Web page isolation ensures secure access to the Internet, and in its most advanced form it is transparent to the users in terms of appearance, performance and responsiveness
Jason Steer, EMEA CTO at Menlo Security, explains
How to avoid phishing attacks? The first advice was to avoid responding to e-mails that looked dodgy and were full of spelling and grammatical errors. Then the e-mails became more sophisticated: they looked and read like genuine corporate announcements. So the next defense was to look at the browser’s address bar to check that the loading web page was served over a valid HTTPS site. Now we have Punycode phishing attacks that create fraudulent addresses that appear almost identical to trustworthy ones.
The problem is that computers can process non-Latin alphabets using a huge library of Unicode characters, and some of those characters look almost identical to Latin ones. For example, the Unicode characters U+0430 and U+0061 both look like a small “a” in a Chrome, Firefox or Opera browser address bar. So even an innocent-looking address like “apple.com” might take you to a fraudulent page.
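As an added example (not from the article), the following Node.js script shows the defender's side of this: it computes the Punycode (xn--) form a browser would actually connect to, flags labels that mix scripts (the article's U+0430 next to Latin letters), and flags labels made entirely of look-alikes of an ASCII name. The CONFUSABLES map is a small hand-picked subset of Unicode's confusables table, and Node.js 12+ is assumed for the WHATWG URL class and Unicode property escapes.

```javascript
// Added example, not from the article: a defender-side check for IDN homograph hostnames such
// as the article's U+0430 ("а", Cyrillic) versus U+0061 ("a", Latin).
// Assumes Node.js 12+ (WHATWG URL for IDNA ToASCII, Unicode property escapes in regexes).
// CONFUSABLES is a small hand-picked subset of Unicode's confusables table, not the whole table.
const CONFUSABLES = new Map([
  ['\u0430', 'a'], // CYRILLIC SMALL LETTER A
  ['\u0435', 'e'], // CYRILLIC SMALL LETTER IE
  ['\u043e', 'o'], // CYRILLIC SMALL LETTER O
  ['\u0440', 'p'], // CYRILLIC SMALL LETTER ER
  ['\u0441', 'c'], // CYRILLIC SMALL LETTER ES
  ['\u0443', 'y'], // CYRILLIC SMALL LETTER U
  ['\u0445', 'x'], // CYRILLIC SMALL LETTER HA
  ['\u04cf', 'l'], // CYRILLIC SMALL LETTER PALOCHKA
  ['\u03bf', 'o'], // GREEK SMALL LETTER OMICRON
]);

const SCRIPTS = [
  ['Latin', /\p{Script=Latin}/u],
  ['Cyrillic', /\p{Script=Cyrillic}/u],
  ['Greek', /\p{Script=Greek}/u],
  ['Han', /\p{Script=Han}/u],
];

// The xn-- form a browser puts on the wire; null if IDNA processing rejects the name outright.
function toAscii(hostname) {
  try { return new URL('https://' + hostname + '/').hostname; } catch (e) { return null; }
}

// Unicode scripts used by one label (digits, hyphens and other Common characters are ignored).
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPTS) if (re.test(ch)) found.add(name);
  }
  return found;
}

// Replace each confusable with its Latin look-alike (a toy version of a UTS #39 skeleton).
function skeleton(label) {
  return Array.from(label, ch => CONFUSABLES.get(ch) || ch).join('');
}

// Classify one hostname: flags mixed-script labels and labels that only look like ASCII names.
function checkHostname(hostname) {
  const reasons = [];
  const ascii = toAscii(hostname);
  if (ascii === null) reasons.push('rejected by IDNA processing');
  for (const label of hostname.normalize('NFC').toLowerCase().split('.')) {
    const scripts = scriptsOf(label);
    if (scripts.size > 1) reasons.push(`"${label}" mixes scripts: ${[...scripts].join('+')}`);
    const skel = skeleton(label);
    if (skel !== label && /^[a-z0-9-]+$/.test(skel)) {
      reasons.push(`"${label}" is a look-alike of ASCII "${skel}"`);
    }
  }
  return { hostname, ascii, suspicious: reasons.length > 0, reasons };
}

// Constructed sample hostnames: the article's single-character swap, an all-Cyrillic
// look-alike, a legitimate non-ASCII name and the genuine ASCII name.
const SAMPLES = ['\u0430pple.com', '\u0430\u0440\u0440\u04cf\u0435.com', 'm\u00fcnchen.de', 'apple.com'];
for (const h of SAMPLES) console.log(JSON.stringify(checkHostname(h)));
```

A real deployment would use the full confusables data and a registrar-aware policy, but the two checks above already catch both the single-character swap and the whole-script look-alike.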
Can we protect critical business?
With serious and wide-ranging vulnerabilities such as Punycode and Apache Struts being announced within the past two months, fears are being raised about the extent to which businesses of all kinds now rely on the use of the Internet.
Could the financial sector continue to operate without regular Internet access? Whether it is a quick Google search, keeping up to date with news or financial data, downloading a research paper or checking messages – the web browser is among the most vital applications in any business today. And yet browsers are highly vulnerable. The simple act of loading a malicious web page can compromise a computer or endpoint device so that malware can steal private data, or force an entry point into an organisation’s entire network. In 2015 alone, according to NIST, over seven hundred new browser vulnerabilities were reported, and Google’s recent report claims that website hacks rose a further 30% between 2015 and 2016 – boosted by the rise of cyber-crime and an ever-increasing range of browser features that attackers can exploit.
So what can you do if your business is utterly dependent on Internet content, and the work is so sensitive that you dare not risk any form of attack, data leak or compromise? A simple solution would be to make sure that all the data, websites or documents needed are printed out and distributed purely in hard copy format. That way critical staff get full and utterly safe access to the Internet content, without any of the dangerous “active content” that lurks beneath those harmless-looking pages. What is lost is the immediate responsiveness and business agility so necessary today.
A “greener” and more nimble solution could be to save paper by not physically printing but scanning the image of the required pages and securely transmitting a facsimile of those pages to the desktop. If that facsimile could also mimic active links to allow the reader to navigate the pages, but without any of the risky stuff going on underneath, this would offer a real, workable solution.
This approach is called “browser isolation”, because it logically and securely separates the real browser that fetches the content from the end user’s browser, permitting only a “clean” version to reach the latter. But can it be made to work well enough to deliver a good response to the user while maintaining high security and preserving the user experience?
The nature of the risk
These vulnerabilities are well known, and today’s browsers & operating systems do include built-in defenses against such straightforward browser exploits. But this does not stop more determined attackers from bypassing these defenses with sophisticated, multi-stage attacks. For every layer of built-in defense, there will be someone looking for ways to work around these barriers, and the damage will be done before a new patch can be developed and installed.
Browser isolation takes the radical step of assuming that any page – however innocent it seems or however reputable its source – may become infected. So we should never trust the native web page, but only work with its sterile reproduction. This is an emerging technology that is making rapid strides and is fast catching on with banking and financial organisations, as well as government, military, healthcare and other critical operations.
Its success depends on being able to offer the user as good an experience as an ordinary Internet browser. If it fell short by being slow, lower definition or relatively unresponsive, then productivity would suffer and users would simply risk using the original version. Any change in the appearance or behavior that forced users to change the way they work would be counter-productive: they expect everyday operations such as copy-paste and printing to work just as normal.
Equally, customers want no extra software, hardware or endpoints to manage – preferring their existing desktop browser to surf the web. A clientless cloud solution means that it can be easily and quickly rolled out across the organisation, including to personal devices, kept constantly up to date and centrally managed without adding to the IT burden.
A progressive approach
How can the above conditions be achieved? We began with the obvious suggestion of either printing the pages or scanning and reproducing them as an image. This inspired an initial approach, called “pixel mirroring”, that treats the page as an array of pixels to be reproduced at the endpoint. The result is a one-size-fits-all approach that makes no allowance for the actual content – whether text, image or video – whereas the hidden active content is specifically designed to improve the user experience by adapting the rendering to suit the content. So pixel mirroring tends to slow down page loading, reduce responsiveness and complicate common operations such as printing and copy-paste.
Some pixel mirroring solutions try to get round these problems by using specialized browsers, plugins and additional software at the end point. This can work for certain business environments, but it means losing the management advantages of a clientless solution.
A better approach must take into account the actual content type and the dynamic manner in which it is represented in the browser, i.e. the “Document Object Model” (DOM). “DOM mirroring” means that the isolated browser actively monitors the currently loaded page tab for changes, translates those changes into DOM commands (without the underlying active content) and sends those commands to the end user’s device, so the safe page automatically updates in sync with the original. So, for example, instead of sending a Flash video to the endpoint, the same movie will be sent as crisp HTML5 of suitable quality, while non-active safe elements are simply transmitted as they are. All the natively available fonts and images can be safely transmitted to the end user’s browser whilst being sanitized to prevent font and image exploits from being used. The whole page looks, feels and behaves just as it should, but it is now safe.
But is it secure?
The simplicity of handing out printed pages lay in the fact that hard copy has no underlying technology or hidden software that some very clever hacker might find a way to manipulate. How can we be sure that the DOM Mirrored web page cannot itself become infected? In a sophisticated DOM Mirroring solution there are several layers of defense against this.
Firstly, the link between the isolated browser and the endpoint safe page must be secure, and this is protected with high-grade encryption and served by a secure web proxy. Secondly, “active content blocking and transcoding” makes sure that all DOM elements are checked against a whitelist in both the isolated browser and the safe page so that, for example, no onclick attributes or script elements are allowed. At the same time, the strictest Content Security Policy reinforces the ban on active content in the safe page. Thirdly, “protocol checking and enforcement” places strict limits on the format of all DOM updates so that no channel is left open for probing for vulnerabilities or leaking data.
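To make the second and third layers concrete, here is an added example (not the article's or any vendor's code) of an allowlist validator for the DOM-update messages a mirrored safe page receives, together with a strict CSP for that page. The JSON message shape (op, node, parent, tag, name, value) and the allowed tag and attribute sets are assumptions made for this example; a real protocol would be narrower and versioned.

```javascript
// Added example, not from the article or any product: an allowlist validator for the
// DOM-update messages that a mirrored "safe page" receives from the isolated browser.
// The message shape used here is an assumption made for this example, not a real protocol.
const ALLOWED_OPS = new Set(['insert', 'remove', 'text', 'attr']);
const ALLOWED_TAGS = new Set(['div', 'span', 'p', 'a', 'img', 'ul', 'ol', 'li', 'h1', 'h2', 'h3',
  'table', 'tr', 'td', 'th', 'strong', 'em', 'br', 'video', 'source']);
const ALLOWED_ATTRS = new Set(['id', 'class', 'href', 'src', 'alt', 'title', 'width', 'height',
  'controls', 'type']);
const ALLOWED_URL_SCHEMES = new Set(['https:']);

// Strictest CSP for the safe page: no inline or third-party script, no plugins, no form posts.
const SAFE_PAGE_CSP = "default-src 'none'; img-src https:; media-src https:; style-src 'self'; " +
  "script-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'none'; form-action 'none'";

// URLs carried in href/src must be absolute and use an allowed scheme (blocks javascript:,
// data:, vbscript: and so on); relative URLs fail to parse and are rejected on purpose.
function urlIsAllowed(value) {
  try { return ALLOWED_URL_SCHEMES.has(new URL(value).protocol); } catch (e) { return false; }
}

// Validate one message. Returns null when acceptable, otherwise the reason for rejection.
function rejectReason(msg) {
  if (typeof msg !== 'object' || msg === null) return 'not an object';
  if (!ALLOWED_OPS.has(msg.op)) return `unknown op ${JSON.stringify(msg.op)}`;
  if (!Number.isInteger(msg.node) || msg.node < 0) return 'node id must be a non-negative integer';
  switch (msg.op) {
    case 'insert': {
      const tag = String(msg.tag).toLowerCase();
      if (!ALLOWED_TAGS.has(tag)) return `tag <${tag}> not on allowlist`;
      if (!Number.isInteger(msg.parent)) return 'insert needs an integer parent id';
      return null;
    }
    case 'remove':
      return null;
    case 'text':
      return typeof msg.value === 'string' ? null : 'text value must be a string';
    case 'attr': {
      const name = String(msg.name).toLowerCase();
      if (name.startsWith('on')) return `event handler attribute ${name} blocked`;
      if (!ALLOWED_ATTRS.has(name)) return `attribute ${name} not on allowlist`;
      if (typeof msg.value !== 'string') return 'attribute value must be a string';
      if ((name === 'href' || name === 'src') && !urlIsAllowed(msg.value)) {
        return `URL scheme not allowed in ${name}`;
      }
      return null;
    }
  }
  return 'unreachable';
}

// Filter a batch of messages: rejected ones are dropped and logged, never applied to the DOM.
function filterUpdates(messages) {
  const accepted = [], rejected = [];
  for (const msg of messages) {
    const why = rejectReason(msg);
    if (why === null) accepted.push(msg); else rejected.push({ msg, why });
  }
  return { accepted, rejected };
}

// Constructed sample batch: a benign paragraph-with-link update, followed by attempts to
// smuggle active content (script element, event handler, javascript: URL, unknown op).
const SAMPLE = [
  { op: 'insert', node: 7, parent: 1, tag: 'p' },
  { op: 'text', node: 7, value: 'Quarterly results are in.' },
  { op: 'insert', node: 8, parent: 7, tag: 'a' },
  { op: 'attr', node: 8, name: 'href', value: 'https://example.com/report.pdf' },
  { op: 'insert', node: 9, parent: 1, tag: 'script' },
  { op: 'attr', node: 8, name: 'onclick', value: 'doSomething()' },
  { op: 'attr', node: 8, name: 'href', value: 'javascript:void(0)' },
  { op: 'eval', node: 1, value: 'x' },
];

const result = filterUpdates(SAMPLE);
console.log('CSP:', SAFE_PAGE_CSP);
console.log(`accepted ${result.accepted.length}, rejected ${result.rejected.length}`);
for (const r of result.rejected) console.log('  rejected:', r.why);
```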
Finally there is the risk that the isolated browser might become deliberately infected in some manner that would allow it to generate or pass on a malware attack to the safe page. Because this is theoretically possible, the best DOM mirroring solution will constantly rebuild its isolated browsers and destroy old ones. As one user put it: “like being given a brand new laptop every time you go to a new website”.
A vision or a reality?
The idea behind browser isolation is as clear to most people as the idea of only working from printed paper. What they find hard to believe is that it could be possible to mirror the browsing experience securely in real time without affecting the user experience – surely there must be a performance penalty?
The only sure answer is to try it and see for oneself, and the response has been uniformly positive – notably in the highly critical and time-conscious financial sector. The latest DOM mirroring isolation platform was itself developed in collaboration with JPMorgan Chase & Co., so that its features and capabilities were from the start developed with financial services in mind. According to their Chief Information Security Officer, Rohan Amin, the platform was deployed “with zero impact to users, providing a seamless user experience for our employees”.
In just two years the same DOM mirroring isolation technology has been successfully adopted by organisations in other critical sectors, including government, technology, healthcare, oil and gas, and it is already supported by teams in the United States, UK, Germany, Japan, Singapore and Australia to meet the growing demand.
The common factor among all the early adopters has been the need for constant Internet access, combined with serious concern about the attendant risks. They find that a cloud-based isolation service is easily and quickly deployed, without any disruption of normal working patterns. The user response has been overwhelmingly positive, and the reduction in risk is boosting both morale and productivity.
Punycode phishing could even fool a trained typographer – but DOM mirroring would automatically remove its sting.
Jason Steer Solutions Architect – EMEA
Jason is an engineer at heart and has built and broken computers and networks since 1996. Jason has worked at a number of successful technology companies over the past 15 years, including IronPort, Veracode & FireEye. Jason has worked as a cyber-expert with CNN, Al Jazeera & BBC and has worked with the EU and UK Government on Cyber Security Strategy. Jason has spoken at numerous industry events such as ENISE. You can follow Jason @verylongbloke on Twitter.
New TransUnion Study Finds Smooth Digital Transactions “Essential to Business Survival” During and After Pandemic
Economist Intelligence Unit report for TransUnion highlights the crucial role emerging technologies will play in balancing fraud prevention and customer experience to help build consumer trust
A new global and UK study by the Economist Intelligence Unit for information and insights provider TransUnion has overwhelmingly found that the key to whether or not companies go out of business hinges on providing consumers with friction-right digital transactions. More than eight out of 10 executives, both in the UK and globally, said they believe smooth transactions are “essential to business survival” rather than merely a competitive edge.
“Digital transformation has been rapidly accelerated by COVID-19, with over half (52%) of UK executives, and an even higher number globally (61%), saying they have changed their digital processes as a result of the pandemic,“ said Shail Deep, chief product officer at TransUnion in the UK. “That’s not surprising when we consider some of the changes that have come about as a result of social distancing, with reports of over a fifth (21%) of UK consumers shopping online[i] for the first time during the COVID-19 pandemic. Delivering a smooth customer journey is essential to building trust, yet over two thirds (69%) of UK businesses that made changes to their digital transaction process as a result of the pandemic experienced glitches.”
The global report, “New Dimensions of Change: Building Trust in a Digital Consumer Landscape,” is based on a study with 1,610 executives across 12 countries and five continents, including 180 senior executives from the UK. The research uncovered how technologies like artificial intelligence (AI), national digital IDs[ii] and super-apps[iii] can help overcome challenges to building digital trust.
Artificial Intelligence (AI) and Biometrics Will Play an Increasingly Important Role in Fraud Prevention and Customer Experience
Overwhelmingly global respondents answered that: 1) biometrics[iv] will be the dominant payment customer authentication method, 2) improved fraud detection and security is the greatest benefit to using AI, and 3) a national digital ID system can help prevent consumer fraud.
About three quarters (74%) of UK executives say biometrics are likely to be used to authenticate the vast majority of payments in the next 10 years, although the global response was even higher, at 85%. Approximately four in 10 UK and global respondents noted that improved fraud detection and security is the greatest benefit to using AI. This was the top selection by far worldwide and in the UK, with smoother customer experience coming second at about three out of 10, both in the UK and worldwide.
Furthermore, about seven out of 10 executives in the UK and globally think national digital IDs can help fraud prevention in consumer transactions. This comes at a time when the UK government has recently outlined steps to boost secure use of digital identity, with six guiding principles[v] published in September 2020. These are intended to strengthen consumer rights around digital identity to enable wider use across the country and reports say it could ultimately help boost GDP by 3% by 2030.
John Cannon, managing director of Fraud and ID at TransUnion in the UK said: “Protecting consumers and minimising the risks of fraud they face is crucial to earning their trust, and our research shows that biometrics, AI and digital IDs are seen by businesses as the key to trusted digital commerce going forward. Implementing the right tools and technology, alongside robust policies and processes, can help businesses strike the right balance when it comes to combining fraud prevention with a seamless customer experience. As this research shows, that’s no longer just desirable, it’s going to be critical for survival.”
Digital Identification Technology is at the Core of New Benefits
Authentication and verification are essential in building digital trust and new, cutting-edge solutions can combine a range of technologies to deliver instantaneous verification of customers and reduce fraud risks, whilst still supporting great customer experiences.
TransUnion recently introduced its Document Verification and Facial Recognition solution in the UK to help businesses meet this challenge, by providing customer document and selfie capture to enable real-time, online verification through the customer’s device. Near-field communication (NFC) reading of chip-enabled passports is built into the solution, to strengthen checks on ePassports. This is important given that 65% of UK executives stated that traditional authentication factors used in digital fraud and identity checks, such as birth certificates and passports, can overly inconvenience customers who value smooth digital transactions.
In order to fully embrace the new digital solutions available, such as ePassports, businesses need to have the right technology in place. And with identity fraud on the rise – up by nearly a third (32%) in the UK over the past five years, according to Cifas[vi] – the urgency for such tools is clear.
The impact of COVID-19 has fast-tracked the move to digital commerce, with nearly two-thirds of UK consumers[vii] reporting in a separate survey that they are using contactless payment technology more due to COVID-related health and safety concerns, and 61% saying they are happier using contactless payments now than they were in 2019.
In this context, with potential fraudsters seizing the opportunities that ‘faceless’ transactions present, there’s an even greater pressure on businesses to know who their customers are and carry out the right checks, keeping pace with the latest innovations. Only by doing so can they build the digital trust they will need to succeed.
Find out more about the UK report, “New Dimensions of Change” at TransUnion’s website.
How technology has made us communicate better in crisis
By Pete Hanlon, CTO of Moneypenny
COVID-19 has taught us a lot. We have embraced technology, some might say, survived so far because of it, yet also craved that human interaction. Working hand-in-hand, these two elements will shape our future.
The impact of COVID-19 has been immense, not just health-wise but also economically. To date, people have shown their resilience, adapting quickly to a remote way of working and through the use of technology.
We have embraced working remotely, using video conferencing tools, for example to give us some contact, some ‘normal’. We have proven we can do it, so the question is will this new normal we have adapted to, be sticking around?
Pre-pandemic, Moneypenny was operating in thrive mode and we rapidly had to switch to survival mode. The first challenge was arranging for our 1,000 employees to all work from home during the initial lockdown whilst offering a near seamless service to our customers. No mean feat for a company that had always been office based for our front line people.
Luckily for us, the first Covid lockdown happened 3 weeks after we’d just finished an 18-month-long tech project to move our telephony system from on premise to the cloud. This meant we had some options, but we did need to work tirelessly to get everyone home without missing any customers’ calls.
We spent February and March trialing solutions and coming up with a plan and then we moved people to home working, team by team to assess call quality. Three weeks later everyone was working from home and it was service as normal for our clients.
This wouldn’t have been possible without a little strategizing and a lot of tech, not to mention a superb team that worked tirelessly to make it happen. Using our already brilliant tech as well as working with tech giants including Microsoft Teams, Twilio, Workplace by Facebook and Amazon Workspace, for example, who have all reported record levels of usage, we were able to look after our customers and our people. Our weekly mindfulness sessions took place online instead of in the office, team meetings happened virtually with vouchers for pizza, chocolate brownies were delivered to employees’ doors as a well-earned treat and our management teams shared their business and personal experiences via video conferencing.
Maintaining communication was, and remains, key. The very nature of our business gave us a head start in helping businesses, large and small, manage their calls throughout this, specifically tailoring our systems to their specific needs at any given time. Yet we have embraced further new tech to work alongside our people for our clients: we quickly integrated Microsoft Teams into our systems so that our PAs could keep track of their clients’ availability and efficiently manage calls whilst clients were working from home; we developed new online screening bots for clients to use in order to give them peace of mind that customers were symptom-free before any necessary meetings, and used the same innovations to ensure social distancing and wellbeing for those who come into the office when restrictions allow. It seemed a very natural extension to the support we provide for businesses.
We are also finding that our customers are using our in-depth analysis systems to get a better understanding of call duration and patterns in calls and so on, as well as for reporting. And we are using them alongside deep learning technologies to identify common requests and common themes so that we can better serve our clients.
Before the pandemic there was significant movement towards more of a conversational and interactive experience when it comes to digital assistant technologies. This has only been heightened as natural language processing is advancing exponentially.
This demand for digital switchboard and new innovations has been a growth area during lockdown as companies were looking at ways to manage all their calls without in-house receptionists and switchboards.
As part of our business model, we offered digital switchboard for free to businesses for three months to help them at the start of lockdown allowing people to engage with an automated assistant by simply talking. Through this use, we’ve found that a voice-controlled switchboard is really gaining in popularity following the widespread adoption and acceptance of technologies like Alexa and Google in people’s homes.
A key area of focus for us is the area of natural language processing (NLP), bridging the gap further between how we communicate and what a computer can understand. The field is advancing rapidly, and we are actively leveraging pre-trained transformer-based models such as BERT, RoBERTa and Longformer to analyze and summarize live chat content. We are also monitoring and testing emerging deep learning models, such as BigBird from Google and GPT-3 from OpenAI, to help advance our chat and digital switchboard offerings further.
Speech detection continues to get stronger. Currently the technology does not outperform our brilliant people, in my opinion, but it is starting to get closer to the matched experience. For us, however, our tech works hand-in-hand with our people enabling them to deliver brilliant and highly efficient customer service. I can’t see technology replacing people anytime soon. I do see it super-charging people in a way to be even better at what they do so we will just have to watch this space.
We always put trust at the heart of our tech roadmap and ask ourselves ‘Do our customers or our customers’ customers benefit from this tech innovation, and does it improve the overall customer experience?’ If the answer is yes, we progress.
And finally, linking back to the relationship between humanity and tech, I believe that the future will be in video-based communication. It is increasingly important to us and we are investigating how deep learning can be applied to real-time video in order to power the future.
Why cybercriminals have ‘Gone Vishing’ during the COVID-19 Pandemic
- More than 215,000 vishing attempts in the last year alone
As new coronavirus restrictions look set to confine much of the UK population to their homes this winter, cybersecurity specialists Panda Security are warning consumers to be on guard for an explosion in ‘Vishing’ attempts by cybercriminals.
Vishing, or voice phishing, is a social engineering technique used by fraudsters posing as someone from an IT helpdesk or support services, in order to obtain personal information from a victim. They will then look to use this information to hack into secure systems and defraud victims.
Vishing has increased as hackers are taking advantage of employees working remotely. Since August last year, HM Revenue and Customs (HMRC) has received reports from the public of more than 215,000 vishing attempts. These scams often offer fake tax refunds or help with claiming Covid-19 related financial support.[i]
The hacker can be very convincing and will often have done a lot of research into the company and the person they are contacting, to make what they are asking you for sound plausible. At times they even spoof phone numbers, so it looks like the caller ID is authentic and the same number as the real business.
European Cybersecurity Month: Keeping the ‘Vishers’ at bay
During European Cybersecurity Month, Panda Security is raising awareness of the dangers of vishing and is calling on consumers and businesses alike to take some simple measures in order to protect their data. Hervé Lambert, Global Consumer Operations Manager at Panda Security, gives his top tips to avoid being a victim of a vishing attempt this winter.
- Never give out your personal details: You should never give anyone your personal details such as bank details or passwords verbally over the phone or via email. Hackers will often find data about you on the internet and through social media networks and use this to convince you they are legitimate
- Be suspicious: It is right to be apprehensive of unknown callers, particularly if you are not expecting the phone call. Ask the caller questions or give deliberately false statements, and if you do not feel comfortable with their answers, hang up and phone the company or person back directly
- Don’t always trust caller ID: Hackers can often spoof legitimate phone numbers and make you believe that the phone call is coming from a credible source. Remember that legitimate businesses will never ask for your personal details unsolicited over the phone
- Install security measures: While internet security will not completely protect you from fraud, installing measures such as antivirus software will help protect your digital identity and make the job of the hackers much more difficult
- Keep calm: Often the hacker will try to panic you into reacting very quickly and scare you into providing them with your information. Take a moment to breathe and slow the conversation down
Commenting on the rise in vishing attempts, Hervé Lambert, Global Consumer Operations Manager at Panda Security, says: “Vishing is not a particularly new or sophisticated technique, and yet the “new normal” of working from home has been a boon for cybercriminals looking to exploit vulnerable people in this way. Hackers will scour the Internet and social media networks for any information they can glean about a potential victim before making a call. Once they have secured the victim’s trust they are then in a position of power to defraud them.”
Lambert continues: “It is essential that consumers take preventative measures to protect their digital identity, while remaining vigilant and questioning anything that seems unusual. Our key piece of advice remains: never give out your personal details over the phone.”