You’ve seen a lot of content, articles, warning and advice on cybersecurity, with hundreds of firms trying to sell you next level cyber protection. So, before you do anything else, you need to know what exactly it is you’re protecting yourself against. Below Suid Adeyanju, Managing Director of RiverSafe, lists 10 threats you need to be aware of.
In early July IBM Security and the Ponemon Institute released a new report titled ‘Cost of a Data Breach Study’. In this study it was reported that that the global average cost of a data breach and the average cost for lost or stolen information both increased. The former is up 6.4% to £2.94 million while the latter increased by 4.8% year over year to $112.57. This shows that cyberattacks on enterprises continue to rise. In particular over the last two years there has been a continual stream of concerning data security breaches.
One of the ways that organisations can defend against attacks is to ensure staff understand and are educated about the cyber threat landscape.
Understanding Threats to your Business
Getting the right technology, services, and security professionals is only a part of tackling the cyber security problem. It is also important that companies get a clear understanding of the cyber threat landscape. This means knowing where these types of attacks can come from and in turn, who is leading the attack (whether it be an individual or group). Often, knowing the answer to these types of questions leads to an understanding of the motive and makes countering the attacks easier. So, in this article, I wanted to highlight the areas of the cyber threat landscape that enterprises should be aware of.
By understanding all the different types of attacks in the cyber threat landscape it can help you build your cyber defence by identifying a motive and being able to trace what kind of opponent your business is facing, as well as if this is an attack aimed primarily at an individual, an organisation or a national-level threat where the solution would be to work with other companies to stop the attack as a team.
Mobile phone security is still a blind spot for some CFOs, CEOs and investors. Business strategies to prevent cyber-attacks often focus on servers, computer systems and the cloud, yet it is smartphones and tablets that are the new end point. Below Peter Matthews, CEO at Metro Communications, discusses six simple ways CFOs can make the most of their own and their employees’ phones, without compromising on security.
Research from Gartner shows that 27% of corporate data traffic will bypass perimeter security by 2021 and flow directly from portable devices to the cloud.
These mobile gadgets may have increased productivity immeasurably, but their escalation has also increased the risk. There is much more valuable data held on mobile phones than most users would credit. Documents, chat messages, videos, voice calls, texts, address book, calendar and location are all data, all valuable, and - to the right criminal – all worth stealing.
The uncomfortable truth is that with 72% of large UK companies experiencing a cyber breach in 2017, all business leaders have to take action to increase their awareness, secure all of their communications and ensure they can quickly recover from any damaging action. The key question is how?
The proliferation of mobile devices, wireless internet, insecure apps and the Internet of Things, aided and abetted by cheap hacking tools, means that any approach to cyber security should include an assessment of mobile security to keep pace with emerging threats. For CEOs and CFOs in the UK and beyond, doing nothing is not an option.
There used to be a certain romance about a classic bank robbery - the outlandish plots, the intricate planning and the ingenious strategies (often involving digging tunnels) designed to get criminals into the vault and out with the cash. In the 21st century, though, the digital banking revolution means that instead of cracking the vault, cybercriminals are concentrating on cracking the network and moving laterally within it to get their hands on the goods. This doesn’t make for such great movie plots but it does mean that banks are facing a far more relentless threat to their security systems. Below Finance Monthly hears from Rick McElroy, Security Strategist of Carbon Black, to find out how today’s would-be bank robbers are targeting the digital vault.
It’s no surprise that the financial sector is constantly under attack as criminals pursue financial gain directly, or via the theft and sale of valuable customer data. The number of material cyber incidents reported to the Financial Conduct Authority rose 80% in 2017 and that trend is only likely to continue. More specifically, what we found when talking to CISOs is that the threat has undergone considerable evolution in the past three years and the last six months have seen still greater innovation from cybercriminals as they adopt new techniques, tactics and procedures to thwart banks’ attempts to keep them at bay.
The invisible invasion – fileless attacks on the rise
Instead of leaving a gaping hole in the door of the vault, cybercriminals would rather banks didn’t know they’d got in at all. Fileless or non-malware attacks are increasing as actors “hide in plain sight” using legitimate tools, such as PowerShell and Windows Management instrumentation, to gain illegitimate access to networks and facilitate lateral movement without detection. 90% of the CISOs we talked to had seen PowerShell being used during an attempted attack on their network. This awareness is actually a good thing, because with 97% of Carbon Black customers suffering non-malware attacks in the last year, if our CISOs hadn’t spotted an attack of this kind it would simply have meant that the attacker had succeeded in getting in unseen.
Ransomware remains a tactic of choice for cybercriminals with 90% of financial institutions reporting that they were targeted by a ransomware attack in 2017. The commoditisation of ransomware, which now sees it offered on an “as-a-service” basis, and the lack of expertise needed to carry out attacks means that it has become the lowest common denominator of cybercriminal activity and with financial gain being the primary motivation of most cybercriminals, it’s not surprising that banks are a regular target.
Criminal masterminds are getting smarter
So far, so familiar, but a most interesting and concerning development uncovered by our survey was that a quarter of CISOs had experienced counter-incident responses when defending their networks. Attackers have realised that network defence is often based on simple indicators of compromise that launch an automated or manual incident response playbook. By going off-script after their initial attempt, they can find another way in while security teams think they have thwarted the original threat. Tactics include mutating code, targeting security analysts and engineers in separate but coordinated attacks, deleting logs from endpoints to obscure their activities and launching DDoS attacks on critical defence systems. As attacks grow in sophistication, cyber security becomes a high stakes game of digital chess, where the attacker only has to be lucky once, but defenders need to get it right every time.
The weakest link – third party providers
It’s not just their own security banks need to consider. The security of third party technology service providers is becoming an increasing concern as attackers seek out the weakest link in the chain. They use suppliers’ privileged credentials with the banks’ networks as a stepping stone to gain access to their real target. 44% of CISOs at financial institutions said they’re concerned about this issue and as more incidents come to light the scale of the problem will be more clearly revealed.
To combat the twenty-first century thief, we need to remember that we’re talking about human assailants here. It’s logical that attacks will grow more sophisticated as attackers learn more about companies’ defences – the potential loot is well worth the effort of innovation. Security teams are locked in a cycle of reactivity which needs to be broken if they are to gain the upper hand. So far, only 37% of financial institutions say that they have established threat hunting teams which means that, far from keeping thieves out of the building, 63% are still having to wait until they hear them knocking on the door of the vault before they can act. With an average of 220 days between intrusion and detection a lot of digital gold can leave the building before anything is done about it!
By actively threat hunting, teams look for signs of abnormal activity on endpoints that could indicate compromise well before any alerts are generated. To quickly detect and respond to threats, suppress intrusion and prevent lateral movement, financial institutions need to collect and analyse endpoint data in near-real-time. By doing this they can build up a ‘sight picture’ of attacker behaviour relating to internal movement and external command and control channels. Once these anomalies have been detected and analysed they can be communicated to existing control mechanisms and action taken to disrupt and contain the attacker’s kill chain.
In the age of the digital bank heist a proactive threat hunting strategy is far more effective at stemming the network invasion, capable of evolving alongside the TTPs used by assailants and stopping their digital tunnelling towards the vault. It won’t make such a classic movie, but it will put a bit of star power in the hands of CISOs and security teams who really are the lead actors in the fight against cybercrime.
Below Dave Orme, SVP, IDEX Biometrics, discusses the challenging landscape of payments and fraud, the fight against scammers and the obstacles the future will find in a cashless society.
Clearing up the mess left behind by fraudsters is a serious challenge and sees financial institutions having to absorb the monetary and logistical damage of card payment fraud daily. Meanwhile, consumers are left with a feeling of dread when they see transactions, that they know they haven’t made, on their payment card accounts. Finding themselves needing to take time away from work or home, to report stolen cards, cancel cards and wait for new ones. Not only is this frustrating for cardholders, it takes a huge amount of time investment by banks to resource this process. Payment card fraud is a serious problem that affects every one of us.
In fact, card fraud is a serious and increasingly urgent problem. Financial Fraud Action UK (FFA UK) reports that in 2016, fraud across payment cards, remote banking and cheques totalled an astonishing £1.38 billion, an increase of 2% on the previous year. The overwhelming majority (80%) of this fraud involved payment cards; there was a particularly large (30%) increase in the proportion of cards lost and stolen, and these alone accounted for losses of £96.3 million.
There is no single reason for these figures; impersonation and deception scams, as well as data breaches, have all played their part. But the UK is becoming an increasingly cashless state — debit card payments overtook cash payments for the first time recently — so we have no real option but to stop the fraudsters. The obvious question is, how?
Financial institutions currently bear much of the impact of card fraud, and in response are investing heavily in machine learning, predictive analytics and other cutting-edge technologies to beat the criminals. These are having some effect; in 2017, fraud losses on payment cards fell somewhat (which contrasts with 2016, as we have seen), but even so there was still £566 million lost to payment card fraud alone and seven pence in every £100 spent was fraudulent — a very worrying statistic in a society that is rapidly increasing its reliance on cards.
In other words, payment card fraud has been a huge problem for a sustained period of time and the steps currently being taken to stop it are not effective enough.
In a society that relies more and more on technology, payment cards are the weak link; or rather, the behaviours of the people who own and use payment cards are the weak link. It is human nature to make the mundane administration of life easier — but we all know how dangerous writing down your PIN because you keep forgetting it (and worse, keeping the card and the PIN together) can be. Many people are also guilty of sharing their PIN and card with their friend/partner/relative to enable transactions without the need to be present. Others give out cards and PINs to trusted people because they are elderly or have mobility problems and getting the necessities of life is so much easier that way. All these behaviours are very common, but they are also making card crime very easy.
People fail to keep their PINs or other card details safe not because they are inherently foolish or lazy, but because PINs are simply unfit for purpose. To be effective they demand a far higher standard of discipline and security from human nature than human nature is ever likely to give. The result is a massive headache for individuals, financial institutions and businesses all over the world.
But if not PINs, then what?
Giving the finger to fraudsters
Biometrics, including fingerprint recognition, is a field increasingly recognised as holding the key to card fraud prevention as such fraud becomes a more and more urgent problem. And while financial services may be looking at large-scale use of biometrics now, in other security-conscious sectors this has already happened. For example, many smartphones (which are themselves fast becoming the twenty-first century replacement for the wallet) are protected via fingerprint authentication, usually via a sensor on the lock screen. Passports are also routinely issued with biometric authentication built in, as are government ID cards. Biometrics are used where security is non-negotiable.
Until recently, including biometric authentication in a payment card was very difficult. This is because it required a sensor to be incorporated in the card and for many years those sensors were too large and inflexible to make that viable. However, there have been breakthroughs in this technology recently and we are now able to deliver a very thin, flexible fingerprint sensor that is easy to add to a standard card, so the major barrier to using biometrics with payment cards has now been overcome.
Biometrics companies are now working in partnership with banks and other financial institutions, smartphone manufacturers and payment processing firms, to make gold standard authentication affordable, practical and available for payment card users and issuers. This is very good news for those in financial and security businesses, because the roll-out of biometrics in those fields will relieve much of the pressure of fighting what is, frankly, now a losing battle. With the arrival of simple, secure and personal authentication for all, hopefully we will see the demise of that twenty-first century pickpocket that is the payment card fraudster.
Online fraud against UK citizens has become a topic for widespread discussion as more avenues for data theft are opened to criminals. Below Finance Monthly discusses with experts at Money Guru, the true value of your personal data and the cost of keeping it safe.
Experian places the annual cost of fraud against Brits at £6.8bn and, with more and more of our personal information available online, it’s likely to rise unless proper precautions are taken.
If you aren’t savvy with your data, which includes everything from social media logins to financial details, it could end up being available to malicious actors online through channels like the dark web.
You could have access to someone’s entire online identity is available for less than £750.
26 of the most commonly used accounts available on the Dark Web, can be purchased for a grand total of… £744.30.
Digging deeper into the online services that each individual Brit is likely to use, it becomes even more shocking with the full details of 16 accounts including finance, travel, entertainment and email credentials, available for £696.90.
Let’s look at each individual data classification to find out how the loss of even one set of account details could seriously affect you.
Scammers can buy credit card and debit card details, online banking logins, passwords and PayPal account information – that’s all of these combined - for £619.40. This not only allows malicious actors access to your funds, but also a wealth of personal data that can be used for identity fraud.
Online Shopping Details
You may not be overly concerned with the security of your online shopping accounts, but they provide a great level of insight into your transactional habits as well as providing criminals the ability to order products through your account via a mail drop.
Travel Account Information
With access to accounts like Uber and Airbnb, malicious actors are given access to a lot of sensitive locational data. Not only can they access the basic details you enter to create an account, they will also be able to monitor your travel habits.
Entertainment Account Information
It’s tough to find someone who doesn’t have a Spotify or Netflix account these days making them a popular target for online criminals. At the less serious end of the spectrum it enables access to free entertainment while on the more sinister side it provides password clues to other associated accounts.
Social Media Account Information
There are few better methods of gaining insight into someone’s life than their social media accounts. These details are frequently stolen to sell to companies with little scruples about targeted advertising. It’s also a fast track to identity theft.
Email & Mobile Account Data
Being able to access emails and mobile account data provides fraudsters with a treasure trove of information about their target. It offers a jump off point for the popular, low-effort practice of spear-phishing – where a malicious actor tries to gain the credentials to more valuable accounts via social engineering and malware.
To compile this study, Money Guru accessed some of the most popular dark web marketplaces (‘Dream Market’, ‘Wall St Market’ and ‘Berlusconi Market’) to find an average price for each piece of personal data.
The big takeaway from their research is that your personal data really isn’t worth a great deal to online criminals. While the average amount stolen from a UK fraud victim is relatively small, 39% of cases result in £250 or more being stolen. In 25% of cases, this amount can vary from £500-£40,000.
The fact that it costs scammers less than £750 to access 26 accounts when it would only take a fraction of this number to potentially access tens of thousands is a frightening one.
According to new research from leading payment provider MasterCard, biometric technology is set to become an integral part of all online shopping, as tighter regulations concerning online fraud are introduced. For instance, new EU regulations come into effect next September, which will increase the number of transactions subject to two factor authentication, known as “Strong Customer Authentication” (SCA).
MasterCard has been a board member of The Fast IDentity Online (FIDO) Alliance since 2013. FIDO is a global non-profit trade association developing technical standards and certification programmes for simpler, stronger authentication.
Andrew Shikiar, CMO of The FIDO Alliance, comments: “MasterCard is spot on in its assessment; the use of passwords is woefully outdated as a means of online authentication. The problem has long been overreliance on yesterday’s approach and a reluctance to embrace the ways in which technology has transformed both our habits and the options available to us. It’s encouraging to see that the tide is finally turning, thanks in large part to evolving regulatory requirements in response to escalating levels of online fraud. Far more secure methods of authentication, including biometrics, are now readily available at our fingerprints, which can greatly improve security and privacy for consumers accessing online services, while improving the user experience into the bargain.
“As the range of activities we undertake online using mobile devices continues to rise, the more sensitive transactions – such as payments and money transfers – can be facilitated using device-enabled strong authentication. However, its success hinges on the industry’s ability to offer this at internet scale. Biometric modalities deliver a number of user experience benefits, but not all biometric systems are built on secure, tried-and-true public key cryptography. Biometric authentication relies on matching an input to a held piece of original data, and how that matching process is managed - and in particular how identifying data is stored - raises a host of security and privacy questions. For instance, if data is held in an online central database, a breach of that data could be catastrophic.
“On the contrary, a decentralised approach allows users to authenticate by using a private key on their personal device to sign a cryptographic authentication challenge from the service provider’s server. With this approach, the service provider only stores a public key associated with that user’s account, which cannot be leveraged by a hacker having infiltrated a database. This is one of many reasons why leading service providers like Google, Facebook, Microsoft, Dropbox and many more have deployed FIDO Authentication to protect hundreds of millions of consumers around the world, while reducing the outdated reliance on passwords.”
(Source: The FIDO Alliance)
Positive Technologies recently released a new report, ‘Bank Attacks 2018’, detailing that banks have built up formidable barriers to prevent external attacks, yet fall short in defending against internal attackers. Whether by puncturing the perimeter with social engineering, vulnerabilities in web applications, or the help of insiders, as soon as attackers access the internal network, they find friendly terrain that is secured no better than companies in other industries.
With access to the internal network of client banks, Positive Technologies testers succeeded in obtaining access to financial applications in 58% of cases. At 25% of banks, they were able to compromise the workstations used for ATM management—in other words, these banks fell prey to techniques similar to ones used by Cobalt and other cybercriminal gangs in actual attacks. Moving money to criminal-controlled accounts via interbank transfers, a favorite method of the Lazarus and MoneyTaker groups, was possible at 17% of tested banks.
Also at 17% of banks, card processing systems were poorly defended, which would enable attackers to manipulate the balance of card accounts. Such attacks were recorded in early 2017 against banks in Eastern Europe. The Carbanak group, notorious for its ability to attack nearly any bank application, would have been able to steal funds from over half of the tested banks. On average, an attacker able to reach a bank's internal network would need only four steps to obtain access to key banking systems.
The new report notes that banks tend to do a better job than other companies of protecting their network perimeter. In the last three years, penetration testers could access the internal network at 58% of all clients, but only 22% of banks. However, this number is still concerning, considering the high financial motivation of attackers and failure of many banks to audit code security during the design and development stages. In all test cases, access was enabled by vulnerabilities in web applications (social engineering techniques were not used). Such methods have been used in the wild by such groups as ATMitch and Lazarus.
Banks are at risk due to remote access, a dangerous feature that often leaves the door open to access by external users. The most common types are the SSH and Telnet protocols, which are present on the network perimeter of over half of banks, as well as protocols for file server access, found at 42% of banks.
However, the weakest link in bank security is the human factor. Attackers can easily bypass the best-protected network perimeter with the help of phishing, which offers a simple time-tested method for delivering malware onto a corporate network. Phishing messages can be sent to bank employees both at their work and personal email addresses. This method for bypassing the network perimeter has been used by almost every criminal group, including Cobalt, Lazarus, Carbanak, Metel, and GCMAN. In tests by Positive Technologies, employees at 75% of banks clicked on links in phishing messages, and those at 25% of banks entered their credentials in a fake authentication form. Also at 25% of banks, at least one employee ran a malicious attachment on their work computer.
The report also describes the organizational arrangements of these groups, with examples of announcements on hacker forums offering the services of bank insiders. Experts state that in some cases, the privileges of an employee with mere physical access to network jacks (such as a janitor or security guard) are enough for a successful attack. Another method for infecting banks is to hack their business partners and contractors, who may poorly secure their networks, and place malware on sites known to be visited by bank employees, as seen with Lazarus and Lurk.
After criminals obtain access to the bank's internal network, they need to obtain local administrator privileges on servers and employee computers. To continue their attack, the criminals rely on two key "helpers": weak password policies and poor protection against recovery of passwords from OS memory.
Almost half of banks used dictionary passwords on the network perimeter, but every bank had a weak password policy on its internal network. Weak passwords are set by users on roughly half of systems. In an even larger number of cases, testers encounter default accounts left behind after use for administrative tasks, including installation of databases, web servers, and operating systems. A quarter of banks used the password "P@ssw0rd". Other common passwords include "admin", keyboard combinations resembling "Qwerty123", blank passwords, and default passwords (such as "sa" and "postgres").
Once inside the network, attackers can freely roam about by using known vulnerabilities and legitimate software that does not raise red flags among administrators. By taking advantage of flaws in protection of the corporate network, attackers quickly obtain full control of the bank's entire digital infrastructure.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies outlined recommendations for banks: "The good news is that it's possible to stop an attack and prevent loss of funds at any stage, as long as the attack is detected in time and appropriate measures are taken. Attachments should be scanned in a sandbox, without depending on endpoint antivirus solutions. It's critical to receive and immediately react to alerts with the help of an in-house or contracted 24/7 security operations center. In addition, SIEM solutions substantially simplify and improve the effectiveness of incident management."
(Source: Positive Technologies)
Rising fears of cybercrime are prompting financial services firms to increase their spend on security, according to new research from Lloyds Bank Commercial Banking, which canvassed the views of the world’s largest financial institutions.
The research found that six out of seven (85%) financial services firms have spent more on tackling cyber risks in the past 12 months, with one in seven (14%) having significantly increased their spend.
Over the same period, almost nine in 10 (87%) have become more concerned about cyber-risks, with nearly a quarter (23%) becoming significantly more concerned.
Priorities and risks
When asked about what they wanted to achieve from their technology investment in the coming year, one in seven (14%) financial firms cited improved cyber-security as their top priority. It was the third highest priority area flagged behind reducing operating costs (17%) and revenue growth (26%).
The picture was similar when firms were asked about risks to their UK operations for 2018. Respondents said cyber security was one of the most significant risks, alongside increased market competition and geopolitical uncertainty, but behind macro factors such as the effects of Brexit and economic uncertainty.
Robina Barker Bennett, Managing Director, Head of Financial Institutions, Lloyds Bank Commercial Banking, said: “The pace of technological advancement continues to offer tremendous opportunities to financial institutions, but this has been mirrored by the rising threat of attacks from increasingly sophisticated cyber criminals. As a Group, we work closely with businesses across the UK to help build their digital skills, so it’s encouraging to see the UK’s financial sector is alive to the issue and responding with increased investment.”
Preparing for the worst
Despite firms prioritising investment in new technology to safeguard against cybercrime for the year ahead, one in 10 (10%) are still not insured against a cyber-attack.
A similar number (nine%) said they have taken no steps to arrange contingency funding, and seven% have made no contingency arrangements with banking providers, such as to guarantee payments, for example.
However, almost all (95%) firms questioned did say they were confident their finance and treasury functions were suitably prepared to recover from an attack, with one in five (20%) saying they were very confident.
Robina Barker Bennett added: “While reassuring overall, there are still a small minority of organisations that aren’t mitigating risk with insurance or contingency measures.
“The financial and reputational impact of a successful cyber-attack is becoming more severe. Investment in proactive, preventative cyber security measures should go hand-in-hand with robust planning for the worst-case scenario.”
(Source: Lloyds Bank Commercial Banking)
Positive Technologies has announced its latest report from its own audits of web application security: Web Application Vulnerabilities in 2017. The results, collated through the security firm’s automated source code analysis through the PT Application Inspector, detected vulnerabilities in every single web application tested in 2017. Among the key findings, 94% of applications had at least one high-severity vulnerability, demonstrating that websites are a critical weakness for organizations.
Breaking down the detected vulnerabilities by severity level, most (65%) were of medium severity, with much of the remainder (27%) consisting of high-severity vulnerabilities.
Leigh-Anne Galloway, Cyber Security Resilience Lead at Positive Technologies said: “Web applications practically have a target painted on their back. A large number of unfixed, exploitable vulnerabilities is a windfall for hackers, who can use these flaws to steal sensitive information or access an internal network. Fortunately, most vulnerabilities can be discovered long before an attack ever happens. The key is to analyze application source code.”
Financial services are at greatest risk
As expected by Positive Technologies experts, finance web applications (46% of all tested web applications) were at the greatest risk, with high-severity vulnerabilities found in 100% of tested banking and finance web applications.
In fact, web applications at banks and other financial institutions, as well as governments, draw the most attention from hackers, as confirmed in a series of Positive Technologies reports.
Denial of service is especially threatening for e-commerce web applications, because any downtime means missed business and lost customers. High-profile e-commerce web applications receive large amounts of daily visits, increasing the motivation for attackers to find vulnerabilities to turn against users.
Attacks targeting users are the most dangerous
Positive Technologies assessed the potential impact of every detected web application vulnerability and compiled a list of the most common security threats. The number-one threat is attacks that target web application users. Alarmingly, 87% of banking web applications and all government web applications tested by Positive Technologies were susceptible to attacks against users. Users of government web applications in particular tend to not be security-savvy, which makes them easy victims for attackers.
The most common vulnerability across the board was Cross-Site Scripting (affecting 82% of tested web applications), which allows attackers to perform phishing attacks against web application users or infect their computers with malware.
Other critical vulnerabilities also find their way into government web applications. For example, security assessment of a web application for a Russian local government revealed SQL Injection, a critical vulnerability that could allow attackers to obtain sensitive information from a database.
(Source: Positive Technologies)
Diversifying any investment assets sounds like a likely success in the long term, but what are the risks when it comes to cryptocurrencies? Levi Meade, Investment Analyst at Columbus Capital, provides some insight for Finance Monthly.
Diversification and its benefits is an area that has been covered many times in prominent financial literature and is something that is both well understood and commonly practiced amongst the traditional investment committee. Therefore I will not seek to reiterate the theoretical advantages of a diversified investment strategy.
However, investing into crypto-assets, as an asset class up till now purely based on speculative value of experimental technology, is a discipline that can prove to be extremely dangerous over the long term without diversification; diversification as a risk reduction strategy is imperative when risk is so high that success of an individual asset is improbable.
Crypto-assets are early stage start-ups offering a product completely as open-source software utilising techniques, security models and incentive structures that are largely unproven and at best no more than ten years on the market. This provides two major sources of risk.
Firstly, start-ups mostly fail due to a number of reasons. In general at such an early stage there are an enormous amount of barriers that a founding team need to get past in order to remain in business which are usually disproportionately harder to overcome than problems at later stages of a businesses life cycle. For instance, gaining traction amongst a large enough customer base for survival, in a situation where customers may be reasonably satisfied with existing solutions, can be difficult when human nature tends to be resistant to change. A start-up has to contend with this friction, which is embedded into human behaviour with a significantly superior solution.
Secondly, crypto-assets are pieces of open-source software that harness a variety of concepts from different disciplines which at their intersection requires highly trained experts to build and understand the technology. This creates a much larger probability of there being unknown unknowns regarding the inherent risks of a piece of a technology and on its limitations.
Risk to Reward of a Diversified Crypto Strategy
How does creating a diversified portfolio across the asset class as opposed to a more concentrated portfolio affect the overall risk reward? What is of particular importance is that with such high risk investments come the potential for massively outsized returns. For example, since its inception on the market, Bitcoin has returned over 100,000%. When creating a diversified crypto portfolio, like a venture capitalist, the aim of the game is to increase the likelihood that you are exposed to such outsized gains experienced by the winners. Even in a landscape where the majority of assets experience unfavourable returns over the long term and perhaps go to zero, the outsized gains experienced by a good investment can still lead to above average investment returns.
Also, with regards to the technical risk and the ability for us as investors to assess this technical risk, diversification works as a financial engineering tool to mitigate the affects of unknown unknowns, which may be specific to individual assets. By taking smaller positions in a greater amount of assets you can limit your exposure to such technical risks, which may be difficult to identify or predict.
Why Diversification in Crypto Could Fail
Diversification however does not help to protect against technical risks that affect the entire asset class. Another aspect of investing into experimental technology are the potential risks regarding the foundation of the new technology which could directly affect the entire asset class. One particular risk, which the space is aware of, is the incoming threat of quantum computing. The majority of crypto-assets are secured by some cryptographic problems, which would require an insane amount of computing power to break, which is simply not economically viable given the current technological constraints. However breakthroughs in quantum computing could make it possible to break such cryptographic problems, and in the process rendering Bitcoin and other similar blockchains useless at that point unless they had developed quantum resistance before such an attack occurs. Diversification therefore change the risk profile of the portfolio such that investors are more exposed to broader investment themes or even the some key risks affecting the assets class as a whole in comparison to more asset specific risks.
The Cambridge Analytica revelations have put the issue of data privacy front and centre in the minds of consumers, policy-makers and businesses. Facebook has taken up much of the media’s attention but with other recent and notable data breaches involving many millions of customer credentials, companies are being scrutinised for their data-handling practices like never before. Below Finance Monthly gains expert insight from Nick Caley, VP of Financial Services and Regulatory at ForgeRock, who delves deep into the implications of the data scandal on open banking.
In this era of heightened privacy awareness, it’s clear that there will be implications for businesses across all sectors.
This all raises significant questions for the financial sector. At a time when the banking industry is seeking to open up and encourage data sharing as part of the Open Banking initiative how should banks react to growing concerns from consumers about the risks and realities of online data sharing?
Firstly, UK banks need to prepare for their data management capabilities to be put under extra scrutiny. Banks are already well underway with their preparations for the EU General Data Protection Regulation, which comes into effect in May, and this provides them a solid foundation to work from.
However, the flurry of headlines around data protection and privacy will certainly make consumers more nervous about how and where their data is being used and, as a result, banks must be extra vigilant in order to maintain and grow customers’ trust.
For those already familiar with these issues, the reaction to the Cambridge Analytica story will not have come as a surprise. In a survey commissioned by ForgeRock before the Facebook revelations, only a third (36%) of UK consumers said they would be happy to share data in order to get a more personalised service. Yet over half (53%) said they would not be comfortable for their personal information to be shared with a third party under any circumstances at all. At the same time,
57% of UK consumers said they were worried about how much personal data they have shared online and 63% admitted that they know little or nothing about their rights regarding their own data.
Although this presents a challenge, incumbent banks do hold a considerable advantage over fintech companies and challenger banks when it comes to asking customers to share data: they are already trusted entities with a long track record of safely storing and managing customer data. As such, the demands of securing API access to high value customer data has been the focus of most Bank’s security teams for years. Investment in security expertise, well defined security operations and the latest technologies being tested ‘under fire’ and ‘at scale’ on a continuous basis lead to much greater levels of assurance. Standards such as OAuth 2, Open ID Connect and User Managed Access, which authenticate and authorize only trusted third parties, reinforce this access control model.
Our research shows that consumers do tend to trust banks and financial services companies to handle their personal data responsibly, especially when compared to more digitally native companies. ForgeRock’s survey found that banks and credit card companies were amongst the most trusted holders of personal data, with over 80% of UK consumers saying they trusted banks and credit card companies to store and use their data responsibly. In comparison, just 63% said they would trust social networks with the same data. This is very positive news for the UK banking sector particularly at a time when Open Banking is set to unleash a new wave of competition from digital-first competitors.
Why are banks considered trustworthy? Our research revealed a clear correlation between how in control of their data consumers feel, and how much they trust companies. Banks and credit card companies were ranked among the organisations that gave users most control over their data. This suggests that, particularly at a time when attention is being paid to data policies and privacy controls, banks must continue to invest in systems and processes that put control over data firmly in the hands of users.
The management of customer consent must be central to this strategy as it will only be possible to maintain and build trust if customers know they can turn data sharing on and off at their convenience. Putting consumers more in control of their data through consent and giving users transparency and control over how and under what circumstances their information can be used will allow banks to not only ensure compliance with Open Banking and GDPR, but also establish a basis on which they can build trusted relationships with their customers. They will then be well-placed to offer additional, more personalised services to their existing customers, allowing them to add valuable real time, context-based insights and offers for users, that in turn will create new revenue opportunities.
The Cambridge Analytica scandal combined with the regulatory changes that GDPR and Open Banking will bring appears to mark a turning point in how businesses approach issues around data sharing. The good news for banks is that they are already starting from a strong position as trusted holder of personal data. They now have a real opportunity to build on this and become true leaders in the next era of digital finance - by giving customers greater visibility, choice and control over their own data.
From AI to all things IoT, Russell Bennett, Chief Technology Officer at Fraedom, discusses with Finance Monthly the top five technologies that are already making waves in the banking sector.
Over the past five years, technology has fundamentally changed how the financial services sector operates. Many retail banks already successfully cater to customers’ digital needs. Business banking is now beginning to follow retail’s lead – and here we outline five of the top technologies transforming commercial banking today.
When adopting new payment methodologies, banks must strike a balance between ease-of-use, ease-of-access, and security. We’ve already seen that consumer payment methods using biometric authentication becoming mainstream and it won’t be long before corporate clients expect the same.
Extending this functionality into corporate cards has the potential to make commercial payments more seamless and secure. Mobile wallets that defer to personal attributes to make secure payments on cards offer a potential route forward.
Automation is dramatically increasing the number of financial transactions in an organisation. However, while it can track and store more processes than humans can – and more accurately – it currently can’t provide the next level service many clients are coming to expect of their financial partners: planning and modelling.1
AI is rapidly establishing itself as the missing piece of the puzzle that takes the data flows created by automated transactions and knits them together to discover patterns. All this is important to commercial banks because patterns in spending and efficiency can potentially deliver valuable insights to help clients improve their financial health.
Customers’ demands, and expectations are moving rapidly, so there is growing pressure on the banking industry to provide new, easy-to-use, frictionless digital services fast.
Application programming interfaces (APIs) provide the technology to exchange customer data with other parties in a simple and secure way2, facilitating rapid innovation in products and services. Creating new applications such as voice banking, P2P, loan processing and risk management and using APIs as building blocks, is now seen as the best way to keep up with the innovation challenges facing the financial industry.
Fintechs have dominated the API landscape by creating apps that have challenged and often surpassed solutions made by the banking industry.
To keep pace, banks now need to either invest heavily to develop this technology themselves or partner with fintechs in a bid to be more effective and efficient.3 By working together and taking advantage of APIs, banks and fintech firms can enhance the customer experience much more than either entity could do on its own.
The use of different payment types is partly a response to the consumerisation of our financial experience. Corporate clients can’t understand why payments should still be a laborious process of raising invoices and purchase orders, requesting printed cheques or bank transfers and creating lengthy payment terms.
Instead, the immediacy of a card – real, virtual or embedded in an app – ties all the above elements together. It gives unsurpassed traceability and is easy to add to financial management software.
Historically, paying by using a card has been seen as a debt generator. However, using payment cards as a substitute for invoice terms makes them a useful tool both to enhance a company’s working capital positions and to improve traceability, security and the level of control that can be placed on business spend.
An Expense Management Systems (EMS) is just one of many tools that can be brought together into a single financial view, helping businesses gain greater control over expenditure. Unlike written expense policies and separate transactional management software, an EMS embeds expense policies into the technology, allowing real-time reconciliation and approvals to take place.
Up to now, retail banking has been ahead of the game in embracing new technologies and digital disruption but corporate banks are now grasping the need to take advantage of the latest technologies to ensure commercial clients reap the same rewards - from workflow efficiencies through to intuitive, mobile first experiences, a trend that is only likely to accelerate in the future.