
At stake are our personal data, as well as our monetary possessions. While the concern for the former is a rather new phenomenon, the latter have been guarded by a multi-layered web of intermediaries. And still banks and other financial institutions regularly witness the weaknesses of this set-up. Below Igor Pejic, author of new book ‘Blockchain Babel: The Crypto-Craze and the Challenge to Business’, confronts the question: Is the Blockchain Really Unsinkable?

In recent years a technology hailed for its immutability entered the stage: the blockchain. This cryptographically secured, distributed ledger was originally designed to bypass the financial system by enabling a digital currency, yet today banks are among the most active in blockchain research, trying to reap the benefits of this supposedly tamper-proof ledger. But is the blockchain really unhackable?

Many readers will have heard stories about stolen bitcoins and hacked exchanges. Mt. Gox is one such story. In 2014 Mt. Gox was the world’s largest crypto-exchange, processing around 70% of all bitcoin transactions, when it announced that around 850,000 bitcoins had gone missing (roughly 200,000 were later recovered). Further hacks, such as that of the Slovenian exchange Bitstamp, followed. Most recently Quadriga, a Canadian exchange, made headlines because its founder Gerald Cotten reportedly died on a trip to India. He was the only person who knew the private keys to wallets holding the funds of 115,000 customers, worth $143m. Those funds are therefore inaccessible and lost.

Yet when commentators use these examples to cast doubt on blockchain security, they confuse different dimensions of data security, in particular the integrity of data during a transaction with its integrity before or after a transaction. The hacks above stem from lax security outside the transaction itself, above all the storage of private keys, which no chain can protect: whoever holds a key can spend the coins it controls, and the network cannot tell a stolen key from a legitimate one. While parts of the crypto sphere are reacting (Bitstamp has introduced two-factor authentication for access to funds), many wallets and exchanges continue to operate with hair-raising security standards.

But what about the mechanism itself? Can attackers inject bogus transactions or rewrite past ones? The answer depends on the validation mechanism a particular blockchain uses. Take bitcoin and the other chains that work with so-called proof-of-work validation. Here validator nodes, better known as miners, invest massive computing power in solving a mathematical puzzle by trial and error. They want the “right” solution because only the miner who finds it first is rewarded with freshly minted coins, and once found, the solution can be verified quickly by the rest of the network. The major danger is an attacker who gains control over more than 50% of the network’s hashing power. Such an attacker still cannot forge other users’ signatures or spend coins whose keys he does not hold, but he can out-mine everyone else and so decide which transactions the longest chain contains. The classic abuse is a double spend: he submits a payment, waits until the goods or service he paid for have been handed over, then uses his computing majority to mine a competing chain from a block before that payment, leaving the payment out. Because nodes follow the chain with the most accumulated work, the payment vanishes and the coins are his to spend again. Below 50% the same attack is still possible, but its chance of success falls off exponentially with each confirmation the merchant waits for, which is why merchants wait for several blocks before treating a payment as final.
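The odds behind that last sentence can be worked out exactly. The following Python is an added example, not code from the article or its author: it implements the double-spend success probability from section 11 of the bitcoin whitepaper, where q is the attacker's share of the hash rate and z the number of confirmations the merchant waits for, and uses it to find how many confirmations push the attacker's chance below a chosen risk level. Only the standard library is used; the risk threshold of 0.1% is the one the whitepaper itself uses.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with fraction q of the total hash rate
    eventually overtakes the honest chain once a merchant has waited for z
    confirmations (bitcoin whitepaper, section 11).  Honest share is p = 1 - q."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the total hash rate")
    if z < 0:
        raise ValueError("z must be a non-negative number of confirmations")
    p = 1.0 - q
    if q >= p:
        # A majority attacker catches up with certainty, however long the
        # merchant waits: this is the 51% attack.
        return 1.0
    # While the honest network mines z blocks, the number of blocks the
    # attacker mines is Poisson distributed with mean lam.
    lam = z * q / p
    ratio = q / p
    poisson = math.exp(-lam)            # P(k = 0); updated in the loop
    never_catches_up = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # P(k) = P(k - 1) * lam / k, avoids overflow
        # Having mined k blocks the attacker is z - k behind; the chance of
        # closing that gap in a biased random walk is ratio ** (z - k).
        never_catches_up += poisson * (1.0 - ratio ** (z - k))
    return 1.0 - never_catches_up


def confirmations_for(q: float, max_risk: float, limit: int = 10_000) -> int:
    """Smallest z at which the attacker's success probability drops below
    max_risk.  No z exists against a majority attacker."""
    if q >= 0.5:
        raise ValueError("no number of confirmations protects against a majority attacker")
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError(f"risk not reached within {limit} confirmations")


if __name__ == "__main__":
    for z in range(7):
        print(f"q=0.10 z={z}: P={attacker_success_probability(0.10, z):.7f}")
    for q in (0.10, 0.30, 0.45):
        print(f"q={q:.2f}: wait {confirmations_for(q, 0.001)} confirmations for <0.1% risk")
```

With a 10% attacker the usual six confirmations bring the risk to about 0.02%; a 30% attacker needs 24, and a 45% attacker 340, which is why the economics of renting that much hash rate, not the maths alone, is what keeps double spends rare.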

Critics will point to the infamous DAO hack. The DAO (Decentralized Autonomous Organization) was a leaderless organization that issued a token built on Ethereum smart contracts. In 2016 an attacker exploited a flaw in the DAO’s contract code (not in Ethereum’s cryptography) to drain roughly $50m worth of ether. An ideological conflict within the Ethereum community prevented a soft fork that would have neutralised the theft, so a hard fork split the chain into Ethereum (the version without the hack) and Ethereum Classic (the version including it). But even this example was not a hack of the blockchain; it was a bug in the DAO code sitting on top of the Ethereum blockchain, which the chain executed exactly as written. Despite many problematic constellations (a high concentration of mining pools, and a limited number of ISPs hosting large parts of prominent blockchains) the mechanism as such has never been hacked. Attacks are very expensive and their advantages for the most part short-lived.

Does this mean the blockchain is immutable? No. We have to rid ourselves of the fairytale that there is such a thing as absolute security. There is always a way to trick the system, even if it is as unlikely as the 51% attack described above. The question we should ask instead is whether blockchain is more secure than current systems. What most critics of new payment technology do not know is that even the SWIFT network, which carries payment messages between 11,000 financial institutions worldwide, has been abused in the past: in separate heists, banks in Bangladesh and Ecuador lost millions after attackers compromised the banks’ own systems and SWIFT credentials rather than the messaging network itself. Blockchain technology has so far proven less susceptible to several attack vectors while doing away with intermediaries. This should render the discussion about absolute immutability superfluous.

Now a booming trading market, cryptocurrencies do however create an avenue of risk. Below Schalk Nolte, CEO at Entersekt, discusses said risk and the overall safety of trading Bitcoin and the likes.

It’s official: Bitcoin is now the golden child of the investment community. Following news headlines about becoming instant millionaires, starry-eyed cryptocurrency enthusiasts are flocking to online exchanges to get in on the action. Sign up, transfer funds and trade – the faster, the better. To keep the eager traders’ money and data safe, these exchanges all need to have transaction security in place. And most of them do – except that their security appears to be stuck in the early 2000s.

Nine years ago, Bitcoin didn’t exist. Today, between three and six million people are estimated to have a bitcoin wallet, with over $3 billion worth of the currency traded every 24 hours. Nine years ago, the one-time password sent by text message (SMS OTP, also called a mobile transaction authentication number or mTAN) represented the apex of transaction security. Today, other technologies have left SMS OTPs in the dust in terms of both user experience and security, and for good reason.

SMS OTPs depend on mobile network operators for delivery, and they demand extra effort from the user without making transactions fraud-proof in return. They are vulnerable to man-in-the-middle (MITM) attacks because an OTP is never truly out of band: whatever route delivers it, the user types it back into the primary channel, so a phishing page or malware sitting in that channel can relay the code to the real service within seconds and approve a transaction the user never saw. The OTP proves that someone holds the phone; it does not say which transaction it was meant to approve. The dependence on mobile networks adds SIM swapping and number porting as further attack routes, since whoever controls the number receives the codes.

In fact, in August 2017, Sean Everett, CEO of artificial intelligence startup PROME, lost a significant cryptocurrency investment held with Coinbase after a simple number-porting attack gave the attacker his SMS OTPs. Soups Ranjan, Coinbase’s head of data science, commented: “I firmly believe we have the hardest payment fraud and user security problem in the world right now.” So how is it possible that the OTP is still the security measure of choice at the majority of cryptocurrency exchanges, and, more importantly, what are the alternatives?

In order to protect its trader members and allow them to match the pace at which cryptocurrency fluctuates, a cryptocurrency exchange needs to do three things:

Minimize risk: This is done by implementing a solution that offers solid app security and strong customer authentication for all transactions.

Make things easy: A convenient and user-friendly trading platform will attract and retain customers. To put it another way, play to a real-world trading scenario: if you were a trader, would you want to open an app, copy an OTP, switch apps, and then paste it? Or would you prefer to simply open an app and scan your fingerprint? The choice isn’t difficult – especially considering that the easier option is also the safer one.

Achieve regulatory compliance: It’s cheap and easy for a trading platform to recommend or require that traders install a third-party app like Google Authenticator, but this will clash with regulatory requirements such as PSD2’s Regulatory Technical Standards on Strong Customer Authentication. Those standards demand dynamic linking: the authentication code for a remote payment must be bound to that payment’s specific amount and payee. Third-party authenticator apps typically authenticate only the login, not the transaction, and so do not meet this requirement. OTPs, needless to say, do not comply either.

If they want to offer winning and secure trading options for cryptocurrency aficionados, it makes no sense for these exchanges to insist on obsolete, not to mention risky, technology. Instead, exchanges should employ a more robust and convenient out-of-band authentication solution that does not rely on mobile networks. They should look for a solution that offers PKI-based authentication and transaction signing directly from the mobile phone: because the signature covers the details of the transaction the customer saw and approved, an attacker who intercepts it cannot reuse it for a different payment. That builds trust in cryptocurrency trading practices while providing a user-friendly experience.
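To make the difference between the two approval methods concrete, here is an added Python example (not code from the author, Entersekt or any exchange). It plays through the relay attack described above against an OTP-based exchange and then against one that requires a signature, computed on the phone, over a bank challenge plus the payment details the customer actually saw. The bank, phone, phishing proxy, wallets and amounts are all constructed. One simplification is labelled in the code: an HMAC under a per-device key stands in for the asymmetric signature a PKI deployment would use, so the "bank" here holds the device key itself, whereas a real PKI server would hold only the device's public key. The binding property being demonstrated is the same either way.

```python
import hashlib
import hmac
import json
import secrets


def canonical(payment):
    """Deterministic bytes for a payment so signer and verifier hash the same thing."""
    return json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()


class Phone:
    """Constructed stand-in for the customer's handset and authenticator app."""

    def __init__(self):
        self.sms_inbox = []
        self.device_key = secrets.token_bytes(32)  # provisioned at enrolment

    def sign(self, challenge, payment):
        # The app displays `payment`; the customer approves exactly what is shown.
        return hmac.new(self.device_key, challenge + canonical(payment), hashlib.sha256).hexdigest()


class OtpBank:
    """Approves a payment when the SMS OTP for its session comes back.  The OTP
    is not bound to the payment details, so whatever payment opened the session
    is the one that gets executed."""

    def __init__(self, phone):
        self.phone = phone
        self.pending = {}
        self.ledger = []

    def start_payment(self, payment):
        session = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[session] = (otp, payment)
        self.phone.sms_inbox.append(otp)
        return session

    def confirm(self, session, otp):
        expected, payment = self.pending.pop(session, (None, None))
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        self.ledger.append(payment)
        return True


class SigningBank:
    """Approves a payment only with a fresh signature over the bank's challenge
    and the payment details (the dynamic linking PSD2 asks for)."""

    def __init__(self, phone):
        # HMAC stand-in: a PKI deployment would store only the device's public key here.
        self.verify_key = phone.device_key
        self.challenges = set()
        self.ledger = []

    def challenge(self):
        c = secrets.token_bytes(16)
        self.challenges.add(c)
        return c

    def confirm(self, challenge, payment, signature):
        if challenge not in self.challenges:
            return False  # unknown or already used: blocks replay
        self.challenges.discard(challenge)
        expected = hmac.new(self.verify_key, challenge + canonical(payment), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            return False  # details changed after the customer approved them
        self.ledger.append(payment)
        return True


INTENDED = {"amount": "0.5", "currency": "BTC", "to": "ALICE-WALLET"}  # constructed


def proxy_rewrite(payment):
    """The phishing proxy forwards the customer's request with a new beneficiary."""
    return {**payment, "to": "MALLORY-WALLET"}


def otp_under_relay():
    """Customer approves INTENDED through a phishing proxy; returns what the bank did."""
    phone = Phone()
    bank = OtpBank(phone)
    session = bank.start_payment(proxy_rewrite(INTENDED))  # proxy talks to the real bank
    otp = phone.sms_inbox[-1]                               # customer types it into the fake page
    accepted = bank.confirm(session, otp)                   # proxy relays it within seconds
    return accepted, bank.ledger


def signing_under_relay():
    """Same proxy, but the approval is a signature over what the customer saw."""
    phone = Phone()
    bank = SigningBank(phone)
    challenge = bank.challenge()
    signature = phone.sign(challenge, INTENDED)
    accepted = bank.confirm(challenge, proxy_rewrite(INTENDED), signature)
    return accepted, bank.ledger


def signing_honest():
    """A legitimate approval succeeds once; replaying the same approval fails."""
    phone = Phone()
    bank = SigningBank(phone)
    challenge = bank.challenge()
    signature = phone.sign(challenge, INTENDED)
    first = bank.confirm(challenge, INTENDED, signature)
    replay = bank.confirm(challenge, INTENDED, signature)
    return first, replay, bank.ledger
```

Running the three scenarios shows the point of the section: the OTP bank pays MALLORY-WALLET even though the customer did everything right, while the signing bank rejects the rewritten payment and also rejects a replay of a genuine approval, because the challenge is consumed on first use.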

On the flip side, cryptocurrency traders should be demanding better security from the platforms they use. It is the only way for them to keep their investments safe and avoid becoming the next cybercrime news headline. After all, if cryptocurrency is at the cutting edge of innovation, shouldn’t the same apply to the protection of its trade?

In force since January, the Second Payment Services Directive (PSD2) is the EU directive behind what in the UK is known as Open Banking: it forces the largest of our banks to open up access to their customers’ account data, a change that could alter the way many people and businesses bank. Below Jerry Matthews, Commercial Manager & Head of Bridging at KIS Finance, explains everything you need to know, touching on the risks and opportunities and answering the big question: is it safe?

The Competition and Markets Authority (CMA) has started a revolution which encourages consumers to share their financial data with third-party companies, after years of being told to do the exact opposite.

The Open Banking Implementation Entity (OBIE) was created in response to the UK Government’s request for a fairer, more transparent banking and financial services. Transparent is definitely what they got.

What is Open Banking?

Open Banking is a new system that lets customers allow third-party providers other than their bank to access their financial information.

These providers can be anything from insurance and mortgage companies to shopping sites and mobile phone and broadband providers.

The main idea is to give consumers more control of their financial information and have access to a wider range of products and services. Customers can allow the company to analyse their spending habits and offer them better deals, tailored to them.

A change in UK law means that banks must allow FCA-regulated businesses to access a customer’s personal and financial information, but the customer must give their permission first. Customers can give and withdraw permission at any time they choose.

The bank may only block a business’s access on the customer’s behalf if it suspects that the company is fraudulent or not regulated by the FCA.

When will Open Banking Start?

Four of the nine largest UK account providers, Lloyds Banking Group, Nationwide, Allied Irish Bank and Danske, are ready to start Open Banking now.

RBS, HSBC, Barclays and Bank of Ireland have been given a maximum of six weeks by the Competition and Markets Authority (CMA). Santander’s Cater Allen has been given another year to prepare.

To integrate the new system smoothly, for the first six weeks the banks and companies offering Open Banking services have been asked to make it available only to a small group of selected customers and to limit the number of instructions processed.

How Will These Third-Party Providers Gain Access to our Information?

There appear to be two methods by which your information can be accessed:

APIs: Application Programming Interfaces are the communication technology developed for Open Banking with customer security at the forefront. APIs are already used by many online tools and mobile apps to provide joined-up services, allowing software from different companies to, essentially, ‘talk’ to each other. Used this way, your bank passes the provider only the information you have agreed to share, over a connection the bank authenticates, and the permission can be switched off at the bank without touching your own log-in details.

Log-In Details: The other method is for third-party providers to ask you to share your online banking log-in details directly with them, a practice known as screen scraping. Yes, you read that right. A separate piece of legislation, the Payment Services Directive, will allow some companies to do this.

The company can then log in to your online banking account as if it were you, to access your financial data such as transaction history, direct debits and standing orders. Because it holds the same credentials you do, it is likely to see a far wider range of information than it needs, and the bank cannot tell its activity apart from yours. So the only way to be certain you have withdrawn your permission from such a company is to change your account password and other security details.
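The security difference between the two methods comes down to scope, expiry and revocation. The following Python is an added illustration, not part of the article and not the Open Banking or PSD2 API (the real Open Banking APIs implement this pattern with OAuth 2.0 consent flows): a toy account server where a shared password yields the whole account until it is changed, while a consent token covers only named resources, expires, and can be revoked on its own. The account data, the provider name `BudgetApp` and the 90-day consent period are constructed; time is passed in explicitly so the behaviour is reproducible.

```python
import hmac
import secrets


class Bank:
    """Constructed toy account server; not the Open Banking or PSD2 API."""

    RESOURCES = ("balance", "transactions", "direct_debits", "personal_details")

    def __init__(self):
        self.accounts = {
            "acc-001": {
                "password": "correct horse battery staple",
                "balance": 1250.0,
                "transactions": [("2018-01-15", -42.10, "GROCERY"), ("2018-01-26", 2000.0, "SALARY")],
                "direct_debits": [("BROADBAND CO", 29.99)],
                "personal_details": {"name": "A. Customer", "date_of_birth": "1980-01-01"},
            }
        }
        self.consents = {}  # token -> consent record

    # Method 1: the customer hands the provider their online-banking credentials.
    def login(self, account, password):
        acct = self.accounts.get(account)
        if acct is None or not hmac.compare_digest(acct["password"], password):
            return None
        # The provider now is the customer: every resource, no expiry.
        return {name: acct[name] for name in self.RESOURCES}

    def change_password(self, account, new_password):
        self.accounts[account]["password"] = new_password

    # Method 2: the customer consents to a provider reading named resources via the API.
    def grant_consent(self, account, provider, scopes, now, ttl):
        unknown = set(scopes) - set(self.RESOURCES)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self.consents[token] = {
            "account": account, "provider": provider,
            "scopes": frozenset(scopes), "expires": now + ttl, "revoked": False,
        }
        return token

    def revoke_consent(self, token):
        if token in self.consents:
            self.consents[token]["revoked"] = True

    def api_read(self, token, resource, now):
        consent = self.consents.get(token)
        if consent is None or consent["revoked"] or now >= consent["expires"]:
            raise PermissionError("consent missing, revoked or expired")
        if resource not in consent["scopes"]:
            raise PermissionError(f"consent does not cover {resource}")
        return self.accounts[consent["account"]][resource]


def _attempt(call):
    try:
        call()
        return "allowed"
    except PermissionError:
        return "denied"


def credential_sharing():
    """What a provider sees with the password, and what it takes to cut it off."""
    bank = Bank()
    session = bank.login("acc-001", "correct horse battery staple")
    everything = sorted(session)
    bank.change_password("acc-001", "a different passphrase")  # the only lever the customer has
    after = bank.login("acc-001", "correct horse battery staple")
    return everything, after


def consented_api_access():
    """Scoped, time-limited, revocable access for a constructed budgeting app."""
    bank = Bank()
    day = 86_400
    token = bank.grant_consent("acc-001", "BudgetApp", ["balance", "transactions"], now=0, ttl=90 * day)
    outcome = {"balance": bank.api_read(token, "balance", now=day)}
    outcome["out_of_scope"] = _attempt(lambda: bank.api_read(token, "personal_details", now=day))
    outcome["expired"] = _attempt(lambda: bank.api_read(token, "balance", now=91 * day))
    bank.revoke_consent(token)
    outcome["revoked"] = _attempt(lambda: bank.api_read(token, "balance", now=2 * day))
    return outcome
```

The shared-password path returns all four resource types and keeps working until the customer changes the password, which also breaks every other legitimate use of that password. The consent path returns the balance, refuses personal details that were never in scope, stops after the agreed period, and stops immediately on revocation, all without the customer touching their own credentials.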

Do you Actually Have to Share your Information?

I am glad to say no, this isn’t mandatory.

The new rules state that banks must allow third-parties access to your information, but you have to explicitly give that company your permission – they can’t just look at your account willy-nilly. There will be an option to either switch on or switch off Open Banking on your account.

Once you have given that company permission, it’s not set in stone either. You can withdraw your permission at any time.

So, there is some security in knowing that this isn’t some sort of new binding contract.

So, what are the Potential Risks with Open Banking?

Current surveys suggest that a majority of consumers are reluctant to hand out personal and financial data. But, with the new system, this behaviour is expected to steadily change over time.

However, this does open up massive risks surrounding data privacy and security.

There are worries that, by creating more chains of data access, it will be much harder to prove who was at fault if a customer’s information is stolen, making it harder than it already is to be compensated in such situations.

Not to mention that people handing out personal and financial data is a gold mine for fraudsters.

To name just one potential scam, fraudsters could easily impersonate third-party providers, copying their branding and the channels they use to contact customers, to trick people into handing over their data, leaving consumers at risk of losing their money and, potentially, having their identity stolen.

Also, giving a company your bank log-in details, when the only sure way of knowing that you have cancelled your permission is to change your password? This is the main thing consumers are told never to do: never hand out your bank log-in details. This leaves your details at huge risk, and something just doesn’t make sense to me.

It is absolutely vital that the industry regulators ensure that consumers are wholly protected from any data breaches if they are to use these services with confidence and trust.

The Positives…

Although I think there is a lot at stake for people who decide to go forward with Open Banking, I do think that, for some people, this could be a way to gain much better control over their finances.

With Open Banking, it could be made easier to assess what type of bank account is best for you by analysing how you actually use it. For example, a lot of people can be unsure of how much their overdraft is costing them, but if a company can see your account, they may be able to provide you with a much clearer perspective and give you cheaper alternatives.

Or, for people who want to save money but are struggling to do so, sharing their data with budgeting companies/apps could help them see where and how they can save money.

According to the latest IBM Security report, the finance industry faces 65% more cyberattacks than the average organisation. In 2016 the finance industry was the most targeted sector for cybercrime, an increase of 937% on the previous year.

What’s more, up to 50% of security breaches go unreported to the public by the affected organisations for fear of damaging their reputation and people's confidence in investing with them. The result is that most people never realise their data and money are at risk. The recent cyberattack that hit organisations such as Telefonica, Renault and the British NHS (the WannaCry ransomware outbreak) caused turmoil and panic in businesses across all sectors worldwide. While cybersecurity is the biggest concern for most organisations today, the finance sector is the one most affected by cybercrime on a daily basis.

The recent attack is a wakeup call for many who may now question if their money is safe and ask how best to protect it.

What makes a secure hedge fund?

Steven Jupp, CEO of Avem Capital, says: “Coming from the technology and security sector, when selecting Avem Capital as a worthy hedge fund to lead, it was my priority to ensure we had the best security and protection for all our data. Naturally, when choosing a hedge fund, cybersecurity is not the biggest concern for most of our Clients. Many don’t even consider such matters at all. It is also a very well-known fact that both platforms and the regulators are making keen headway during selection and onboarding processes, as well as during the lifecycle.

“However, concerned or not, in terms of cybersecurity I’m confident that we are one of the most secure and safe hedge funds in the market in respect to data and technological infrastructure.”

With the recent data showing how heavily targeted and poorly protected the finance sector is, it is apparent that cybersecurity is often omitted while thinking of a hedge fund. Avem Capital believes that this should be a priority for both Clients and the Hedge Fund Management – an integral part of its DNA. It is so much more than choosing a good antivirus software.

As Jupp highlights, there are numerous things to look out for when thinking of cybersecurity: “We do our best to prevent any possible attacks from any side, we like to be one step ahead of the game. At Avem Capital we introduced some of the most powerful, pro-active security management systems in the world, many of which are proprietary and reduce the potential fingerprint attacks available to commercial world applications.

“Our in-house logical security engineers are constantly monitoring numerous channels, both regular web-based and deep web-based, in order to protect and defend against zero-day exploits,” says Jupp.

Furthermore, Avem Capital also uses Data Loss Prevention systems, both in email and in document management, allowing it to track the propagation of a document and secure it against intervention by a third party.

Another approach adopted by Avem is that all infrastructure and mobile-connected devices are patched at least weekly. Critical security patches are tested against the firm’s software and operating systems and then deployed on the day of notification. To ensure only secure devices enter the corporate network, traders and fund managers cannot buy or sell from any device other than guarded desktop devices. Bring Your Own Device (BYOD) is not permitted on the corporate network at any point. To enforce this, Avem utilises a separate infrastructure capable of detecting potential threats or rogue devices.

With companies investing billions of dollars and private investors entrusting their life savings to hedge funds, the finance industry needs to step up its game when it comes to cybersecurity. The key is always to assume the worst-case scenario and prevent possible threats by using all available tools to ensure security.

(Source: Avem Capital)

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.