problem is that while the PDF is a versatile and incredibly useful file format, it is also highly complex, easy to subvert and is regularly used by cybercriminals to carry malicious payloads.

A typical response to the threat posed by PDFs uploaded from the Internet or other untrusted sources has been to try to mitigate the risk by scanning them with multiple detection-based anti-virus scanners. The problem, as we’ve already noted, is that detection-based defences like anti-virus routinely fail to pick up the latest threats and zero-day exploits. Here again, the best way to mitigate this risk is to re-evaluate the defences and deploy a technology that doesn’t rely on detection but uses content transformation at the portal boundary to ensure that only PDFs that are completely threat-free are delivered into the network.

The demand for customers to interact with financial service providers by uploading documents via portals is only going to increase, and so is the danger of compromise from malware concealed within those documents. Mitigating this risk to an acceptable level necessitates a rethink of the defences and a willingness to move away from a dependence on detection and towards complete elimination.

Combatting the Undetectable Exploit

When is an exploit undetectable? Well, one answer is when there is no evidence of how the valuables were taken - only the certainty that they’ve gone! For all the millions spent on highly sophisticated cybersecurity products, the fact is that undetectable exploits keep on occurring. Although there is little certainty over how this is being achieved, what evidence has been uncovered points to the use of exploits that conceal information in images using a technique called steganography.

Image steganography is the attacker’s dream tool. It can be used to infiltrate malware, exfiltrate large amounts of value and maintain secret command and control (CnC) channels, all concealed in seemingly innocuous images. Images, of course, are everywhere, and from a simple tweet to the corporate logo in an email signature, each one can be subverted using image steganography. No data loss protection tool can detect whether an image is harmless or dangerous because image steganography is undetectable.

In the face of the threat posed by image steganography, organisations can either decide to ignore the risk (many still do) or address it using a transformative approach whereby every image is intercepted at the boundary and re-created anew before being passed to the intended recipient. This approach doesn’t try to detect the exploit; it assumes every image could be compromised and renders them all safe, preventing hidden malware getting in, stopping covert information leaks and blocking stealthy command and control channels.
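The content transformation described in the sections above, as an added illustration rather than Deep Secure’s code or a description of its product: a binary PPM image is parsed strictly, only the pixel values are kept, and a brand-new file is written, so header comments and any bytes appended after the pixel grid never reach the recipient. The low-bit dither in `rebuild_ppm` is our assumption of one way to “re-create” pixels so that a least-significant-bit channel cannot survive while the picture stays visually identical; PPM is used for brevity, and the constructed sample image carries a planted marker purely so the scrub can be verified.

```python
import random


class UnsafeImage(ValueError):
    """Input is not an image we are willing to re-create."""


def _read_token(data: bytes, pos: int):
    """Return the next header token, skipping whitespace and '#' comments."""
    while pos < len(data):
        c = data[pos:pos + 1]
        if c.isspace():
            pos += 1
        elif c == b"#":                       # comment runs to end of line and is dropped
            nl = data.find(b"\n", pos)
            pos = len(data) if nl < 0 else nl + 1
        else:
            break
    start = pos
    while pos < len(data) and not data[pos:pos + 1].isspace():
        pos += 1
    return data[start:pos], pos


def parse_ppm(data: bytes):
    """Strictly parse a P6 file: (width, height, maxval, pixels, trailing_byte_count)."""
    magic, pos = _read_token(data, 0)
    if magic != b"P6":
        raise UnsafeImage("not a binary PPM")
    fields = []
    for _ in range(3):
        tok, pos = _read_token(data, pos)
        if not tok.isdigit():
            raise UnsafeImage("malformed header field")
        fields.append(int(tok))
    width, height, maxval = fields
    # Assumed acceptance policy (not a format limit): bounded size, 8-bit samples only.
    if not (0 < width <= 4096 and 0 < height <= 4096) or maxval != 255:
        raise UnsafeImage("unsupported dimensions or sample depth")
    pos += 1                                  # exactly one whitespace byte precedes the pixels
    n = width * height * 3
    pixels = data[pos:pos + n]
    if len(pixels) != n:
        raise UnsafeImage("truncated pixel data")
    trailing = len(data) - (pos + n)          # bytes after the pixel grid never reach the copy
    return width, height, maxval, pixels, trailing


def rebuild_ppm(data: bytes, scrub_lsb: bool = True, seed=None) -> bytes:
    """Write a brand-new image from the parsed pixel values only.

    With scrub_lsb, the least-significant bit of every sample is re-drawn at random
    (a +/-1 change, invisible to the eye), so a payload hidden in those bits cannot
    survive. This dither is our assumption, not a description of any product.
    """
    width, height, maxval, pixels, _ = parse_ppm(data)
    if scrub_lsb:
        rng = random.Random(seed)
        pixels = bytes((p & 0xFE) | rng.getrandbits(1) for p in pixels)
    return b"P6\n%d %d\n%d\n" % (width, height, maxval) + pixels


def lsb_read(pixels: bytes, nbytes: int) -> bytes:
    """Read nbytes from the LSB channel; used only to verify that the scrub worked."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for sample in pixels[i * 8:(i + 1) * 8]:
            byte = (byte << 1) | (sample & 1)
        out.append(byte)
    return bytes(out)


def _lsb_write(pixels: bytes, payload: bytes) -> bytes:
    """Fixture helper: plant payload bits in the LSBs so the scrub can be demonstrated."""
    out = bytearray(pixels)
    i = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


# Constructed sample: an 8x8 image with a header comment, an LSB-planted marker and a
# blob appended after the pixel data. None of it is a real payload.
MARKER = b"HIDDEN"
WIDTH, HEIGHT = 8, 8
TRAILING_BLOB = b"CONSTRUCTED-TRAILING-BLOB"
_BASE = bytes((i * 7) % 256 for i in range(WIDTH * HEIGHT * 3))
SAMPLE_PPM = (b"P6\n# constructed comment, not a real payload\n%d %d\n255\n" % (WIDTH, HEIGHT)
              + _lsb_write(_BASE, MARKER) + TRAILING_BLOB)

if __name__ == "__main__":
    _, _, _, px, trailing = parse_ppm(SAMPLE_PPM)
    print("before:", trailing, "trailing bytes, LSB channel:", lsb_read(px, len(MARKER)))
    _, _, _, px2, trailing2 = parse_ppm(rebuild_ppm(SAMPLE_PPM, seed=1))
    print("after: ", trailing2, "trailing bytes, LSB channel:", lsb_read(px2, len(MARKER)))
```

Anything the strict parser rejects (wrong magic, oversized dimensions, truncated data) is refused rather than forwarded, which is the posture the article argues for: the gateway never has to decide whether the oddity is malicious.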

A Stronger Screen for SWIFT

Thefts via SWIFT have been under the spotlight. SWIFT, the global provider of secure financial messaging services, is the mechanism by which financial organisations exchange financial messages relating to payments, securities, treasury and trade. Since at least 2013, those that use SWIFT within financial organisations have been targets of concerted attack, with many banks across the world falling victim and incurring sometimes heavy losses. Many of these exploits have involved gaining access to credentials or exploiting vulnerabilities in ageing network equipment. Addressing these issues is obviously good practice, but there are further steps the organisation can take to build a stronger screen for SWIFT users.

There is some evidence that attempts to target SWIFT users may take the form of so-called ‘sideways attacks’. To elaborate, the initial penetration takes place via email or Web at the boundary into the corporate network. With a beachhead established, the criminals can orchestrate a multi-part attack, whereby malware is triggered on the corporate network to distract the security team while the real target, users with access to SWIFT, is hit ‘sideways’ from already compromised workstations inside the network.

As stated earlier, best practice in combatting this type of activity has to be reviewing the boundary defence (email and Web) and deploying cybersecurity technologies that don’t rely on detection to identify malware carried in documents but instead transform the content. While not the only answer to a stronger screen for SWIFT, adopting this approach will ensure that incoming business content is rendered 100% threat-free.

Building a Cryptocurrency Fortress

It’s really something of a mistake to think that cryptocurrency security is all down to the cryptography. The real security risk you have to consider is how to keep the coins safe when they are in storage. So you have to think about where the coins are held in the same way as you need to think about where conventional cash is kept.

Ultimately, keeping cryptocurrency coins in a properly designed hardware ‘wallet’ that is not connected to the Internet ensures you have full control over them, but it’s a manual process and not scalable. Allowing the coins to be controlled by a connected system means that system has to be able to repel all current and future cyberattacks. This kind of ‘failure is unthinkable’ protection has previously only been associated with defence and intelligence systems but is becoming increasingly important to online cryptocurrency systems. The providers of these systems are going to have to deploy the latest security mechanisms, guarding the system that hosts the keys to ensure they are not compromised and trust in the entire ecosystem is not undermined.

Organisations in the financial services sector are rightly concerned about the attack surface they present to the attacker. Going forward, they must be prepared to reduce their reliance on detection-based cybersecurity defences and adopt new technologies such as content transformation if they are to improve their overall security posture.

Online fraud against UK citizens has become a topic for widespread discussion as more avenues for data theft are opened to criminals. Below Finance Monthly discusses with experts at Money Guru, the true value of your personal data and the cost of keeping it safe.

Experian places the annual cost of fraud against Brits at £6.8bn and, with more and more of our personal information available online, it’s likely to rise unless proper precautions are taken.

If you aren’t savvy with your data, which includes everything from social media logins to financial details, it could end up being available to malicious actors online through channels like the dark web.

Personal finance experts Money Guru have conducted research on several Dark Web marketplaces to find the average cost of stolen data. Their findings are shocking to say the least.

Access to someone’s entire online identity is available for less than £750.

26 of the most commonly used accounts available on the Dark Web can be purchased for a grand total of… £744.30.

Digging deeper into the online services that each individual Brit is likely to use, it becomes even more shocking with the full details of 16 accounts including finance, travel, entertainment and email credentials, available for £696.90.

Let’s look at each individual data classification to find out how the loss of even one set of account details could seriously affect you.

Financial Information

Scammers can buy credit card and debit card details, online banking logins, passwords and PayPal account information – all of these combined – for £619.40. This not only allows malicious actors access to your funds, but also to a wealth of personal data that can be used for identity fraud.

Online Shopping Details

You may not be overly concerned with the security of your online shopping accounts, but they provide a great level of insight into your transactional habits as well as providing criminals the ability to order products through your account via a mail drop.

Travel Account Information

With access to accounts like Uber and Airbnb, malicious actors are given access to a lot of sensitive locational data. Not only can they access the basic details you enter to create an account, they will also be able to monitor your travel habits.

Entertainment Account Information

It’s tough to find someone who doesn’t have a Spotify or Netflix account these days, making them a popular target for online criminals. At the less serious end of the spectrum, it enables access to free entertainment, while on the more sinister side it provides password clues to other associated accounts.

Social Media Account Information

There are few better methods of gaining insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with little scruples about targeted advertising. It’s also a fast track to identity theft.

Email & Mobile Account Data

Being able to access emails and mobile account data provides fraudsters with a treasure trove of information about their target. It offers a jumping-off point for the popular, low-effort practice of spear-phishing – where a malicious actor tries to gain the credentials to more valuable accounts via social engineering and malware.

To compile this study, Money Guru accessed some of the most popular dark web marketplaces (‘Dream Market’, ‘Wall St Market’ and ‘Berlusconi Market’) to find an average price for each piece of personal data.

The big takeaway from their research is that your personal data really isn’t worth a great deal to online criminals. While the average amount stolen from a UK fraud victim is relatively small, 39% of cases result in £250 or more being stolen. In 25% of cases, this amount can vary from £500-£40,000.

The fact that it costs scammers less than £750 to access 26 accounts when it would only take a fraction of this number to potentially access tens of thousands is a frightening one.

PayPal is an American company operating a worldwide online payment system that supports online money transfers and serves as an electronic alternative to traditional paper methods like checks and money orders. PayPal is one of the world's largest Internet payment system companies.

Established in 1998, PayPal had its initial public offering in 2002, and became a wholly owned subsidiary of eBay later that year. In 2014, eBay announced plans to spin-off PayPal into an independent company. Today, PayPal has over 200 million users worldwide. Under the kind patronage of Samuel Patterson.

Nearly 9 in 10 technology professionals believe blockchain technology will be as transformative for business as the internet has been.

New research from Intrinsic Insights commissioned by BTL Group has revealed that after reduced costs, the main benefits of blockchain technology are greater data security and protection against cyber threats.

At a time that concerns over data are at their highest, blockchain technology is considered a very adept way to provide greater privacy.

“In a world of increasing concerns over the security and integrity of our data, individuals and businesses are realising the inherent benefits that applications built on blockchain technology can provide when keeping people’s data private,” said Dominic McCann, CEO of BTL Group. “This research also illustrates just how many businesses are looking at using blockchain and of those that are yet to explore it, there is a significant proportion looking to do so in the next two years.”

After two years of high-profile and successful blockchain projects, learning how blockchain can be developed better, on Monday 23rd April BTL Group will be test-launching Interbit, its multiple-blockchain platform: a next-generation platform with a unique “chain joining” capability specifically created so that developers and businesses can quickly, easily and securely build applications.

Tackling these issues head-on, after two years of development and investment, Interbit’s unique “chain joining capability” has the capacity to interconnect many thousands of Interbit blockchains per solution in a completely private, secure and horizontally scalable manner, addressing the shortcomings of.

A token-free blockchain platform, Interbit has been developed for ease of use. Whether the user is a global enterprise, business innovator or software developer, the platform has been written in JavaScript to provide a level of simplicity that is efficient for users and requires no new programming languages or tools to be learned.

Tom Thompson, CTO of BTL Group Ltd. said: “After two years of successfully completed high profile proof of concepts, significant investment and committed development, we are ready to release our Interbit platform for testing and feedback. What we have built is a next generation blockchain platform that allows users to benefit from our chain joining capability by easily and quickly building fast, scalable and secure blockchain applications. Developers can be up and running on an Interbit blockchain within minutes.”

(Source: BTL Group)

In this clip from 1999, Jack Ma delivers a speech to 17 friends in his apartment to introduce Alibaba and lay out his plan to compete with US internet titans.

The chances are your organisation is adopting cloud computing in one way or another. Moving to the cloud can help you accelerate IT delivery, realize immediate productivity and financial efficiencies, and ultimately, drive business agility. But it can also open up the attack surface, leaving the entire organisation exposed to security threats. Here Andrew Lintell at Tufin explains the ins and outs of cloud security and offers valuable insight on making it as tamper proof as possible.

The adoption of cloud services is continuing its rapid upward trend, and the market is expected to rise 18% this year to $246.8 billion. Networks are becoming more and more complex as the modern IT infrastructure adopts private and public cloud platforms to make better use of an array of cloud services.

Yet public and private cloud services can present many challenges to chief information security officers (CISOs) as they struggle to keep up with ever-evolving technologies and enrol multiple vendors to cater to different departmental needs – all in addition to the associated security risks to their businesses. Security leaders are aware that achieving business objectives depends on adopting security best practice across all levels of IT, including the cloud.

However, one of the problems is that some cloud services are being used without the knowledge of the IT department, bypassing security policies and therefore the reach of enterprise security – otherwise known as Shadow IT. In fact, Gartner has predicted that by 2021, 27% of all corporate data traffic will bypass perimeter security (up from 10% today) and flow directly from mobile and portable devices to the cloud. This causes untold sleepless nights for CISOs and makes their job of managing and securing the use of rapidly multiplying cloud services across an entire, and often global, organisation a continuing battle. To make things more complicated from a security point of view, many CISOs lack a single-pane-of-glass view into their networks through which they can see and address risks.

With security now top of the agenda for organisations of all sizes, here we consider the primary challenges that CISOs need to address in order to close the security gaps that exist as they move to the cloud.

Improving visibility

While most enterprises have already adopted private, public cloud, and hybrid network technologies, one of the biggest resulting challenges for CISOs is that cloud environments are dynamic, with limited visibility. That lack of visibility is likely the result of ownership over virtual infrastructure in public clouds now being held by central enterprise IT teams. With the inclusion of the public cloud, networks are increasingly large, fluid in change, and complex, and so are the security policies needed to manage across multiple platforms and technologies.

With this in mind, it is no surprise that surveys consistently show that cloud security is an on-going struggle for IT security professionals, with many organisations reporting that it is difficult to get the same level of visibility into cloud-based workloads as they have on their physical network. Good data governance is key, and CISOs need to know where information is being shared and stored, and what cloud services the company might be using. One department might be daily users of Dropbox, for example, and another department might prefer to communicate and share files using collaborative tools such as Slack. Regardless of who is collecting the data, the points of data aggregation and storage need to be well documented and protected given the impending requirements, and penalties of non-compliance, with GDPR.

More often than not, enterprises decide to migrate their on-premises systems over time – a kind of ‘dipping a toe’ approach to public cloud platform adoption. Alternatively, they may migrate to a private cloud (or hybrid network) to maintain a higher degree of control. Regardless of their choice between the public or private cloud – or in some cases, both – the problem is that cloud migration adds to the complexity of the network and inhibits visibility across it when introducing new vendors that bring with them increasing east-west traffic. To seamlessly map and consolidate the management of these platforms and avoid business disruption, enterprises must enrol the help of network security policy management across the corporate network to ensure visibility and consolidate the management of multiple tools.

Without visibility, it’s impossible for CISOs to enforce consistent policies and mitigate risks. Traditional security tools, like firewalls and intrusion detection systems, work effectively within an organisation’s four walls, but continuous manageability becomes difficult when it comes to adding additional tool providers necessary for the cloud. With a centralised view and management over a network through a single console, organisations can overcome the lack of visibility often associated with cloud adoption and simplify the management of security policies across multiple tools, mitigating risk and ensuring compliance across the entire enterprise.

Visibility also benefits from creating a risk ranking of the cloud services in use. This should include an assessment of whether a particular service has been breached recently, whether they encrypt data in transit and if their system has been patched or configured to address high profile threats like the infamous Heartbleed, WannaCry, or ExPetr, for example.

Ensuring compliance

As part of the process of moving data from a company’s internal system to the cloud, organisations are forced to examine closely how that data will be kept so that they remain compliant with laws and industry regulations. This raises a whole range of questions for security professionals. Where will our data be stored? Who is looking after it? Who will be able to see it and can we control that access? How secure is that cloud platform? Have we ensured that our deployments have been effectively and securely configured?

The type of data organisations are storing could be anything from intellectual property to payment information to personal data. Each data type has regulatory requirements to comply with. For example, the Payment Card Industry Data Security Standard (PCI-DSS) is a proprietary information security standard for organisations that handle card data, and the upcoming General Data Protection Regulation (GDPR) is the new legal framework in the EU covering personal data.

Data must be classified, and organisations must understand what data can be allocated to the cloud and what may need to remain stored in-house. Organisations must also know how – and where – data is being protected and backed up.

Gaining control

The complex IT environment that CISOs have to contend with today includes multiple endpoints subject to the fluctuations brought on by a wide range of mobile devices and desktops. End users are choosing multiple cloud vendors, but many of the features that make cloud-based applications so attractive, such as sync, share, and ease of collaboration, are the very things that put corporations at risk when it comes to cloud usage.

Securing hybrid environments requires CISOs to gain control of their security configurations in the cloud. Best practice revolves around developing a unified security policy with a detailed snapshot of the entire network, defining what type of data is in use and prescribing the appropriate measures for each type. When enterprises can quickly and accurately apply a policy – regardless of the environment – control and business agility is gained.

Finally, organisations need to control who has access to specific data sets. This means that as people come in and out of an enterprise, revoking access credentials is very important for former employees. The danger is that when people leave, they still have access to information stored through cloud providers.

Organisations need a seamless way to bring infrastructure, people, and processes together - a “single pane of glass” that can manage security policies and configuration across the whole network. With cloud infrastructure now increasingly commonplace, it’s important that organisations follow best practice such as this, to make the cloud security experience as safe, sound, and secure as possible. The alternative would leave infrastructures exposed to the security threats that lurk around every corner.

The security of banks’ and other financial institutions’ websites has been in the spotlight recently, notably in the case of NatWest bank which was involved in a public discussion regarding its site. Below Jacob Ghanty, Head of Financial Regulation at Kemp Little LLP, discusses the legal implications of website security, along with the potential consequences and of course some solutions to follow up on.

Importance of bank website security

With the diminishment of the physical branch networks that UK banks have maintained traditionally, banks’ online services are a fundamental means through which they deliver core banking services to their customers.

In the case of NatWest, a security expert identified that the bank was not using an encrypted https (Hypertext Transfer Protocol Secure) connection for a customer-facing website (in contrast with its connection for online banking services). The security expert suggested that hackers could redirect site visitors away from NatWest to other sites using similar names. NatWest stated that it would work towards upgrading to https within 48 hours.

Legal obligation to protect customer data

This type of issue is not new and has affected other banks as well. As long ago as 2007, the Information Commissioner’s Office (ICO) named and shamed 11 banks for unacceptable data security practice.

From a data privacy law perspective, under current legislation (the Data Protection Act 1998 (DPA)) organisations are required to have appropriate technical and organisational measures in place to protect data against unauthorised or unlawful processing, and against accidental loss or destruction of or damage to personal data (data security breach). The DPA does not define "appropriate technical and organisational measures" but the interpretive provisions state that, to comply with the seventh data protection principle, data controllers must take into account the state of technical development and the cost of implementing such measures. Moreover, security measures must ensure a level of security appropriate to both: the harm that might result from such a data security breach; and the nature of the personal data to be protected.

From a financial services regulatory perspective, banks are subject to a requirement in the Prudential Regulation Authority Rulebook to: “…establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question. … a firm must have sound security mechanisms in place to guarantee the security and authentication of the means of transfer of information, minimise the risk of data corruption and unauthorised access and to prevent information leakage maintaining the confidentiality of the data at all times.” Breach of this and related rules (including a requirement to implement adequate systems and controls to monitor and detect financial crime) would leave banks open to disciplinary action.

The importance of an HTTPS connection

Any data sent between a customer’s device and a website that uses https is encrypted, and is therefore unusable by anyone intercepting it unless they hold the encryption key; https also lets the browser verify that it is talking to the genuine site and that the page has not been altered on the way. Without https protection, an attacker positioned between the customer and the bank (on public Wi-Fi, for example) could, in principle, alter the bank’s pages in transit and re-direct users to a fake or “phishing” website where their data could be stolen. Phishing sites are designed to appear like a bank’s own website to lure customers into disclosing their personal data. Many such sites are quite sophisticated (incorporating fake log-in mechanisms, and so on) and present genuine risks to customers’ data.
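The check a practitioner would run once a site has “upgraded to https” is that a plaintext http:// request is redirected to https:// on the same host, and that the https response carries a Strict-Transport-Security (HSTS) header so the browser will not make the plaintext request again. The following is an added example, not code from the article or from any bank; the two raw responses and the host name example-bank.test are constructed for illustration, and fetch_head() is provided for running the same assessment against a live host.

```python
"""Check that a customer-facing site forces HTTPS and pins it with HSTS.

Constructed example: the responses and host below are made up for this page.
Use fetch_head() to obtain real (status, headers) pairs for a live host.
"""
import re
from urllib.error import HTTPError
from urllib.parse import urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    # Stop urllib following redirects so the first hop can be inspected directly.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_head(url, timeout=10):
    """Return (status, headers) for the first response, without following redirects."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:  # an un-followed 3xx surfaces as HTTPError
        return err.code, dict(err.headers)


def parse_raw_response(raw):
    """Parse a raw HTTP/1.1 response head (bytes) into (status_code, {header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def assess_transport(host, http_resp, https_resp, min_hsts_age=31536000):
    """Return a list of findings; an empty list means the upgrade is enforced and pinned.

    host:       the host the plaintext http:// request was sent to
    http_resp:  (status, headers) of the first response to that plaintext request
    https_resp: (status, headers) of the response to the equivalent https:// request
    """
    findings = []
    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}

    if status not in (301, 302, 307, 308):
        findings.append("plaintext request answered with %d, not a redirect: the page can be "
                        "read and rewritten in transit" % status)
    else:
        target = urlsplit(headers.get("location", ""))
        if target.scheme != "https":
            findings.append("redirect target is not https: %r" % headers.get("location"))
        if target.hostname and target.hostname != host:
            # Leaving the requested host is worth a second look even when it is https.
            findings.append("redirect leaves %s for %s" % (host, target.hostname))
        if status in (302, 307):
            findings.append("temporary redirect; use 301 or 308 so clients cache the upgrade")

    # Browsers ignore HSTS sent over plaintext, so it must be checked on the https response.
    https_headers = {k.lower(): v for k, v in https_resp[1].items()}
    hsts = https_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: the next http:// visit is unprotected")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        age = int(match.group(1)) if match else 0
        if age < min_hsts_age:
            findings.append("HSTS max-age %d is below %d" % (age, min_hsts_age))
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")
    return findings


# Constructed sample responses (not captured from any real bank).
GOOD_HTTP = (b"HTTP/1.1 301 Moved Permanently\r\n"
             b"Location: https://www.example-bank.test/\r\n"
             b"Content-Length: 0\r\n\r\n")
GOOD_HTTPS = (b"HTTP/1.1 200 OK\r\n"
              b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
              b"Content-Type: text/html\r\n\r\n<html>...</html>")
BAD_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
BAD_HTTPS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"


def assess_samples():
    """Run the check over the constructed good and bad pairs."""
    host = "www.example-bank.test"
    return {
        "good": assess_transport(host, parse_raw_response(GOOD_HTTP), parse_raw_response(GOOD_HTTPS)),
        "bad": assess_transport(host, parse_raw_response(BAD_HTTP), parse_raw_response(BAD_HTTPS)),
    }


if __name__ == "__main__":
    for name, result in assess_samples().items():
        print(name, "->", result or "OK")
```

Against a live host, call fetch_head("http://<host>/") and fetch_head("https://<host>/") and pass the two pairs to assess_transport(). A 301 to https on the same host with a long-lived, includeSubDomains HSTS policy is the state the article describes NatWest moving towards; anything in the findings list is a gap an on-path attacker could still use.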

Legal and financial consequences for banks who fail to protect their customers’ data

From a data privacy law standpoint, the ICO has the power to impose financial penalties on data controllers of up to £500,000 for a serious breach of the data protection principles. For example, in October 2016, the ICO imposed a £400,000 fine on TalkTalk for a breach of the seventh data protection principle.

The EU’s General Data Protection Regulation (GDPR) will take effect from 25 May 2018. The GDPR will impose stricter obligations on data controllers than those that apply under the DPA.  The GDPR will significantly increase maximum fines for data controllers and processors in two tiers, as follows: up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers, and data protection by design and default; and up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects’ rights and international data transfers.

Key next steps for banks to protect financial and customer data

There are several obvious steps that banks can take to protect financial and customer data including carrying out a cyber security audit, maintaining adequate detection capabilities and putting in place recovery and response systems to enable them to carry on in case of an unexpected interruption.

There are number of useful sources of information in this area including: the FCA’s speech in September 2016 on its supervisory approach to cyber security in financial services firms; various ICO guides on information security; the FCA’s Financial Crime Guide; and the FSA’s Thematic Review Report on data security in the financial services sector of April 2008.

Mobile shopping in the UK, France and Germany accounted for 28% of online Christmas orders in 2016, according to CJ Affiliates, with the UK bringing in an even bigger proportion at 44%. And these figures are set to grow even more in the lead-up to the 2017 festive period.

According to Keiron Dalton, mobile banking expert from Aspect Software, with the Golden Quarter set to see another boom in mobile payments and complex transactions, the opportunities for fraudsters to make their move on the shopping public are greater than ever. Keiron, head of Aspect’s global digital identity division, also argues that fraud which relies heavily on social engineering and on bypassing weak security processes, such as SIM Swap, is on an upward trend in the UK and other regions, including Africa. According to Keiron, fraudsters take advantage not only of the upswing in mobile payments activity, but also of the sentiment surrounding the holiday for a lot of people.

Keiron explained: “SIM Swap fraud occurs when a criminal registers an existing phone number of a victim on a new SIM card by impersonating the victim to the mobile phone provider. Once activated, a criminal will receive all the calls and SMS notifications sent to the victim’s mobile number and can deactivate the original SIM card in the process. Once in control, criminals are able to bypass SMS-based one-time-passcodes, and steal large amounts of money quickly. This often happens before the victim is even aware they have been targeted.”

“We are working closely with the GSMA, as well as with a number of big banks and leading mobile network operators in the UK and in the rest of Europe to build a collaborative effort to fight new types of fraud like SIM Swap, but consumer awareness of the crimes has stayed relatively out of the headlines. If your phone or SIM card has been compromised, there are a number of tell-tale signs to look out for before it gets too far,” Keiron said.

  1. Phishing messages and suspicious communications asking for information

SIM Swap fraud requires the fraudster to have the victim’s bank details. These are often obtained through an email phishing attack, unsolicited communications asking for details, or by purchasing that information from online crime gangs. You should never respond to these types of communications or send your bank details over any channel that could be read by someone else. Your bank will never ask for this information, so don’t be fooled by fraudsters imitating your bank. Such details give the criminal the initial opportunity to get account access or to obtain a duplicate SIM card; they can also provide the answers to personal security questions.

  2. Extended loss of signal

Once a SIM swap has taken place, it is not instantly noticeable to the victim. An extended loss of signal is the first sign, because the number has been moved to the fraudster’s SIM and the original SIM is deactivated. Contact your mobile network provider to check whether it is a widely known outage or is isolated to your device.

  3. Floods of calls and messages

This tactic runs in parallel with the loss of signal. Criminals send a flurry of nuisance calls and/or messages in an attempt to get victims to turn their phone off. If you’re suspicious, it’s vital that you don’t turn your phone off: the flood is a distraction to delay you noticing the loss of service when the SIM is swapped.

  4. Opening links on your phone

Whether the link arrives in a phishing message or sits on an unknown website, mobile phone users should be cautious about opening links on their device, and delete anything suspicious immediately. Links can lead to application packages that, if installed, give the people behind the malware administrator rights over the victim’s device.

  5. Be aware of the source of any applications you download

Only download applications or make in-app purchases from approved sources or stores. To prevent suspicious applications from being installed, Android phone users can go to Settings/Security and turn the ‘Unknown Sources’ option off, which stops the phone installing apps from anywhere other than Google Play. (On newer Android versions this is a per-app permission, found under ‘Install unknown apps’, and should be left disabled for browsers and messaging apps.)

(Source: Aspect)
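The bank-side counterpart to the advice above is to stop treating an SMS one-time passcode as a trustworthy second factor when the number it would be sent to has just been moved to a new SIM. Operators can report the time of the last SIM activation for a number (the kind of operator data the collaboration Keiron describes is about), and a bank can use that signal to choose a different factor or park the payment. The code below is an added illustration, not Aspect’s, the GSMA’s or any bank’s software: the SIM_EVENTS table, the phone numbers, the 72-hour window and the £1,000 threshold are all assumptions made up for this example, standing in for a real query to the operator.

```python
"""Gate SMS one-time passcodes on a recent-SIM-change signal.

Constructed example: the operator event log, numbers, window and threshold
below are invented for illustration; a real deployment queries the mobile
network operator's SIM-swap check rather than a local dict.
"""
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple

UTC = timezone.utc

# Hypothetical operator-side view: SIM activations per number, newest last.
# In practice this comes from the MNO, not from the bank's own records.
SIM_EVENTS: Dict[str, List[Tuple[datetime, str]]] = {
    "+447700900123": [(datetime(2017, 11, 1, 9, 0, tzinfo=UTC), "activate"),
                      (datetime(2017, 12, 9, 22, 5, tzinfo=UTC), "activate")],  # swapped last night
    "+447700900456": [(datetime(2017, 3, 14, 12, 0, tzinfo=UTC), "activate")],
}

# Constructed "current time" used by the demo: the morning after the swap above.
SAMPLE_NOW = datetime(2017, 12, 10, 10, 0, tzinfo=UTC)


class Factor(Enum):
    SMS_OTP = "sms_otp"                      # acceptable only when no recent SIM change is seen
    APP_PUSH = "app_push"                    # out-of-band: does not travel over the SIM/SMS channel
    HOLD_AND_CALLBACK = "hold_and_callback"  # park the payment and call back on a known channel


def last_sim_change(msisdn: str) -> Optional[datetime]:
    """Most recent SIM activation for the number, or None if the operator has no record."""
    activations = [when for when, kind in SIM_EVENTS.get(msisdn, []) if kind == "activate"]
    return max(activations) if activations else None


def choose_second_factor(msisdn: str, now: datetime, amount_gbp: float,
                         swap_window: timedelta = timedelta(hours=72),
                         high_value_gbp: float = 1000.0) -> Factor:
    """Pick the second factor for a payment, refusing SMS when the SIM changed recently.

    A SIM swapped inside swap_window means any SMS code would reach the fraudster,
    so the decision falls back to a channel that does not depend on the phone number.
    """
    changed = last_sim_change(msisdn)
    if changed is None:
        # No operator record: fail closed rather than assume the SMS channel is safe.
        return Factor.APP_PUSH
    if now - changed <= swap_window:
        if amount_gbp >= high_value_gbp:
            return Factor.HOLD_AND_CALLBACK
        return Factor.APP_PUSH
    return Factor.SMS_OTP


if __name__ == "__main__":
    for number, amount in (("+447700900123", 2500.0), ("+447700900123", 50.0),
                           ("+447700900456", 2500.0), ("+447700900999", 10.0)):
        print(number, amount, "->", choose_second_factor(number, SAMPLE_NOW, amount).value)
```

The window and threshold are policy choices; the design point is that the check happens before the SMS is sent, and that an unknown or unavailable operator answer is treated as a reason to avoid SMS, not as permission to use it.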

When it comes to monitoring social media usage in the workplace, just half (50%) of companies have internet guidelines in place, despite new research from A&O IT Group revealing that SME staff are spending up to 57% of their day on popular social media channels.

The national review investigated the potential long-term impact of overlooking IT support, including the absence of adequate internet guidelines, which raises the risk of cybercrime and the technology breakdowns that often follow it.

Despite almost a third (30%) of SMEs admitting that they had lost at least one full working day to technology issues, and over two-fifths (42%) admitting that they have lost income due to IT issues, the research highlighted that over half (54%) of SMEs across the UK don’t have annual IT check-ups that could identify and prevent potential system issues.

The survey from the specialist SME and small business IT support service indicated that Facebook is the biggest draw on the time of SME business owners’ employees, with 33% saying their staff accessed it during the working day, compared with 14% for Twitter and 10% for Instagram.

The findings follow the launch of A&O IT’s specialist SME and small business IT support service in the UK market. The new technology enables SMEs to tap into the same levels of expertise and experience enjoyed by big businesses across the globe. This includes a complete managed IT service through to crisis recovery, cyber security, remote data back-up, annual IT reviews, hardware management and cloud services.


(Source: A&O IT Group)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.