When adopting new payment methodologies, banks must strike a challenging balance between ease of use and access and the need to put in place stringent levels of security. With technology evolving at ever-increasing rates, it’s increasingly difficult to keep on top of that challenge. Below Finance Monthly hears from Russell Bennett, chief technology officer at Fraedom, on this challenging balance.

Banks first need to put in place an expert team with the time, resource and capability to stay ahead of the technological curve. This includes reviewing, and, where relevant, leveraging the security used on other systems and devices that support access into banking systems. Such a team will, for example, need to look at the latest apps and smartphone devices, where fingerprint authentication is now the norm and rapidly giving way to the latest facial recognition functionality.

Indeed, it is likely that future authentication techniques used on state-of-the-art mobile devices will drive ease-of-use further, again without compromising security, while individual apps are increasingly able to make seamless use of that main device functionality.

This opens up great potential for banks to start working closely with software companies to develop their own capabilities that leverage these types of security checks. If they focus on a partnership-driven approach, banks will be better able to make active use of biometric and multifactor authentication controls, effectively provided by the leading consumer technology companies that are investing billions in the latest smartphones.

Opportunities for Corporate Cards

This struggle to find a balance between security and convenience is, however, not just about how the banks interact directly with their retail customers. We are witnessing it increasingly impacting the wider banking ecosystem, including across the commercial banking sector. The ability for business users to strike a better balance between convenience and security in the way they use bank-provided corporate cards is a case in point.

We have already seen that consumer payment methods using biometric authentication are becoming increasingly mainstream – and that provides an opportunity for banks. Extending this functionality into the corporate card arena has the potential to make the commercial payments process more seamless and secure. Mobile wallets, sometimes known as e-wallets, that defer to the individual’s personal attributes to make secure payments on these cards, whether authenticated by phone or by selfie, offer one route forward. There are still challenges ahead before the above becomes a commercial reality though.

First, these wallets currently relate largely to in-person, point of sale payments. For larger, corporate card use cases such as settling invoices in the thousands, the most common medium remains online or over the phone.

Second, there are issues around tethering the card both to the employee’s phone and the employee. The 2016 Gartner Personal Technologies Study, which polled 9,592 respondents in the US, the UK and Australia revealed that most smartphones used in the workplace were personally owned devices. Only 23 percent of employees surveyed were given corporate-issued smartphones.

Yet the benefits of e-wallet-based cards in terms of convenience and speed and ease of use, and the potential that they give the businesses offering them to establish competitive edge are such that they have great future potential.

One approach is to build a bridge to the fully e-wallet based card: a hybrid solution that serves to meet a current market need and effectively paves the way for these kinds of cards to become ubiquitous. There are grounds for optimism here with innovations continuing to emerge bringing us closer to the elusive convenience/security balance. MasterCard has been trialling a convenient yet secure alternative to the biometric phone option. From 2018, it expects to be able to issue standard-sized credit cards with the thumbprint scanner embedded in the card itself. The card, being thus separated from the user’s personal equipment, can remain in the business domain. There is also the opportunity to scan several fingerprints to the same card so businesses don’t need to issue multiple cards.

Of course, part of the value of bringing cards into the wallet environment is ultimately the ability to replace plastic with virtual cards. The e-wallet is both a natural step away from physical plastic and another example of the delicate balancing act between consumerisation of technology and security impacting banking and the commercial payments sector today. There are clearly challenges ahead both for banks and their commercial customers in striking the right balance, but with technology continuing to advance, e-wallets being a case in point, and the financial sector showing a growing focus on these areas, we are getting ever closer to equilibrium.

The holidays are upon us, and that means consumers are limbering up their mouse-clicking fingers in preparation to go shopping online. Online shopping is now mainstream and consumers are expected to spend more than £600 billion online this year, up 14% from a year ago. More than three-quarters of mid-sized to large retailers now sell goods and services over the web.

In the wake of the many recent and prominent cyberattacks, it’s reasonable to be concerned about how safe your online shopping experience really is. To check, we analysed a dozen of the UK's largest online retail sites to evaluate their policies and procedures regarding privacy, security and information sharing. The good news: all have good security practices when conducting transactions. The not-so-good news: password policies, information sharing and general disclosure practices are all over the map.

Here are some things to look for, based upon our research.

Secure browsing

HTTPS is a version of the standard HTTP protocol that adds an extra layer of security by encrypting traffic between your device and the server. Some organizations, including Google and the Electronic Frontier Foundation, have been pushing website owners to adopt HTTPS for all communications. In light of that fact, it’s surprising how many of the sites we visited don’t use this more secure standard for casual browsing. To be clear, all employ HTTPS for secure checkout, but several don’t make the switch until the customer logs into an account or heads for the checkout aisle.

There are reasons for this. Not all browsers support HTTPS, so requiring its use for simple viewing may lock some customers out of the site. However, the volume of non-HTTPS-compliant browsers is shrinking and the benefits of secure browsing are compelling enough that it’s worth checking when you visit the site. It’s easy to do; simply look at the URL in the address bar. If you see “http://” or nothing at all before the address, then HTTPS isn’t being used. That means that someone who can tap into your communications can see the pages you are viewing or the information you’re sending. Pay particular attention if you are accessing a shopping site over a public Wi-Fi network.

Privacy policy

Online retailers are required to post privacy policies by law. However, that doesn’t mean all policies are the same. That’s likely to change next May, when the General Data Protection Regulation goes into effect. Those are the rules that define how organizations operating within the EU must store and protect personal information about EU citizens. Enactment of GDPR should create a more level playing field, but in the meantime there are variances in details about the use of your personal data to look for.

A good privacy policy should be easy to find, easy to navigate and written in clear language. We found considerable variations between retailers in this area. Some bury sections of their policies in dense, nested menus or use legalese like Asda’s “By letting us have any sensitive personal data, you expressly consent to us using and telling others about any of your sensitive personal data so we can provide you with the goods or services requested by you in the way set out in this Privacy Policy.” Huh?

Others take time and care to craft a policy that is visually attractive and easy to navigate. Particularly notable is John Lewis, whose security policy amounts to a mini tutorial on good password practices. It even has advice on malware and phishing protection. Tesco also has an outstanding privacy center, with advice on how to protect against social media scams and even keep your gadgets safe.

Information sharing

Most e-tailers pledge not to use your contact information for anything unrelated to a transaction or a related service. However, some will contact you for market research studies or to get your feedback on their services or the website. Look, in particular, for language like “carefully selected third parties may use the information we collect to inform you about offers, products and services.” This means your contact information is being shared with companies or list services other than the one you’re doing business with, most likely for marketing purposes. Most retailers will let you opt out of such communications, but the responsibility to do so is yours.

A variation on this practice is to share information within a family of companies. For example, Marks and Spencer plc also runs its own bank and energy businesses and shares customer information between them. Retailers must disclose these practices in their privacy statements. If you’re uncomfortable with having a company that sells you clothes also pitch you on mortgages, opt out of the deal.

Speaking of opt out, practices also differ on email contact. Most retailers opt you into their email marketing programs and leave it up to you to withdraw. In some cases, you can opt out at the point of payment or registration, but others require you to go into your personal profile and change your preferences, or to unsubscribe once the pitches start arriving.

Payment information

Policies also differ on retention of credit card information. Some companies keep your card number by default, while others ask your permission. This information should be laid out in the privacy policy or stated on the registration page.

The convenience of saving your credit card on a retailer’s website is undeniable, but there’s also a risk involved, as evidenced by the many breaches of prominent brands. A safer course of action is to use a password manager that also stores payment information so that you can control access to this sensitive information. For one-off transactions with retailers you don’t know very well, we recommend against permitting payment information to be stored at all.

Password policies

Retailers love it when you become a member because it opens new avenues to market their goods and services. While there are many benefits to membership, be wary of how much information you give up upon joining. We recommend you limit yourself to providing only that which you would be okay with exposing in the case of a breach.

Pay particular attention to password security. Our research found the greatest variation between websites in that area. For example, BooHoo requires only that passwords be at least five characters, despite the fact that the site offers to store payment information. This is unacceptably weak security, in our view. Most sites specify a minimum of six to eight characters with a combination of upper- and lower-case letters and symbols, which is considerably more secure. A few offer strength meters, which assess the security of your password as you type. The more guidance the site offers the better. No matter what the requirement, use at least an eight-character password and avoid easily guessed substitutions, such as “1” for “l”.

Checkout

All the retailers we visited provide secure checkout using the SSL protocol. Most also list multiple secure certifications on their payments page, such as Verified by Visa, MasterCard Secure Code and American Express SafeKey. The more of these badges you see the better.

Some retailers offer to save your payment information at the point of sale. As noted above, we recommend against this practice. Some also use checkout to try to sign you up for their mailing lists or third party offers. If you already receive enough marketing messages, keep an eye out for this practice, since most retailers automatically opt you in and require you to make the effort to remove your name.

Summary

The profusion of recent security breaches should have every retailer on high alert to safeguard customer information. While all the sites we visited do a good job of covering the basics, we found significant variation in attention to detail. That doesn’t mean the more attentive sites are necessarily more secure, but if given the choice, we prefer to spend our money with companies that give protection of our personal data more than just lip service. Enjoy the online shopping season, but be careful to give up no more information than is really needed.

(Source: Keeper Security)

According to ONS’ most recent crime report, “Bank and credit account fraud” was the most common type of fraud experienced (2.5 million incidents or 75% of total fraud) in the UK, followed by “consumer and retail fraud” – such as fraud related to online shopping or fraudulent computer service calls (0.7 million incidents or 22% of total fraud). More than half (1.9 million incidents or 57%) were cyber-related.

Below Sundeep Tengur, Banking Fraud Solutions Manager, SAS UK & Ireland, comments on the progress that FS organisations are making on tackling fraud.

“It’s encouraging to see that the financial services industry is starting to give fraud the attention it deserves.

“With increasing instances of the misuse of alternative currencies like Bitcoin and difficulty in securing the electronic payments industry, the financial sector is rising to the occasion. But there is still plenty of work to be done as fraudsters continue to adapt their tactics.

“Whether it is against low-level bank account and card fraud or more serious attacks on organisations, financial services can’t afford to leave their doors open to fraud. They must continue to tighten defences and improve their capabilities to detect and resolve instances of fraudulent activity.

“To stay secure and instate confidence, organisations must derive actionable intelligence from the information available. Spotting the tell-tale signs of improper payments and transactions means they can get one step ahead and stop any financial or personal assets being compromised.

“Advanced analytics will be at the core of these efforts, crucial for helping firms mine their ever-increasing datasets for these invaluable insights. At the same time, artificial intelligence and machine learning will prove to be just as beneficial as more and more financial institutions are automating the process of fraud detection, improving the speed and efficiency of their response.

“The fraud factor is never going to go away. Yet those businesses that are proactively interrogating data will have a better chance of preventing fraud’s most devastating effects.”

Here Charlie Abrahams, Senior Vice President of MarkMonitor, a brand of Clarivate Analytics, discusses with Finance Monthly the problems behind cybercrime, in particular phishing and fraud.

While internet commerce has enjoyed exponential growth over the past 15 years, it has also created a significant opportunity for bad actors to indulge in cybercrime. It not only affects a brand’s revenue stream, but more importantly its reputation. As a result, organisations are investing in brand protection technology and processes – not just to prevent brand abuse and counterfeiting, but also to prevent other forms of cybercrime. Keeping your intellectual property safe requires a multi-layered approach, regardless of the size of the business or the type of information you hold.

While it’s true that cyber criminals are targeting all industries, the financial services industry is particularly at risk. Firms within this sector have many high-value assets that make them an attractive target for cyber criminals — including significant intellectual property relating to their business processes and transactions, as well as financial records and customer data. Financial services companies stand to lose a lot more than money should cyber criminals be successful. Brand reputation would suffer, customer trust would be irrevocably damaged, and there may well be wider consequences such as fines from financial regulation bodies, especially with the deadline for compliance with the new European Union General Data Protection Regulation (GDPR) fast approaching. As a result, the financial services segment is one of the biggest buyers of enterprise security technology.

However, all that investment in enterprise security technology offers no protection against one of the most popular methods used by cyber criminals: phishing. The reason is that phishing attacks don’t target the enterprise directly, but its consumers, and this is where brand protection technology comes in. Phishing attacks have been around in some form for the past few decades and are essentially emails — sent from what appears to be a legitimate source — asking for personal information, such as login details, passwords, payment card details, etc.

Over the years, phishers have evolved in the way they carry out their cyberattacks. They are creating phishing websites to collect passwords, conduct identity theft schemes and carry out online advertising scams. Despite being a relatively low-tech method of cyberattack, it remains one of the most effective. Research conducted by a German university found that 78% of respondents admitted to opening unknown emails and clicking the links within, despite also claiming that they were aware of the dangers of phishing. This shows there is still work to be done in raising awareness around how to avoid being caught out by these cyber criminals.

Given the continually threatening nature of phishing, protecting and proactively defending organisations has never been more important within the financial services industry.

The first crucial step for businesses is to be fully prepared and adopt a ‘when’ rather than an ‘if’ approach, with the aim of preventing the attacks in advance. Organisations can set up early warning systems alerting them of new domain registrations — that may misleadingly read like their brand name and may target that brand to host malicious content — before it impacts their customers, for example.
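The early-warning screen described above, as an added example (not MarkMonitor's or any vendor's code): a daily feed of newly registered domains is checked against a list of protected brand names, flagging labels that fold to the brand after homoglyph and IDN normalisation, contain it, or sit within a couple of edits of it. The brand names, the allowlist of owned domains and the feed lines are all constructed for this example.

```python
"""Screen a new-domain-registration feed for brand look-alikes.

Added example, not vendor code. BRANDS, OWNED_DOMAINS and SAMPLE_FEED are
constructed; a real deployment would load them from its own records and
from a registrar or zone-file feed.
"""
import unicodedata

BRANDS = ["examplebank", "finmonthly"]                    # constructed brands
OWNED_DOMAINS = {"examplebank.com", "examplebank.co.uk", "finmonthly.com"}

# Small, illustrative table of characters commonly swapped for look-alikes:
# digits that resemble letters, plus Cyrillic letters that render like Latin
# ones and are NOT changed by NFKD normalisation, so they need an explicit map.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def to_unicode(domain):
    """Decode punycode (xn--) labels; leave plain or already-unicode names as-is."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def fold(label):
    """Map a label to plain ASCII letters/digits for comparison with a brand."""
    label = label.translate(HOMOGLYPHS)
    # NFKD splits accented letters (e.g. "ä") into base letter + combining mark;
    # dropping non-ASCII then leaves the base letter.
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return label.replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1 (catches 'exampel' for 'example')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def screen_domain(domain, brands=BRANDS):
    """Return (brand, reason) when `domain` resembles a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in OWNED_DOMAINS:
        return None
    labels = to_unicode(domain).split(".")
    candidates = labels[:-1] or labels          # never compare the TLD itself
    for label in candidates:
        folded = fold(label)
        for brand in brands:
            max_edits = max(1, len(brand) // 5)  # tolerance scales with brand length
            if folded == brand:
                return brand, "label folds to brand name (other TLD, IDN or homoglyphs)"
            if brand in folded:
                return brand, "label contains brand name"
            if osa_distance(folded, brand) <= max_edits:
                return brand, f"within {max_edits} edits of brand name"
    return None


def screen_feed(feed_lines):
    """Screen 'domain,registered_on' lines; return [(domain, brand, reason)]."""
    hits = []
    for line in feed_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domain = line.split(",")[0]
        hit = screen_domain(domain)
        if hit:
            hits.append((domain, hit[0], hit[1]))
    return hits


# Constructed sample feed; the last entry is a Cyrillic-"е" look-alike as a
# registrar would publish it, in punycode.
SAMPLE_FEED = [
    "# domain,registered_on  (constructed sample, not a real registrar feed)",
    "examplebank.co.uk,2017-11-20",        # owned domain: allowlisted
    "examp1ebank.com,2017-11-20",          # digit 1 in place of l
    "examplebank-login.net,2017-11-20",    # brand plus a lure word
    "exampelbank.com,2017-11-20",          # adjacent letters swapped
    "finmonthly.support,2017-11-20",       # brand on a new TLD
    "garden-tools-direct.com,2017-11-20",  # unrelated registration
    "exampl\u0435bank.com".encode("idna").decode("ascii") + ",2017-11-20",
]

if __name__ == "__main__":
    for domain, brand, reason in screen_feed(SAMPLE_FEED):
        print(f"ALERT {domain:<32} -> {brand}: {reason}")
```

In practice the hit list feeds a takedown or monitoring queue rather than being acted on automatically, since legitimate third parties also register brand-adjacent names.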

Fraudulent activity can also be detected using the right intelligence, as well as proactively monitoring and analysing key intelligence sources to detect phishing and malware activity across email and other digital channels. Fintech businesses need to shut down or restrict access to phishing sites, and should consider partnering with an anti-fraud (brand protection) vendor to share their phishing alerts with Internet Service Providers (ISPs), browsers, email providers and security vendors, helping them block malicious sites at the Internet gateway.

Lastly, all businesses — not just those within the fintech sector — should draw up an online brand protection strategy, which outlines the actions that should be taken in the instance of any particular cyberattack, including phishing. A brand protection strategy essentially means that you’re covered and ready to counter any of these infringement acts should they ever happen. Without a strategy, businesses are likely to either make snap decisions that might harm the brand, or spend precious time considering the multiple options available, by which time the damage has been done.

In this day and age, companies, regardless of the industry in which they operate, simply cannot afford to leave themselves vulnerable to phishing attacks. The risks are simply too great, and as public awareness of such cyberattacks continues to increase, the reputational damage that comes as a result is only likely to get worse. Therefore, brands must be more proactive in fighting the cyber threat, while each business should be backed up by a comprehensive brand protection strategy.

Where do cyber threats begin? What is the root of the issue and how can we eradicate the source of any risk? What does this look like when you’re a maturing startup compared to a global corporation? Thomas Parsons, Sr. Director of product management at Tenable Network Security, here takes Finance Monthly back to the basics and gives his thoughts on the current global cyber situation.

Ransomware had previously been considered just another piece of nuisance malware that largely targeted unsuspecting consumers. However, the recent uptick of new variations, and their drastic impact in restricting access to enterprise systems and data, has catapulted this threat firmly into the spotlight. Events in the last few months have established ransomware as one of the most impactful and persistent global cyber threats.

Ransomware on the global stage

Increasingly in recent years, we’ve seen a shift from hackers using ransomware to target individual users to much larger attacks on enterprises. Top of mind is WannaCry, which wormed its way into networks around the world and encrypted data, closely followed by ‘Petya’ and also ‘NotPetya.’

Ransomware operates by compromising a system, infecting it with malware and encrypting data using a key the victim does not hold, preventing users from accessing the system. Hackers then send a message demanding payment to provide the key and restore the user’s data. Weaponising ransomware with worm capabilities, for example by pairing it with an exploit such as EternalBlue, has given hackers the opportunity to maximize the damage as the malware spreads from system to system. When ransomware latches onto systems that contain valuable company data, the systems become inaccessible, effectively bringing business to a halt.

For any organisation, the breach of personal data can not only impact the bottom line, but it can also cause irreversible reputational damage.

To pay or not to pay

WannaCry and Petya/NotPetya represent the new normal of today’s sophisticated threat environment. And with ransomware now impacting the global community, organisations must grapple with whether to pay the ransom.

Unfortunately, there is no guarantee that an organisation, which has its data held hostage by cyber criminals, will get a decryption key by paying the ransom – after all you’re dealing with criminals.

Paying the ransom also further funds the criminals’ antics, validating the business model and encouraging repeat infections – a practice that doesn’t benefit anyone in the long run, except perhaps the criminals.

However, the debate as to whether to pay cyber ransom shouldn’t be the focus, given that these attacks can be preventable.

Rather than a sophisticated attack or zero-day exploit, ransomware often takes advantage of well-known software vulnerabilities that organisations have failed to patch or update. The truth is attackers would much rather gain entry to the network by exploiting a known, but unpatched vulnerability, or a phishing email, because these techniques have a much higher return on investment.

But patching isn’t always that simple. Security teams can't control everything, and while it has become increasingly easy to deploy changes into environments, there are some mission-critical systems that can’t be updated with a click of a mouse or a simple script. For those systems that can’t be taken offline without disrupting business operations, security teams must implement compensating controls and make proper, risk-based decisions to mitigate the threat.

Cyber 101: Back to the basics

If we’re to leave ransomware in the past, organisations must get back to the basics, focusing on the foundations of strong cybersecurity.

To start, organisations need to implement security controls that prevent untrusted or unknown applications from being installed, while not impeding end-user productivity. This means security teams should use application whitelisting, blacklisting, dynamic listing, real-time privilege elevation and application reputation.

Organisations should also consider adopting the principle of least privilege, which gives privilege to users according to job necessities. In the event of an accidental link click or attachment opening that attempts to execute an application requiring elevated privileges (such as encrypting a hard drive, network share or folder), the user privileges would not allow those actions to be performed, stopping the attack immediately.

Even more important is end-user security training and awareness, backed by a solid understanding of attack methods used to gain information from users. Educating users on how to spot a phishing email and the dangers of sharing personal information and installing software from unknown sources can benefit them both at work and home.

In the modern computing environment, which now spans cloud, on-premises, IoT and operational technology, continuous visibility into the vulnerability status of every asset is critical to understanding the business impact of ransomware attacks and to fundamentally improve how organisations think about cybersecurity.

Here is a simple mantra to help focus the mind - If you can’t patch it, then you must protect it. And if you can’t do either, then you should prepare for the consequences.

When it comes to monitoring social media usage in the workplace, just half (50%) of companies have internet guidelines in place, despite new research from A&O IT Group revealing that SME staff are spending up to 57% of their day on popular social media channels.

The national review was investigating the potential long-term impact of overlooking IT support including having adequate internet guidelines in place to reduce the risk of cybercrime that can often lead to technology breakdowns.

Despite a third (30%) of SMEs admitting that they had lost at least one full working day due to technology issues, and over two-fifths of them (42%) admitting that they have lost income due to IT issues, the research highlighted that over half (54%) of SMEs across the UK don’t have annual IT check-ups that could identify and prevent potential system issues.

The survey from the specialist SME and small business IT support service indicated that Facebook is the biggest draw on time for SME business owners’ employees, with 33% saying their staff accessed it during their working day, compared to 14% for Twitter and 10% for Instagram.

The findings follow the launch of A&O IT’s specialist SME and small business IT support service in the UK market. The new technology enables SMEs to tap into the same levels of expertise and experience enjoyed by big businesses across the globe. This includes a complete managed IT service through to crisis recovery, cyber security, remote data back-up, annual IT reviews, hardware management and cloud services.


(Source: A&O IT Group)

Businesses are pressing ahead with their digital transformation plans, despite fears of being hit by a cyberattack or data protection regulations. This is according to a new independent research report from Advanced, which questioned over 500 senior executives in UK organisations about their attitudes to using the cloud as part of their digital transformation plans.

Most organisations surveyed are concerned about security (82%) and data protection (68%) in the cloud but, perhaps surprisingly, 80% of them are not put off from adopting the cloud following recent high-profile cyberattacks such as WannaCry. A third (33%) of organisations admit to being experienced in the cloud and continue to consider it for all new projects, while 37% have recently launched cloud computing projects for the first time.

Although positive, these findings should not negate the common concerns and challenges. The survey also found that businesses want better support if they are to execute their digital transformation plans effectively. Security is the biggest barrier, with 76% saying that governments should do more to protect businesses and their customers from a cyberattack.

Meanwhile, 82% of organisations want to see cloud providers do more to build confidence among those looking to adopt a digital transformation strategy, of which the cloud is fundamental. When asked what they look for in a provider, most say financial stability (69%), data held in a UK location (65%) and local support (58%) – above typical benefits touted by providers including scalability (46%) and the breadth of application offerings (38%).

Jon Wrennall, CTO at Advanced, says: “It’s encouraging to see businesses are undeterred from using the cloud, which is fast becoming the right choice for many to drive efficiencies, innovate and grow. Sadly we are seeing the same concerns around security and data protection reported over and over again. It’s right to be concerned about security; it’s time that all of us as cloud services providers take a reality check.

“As an industry and profession, we all need to proactively give clear guidance on security responsibilities and support organisations in being better protected, ensuring devices and applications are properly patched and secured – those writing the software are clearly best placed to provide this. With General Data Protection Regulation (GDPR) coming into force next year we also have a duty of care to provide clarity on how data is being stored and secured in the cloud.

“There’s still a job to be done in creating trust in the cloud and helping customers use the cloud in the right way for the digital transformation that’s right for them. Our survey shows most organisations want financially stable providers and prefer those that store data locally and offer local support; this will become even more pertinent as Britain leaves the European Union. They will trust the providers that offer certainty in an uncertain market and those with a vested interest in the UK and the cloud.”

The independent research was carried out following the results of the general election, during week commencing 12th June. Over 500 participants took part in the survey, which was carried out by Techmarketview.

(Source: Advanced)

IBM (NYSE: IBM) Security recently announced it has completed the acquisition of Agile 3 Solutions. The software is used by the C-Suite and senior executives to better visualize, understand and manage risks associated with the protection of sensitive data. IBM Security had previously announced it had entered into a definitive agreement to acquire Agile 3 Solutions. Financial terms were not disclosed.

The company, now known as Agile 3 Solutions, an IBM Company, joins the IBM Security business unit and will be part of the IBM Data Security Services portfolio of offerings. The acquisition also builds on the growth of IBM's end-to-end Guardium data security and protection platform, which helps to analyze the risk associated with sensitive data, monitor and protect sensitive data at rest, and in motion.

Agile 3 Solutions marks the 20th security-related company IBM has acquired as part of a series of investments to deepen its expertise as one of the world's largest enterprise security companies. IBM Security has hired approximately 1,900 security experts since 2015, and has invested in innovative new programs to help the industry collaborate to battle cybercrime, including IBM's X-Force Exchange and the IBM Security App Exchange. IBM has also closed the acquisition of Ravy Technologies, a subcontractor to Agile 3.

(Source: IBM Security)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.