Finance Monthly. Personal Finance. Money. Investing.

Shane Neagle explores what DeFi is and what it means for the future of the financial services sector.

Throughout humanity's long history, there were not that many thresholds after which nothing remained the same. The first major threshold represented a shift from hunter-gathering to agriculture, which led to the formation of cities, inevitably leading to metallurgy and the industrial revolution. In turn, after each threshold has been crossed, we have seen greater acceleration of innovation and economic growth.

Our modern era has been marked by the most important threshold of them all – digitisation – transforming real-world assets into fungible and infinitely replicable bits. As a result, a book can be almost instantaneously downloaded at the speed of light to whoever needs it, effectively for free. This alone represents a far cry from the revolutionary Gutenberg printing press.

However, the world of finance has been missing the key ingredient to fully undergo digitisation. Having electronic payment systems to move around representations of money is one thing, but having natively digital money is altogether another problem. One that many believe has been solved by the pseudonymous Satoshi Nakamoto, who ushered in blockchain technology manifested through the world’s first cryptocurrency – Bitcoin (BTC).

Blockchain Tech as a Digital Recreation of Money

Before blockchain came along in 2009, what would it have meant to digitise money? How could it retain value without being attached to some externality? We measure value with money because it is fungible, but how would we make money digital, fungible, and incorruptible? Otherwise, a string of numbers as a digital code would fail to render any meaning, or value.

Blockchain provides those boundaries that wall off potential corruptibility by relying on a decentralised digital record. Spread across a network of computers, blocks are records of transactions, each linked to its predecessor by a cryptographic hash (SHA-256 is a hash function, not encryption: it produces a fixed-length fingerprint of the block that changes completely if any byte of the block changes). Therefore, when a new block is added, every one of the thousands of full nodes holding the complete ledger independently checks its transactions, its hash and its proof of work before accepting it.

In turn, every transaction is traceable. Most importantly, with the entire network continuously re-verifying the chain, rewriting its history is computationally impractical. A forged transaction fails signature validation and is simply rejected by the nodes that see it; altering a transaction already buried in a past block changes that block’s hash, which breaks the link stored in every later block, so an attacker would have to redo the proof of work for all of them faster than the honest majority of miners extends the chain. Although this has the effect of consuming electricity comparable to Argentina, it simultaneously made it so that Bitcoin grew to over $1 trillion in market capitalisation, as a leaderless, decentralised, censorship-resistant and deflationary digital money, aka “digital gold”.
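To make the linking concrete, here is a minimal hash-chained ledger with a toy proof of work, written for this article as an illustration. It is not Bitcoin’s code: the two-hex-zero difficulty, the ledger entries and the participant names are constructed for the demo. It shows why a forged entry is caught: changing a buried transaction invalidates that block’s hash, and even re-mining that one block leaves the next block pointing at a hash that no longer exists.

```python
import copy
import hashlib
import json

DIFFICULTY = 2  # leading hex zeros a block hash must have; a toy target, Bitcoin's is vastly harder


def block_hash(block):
    """SHA-256 fingerprint of the block's contents, serialised deterministically."""
    header = {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")}
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def mine(index, prev_hash, transactions):
    """Proof of work: search nonces until the block hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        digest = block_hash(block)
        if digest.startswith("0" * DIFFICULTY):
            block["hash"] = digest
            return block
        block["nonce"] += 1


def build_chain(tx_batches):
    chain = [mine(0, "0" * 64, [])]  # genesis block has no predecessor
    for txs in tx_batches:
        chain.append(mine(len(chain), chain[-1]["hash"], txs))
    return chain


def verify_chain(chain):
    """The check every full node performs independently before accepting a chain."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False, f"block {i}: stored hash does not match contents"
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False, f"block {i}: proof of work not met"
        if i > 0 and block["prev_hash"] != chain[i - 1]["hash"]:
            return False, f"block {i}: link to previous block broken"
    return True, "ok"


def tamper(chain, index, new_transactions):
    """Attacker edits a historical block without redoing any work."""
    forged = copy.deepcopy(chain)
    forged[index]["transactions"] = new_transactions
    return forged


def tamper_and_remine(chain, index, new_transactions):
    """Attacker edits a historical block and redoes its proof of work, but only for that block."""
    forged = copy.deepcopy(chain)
    forged[index] = mine(index, forged[index]["prev_hash"], new_transactions)
    return forged


# Constructed sample ledger for the demo (not real Bitcoin transactions).
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]
FORGED_TX = [{"from": "bob", "to": "mallory", "amount": 500}]


def demo():
    chain = build_chain(SAMPLE_BATCHES)
    return {
        "honest": verify_chain(chain),
        "edited": verify_chain(tamper(chain, 1, FORGED_TX)),
        "edited_and_remined": verify_chain(tamper_and_remine(chain, 1, FORGED_TX)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third case is the important one: an attacker who can afford to redo one block’s proof of work still has to redo every block after it, and must do so faster than the rest of the network keeps adding new ones.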

Bitcoin (BTC) price over one year, March 2020 - March 2021. (Source: TradingView)

Decentralised Finance as the Final Piece of the Digital Money Puzzle

Bitcoin, as a native digital currency, turned into a massively successful proof of concept. It continues to onboard institutional investors, from MicroStrategy to Tesla, both as a hedge against inflation and as a payment method. However, Bitcoin still exists squeezed within a centralised financial system, dependent on the on/off ramp of fiat currency.

What if the entire financial infrastructure, from banks to clearinghouses and exchanges, could also be digitised in a decentralised manner? Although blockchain technology made digital money possible, not all blockchains are created equal. Bitcoin’s blockchain was designed to be secure and conservative, while others are more flexible.

Ethereum is one of them, launched in 2015 by Vitalik Buterin. While Ethereum’s native cryptocurrency (token) – ETH – doesn’t have a hard-capped supply like Bitcoin, its value proposition is in utility. Thanks to its programmable blockchain, Ethereum hosts almost the entirety of dApps: applications built from smart contracts, code deployed on the chain that executes automatically when its conditions are met. This makes it possible to create blockchain games, NFT marketplaces, decentralised exchanges (DEX), and most importantly – DeFi – Decentralised Finance.

Total value locked (TVL) in DeFi, as of March 22, is $43.35 billion. (Source: DeFipulse.com)

Digital Recreation of Financial Products and Services

The scandal involving Citadel hedge fund and Robinhood trading app demonstrated in no uncertain terms the foibles of a financial system dependent on intermediaries.

Whether you want to trade large-cap blue-chip stocks or dubious stocks like GME, such a system doesn’t inspire confidence if its underlying mechanisms can be upended by the pulling of hidden levers. Thanks to smart contracts (dApps), decentralised finance removes the intermediary that holds those levers: the rules are in code that anyone can inspect and that executes the same way for every participant. This means that you can engage in:

Alongside smart contracts, the underlying constructs powering DeFi are:

Moreover, DeFi no longer presents an isolated system reserved for altcoins. The defining trait of DeFi is constant innovation, befitting such advanced digital technology. Just last month, the Synthetix platform made it possible to connect traditional assets like stocks and equities to the DeFi ecosystem. In the coming months, you will start to hear more about such assets - synths or synthetic stocks.

The growth of Bitcoin (BTC) is accompanied by many utility altcoins serving DeFi. (Source: TradingView)

Such bridging assets mean that one could start trading stocks on a DeFi protocol, and even engage in shorting. This was made possible by Chainlink (LINK), a decentralised oracle protocol that feeds smart contracts with off-chain data, including data from the banking infrastructure and stock markets.

DeFi Shortcomings and Outlook

Given that DeFi has exploded in value since last summer, it would be more accurate to frame DeFi’s current flaws as birthing pains. As you would guess, much of it stems from security issues: hacks and exploits. CipherTrace estimated that the DeFi market lost $2.7 billion last year due to security breaches.

This largely originates from Ethereum’s flexibility as a programmable blockchain: every smart contract is code, and code has bugs. Like the contracts deployed on it, Ethereum is entirely open-source, which is good for the growth of the space as it allows viable alternatives to emerge, Polkadot being one of the more rapidly growing ones, but it also means an attacker can study a contract’s logic as closely as its authors did. Although all major smart contracts are regularly audited by professional security companies, an audit reduces risk rather than eliminating it, and auditors too can miss exploitable flaws, as we saw with Yearn.Finance.

That does not mean that insurance against such losses cannot itself be decentralised. Indeed, such solutions are already in full swing: Nsure.Network, CDx, Cook Protocol, Etherisc, and the most popular one so far, Nexus Mutual.

Outside of these technical issues, DeFi has all it takes to fully tokenize and decentralize the world’s financial system if it is allowed to evolve. This may collide with governmental interests, but if we take into account 1.7 billion unbanked adults, and the growing threat of deplatforming in the developed world, this should serve as a strong force to drive DeFi across the new threshold.

Finance Monthly hears from Wayne Parslow, Executive Vice President for EMEA at Validity, as he explores what the financial services sector stands to gain from better handling of its data.

Financial firms face an increasingly complex minefield of regulations when it comes to handling data. The sector has so many acronyms that it’s often difficult for a layperson to wrap their head around them. Unfortunately, finance companies don’t fare that much better, and can be overwhelmed by seemingly infinite customer data management requirements.

Whether it’s ensuring appropriate customer data storage under GDPR or securing payments processes under PSD2 and PCI-DSS, there’s a host of regulatory pressures for managing the financial customer relationship chain.

Regulatory bodies are certainly not toothless when it comes to enforcing punitive measures, either. At the end of 2020, the ICO issued fines to both OSL Financial Consultancy Limited and Pownall Marketing Limited for misusing personal data.

Data Management Difficulties

Ensuring data held by finance firms is accurate, up to date and, equally importantly, used appropriately is a shared goal for both the regulator and financial institutions. However, with the pressures put on financial firms by the pandemic, there’s a good chance that data management best practice has taken a back seat in favour of ensuring business continuity.

This is a misstep, as the two key fundamentals of data – data quality and data governance – should be tied into the basic operations of a financial services firm. With strong data foundations, financial services firms will be in a far stronger position to navigate the upcoming uncertainty of a post-pandemic world.


Having data quality and governance work in concert to support one another does not simply ensure regulatory compliance, though. The value of data for driving successful business outcomes has already been proven, and businesses which employ a data-driven strategy are growing 30% year-on-year. Higher data quality also delivers stronger customer relationships and greater engagement.

Curating Quality

Data quality is not a once-and-done operation. For financial services in particular, it is a complex, continuous network of processes and actions that must be maintained as new data is collected, augmented and edited by the organisation.

First and foremost, a finance firm must take stock of the current state of its data. Given the rapid changes that have occurred over the past year, it is essential to reassess data for accuracy, completeness, duplicates and inconsistencies. Data needs to be housed correctly so that it can be profiled accurately. Profiling their data enables financial organisations to ensure it is right for the business’s current needs, can be easily analysed and reported on, and can be more readily checked for currency.

Deduplication

Duplicates are a common barrier to data quality. Many regulations require data to be kept up to date, and customer data to be removed under certain circumstances (for example, when a contract is terminated). Whilst a firm might believe it has done its due diligence under these circumstances, leaving duplicate data behind poses a significant compliance threat and risks inappropriate or even illegal communication: the record the customer asked to have erased is gone, but its copy is still being mailed. To have a consistent, complete view of its customer data, a financial firm must be proactive with the management of deduplication. It is a simple yet effective process that can make a huge impact, but requires an investment in the appropriate tools.


Security and Enhancing Data

The end user is typically identified as the weakest link in the security chain, and many breaches reported to the ICO stem from simple user error, whereby an employee downloads a confidential document to a laptop which is then lost or stolen, for example.

With the move to remote working last year, many businesses wisely took the step to upskill their now remote workforces with additional security best practice training to help mitigate the additional cybersecurity risks.

Organisations can take additional steps to prevent the errors that create vulnerabilities, such as the laptop example above. Employees will often adopt methods that help them get their jobs done most efficiently, even if these deviate from security best practice. Standardising data is a crucial step to enabling it to move through the organisation in the correct, and secure, way, regardless of location.

For example, if finance needs to produce reports based on the outgoings of a few different international teams, putting best practice standards in place as basic as how titles and regions are entered means this can be completed more efficiently, easily and securely across the board.
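Standardisation and deduplication are easiest to see in code. The Python below is an added illustration for this article, not Validity’s product or method; the customer records, the title mapping and the region mapping are constructed for the demo. It applies a house standard to each field, finds customers who appear twice under different spellings, and contrasts an erasure that matches on the normalised key with the naive exact-match deletion that leaves a copy behind.

```python
from collections import defaultdict

# Constructed customer records, entered by different regional teams with different habits.
SAMPLE_RECORDS = [
    {"id": 1, "title": "mr",  "name": "James  Smith", "email": "James.Smith@Example.com", "region": "UK"},
    {"id": 2, "title": "Mr.", "name": "james smith",  "email": "james.smith@example.com", "region": "United Kingdom"},
    {"id": 3, "title": "Dr",  "name": "Aisha Khan",   "email": " a.khan@example.org",    "region": "DE"},
    {"id": 4, "title": "DR.", "name": "aisha KHAN",   "email": "A.KHAN@example.org",     "region": "Germany"},
    {"id": 5, "title": "Ms",  "name": "Li Wei",       "email": "li.wei@example.net",     "region": "SG"},
]

# House standards (constructed for the demo): canonical titles and two-letter region codes.
TITLE_MAP = {"mr": "Mr", "mrs": "Mrs", "ms": "Ms", "dr": "Dr"}
REGION_MAP = {"uk": "GB", "united kingdom": "GB", "gb": "GB",
              "de": "DE", "germany": "DE", "sg": "SG", "singapore": "SG"}


def normalise(record):
    """Apply the house standard so that the same customer compares equal however entered."""
    title_key = record["title"].strip().rstrip(".").lower()
    region_key = record["region"].strip().lower()
    return {
        **record,
        "title": TITLE_MAP.get(title_key, record["title"].strip()),
        "name": " ".join(part.capitalize() for part in record["name"].split()),
        "email": record["email"].strip().lower(),
        "region": REGION_MAP.get(region_key, record["region"].strip().upper()),
    }


def find_duplicates(records):
    """Group records by normalised e-mail; any group with more than one id is a duplicate set."""
    groups = defaultdict(list)
    for r in records:
        groups[normalise(r)["email"]].append(r["id"])
    return {email: ids for email, ids in groups.items() if len(ids) > 1}


def erase_customer(records, email):
    """Erasure request matched on the normalised key: every copy goes. Returns (kept, removed_ids)."""
    key = email.strip().lower()
    kept = [r for r in records if normalise(r)["email"] != key]
    removed = [r["id"] for r in records if normalise(r)["email"] == key]
    return kept, removed


def naive_erase(records, email):
    """Exact-match deletion: the differently-cased duplicate survives and keeps receiving mail."""
    kept = [r for r in records if r["email"] != email]
    removed = [r["id"] for r in records if r["email"] == email]
    return kept, removed


if __name__ == "__main__":
    print("duplicate sets:", find_duplicates(SAMPLE_RECORDS))
    print("naive erase removed:", naive_erase(SAMPLE_RECORDS, "james.smith@example.com")[1])
    print("normalised erase removed:", erase_customer(SAMPLE_RECORDS, "james.smith@example.com")[1])
```

The naive erasure removes record 2 and reports success while record 1, the same person with a capitalised address, stays in the mailing list; the normalised version removes both. In practice the matching key would combine several standardised fields rather than e-mail alone, but the principle is the same: deduplicate on the standard, not on whatever was typed.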

Alongside profiling, deduplication and process standardisation, verification needs to be a top priority, and should take place as data is collected. Using external sources, both prospect and existing client data should be verified (provided, of course, that consent has been given for these external sources to be used in this way). Enriching data in this way ensures finance firms get a better ROI from marketing and sales.

Adopting a Data Mindset

Data is constantly changing, and a continuous monitoring regime is the only way to keep track as it waxes and wanes. A simple way to keep up with the health of your data as it changes is to set up dashboards and alerts that track data quality automatically.


That said, it’s not just about technology. There’s no getting away from it: a comprehensive cross-functional approach is needed to implement a successful data governance programme. For finance firms, team members must be subject matter experts who understand the complex industry standards and regulations and know where to turn when they don’t. Many finance organisations will already have an executive-level representative responsible for company-wide data management, such as a Chief Data Officer (CDO).

A core aspect of a CDO’s responsibilities should be simplifying processes with the help of the right technologies. However, it’s unlikely there’s a single tool that will do everything a financial organisation needs, and every governance strategy should be bespoke for the organisation that will follow it. Companies should be aiming for a “data quality by design” mindset, where the checks and processes that ensure top-quality data is maintained become second nature.

Jake Madders, Co-director of Hyve Managed Hosting, weighs the pros and cons of the two distinct types of crypto exchange hosting.

Cryptocurrency has boomed in recent years, helped by people like Elon Musk joining the conversation and increasing the trust in its value, helping it to reach the mainstream. As the number of investors placing their money in cryptocurrency continues to grow, finding a reliable trading platform has never been more important. Hence, the need for crypto exchanges.

The ongoing growth of interest in cryptocurrency and the demand for technological development and maintenance has generated the need for different exchanges. According to a recent study conducted by crypto market data provider cryptocompare.com, Bitcoin’s market share grew by 13 percentage points between October 2020 and January 2021, from 61% (USD$347 billion) to 74% (USD$1.41 trillion). The study pointed to crypto exchanges increasing their transparency by providing data, as well as improving their security, as reasons for this growth.

Whilst the world of digital currencies continues to bloom, crypto exchange hosting becomes a challenge in its own right. Choosing between cloud and on-premise hosting is not an easy decision, as it depends on the exchange’s needs. Nevertheless, with exchange sites having to be active 24/7 in order to offer optimal performance, the cloud could be the ideal option.

Cloud vs on-premise benefits

When it comes to crypto exchanges, performance has always been a key factor. However, there’s a bigger picture that individuals need to look at. With the industry always evolving and technology developing constantly, flexibility is crucial in order for crypto exchanges to adapt. Moving an exchange to another location can be a long and costly process but on the cloud, this process can be done in a matter of hours and at a much lower cost. Speed on the cloud is clearly a valuable benefit, allowing crypto exchanges to set up the infrastructure on a cloud system much faster than on-site hosting.


Customisation is essential in order to meet the requirements of the ever-changing marketplace. The cloud offers the option to scale and implement storage, security and developer tools when required to meet the demands of the market and investors quickly and efficiently. Another benefit that is important to keep in mind when choosing the right hosting is latency. Users using a cloud hosting provider can opt for a data centre near their end-users which will reduce the latency, allowing an exchange to provide instant information directly from the market or from a transaction.

There’s also the environmental aspect of the cloud, which is a benefit that is often overlooked. As the adoption of cryptocurrencies continues to expand, a sustainable and eco-friendly hosting choice feels like something important to consider.

Choosing on-premise hosting 

Whilst the cloud seems to tick all the boxes as the perfect space for crypto exchanges, many of these platforms still use on-premise hosting. A key aspect offered by on-premise is full control, and with it full responsibility. For some, this sounds like a great advantage and is the reason on-premise can be the right choice. Still, there are other points to consider. Full responsibility means being accountable for managing, patching and maintaining the hardware and software, which requires a fair amount of knowledge and time. Some operators will not have the right level of expertise in-house and will need a specialist to do it for them, resulting in an extra cost. On-premise servers can also be more exposed, both physically and operationally, whereas purpose-built data centres provide 24/7 physical security, cooling and fire-protection measures.

Security, the deciding factor

It is not surprising that, over the last few years, cybercriminals have developed an interest in cryptocurrency. With hundreds of billions of dollars traded daily on crypto exchange platforms, they are the perfect target for hackers. The cryptocurrencies themselves are rarely broken; the weak point is the exchange, which holds customers’ private keys and runs ordinary web, database and wallet infrastructure that can be compromised like any other. This is one of the reasons cryptocurrency owners have worried about choosing the cloud over on-premise hosting. Nonetheless, the cloud has become a safer environment for crypto exchanges. Risks have been reduced as cloud security controls have matured, helping mitigate issues concerning the protection of cryptocurrencies.


When deciding between cloud and on-premise hosting, there are numerous factors to examine. On top of that, individuals need to keep in mind their investment plan and take into consideration what the future of the market could look like. With technology evolving and cryptocurrencies gaining popularity, finding the right crypto exchange hosting option will continue to be a challenging yet very important decision.

Simon Pamplin, technical director at Silver Peak, explores what public cloud is and what its implications are for financial services firms.

Adoption of cloud by financial institutions has risen dramatically over the past five to ten years. Yet this has largely been private cloud rather than the more flexible and scalable public cloud.

In January, however, European financial institutions formed the European Cloud User Coalition (ECUC) to drive public cloud adoption and ensure consistency and enforcement of security standards of cloud’s use. Allied Irish Bank, BAWAG Group, Belfius Bank, Commerzbank, Deutsche Börse, EFG Bank, Erste Group Bank, Euroclear, ING, KBC Bank, Swedbank and UniCredit have all signed up to the ECUC and are participating in the initiative.

This widespread push displays the desire for public cloud in the finance industry, and there are persuasive arguments for the transition from private to public. Although the desire is clearly there for greater use of public cloud, there are key factors that will determine the speed and success of this transition.

Public versus private: an industry ready to shift

The difference between public and private cloud is that, as the name suggests, private cloud is managed internally by an organisation – all the dedicated infrastructure, including the data centre, is managed by a single, owning organisation. Conversely, public cloud is offered to multiple companies by a public cloud provider that runs and maintains the supporting shared infrastructure.

That the finance industry has been cautious in its uptake of public cloud highlights the essential need for top security for banks and other financial service organisations. The industry in particular is subject to strict compliance legislation across Europe, and organisations may choose private clouds as a means to ensure they are indeed complying.


Another issue is vendor lock-in: companies may worry about their complex cloud infrastructures depending on a single cloud provider. This reliance can hurt market competition, as it prevents companies from switching easily between vendors.

It is these concerns that the ECUC seeks to address by defining and communicating what requirements have to be met in Europe for public cloud to become a feasible option for financial organisations. There are, after all, some clear benefits.

The first and foremost benefit of transitioning to public cloud is cost. Supporting cloud infrastructure is an expensive and labour-intensive process – smaller, newer organisations in the industry may find the possibility of private cloud beyond their resources, especially given the stringent cybersecurity standards that the financial world requires.

Adding to this, public cloud providers do offer a top-rate service tailored for organisations: they are excellent at what they do, and a multi-tenancy business model allows them to allocate resources in a highly efficient manner. By delegating cloud to an expert third party, finance organisations free themselves from the operational headaches of enterprise IT administration.

The network must facilitate financial public cloud use

A key criterion for the use of public cloud is that, when implemented, financial organisations can be sure their data is safe. However, the secure use of public cloud services rests on the infrastructure and, vitally, on the wide-area network (WAN) that connects branches, data centres and cloud regions.

Before the public cloud transformation in the industry can advance, organisations must transform their networking infrastructure. In essence, traditional WAN architectures that backhaul all traffic through a private data centre have been made obsolete by the cloud, and securing public cloud connectivity depends on more advanced WAN solutions, such as an SD-WAN.


The drive towards public cloud will enable the financial industry to enjoy its full benefits – greater accessibility, lower cost, and increased market competition. However, first, coordination with European public cloud providers and transformation of the organisational network must be accomplished to assure success.

Finance Monthly hears from Nic Sarginson, Principal Solutions Engineer at Yubico, on emerging trends in data security that may soon be coming to financial services.

This past year has prompted a rise in take-up of digital banking services. As people stayed at home they went online to work, shop, stay in touch and manage their money. While this shift to online banking presents an opportunity to service providers with a digital-first approach, it also presents a target for cybercriminals intent on profiting from data breaches and account takeovers. Banks and their customers are adapting to a new, remote, relationship; as they do, the strength of online security protection will become a greater talking point and, for some institutions, even a source of competitive advantage.

According to some reports, as many as six million people in the UK made the switch to digital banking in March/April last year. Customers setting up their accounts will have created a password/PIN to use with a user ID to gain access. This form of authentication will be familiar from other log-in services; what may be less so is the additional strong customer authentication (SCA) check, such as a one-time passcode generated by a card reader or sent as a text to a registered mobile phone.

Password weaknesses

This second line of defence is incredibly important for financial services, as passwords are notoriously weak at preventing bank account takeovers. Reused passwords render multiple accounts vulnerable should a data breach put this information into the hands of cybercriminals. Passwords can also be guessed with a range of common word and number combinations in use, and bank details are some of the most coveted data breach spoils.

Additional ID checks therefore boost security, but not all forms of stronger authentication are completely resistant to security threats. Mobile-based one-time codes that are so popular with banks, for example, can be vulnerable to SIM-swap and modern man-in-the-middle (MitM) and phishing attacks.


During a MitM attack the innocent party believes they are communicating with a legitimate organisation, such as their bank, but in reality information is being intercepted and relayed by a malicious third party, who can forward a one-time code to the real bank before it expires. It isn’t easy to recognise this type of attack, even for the cyber savvy, as attackers create personalised and convincing communications to trick their targets. Routes in can include unprotected Wi-Fi and manipulated URLs.

In the more widely known phishing attack, people are tricked into parting with personal information such as login details. Phished credentials are then used to gain access to the user’s account and may be tried against other services as part of a multiple account takeover.

Managing the customer experience

For financial services, the strongest possible authentication to protect data and accounts does not always marry with the best customer experience. Each additional check can add time and frustration to the log-in experience, preventing customers from accessing their accounts whenever they want to – if, for example, they are in a mobile-restricted location.

Strong authentication therefore must meet the dual requirement of protecting account details and financial and personal information, while also providing a convenient, preferably frictionless, user experience. Added to that is another consideration - how simple it is to integrate additional authentication into back-end systems for both the existing product portfolio and future innovations. With the rate at which financial services are digitising, and payments moving cashless, this is a challenge most banks will find concerning. The finance industry is also faced with the critical need to ensure compliance with various industry regulations including GDPR, PCI DSS and PSD2 mandates that govern access to sensitive data.

Protecting corporate infrastructure

Financial institutions must also protect access to their own systems and applications. Here, the challenge is exacerbated by the fact that most banking infrastructures are a mix of legacy on-premise systems, and private or public cloud-hosted services. They must all be protected against unauthorised access, a challenge that has been heightened by the rapid transition to large-scale homeworking of the past year.


Finance teams and employees working from unfamiliar locations expand the potential attack surface with home networks and personal devices suddenly a part of a bank’s corporate IT estate. Seamless, convenient and high-assurance multi-factor authentication (MFA) must be in place to protect data and corporate assets so that employees can securely access systems remotely without introducing new risks and vulnerabilities.

Financial services are starting to embrace hardware-based tools such as security keys as a route to strong authentication, which protects business and customer data without inconveniencing increasingly impatient financial customers. When it comes to their financial data, users appreciate authentication devices being something they have, as opposed to something they know. The phishing resistance comes from more than possession, though: keys built on the FIDO standards sign a challenge together with the origin of the site the browser is actually talking to, so a response obtained on a look-alike site cannot be replayed against the real bank. For customers, they provide protection for accounts, while in the corporate setting they can secure access to systems and applications. Whether tasked with upgrading a bank’s legacy infrastructure, or a new generation of fintech developers operating solely in the cloud, such an approach can offer seamless integration with operating systems, and conformance with global authentication standards.
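The difference between a relayable one-time code and an origin-bound security-key response is easiest to see side by side. The following Python sketch is an added illustration for this article, not Yubico’s code or a real FIDO2 library: an HMAC over the challenge and the browser-reported origin stands in for the ECDSA signature a real key produces, the domains, challenges and seeds are constructed, and the one-time code follows the HOTP truncation from RFC 4226. A real browser would refuse to use the credential at all on the wrong domain; the sketch lets the phishing site collect a response anyway, to show that the relying party still rejects it.

```python
import hashlib
import hmac

BANK_ORIGIN = "https://bank.example"
PHISH_ORIGIN = "https://bank-login.example"   # constructed look-alike domain

# Constructed demo secrets, not real credentials.
OTP_SEED = b"demo-otp-seed"
KEY_SECRET = b"demo-security-key-secret"  # stands in for the private key sealed inside the hardware key


def otp_code(seed: bytes, counter: int) -> str:
    """HOTP-style code (RFC 4226 truncation). It depends only on seed and counter,
    so it is valid no matter which website the user types it into."""
    mac = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**6:06d}"


def bank_verify_otp(counter: int, submitted: str) -> bool:
    return hmac.compare_digest(otp_code(OTP_SEED, counter), submitted)


def authenticator_assert(challenge: bytes, browser_origin: str) -> dict:
    """What the security key signs: the challenge plus the origin the browser reports.
    The user cannot edit this field. HMAC stands in for the key's ECDSA signature."""
    client_data = f"{challenge.hex()}|{browser_origin}".encode()
    sig = hmac.new(KEY_SECRET, client_data, hashlib.sha256).hexdigest()
    return {"origin": browser_origin, "signature": sig}


def bank_verify_assertion(challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks from the WebAuthn flow: the origin must be ours, and the
    signature must cover exactly that client data."""
    if assertion["origin"] != BANK_ORIGIN:
        return False
    client_data = f"{challenge.hex()}|{assertion['origin']}".encode()
    expected = hmac.new(KEY_SECRET, client_data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def otp_relay_attack() -> bool:
    """Real-time phishing proxy: the victim types the SMS/card-reader code into the phishing
    page and the attacker forwards it to the bank within the validity window."""
    counter = 42
    victim_types = otp_code(OTP_SEED, counter)        # read from the victim's phone or card reader
    attacker_submits = victim_types                    # relayed unchanged
    return bank_verify_otp(counter, attacker_submits)  # the bank cannot tell the difference


def security_key_relay_attack() -> bool:
    """Same proxy, but the victim touches a security key on the phishing page. The attacker
    tries relaying the assertion as-is, then with the origin field rewritten to the bank's."""
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # issued by the bank, relayed by the attacker
    assertion = authenticator_assert(challenge, PHISH_ORIGIN)         # browser reports the phishing origin
    as_is = bank_verify_assertion(challenge, assertion)
    forged = {**assertion, "origin": BANK_ORIGIN}                      # origin rewritten, signature unchanged
    rewritten = bank_verify_assertion(challenge, forged)
    return as_is or rewritten


def legitimate_key_login() -> bool:
    challenge = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    assertion = authenticator_assert(challenge, BANK_ORIGIN)
    return bank_verify_assertion(challenge, assertion)


if __name__ == "__main__":
    print("OTP relay succeeds:", otp_relay_attack())
    print("Security-key relay succeeds:", security_key_relay_attack())
    print("Legitimate key login succeeds:", legitimate_key_login())
```

The one-time code carries no information about where it was entered, so a proxy that forwards it within the validity window is indistinguishable from the customer. The key’s response is bound to the origin; relaying it fails on the origin check, and rewriting the origin field fails on the signature check.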

If the finance industry is to effectively protect customers and customer data while providing the user experience that today’s consumers expect, they must look beyond basic protection methods to provide strong yet frictionless authentication. It’s shocking that social media accounts are often more secure than bank accounts as of today. Since consumers are increasingly exposed to better protection elsewhere, they'll soon be demanding the same security assurances for their bank account.

Philippe Alcoy, Security Technologies for NETSCOUT, describes the cybersecurity threat facing the financial services sector, the damage it has done and how it can best be safeguarded against.

In 2020, for the first time in history, the annual number of Distributed Denial-of-Service (DDoS) attacks exceeded 10 million. These attacks took place at greater frequency, speed, and strength, enabling attackers to knock out their targets faster than ever before. Now, NETSCOUT is seeing threat actors re-targeting companies that successfully mitigated earlier attacks, focusing particularly on the finance industry.

Before looking at DDoS attacks in relation to the financial sector, it is important to understand what a DDoS attack is. DDoS attacks can be described as malicious attempts to make online services unavailable, which is achieved by overwhelming the service with traffic from multiple systems. The industries targeted by these attacks are wide-ranging, from telecommunications and eCommerce to finance and healthcare.

In 2020, the financial sector emerged as a prime target for cybercriminals. NETSCOUT observed that there were more DDoS attacks against the finance industry in the month of June than there were from January to May 2020. In fact, from June to August 2020, there were more attacks against the industry in this period than were seen in total between April 2016 and May 2020. There was also an increase in the speed of attacks that were taking place against the financial sector, with the total throughput of attacks increasing by roughly 4.5 times worldwide.
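As an added illustration for this section (not NETSCOUT’s detection logic), the following Python snippet shows the simplest form of volumetric DDoS detection a defender can run over flow records: count packets per second per destination, take the median window as a baseline, and alert on windows that are both far above baseline and fed by many distinct sources. The records are constructed for the demo, using documentation address ranges: ten quiet seconds from two clients, then three seconds in which 200 addresses flood one host.

```python
import statistics
from collections import defaultdict

TARGET = "203.0.113.10"  # constructed victim address (documentation range)


def make_sample_flows():
    """Constructed NetFlow-style lines: 'epoch src dst proto bytes packets'."""
    lines = ["# epoch src dst proto bytes packets"]
    for t in range(10):  # quiet baseline: two legitimate clients, 20 packets/s in total
        lines.append(f"{1617000000 + t} 198.51.100.7 {TARGET} tcp 800 10")
        lines.append(f"{1617000000 + t} 198.51.100.8 {TARGET} tcp 640 10")
    for t in range(10, 13):  # flood: 200 sources, 50 packets each, every second
        for i in range(200):
            lines.append(f"{1617000000 + t} 192.0.2.{i} {TARGET} udp 25000 50")
    return "\n".join(lines)


def parse_flows(text):
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, nbytes, pkts = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                        "bytes": int(nbytes), "packets": int(pkts)})
    return records


def detect_volumetric(records, factor=10.0, min_sources=50):
    """Per destination, bucket packets into one-second windows, use the median window as a
    robust baseline, and flag windows that exceed factor x baseline from at least
    min_sources distinct addresses (the 'distributed' in DDoS)."""
    pps = defaultdict(lambda: defaultdict(int))
    srcs = defaultdict(lambda: defaultdict(set))
    for r in records:
        pps[r["dst"]][r["ts"]] += r["packets"]
        srcs[r["dst"]][r["ts"]].add(r["src"])
    alerts = []
    for dst, windows in pps.items():
        baseline = statistics.median(windows.values())
        for ts in sorted(windows):
            n_src = len(srcs[dst][ts])
            if windows[ts] > factor * baseline and n_src >= min_sources:
                alerts.append({"ts": ts, "dst": dst, "pps": windows[ts],
                               "sources": n_src, "baseline_pps": baseline})
    return alerts


if __name__ == "__main__":
    for alert in detect_volumetric(parse_flows(make_sample_flows())):
        print(alert)
```

The source-count condition is what separates a flood from a single misbehaving client or a legitimate burst. One caveat: the median is only a safe baseline while the attack occupies fewer than half the windows being judged, so in production the baseline should come from a trailing quiet period rather than from the same interval that is being scored.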

DDoS extortion campaign

This campaign of DDoS attacks targeting the finance industry was taking place worldwide, with banks, exchanges and other financial services organisations all being hit. But there was something unusual about these DDoS attacks: they were part of an extortion campaign. This involves extortionists demanding a payment via Bitcoin within a specified amount of time prior to or following a demonstration DDoS attack. In most scenarios, when the demands of the attackers aren’t met, the ensuing attack that was threatened does not end up taking place.


More recently however, NETSCOUT has discovered that the same attackers are returning to previous targets. The organisations that were successfully able to mitigate the first DDoS extortion attack are now being retargeted in follow-on attacks, months after the original attacks took place.

The impact of the campaign

The financial sector is a prime focus for this DDoS extortion series and the more recent retargeting campaign because its organisations are perceived to have access to large amounts of money, as well as vast swathes of private data, making them an obvious target for those behind the campaign.

It should be noted that the attackers claim to be part of well-known attack groups, such as ‘Lazarus Group’, ‘Fancy Bear’, and ‘Armada Collective’ to try and boost their credibility and scare their targets into paying up. As such, NETSCOUT has given the attackers the nickname ‘Lazarus Bear Armada’ (LBA).

Unlike other threat actors, these LBA attackers have carried out extensive research into identifying the appropriate email inboxes that are regularly checked and used, to make sure their threats are read by the right people. The increased accuracy of the extortion emails has the potential to cause serious damage in the financial sector: the campaign can disrupt a large number of services used by finance organisations, from online banking platforms and website access to the internal systems that keep an organisation operating and serving its customers.

A DDoS extortion campaign can lead to institutions losing a large amount of money, even without a ransom being paid, because the initial demonstration DDoS attack results in downtime for part of the company.

An indirect consequence of a DDoS extortion attack is the reputational damage that it can cause. For example, when financial organisations are hit by a DDoS attack, customers may be unable to access their money and financial information, and may feel put off or let down by the organisation not having the appropriate DDoS countermeasures in place.


In order to mitigate the risk posed by DDoS extortion campaigns, financial services organisations must have a solid plan of action in place. It is vital that when organisations are attacked, they know who to contact and notify. This should include key stakeholders, security providers and local regulators. Financial institutions should also learn from previous DDoS extortion campaigns that targeted the industry. For example, there are clear similarities between the DD4BC series of attacks that took place between 2014 and 2016 and the current extortion campaign, with both targeting the financial sector.

While a DDoS extortion attack can be devastating for organisations in the financial services sector, provided they have the right protection and plan of action in place, the damage caused by the attack can be kept to a minimum.

Ilia Sotnikov, VP of Product Management at Netwrix, looks at the state of cybersecurity in financial services and the external factors that drive it forward in 2021.

The past year has required financial teams and organisations to review many of their technical processes, especially as employees were forced to work remotely almost overnight. Research shows that 30% of financial organisations feel they are at greater cybersecurity risk now than they were pre-pandemic. The majority (64%) are concerned about both more frequent cyberattacks and the security gaps caused by remote work – but despite this increased concern about malicious activity, the most reported incidents for financial firms involved human error.

As a result, 2021 will certainly see financial organisations reassessing their data security policies to be fit for purpose in a post-pandemic digital world. However, given the wide range of financial services emerging, financial organisations today are at very different levels of security maturity. Some have consistent ongoing risk management, established processes and dedicated IT security teams. Others simply expect IT operations to handle security as a part-time assignment. Many financial organisations on the less technically mature side of the spectrum, or those that still rely heavily on legacy systems, simply lack the internal motivation to adopt better security practices.

External pressures for financial services

The good news is that moving into 2021, these organisations will be driven to increase security maturity by external factors: cyber insurance and privacy regulations. With 2021 bringing both new privacy laws and stricter enforcement of existing regulations to minimise the risk of incurring steep fines for compliance failures, businesses will turn to cyber insurance.

The bad news is those policies will come with their own security standards and requirements, such as regular risk assessment and effective detection and response capabilities.


In 2020, many privacy-related bills were pushed down the priority list by more urgent tasks related to the global pandemic. However, this is not an issue that will go away. Any British or European business that deals with local or international markets has to comply with GDPR – and with Twitter’s recent fine of approximately €500,000 for failing to promptly declare and properly document a data breach marking the first cross-border GDPR ruling, there will be renewed vigour in the finance industry to ensure compliance. Furthermore, payments-related legislation such as PCI-DSS and PSD2 will come under further strain, given that one major consequence of the pandemic has been to accelerate the move to cashless payments.

A balancing act to compliance and security

This renewed focus on privacy laws requires financial organisations to pay more attention to what data they hold, how they handle it, and who is accessing it and why. Failing to document this, or to follow documented policies, can result in significant fines in the event of consumer complaints or a data breach. This may force finance firms to adopt security and data governance practices they did not have in place this year.

The other driving factor for financial firms to revamp their data security measures is cyber insurance. The cyber insurance market is growing rapidly at an impressive 26% CAGR. This growth is fueled by the surge in cyberattacks and businesses seeking to offset their risks, and executives and board members recognising potential breaches or ransomware threats as business risks.

Finance companies are more likely to turn to insurance as an option to deal with the potential cost of these new risks. However, cyber insurance is not a “pay-and-forget” purchase. To lower the risk that their customers will be breached, cyber insurance carriers are requiring them to comply with the carriers’ own security standards, such as regular risk assessment and effective detection and response capabilities. In this way, cyber insurance carriers contribute to the growth of security solutions that provide such functionality. Finally, they force companies to cover the security fundamentals and to regularly re-evaluate their IT risk programmes and their carrier’s policy changes to ensure adequate coverage, as insurance is not a panacea for a weak or inconsistent security programme.


The long view

It's safe to say that in the coming year, insurance and legislation will drive mass adoption of fundamental security practices among finance firms and teams. However, given the particular data pressures they face, financial services will face a balancing act between meeting insurance criteria and complying with the regulatory standards themselves. While this may throw up some data management challenges, in the long run it will certainly prove beneficial in helping financial services improve their cybersecurity posture.

Finance Monthly hears from Jay Floyd, Senior Principal Financial Crime Consultant at ACI Worldwide, on the threat faced by banks and countermeasures they can employ against it.

Fraudsters are natural opportunists and extremely innovative with their methods. Whether through authorised push payment (APP) fraud scams, phishing attacks or even targeting vulnerable people during the COVID-19 crisis, they will always find new ways to make money with no remorse.

This makes the task of protecting consumers and companies from fraudsters’ relentless activities an increasingly challenging one for banks, especially during a time of global crisis and uncertainty, and with the growth of payment channels through Open Banking.

However, by thinking seriously about how they can embrace strategic anti-fraud technologies, and by ensuring that their Open Banking platforms are secure through engagement with Qualified Trust Service Providers (QTSPs), banks can protect their customers against fraudsters both today and tomorrow.

Fraud is constantly evolving and growing

A decade ago, deploying malware was the easiest and most common method of getting into someone’s account. But as banks have strengthened their technical defences, fraudsters have increasingly turned to social engineering. Whether via email or telephone, many criminal gangs now impersonate a victim’s bank or other authorities like the police, persuading the victim to hand over account authentication codes or even make fraudulent transactions themselves.

Taking this one step further, some fraudsters are even combining remote access trojans with social engineering, persuading victims to install malicious software on their device so that the fraudster can carry out their activity without needing to engage with the victim again. With such scams constantly evolving, it is increasingly difficult for banks to combat fraud.


As such, instant payments fraud is growing at an alarming speed. And while it should be acknowledged that instant payments have revolutionised banking, in an era of pandemics it is no exaggeration to say we are dealing with a payments pandemic.

Recent figures from UK Finance add stark colour to this picture. Card fraud (both debit and credit) accounted for £288 million in the first half of 2020 – an 8% decrease compared to the same period in 2019. However, cases of remote banking fraud and APP fraud both increased – by 59% and 15% respectively. When combined, this amounts to £287.5 million lost to remote banking and APP fraud in the first half of 2020 – almost on par with card fraud. Though there are industry initiatives such as ‘Confirmation of Payee’, in the very near future it is expected that remote banking and APP fraud will overtake card fraud across Europe and the UK. And this is worrying.

Engage with QTSPs to mitigate fraud

The rise in remote banking fraud may be further accentuated by the proliferation of open banking services. But despite the fact that fraudsters will look to exploit weaknesses in Open Banking, this relatively new service should be embraced. Its benefits cannot be underestimated or denied. In fact, recent OBIE data suggests 50% of UK small businesses now use open banking services to see their accounts in real time, forecast their cashflow and issue paperless invoices to clients. But banks do need to think seriously about weaknesses and loopholes, and about how they protect customers from fraud in the coming months and years.

Fraudsters are already exploiting the vulnerabilities around open banking, especially when it comes to Account Information Service Providers (AISPs). Authorised to retrieve account data provided by banks and financial institutions, AISPs are a critical piece of the open banking infrastructure jigsaw. However, it is believed criminals are starting to create fake AISPs, in some cases impersonating legitimate AISPs, much like doxing, to gain access to customers’ accounts and data.


To mitigate this risk, banks need to think seriously about how they engage with Qualified Trust Service Providers (QTSPs) to certify and validate AISPs and PISPs. QTSPs provide banks with the digital certificates for AISPs and PISPs, and are themselves regulated under the eIDAS directive. But while they have been around since early 2019, QTSPs still remain largely invisible in the financial community. Banks must configure their anti-fraud technology to monitor AISP and PISP activity, and also establish a process to validate eIDAS certificates via QTSPs, to ensure that they only release access to customers’ accounts to the right parties. Not only will this help banks mitigate the risk of fraudulent AISPs and PISPs, or man-in-the-middle attacks, it will also enable them to meet a range of other electronic security requirements.
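The validation step described above comes down to one rule: a third party is an AISP only if the certificate it presents chains to a trusted QTSP root, is within its validity period and is permitted for the purpose it is being used for; the name in the certificate proves nothing on its own. The Go program below is an added example written for this page, not code from ACI Worldwide or from any QTSP. It builds a constructed test PKI (a stand-in QTSP root, a genuine AISP certificate issued by it, and a look-alike certificate with the same subject name issued by an untrusted CA) and shows the bank-side check using only the standard crypto/x509 library. Real eIDAS/PSD2 certificates also carry qualified statements and PSP role information that a production check must inspect; that part is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate returns a certificate template for the constructed test PKI.
// CA templates get the basic constraints and key usages a root needs; leaf
// templates are restricted to TLS client authentication, which is how an
// AISP presents itself to the bank's API.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"constructed test PKI"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with the parent's key (self-signed when parent is nil)
// and returns the DER certificate together with the new private key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	return der, key, err
}

// TestPKI holds the constructed trust setup: one trusted "QTSP" root, a
// genuine AISP certificate issued by it, and a look-alike AISP certificate
// with the same subject name issued by a CA the bank does not trust.
type TestPKI struct {
	QTSPRoot, GenuineAISP, FakeAISP []byte
}

func BuildTestPKI() (*TestPKI, error) {
	rootDER, rootKey, err := issue(newTemplate("Constructed QTSP Root CA", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}
	genuine, _, err := issue(newTemplate("Example AISP Ltd", 2, false), rootCert, rootKey)
	if err != nil {
		return nil, err
	}
	rogueDER, rogueKey, err := issue(newTemplate("Untrusted Issuer", 3, true), nil, nil)
	if err != nil {
		return nil, err
	}
	rogueCert, err := x509.ParseCertificate(rogueDER)
	if err != nil {
		return nil, err
	}
	fake, _, err := issue(newTemplate("Example AISP Ltd", 4, false), rogueCert, rogueKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{QTSPRoot: rootDER, GenuineAISP: genuine, FakeAISP: fake}, nil
}

// ValidateAISPCert accepts a certificate only if it chains to one of the
// trusted QTSP roots, is inside its validity period and is permitted for
// client authentication. The subject name alone is never trusted.
func ValidateAISPCert(leafDER []byte, trustedRoots [][]byte) error {
	pool := x509.NewCertPool()
	for _, der := range trustedRoots {
		root, err := x509.ParseCertificate(der)
		if err != nil {
			return fmt.Errorf("bad trusted root: %w", err)
		}
		pool.AddCert(root)
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("bad AISP certificate: %w", err)
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	roots := [][]byte{pki.QTSPRoot}
	fmt.Println("genuine AISP:", ValidateAISPCert(pki.GenuineAISP, roots)) // <nil>
	fmt.Println("fake AISP:   ", ValidateAISPCert(pki.FakeAISP, roots))    // unknown authority
}
```

The two leaf certificates carry an identical subject, "Example AISP Ltd", so any check that matches on the name would let the fake through; only the chain to the trusted root separates them. In a deployment the trusted roots would be the QTSP certificates the bank has enrolled rather than one generated at start-up, and the same `ValidateAISPCert` call would run for every inbound AISP or PISP connection before any account data is released.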

Real-time payments bring a sense of urgency for both the fraudster and the bank’s victim. And while instant payments and open banking have undoubtedly brought countless benefits, the rising levels of fraud are a real cause for concern. Fraudsters will always find new ways to make money illegally. But by ensuring they have the right fraud technology, and by aligning that technology to integrate with Open Banking messages and with QTSPs, banks can put themselves in the best position to detect fraudulent AISPs and PISPs and prevent as much fraud as possible.

A number of the world’s biggest private equity firms, including Silver Lake Partners LP, Thoma Bravo LP and Blackstone Group Inc, have seen their stakes in software firms greatly devalued following a wide-reaching hack on software provider SolarWinds Corp.

SolarWinds stock has slid 20.8% from last week’s close after reporting on Sunday that suspected Russian hackers had inserted malicious code into software used by the company to carry out updates, allowing the operatives to access sensitive systems undetected.

The “Sunburst” operation, remarkable for its size and sophistication, constitutes the biggest cyberattack against the US government in more than five years. Around 300,000 companies and agencies use systems provided by SolarWinds, with around 18,000 believed to have used compromised versions of its software since the attack began in March.

SolarWinds’ customers include most US Fortune 500 companies, all of the top 10 US telecom providers, the US military and various other government branches. The UK government and the NHS are also listed among the company’s clients.

Silver Lake holds a stake of nearly 40% in SolarWinds. Following the plunge in the value of its shares, this stake is now worth $2.3 billion, and Thoma Bravo’s 33% stake is now worth $1.9 billion.

Blackstone’s $400 million November investment in cybersecurity firm FireEye Inc also suffered from the hack, as the company’s shares fell 11% after hackers stole a collection of hacking tools used to test clients’ cyber defences. FireEye, which has contracts across the US national security sector and with its allies, uncovered the SolarWinds breach while probing this attack.


Regulatory filings showed that, following the theft of its tools, FireEye amended its deal with Blackstone and co-investor ClearSky to make it more favourable to the private equity companies. The firm opted to convert the FireEye-preferred shares that the investors stood to receive to common stock at $17.25 rather than the initially agreed $18.

FireEye shares traded at around $13.58 on Tuesday afternoon.

Annie Button outlines the most common financial failures of SMEs and how they can be averted.

Running a business is tough, regardless of what sector you work in. But if you’re not careful where your finances are concerned, you could be making the situation harder than it needs to be. These are some of the common financial pitfalls that many businesses slip into and how to avoid them. 

Failing to have a budget in place

A business budget is vital for managing future expenses and controlling your finances. But so many businesses operate month to month without any plan for the business’s earnings. 

To ensure that you’re not spending where you can’t afford to, or paying too much in one category, you should have a budget in place that is conservative – in other words, keep your income estimates on the low end of the scale and your expenses on the higher side, so that you’re not caught out at the end of the month. 

Too many people on the payroll

As a business, you want to grow and scale up – it’s a sign that you’re doing well and, for most businesses, it’s the ultimate goal. But having too many people on the payroll too soon could mean you’re overspending where you can’t afford it. Many entrepreneurs find themselves in need of help and they hire too many people too fast, which causes problems where the budget is concerned. 

A compromise to ensure you’re not doing everything yourself is to look into hiring people on a part-time basis or contractors. Freelancers are also an alternative that can help you save money without compromising on your business, as you will only be paying for the work they carry out rather than a full-time salary.


Suffering from a cyber attack

A cyber attack can impact your business in multiple ways, from its finances and operations to the reputation of your brand. Cybercrime can be incredibly costly to resolve, not just because of the remediation work required to clean up the system but also because of the reputational damage it can cause. 

There’s also the issue of compliance and adhering to GDPR regulations that could mean your company is fined for failing to protect customer information. 

It’s vital to secure your network, make sure that staff receive cyber awareness training, and invest in proactive rather than reactive cybersecurity technologies. You should also enforce secure password policies across the business and use firewalls to protect data. It’s also a wise decision to back up your data regularly and have protocols in place should an attack occur.

Failing to separate personal and business finances

A common mistake that can be detrimental to businesses is merging personal and business finances. It’s important to consider your business a completely separate entity from yourself from the start, as it can cause complications in the future if you don’t.

You should set up a separate bank account where all money earned from the business is paid into and any business expenses are paid out of. Likewise, if you require a credit card, ensure that your business has a separate one so that it’s easier to track payments. 

Not saving for a rainy day

Issues with cash flow can be a real problem, even for successful businesses, if payments aren’t managed properly. And while it’s nice to believe that everything will run smoothly from day one, chances are there will be unexpected events or emergencies in the future that require funds to keep the business afloat. 2020 has possibly reinforced this point even more for so many businesses.


To ensure you’re never in a difficult situation, it’s important to have money tucked away for such situations that you can lean on when times are tough, without having to resort to credit cards and loans. A good rule to follow is to assess what your basic responsibilities are and average out the cost, then put three months’ worth aside in a contingency fund. 

Final thoughts

There are so many potential risks when running a business and it’s all too easy to assume that your business won’t suffer if you cut a few corners. But ultimately, in order for your business to thrive and stay in good financial shape, it’s critical that you consider all eventualities and prepare for them accordingly, whether that’s having savings in place, protecting data from threats or being savvy about how you hire staff. 

Rob May, Managing Director and founder of ramsac, looks at some emerging trends in cybercrime and how firms can best defend themselves.

Security, for financial clients, has had to adapt in many ways over the last decade. The most recent, and most urgent, line of defence has come in response to the unexpected, novel threat of a global pandemic. But as more clients move their operations onto digital platforms, that risk grows and becomes ever more complicated. Remote operations, for example, open a place of business to both insider attacks and outside ones.

While the financial service industry has always been one of the “most-breached sectors” (accounting for 35% of all data breaches), cyberattacks have become even more widespread and sophisticated during the global pandemic. This is, arguably, because operations have had to quickly onboard their business digitally. And, with new digital models, there are troubled spots, or weaknesses.

With more financial companies seeking to create new digital customer experiences, investing in a wealth of technology innovations, and working remotely, this could result in a new wave of extreme cyberattack scenarios leaving companies vulnerable to serious data breaches or worse.

To gain deeper insights and help guide financial companies in their decision-making when it comes to cybersecurity, we’ve rounded up the emerging cyber threats, how they could evolve in the future, and solutions to address them during these challenging times.

Be Watchful of Malware

Cyber-risk management should be watchful and vigilant of the most common cyber-risks. Malware will breach systems and ransom, corrupt, or steal data. Even though it is common, over the years several US states and counties (including Texas) have observed growing sophistication in how these attacks are delivered. One incident saw several malicious ransomware attacks launched at once, effectively a multiparty attack reaching across jurisdictional boundaries, the first cybercrime event of its kind.


The solution, a suitable line of cyber-defence, would include early planning and preventive measures for multiparty attacks and disruptive threats. Oftentimes awareness is a helpful starting point. But defence and security measures alike need to anticipate more complicated, organized cybercrime as it becomes increasingly sophisticated.

For those in finance, a defence plan could include trial simulations to measure internal response times and mock scenarios to help security teams shape their reactions to real future attacks. Likewise, building cross-sector peers and contacts can be helpful in organising a defence against a larger cyber-risk.

Misinformation Can Deceive

This has been one of the largest threats throughout COVID-19 and has rallied a shared, collective attempt to cull the flow of misinformation online. Many known bodies, including NASDAQ, have predicted a possible spike in market manipulation on the heels of COVID-19, where attention is split between a global pandemic response and economic recovery.

Misinformation can pose as seemingly harmless advice on stock investments while actually driving malicious activity. These disruptive attacks tend to prey on market volatility and flagging economic confidence. In the past, such attacks have been known to use fraud as sleight of hand to inflate stock values.

A reasoned solution to this issue would require financial firms to conduct extra due diligence and caution when navigating the market and instructing their clients on financial manoeuvres. As surface information could be corrupted, extra research and investigation can steer financial decisions away from malicious foul play.

Data Manipulations Are Disruptive

Traditionally, data was duplicated or destroyed. While this was harmful to firms, the next evolutionary stage of cybercrime, since the latter half of 2019, has moved on to data manipulation. There have been cases where breached data has been altered or encrypted rather than simply stolen. This has led to increased scrutiny of cloud security, which has known vulnerabilities.


Before onboarding new digital solutions for your business, ensure they can be securely integrated. New technologies can be helpful in expanding a business’s productivity, but they should be approached cautiously.

There is a range of emergent threats that result from cyber-risks. The best, and most reasoned, solution is to prepare for cybercrime with a ready line of defence and the right security tools. The boom in digital businesses, and in those migrating online, creates a greater urgency than ever to prepare security to handle a new universe of threats.

The world’s biggest work-at-home experiment has now shifted into a more permanent structural change, leaving companies grappling with the next operational challenge – intensifying cybercrime. Prior to the pandemic, businesses typically over-relied on in-office cybersecurity systems to protect data, because they rarely had to worry about threats to data outside of the workplace. Fast forward to March 2020, and companies had to quickly recalibrate their entire operations or face their business model being rendered redundant. Since the crisis took hold, approximately 90% of banking and insurance workers worldwide transitioned to a work-at-home set-up[1], the majority of whom are accessing corporate and customer data online on insecure devices.

The scope for cybercriminals to exploit the vulnerabilities of remote technologies to commit financial crimes has increased exponentially for customers being onboarded, and having their financial matters dealt with online. While safeguarding customers remains at the top of the corporate agenda, providing a seamless, omnichannel digital experience cannot be compromised. In this fast-evolving FinTech landscape, financial services must seek to leverage technology that can meet both increasing expectations for an elevated customer experience, whilst fighting internal and external cybercrime. The industry has an important opportunity to leverage Artificial Intelligence (AI) solutions, used in the front-office, to prevent and react to threats, potentially saving billions in lost funds – not to mention protecting brand reputation.

Fast-evolving threat landscape

According to a recent report, the financial services sector fell victim to over half (51%) of all opportunistic cyber-attacks during the crisis[2]. Fraudsters have been launching sophisticated attacks to impersonate financial organisations, by luring in customers with fake emails or phone calls offering financial assistance, only to extract customer data. In fact, impersonation scam cases in the UK were up a staggering 84% in the first half of the year compared to the same period last year[3].

As financial services companies expand their omnichannel offerings to meet the demand for real-time access to services, so too does the opportunity for potential vulnerabilities. Interacting with customers requires access to their personal information on a granular level; where an interaction once involved a traditional phone call, it is now likely to also include communication via chat, email, SMS, social media, or all channels combined. Of the 5.2bn financial transactions in the UK in the first half of the year, 84% were made through mobile devices, broadening the number of access points and the opportunity for exploitation.

Safeguarding data with AI

Customer-facing AI chatbots present an affordable solution in fraud detection and payment protection – capable of identifying anomalous activity that could easily be missed by human agents. This helps to address the human error that was behind a staggering 90% of data breaches in the UK last year[4]. Used to assist customers in a number of financial transactions, such as reviewing accounts and making payments, chatbots allow users to handle simple tasks on their own, but in a highly secure manner.

Leveraging deep Machine Learning (ML) capabilities, AI-powered chatbots are programmed to learn patterns of work across multiple banking channels. By monitoring vast datasets that have been collected from past incidents, companies can recognise inaccuracies in payment information or unusual behaviours of users to continuously improve detection capabilities. Alleviating pressure from IT teams in the process, security analysts can refocus their time and resources toward actual cases of fraud and strengthen trust with affected customers. Lessons learned can then be quickly communicated and translated into targeted training for affected work groups and used to tailor customer experiences accordingly.
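The paragraph above describes the outcome (unusual payment details or user behaviour being recognised against past activity) without showing the mechanics. The Go program below is an added example, not code from the article or from any chatbot vendor, and it stands in for the learned model with three transparent per-user signals that real systems also use: an amount far outside the user's historical norm (z-score), a payee the user has never paid, and payment velocity. A single signal only adds a reason; two or more together flag the payment for review rather than blocking it, which is the stance a customer-facing channel needs if it is not to create its own denial of service. The history, thresholds and the user "alice" are all constructed.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Txn is one outbound payment as a banking channel (app, web or chatbot) sees it.
type Txn struct {
	User   string
	Payee  string
	Amount float64
	Time   time.Time
}

// Score is the outcome of checking one payment against the user's history.
type Score struct {
	Reasons []string
	Flagged bool
}

// ScoreTransaction compares a new payment with the user's past payments on
// three signals: an amount far above the user's norm (z-score), a payee the
// user has never paid, and velocity (three or more payments in the preceding
// ten minutes). Two or more signals flag the payment for review. Thresholds
// are illustrative, not tuned values.
func ScoreTransaction(history []Txn, t Txn) Score {
	var n, sum, sumSq float64
	payees := map[string]bool{}
	recent := 0
	for _, h := range history {
		if h.User != t.User {
			continue
		}
		n++
		sum += h.Amount
		sumSq += h.Amount * h.Amount
		payees[h.Payee] = true
		if d := t.Time.Sub(h.Time); d >= 0 && d <= 10*time.Minute {
			recent++
		}
	}
	var reasons []string
	if n >= 5 { // an amount baseline needs some history before it means anything
		mean := sum / n
		sd := math.Sqrt(sumSq/n - mean*mean)
		if sd < 1 { // floor for very regular spenders; avoids dividing by ~0
			sd = 1
		}
		if z := (t.Amount - mean) / sd; z > 3 {
			reasons = append(reasons, fmt.Sprintf("amount %.2f is %.1f sd above mean %.2f", t.Amount, z, mean))
		}
	}
	if !payees[t.Payee] {
		reasons = append(reasons, "payee never paid before")
	}
	if recent >= 3 {
		reasons = append(reasons, fmt.Sprintf("%d payments in the previous 10 minutes", recent))
	}
	return Score{Reasons: reasons, Flagged: len(reasons) >= 2}
}

// SampleHistory is a constructed month of small, regular payments by one user.
func SampleHistory() []Txn {
	amounts := []float64{20, 25, 30, 22, 28, 35, 40, 24, 26, 30}
	payees := []string{"grocer", "utility"}
	start := time.Date(2020, 11, 1, 9, 0, 0, 0, time.UTC)
	var h []Txn
	for i, a := range amounts {
		h = append(h, Txn{User: "alice", Payee: payees[i%2], Amount: a, Time: start.AddDate(0, 0, 3*i)})
	}
	return h
}

func main() {
	hist := SampleHistory()
	now := time.Date(2020, 12, 3, 14, 0, 0, 0, time.UTC)
	for _, t := range []Txn{
		{User: "alice", Payee: "grocer", Amount: 27, Time: now},
		{User: "alice", Payee: "crypto-exchange", Amount: 950, Time: now},
	} {
		s := ScoreTransaction(hist, t)
		fmt.Printf("%-16s %7.2f flagged=%-5v %v\n", t.Payee, t.Amount, s.Flagged, s.Reasons)
	}
}
```

For the constructed history the £27 payment to a known payee scores nothing, while the £950 payment to a never-seen payee collects two reasons and is flagged. The reasons travel with the score so that an analyst, or the chatbot's own message to the customer, can say why the payment was held; a model that only emits a probability cannot support the "targeted training for affected work groups" the article describes.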

By prioritising AI for risk reduction systems, financial services can avoid hefty fines for failing to detect fraud and improve acquisition and retention. Customers are more likely to choose or stick with trustworthy banks that have a good track record of preventing cyber-attacks.

Banking on an AI-enabled future

It has fast become table stakes for financial institutions to build and implement robust security software and include fraud prevention and detection tools at a keystroke level. Leveraging technologies that are already used on consumers’ digital channels, and using these to secure each point of interaction, can help build an ecosystem of trusted devices while maintaining a consistent user experience. As a self-learning solution, AI-powered chatbots can assume future attack scenarios in the uncertain post-pandemic world – keeping the internal infrastructure running smoothly for employees, whilst maintaining consistent and safe online transactions for customers.

[1] https://www.bis.org/fsi/fsibriefs7.pdf

[2] https://uk.finance.yahoo.com/news/covid-19-leads-to-surge-in-cyberattacks-144142232.html

[3] https://www.ukfinance.org.uk/covid-19-press-releases/impersonation-scams-almost-double-in-first-half-of-2020

[4] https://www.infosecurity-magazine.com/news/90-data-breaches-human-error/
