By Frans Labuschagne, United Kingdom and Ireland country manager, Entersekt
The rise of SIM swap fraud and the number of headline-making vulnerabilities exposed in recent weeks, putting over one billion mobile users at risk, provide overwhelming evidence that the technology is outdated
When the news broke in mid-September that over one billion mobile phone users are potentially at risk from a SIM card vulnerability that is currently being exploited by cybercriminals, it came as no surprise to me. Rather, I found myself despairing that so many financial institutions are still, despite numerous warnings, persisting with one-time passcodes (OTPs) sent – and therefore easily intercepted by bad actors – via SMS messages.
The so-called SimJacker flaw, identified by researchers at AdaptiveMobile Security, is yet another alarming example that lays bare how at-risk SIM cards and SMS messages are to hackers. This latest glitch has been exploited for two years by “a specific private company that works with governments to monitor individuals”, according to AdaptiveMobile Security.
“SimJacker has been further exploited to perform many other types of attacks against individuals and mobile operators,” continues the researchers’ report, “such as fraud, scam calls, information leakage, denial of service and espionage.”
Since Entersekt’s inception, in 2010, our position has been that SMS OTP is not secure, and the revelation about SimJacker further emboldens that position. There was more evidence to strengthen our case only two weeks before the SimJacker flaw was discovered, when a server containing an unprotected database of over 419 million phone numbers linked to Facebook accounts was exposed.
The leak of phone numbers could potentially open a huge number of users to SIM swap-type fraud. Organised crime groups trade digital files packed with personal data and account details sourced in mass data breaches and malware attacks. The fraudster will buy this data and use it to open a parallel account in their chosen victim’s name.
Other details in the file or gained separately through social engineering and searches online provide them with enough information to answer security questions at the relevant mobile network operator and register a new SIM. The victim’s SIM is deregistered in turn, and the answers to security questions changed in order to frustrate the victim’s attempts at rectifying the situation.
If more proof were needed to ditch SMS OTPs, earlier in the year Metro Bank became the first major financial institution to be named as a victim of hackers who were able to steal OTPs by hijacking customers’ text messages. It is understood that other banks have also been damaged by cybercriminals exploiting flaws in a set of protocols established over 40 years ago, called Signalling System No. 7 (SS7). Developed in 1975, SS7 is used by telecoms companies to coordinate how they route calls and SMS messages around the world. The age and open nature of SS7 make it vulnerable to cybercriminals pretending to be network providers. It was clear when Metro Bank was called out in February that SIM swap fraud was on the rise, meaning OTP texts were no longer enough protection. That was almost eight months ago.
At the time, back in February, a National Cyber Security Centre (NCSC) spokesman said: “We are aware of a known telecommunications vulnerability being exploited to target bank accounts by intercepting SMS text messages used as 2-Factor Authentication.” The NCSC’s understated verdict was: “Text messages are not the most secure type of two-factor authentication.”
The truth is security experts have known about SMS technology flaws for some time and have regularly warned organisations about them. Indeed, as long ago as 2015, in the Strong Authentication Requirements for internet payments, as issued by the European Banking Authority (EBA), SMS-based authentication was listed as a method “to be avoided”.
Regulatory bodies in the financial industry are slowly beginning to heed these black-and-white warnings, as SMS OTPs’ risks to consumer security overtake the cost benefits. In spite of all this, digital banking security has a long way to go. It is business critical for organisations using SMS OTPs to move on – and fast – if they want to avoid falling prey to the inevitable risk inherent in relying on such out-of-date methods.
Financial institutions should be providing customers with both the services they want and what is good for them, not sacrificing one for the other. Moreover, “Band-Aid” approaches to security, such as risk-based algorithms, are problematic because they fail to provide a complete security solution. And if they are breached, or make the wrong decision, the result can often cost orders of magnitude more than an up-to-date cyber defence.
There is good news, though: while SMS may not be secure enough to deliver OTPs, the mobile device itself can be used to authenticate financial transactions. Leveraging the ubiquity, computing power and connectivity of the mobile device not only provides the potential to bank anywhere, anytime, but allows banks to authenticate and secure interactions of all kinds at speed.
In order to protect against SIM swap attacks, it is advisable that service providers make strong user authentication available and that users elect to use it. This combines a knowledge factor, such as a password or PIN, with either a strong possession factor, such as a mobile phone or a FIDO key, or an inherence factor, such as facial or fingerprint recognition biometrics. These can all be facilitated through any mobile phone less than a decade old.
It’s important for financial institutions to be aware that there is a range of alternatives to SMS OTPs, including digital signing and biometric enablement. A secure mobile app, for instance, creates a secure channel between the user and the bank, rather than relying on the telecoms provider.
Essentially, the customer makes a connection to the bank and then uses their mobile device as an authenticator, which opens a completely separate, secure connection to the bank. The user receives a pop-up notification asking: “Is this you making the transaction?” The customer then answers “yes” or “no” with one tap on their smartphone. Because it is a secure and separate channel, it can’t be intercepted and is not vulnerable to SIM swap fraud.
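The app-based approval flow described above, as an added example that is not Entersekt’s code: the bank issues a one-time challenge bound to the transaction details, the registered app answers it with a key provisioned at enrolment, and the bank checks freshness, single use and binding. The device key, nonce handling and HMAC construction are assumptions for illustration; a production app would hold an asymmetric key in the phone’s secure hardware.

```python
"""Out-of-band transaction approval bound to an enrolled device key.

Added example, not Entersekt's code. The key, nonce scheme and HMAC
construction are illustrative assumptions; a real app would use an
asymmetric device key held in secure hardware.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed sample: one customer with one enrolled device. The key is
# provisioned into the app at enrolment and never transits SMS or SS7.
ENROLLED_DEVICES = {
    "cust-001": bytes.fromhex("11" * 32),  # placeholder demo key
}


def canonical(tx: dict) -> bytes:
    """Serialise a transaction deterministically so both sides MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approval_tag(key: bytes, nonce: str, tx: dict) -> bytes:
    """MAC over nonce + transaction: binds the approval to exactly what was shown."""
    return hmac.new(key, nonce.encode() + canonical(tx), hashlib.sha256).digest()


class Bank:
    """Bank side: issues one single-use challenge per transaction, verifies the answer."""

    def __init__(self, ttl_seconds: int = 120):
        self.ttl = ttl_seconds
        self.pending = {}        # nonce -> (customer_id, tx, issued_at)
        self.used_nonces = set()

    def push_challenge(self, customer_id: str, tx: dict) -> dict:
        """Create the challenge the app displays; a fresh nonce makes each approval unique."""
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (customer_id, tx, time.time())
        return {"nonce": nonce, "tx": tx}

    def verify_approval(self, nonce: str, tag: bytes, now: Optional[float] = None) -> bool:
        """Accept only a fresh, unaltered approval made with the enrolled device key."""
        now = time.time() if now is None else now
        if nonce in self.used_nonces or nonce not in self.pending:
            return False                     # replay, or no such challenge
        customer_id, tx, issued_at = self.pending.pop(nonce)  # consumed on first answer
        self.used_nonces.add(nonce)
        if now - issued_at > self.ttl:
            return False                     # user took too long; challenge expired
        key = ENROLLED_DEVICES.get(customer_id)
        if key is None:
            return False                     # customer has no enrolled device
        # Controlling the phone *number* but not the enrolled device cannot
        # produce a valid tag, which is what takes SIM swap out of the picture.
        return hmac.compare_digest(approval_tag(key, nonce, tx), tag)


def device_approve(device_key: bytes, challenge: dict, answer: bool) -> Optional[bytes]:
    """App side: the user taps yes or no; 'yes' MACs exactly the details on screen."""
    if not answer:
        return None
    return approval_tag(device_key, challenge["nonce"], challenge["tx"])
```

Unlike a six-digit SMS code, the tag is worthless without the enrolled key and the exact transaction it was computed over, so a tampered payee or a replayed answer is rejected bank-side.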
Most experts in the cybersecurity industry can’t understand why, in late 2019, banks are still using SMS OTPs to fight financial fraud. They have been rendered ineffective, are inconvenient for users, and are susceptible to SIM swap or number-porting attacks, fake caller IDs, and call-forwarding scams operated by dishonest customer service representatives at mobile carriers. Worse, OTPs do not guarantee protection from phishing attacks and malware-enabled account takeover fraud. Banks need to move with the times, ditch SMS OTPs and invest in alternative cyber security solutions – before it’s too late.
Local authorities and business networks play a key role in small business success, and must be protected during COVID rebuild
- 23% of UK’s top performing businesses have been supported by local enterprise partnerships and growth hubs
- Similarly, 30% of Britain’s strongest businesses have obtained external finance in the last 3 years
- New findings come as part of an independent, holistic study into small business success, commissioned by Allica Bank to support British businesses
A new study, commissioned by business bank Allica Bank, shows that a high level of engagement and interaction with external institutions and resources is central to SMEs’ prospects of success.
The study analysed data from over 1,000 companies and ranked their success on a scale that evaluated factors including productivity, growth, consistency and outlook. To measure SMEs’ external engagement, survey respondents were asked whether or not they had engaged with local enterprise partnerships, growth hubs, or external financial advisers, as well as whether they had obtained credit or sought re-financing advice, in the last three years.
The benefits to small businesses of making the most of external resources are clear to see, with almost a quarter (23%) of the UK’s top performing SMEs – those in the top tenth percentile – actively engaging their local enterprise partnership or growth hub in the last three years. This compares to just 16% of all other small businesses. With such a clear benefit to businesses, these external networks must not only be protected but prioritised in any Government plans to rebuild the economy post-COVID.
Similarly, of the top performing SMEs in the country, 30% have obtained external credit in the past three years, compared to less than a quarter (24%) of all other businesses. This figure drops even further for the weakest performing businesses – those in the ninetieth percentile – where just 12% of businesses have obtained external financial support in recent years.
Chris Weller, Chief Commercial Officer, Allica Bank, said:
“At Allica Bank we understand that no two businesses are the same. We also know that no-one knows a business as well as its owners and managers. But they can’t be expected to be experts on everything.
“In the UK there is a wealth of external advice and support for small businesses and we urge each and every business out there to tap into the external resources around them. Third parties, such as business clubs, chambers of commerce, local enterprise partnerships and trade bodies, can be invaluable sources of advice and further resources. And although they have excelled in their given field, business owners may still lack knowledge in many other areas of running and growing a business. Therefore, engaging with third parties can give business owners the kinds of insight – and fresh perspectives – they need to succeed.
“As the economy and the country come to terms with the impact of the COVID-19 pandemic, it is important these vital SME resources are protected and given the funding they need to continue providing invaluable insight and support to small businesses up and down the country.”
Allica Bank’s SME Guide to Success identified six ‘rules to success’ that were more likely to be displayed by top-performing SMEs compared to their counterparts. The full report contains a wealth of additional data and insight into each of these topics.
As part of its mission to empower small businesses, Allica Bank is making the findings freely available and running a series of free online workshops with relevant partner organisations for businesses to attend.
Do we really need banks? Yes, but digital transformation industry-wide is vital
By Charley Cooper, Managing Director at enterprise blockchain firm R3
The Coronavirus crisis has taught us that we are capable of going digital quickly when we need to. As the banking sector faces a second wave, the ability for individual firms to grow and succeed will be reliant on better connectivity and efficiency at the industry-level, writes R3’s Charley Cooper.
The sudden and dramatic pace of change has been seen globally over the last six months. Decades of paper-based practices are being updated, digitised and overhauled as the whole world adapts to working online. As of today, countries are accepting “alternative arrangements” for original paper export certificates, New York is allowing notary services by video, and global banks are accepting “original” documents and acceptances by email.
Over the coming months, we will see this digital transformation extend from individual use cases and firm-level deployment to entire industries. And perhaps in no other industry is this more critical than in financial services, where the role of banks continues to be challenged because of the inefficiencies they face as a result of decades of siloed technology deployment.
While unquestionably an improvement over reliance on manual processes, regular “digital transformation” as implemented by a single bank has limited benefits. These typically include greater automation of business processes, acceleration in adoption of electronic channels, elimination of manual processes, standardisation of non-value-adding business practices and a focus on driving up data quality and speed of information flows.
Now consider achieving digital transformation at the level of the entire market, rather than on a bank-by-bank basis. Whilst a digital transformation project for a single bank might automate a business process between a front and back office, a digital industry transformation project might optimise the trading and settlement of the asset between buyer and seller and their custodians too.
Of course, such things have been attempted before. But there have been many failures and the successes are notable by how they have resulted in new dominant centralised providers – for example for market data, messaging or settlement. The advent of blockchain architectures showed us there was a new way to tackle the problem, one that worked with the grain of existing markets.
Done right, the prize is a huge “productivity dividend” as entire markets are unshackled from their analogue histories.
Tackling interbank reconciliation at the industry level
The Italian financial services industry provides a pertinent use case of digital industry transformation. 32 banks in Italy went live in March with one of the first real-world deployments of enterprise blockchain technology in interbank financial markets. 23 more banks went live in May, with further institutions scheduled to go live this autumn. Built by the Italian Banking Association, ABI, the Spunta Banca DLT app on R3’s Corda Enterprise platform tackles the market-wide issue of interbank reconciliation.
The traditional reconciliation process for interbank transactions in Italy — formerly governed by the “spunta” process — is notoriously complex. Resolving mismatches in transactions is a labour-intensive process, hampered by a lack of standardisation, fragmented communication and no “single version of the truth.” The Spunta Banca DLT app automates the reconciliation process and enables banks to pinpoint mismatches in interbank transactions quickly by sharing common data in a secure way.
Connecting such a large and diverse group of banks in a live environment to tackle a shared problem is a major milestone for digital transformation in the Italian banking sector, providing a glimpse into a brighter, more efficient and interconnected future for all financial markets.
The current crisis has accelerated the launch of digital technology for many use cases across a diverse range of sectors, but those that stand the test of time will be developed with an industry-level mindset, not firm-level.
It is now clear that the age of inter-bank optimisation is over – the path forward from this crisis will be paved by software that focuses on adding real value for entire markets, connecting banks to overcome the biggest challenges they share as an industry.
Banks must adapt and start thinking about technology in new and innovative ways if they are to retain their critical role in the global economy.
How open banking can drive innovation and growth in a post-COVID world
By Billel Ridelle, CEO at Sweep
Times are pretty tough for businesses right now. For SMEs in particular, a global financial and health crisis of the sort we’re currently witnessing represents a truly existential risk. Yet there is hope of a brighter future. Digital transformation is already helping organisations in countless sectors, with everything from building supply chain resilience to rolling out potentially life-saving contact-tracing schemes. Yet it’s not just delivering transformative benefits in grand projects like this.
Thanks to open banking rules, a new wave of fintech innovation is sweeping the globe, offering business leaders a new launchpad for success. Even something as simple as corporate expenses can be transformed by the power of open data — to help firms cut costs, reduce fraud risk and become more productive.
Opening up data to innovation
It’s easy to get bogged down in the technical details of open banking, and the slew of new acronyms it has ushered in: Third Party Providers (TPPs), Account Information Service Providers (AISPs), Payment Initiation Service Providers (PISPs), and Application Programming Interfaces (APIs). Yet at the heart of the open banking revolution is a simple concept: the idea that forcing banks to open up their customers’ financial data will create more competition, and fresh opportunities for market entrants to create innovative new services.
This was at the heart of the UK government’s world-leading strategy when it was introduced back in 2016. A revised EU payment services directive (PSD2) gave it legal teeth, mandating that all payment account providers in the region provide third-party access for customers that want it. The push is also about reducing banking fees and enhancing financial inclusion, of course, but it’s in competition and innovation that the benefits really shine for businesses.
Access to real-time financial data via open APIs has already resulted in a range of new services which are helping businesses ride out the current economic storm. Whether it’s capabilities that can help freelancers prove loss of income to receive targeted loans, or services designed to streamline business processes to reduce costs and fraud — examples of innovation are endless.
What’s more, it’s already global. Aside from the PSD2, open banking rules are taking shape in Australia, New Zealand, Japan, Singapore, Hong Kong, Mexico and elsewhere. According to frequently cited Gartner predictions, regulators in around half of the G20 countries will create an open banking API regime over the coming year.
In the UK alone this is set to create a £7.2 billion revenue opportunity by 2022, with 71% of SMBs and 64% of adults expected to adopt it by then, according to PwC.
Making expenses pay
Corporate expenses and travel management might not be an area one immediately associates with high levels of innovation. But here too, open banking is having a profound impact. By combining automation, in-app approvals, integration with corporate policy and secure open banking APIs, companies like Sweep are offering new ways to solve old problems.
Part of the legacy challenge relates to productivity. Managing corporate travel costs and expenses was cited last year as the biggest concern of the UK’s small and mid-sized firms. Separate research claimed that SMBs are estimated to lose over £8.7 billion annually due to the time it takes employees and managers to complete these menial tasks. By automatically integrating real-time corporate bank account information into an easy-to-use app, we can save up to 15 hours a month on data input and travel administration per employee. That’s all time they could be spending on growing the business.
Another key area of concern is fraud. According to some estimates, fraudulent expenses claims could be costing UK firms £1.9 billion each year. In the US, the figure could be approaching $3 billion annually. Whether it’s the result of submitting expense claims for personal purchases, claiming for additional mileage on work trips, or over-claiming for other items, it all adds up. What’s more, fraud tends to spike particularly during times of recession, when normally diligent employees look for ways to supplement their income.
In this use case too, there are benefits to be had from open banking-powered solutions. Traditional manual processes offer too many gaps that can be exploited by fraudsters. Submitting paper receipts to finance departments — which must then input the information into spreadsheets or accounting software — is slow, error-prone and lacks accountability. However, with modern digital systems, transactions are automatically fed through from bank account to expense management platform. Here they are seamlessly checked according to policy and automatically approved, rejected or flagged for further investigation.
The future’s open
Thanks to the power of open banking, innovative fintech use cases like this are transforming operational challenges into opportunities to cut costs and fraud risks, improve employee productivity and become more strategic. With real-time data fed through from corporate bank accounts, finance directors can better understand spending patterns, react with greater agility and gain the insight they need to run their businesses more efficiently.
So what of the future? The good news is that open banking is only just getting started. As more sophisticated machine learning algorithms are developed, it has the potential for even greater disruption by empowering SMEs with predictive analytics and forecasting tools, or more accurate fraud checks, for example. Those in Europe may benefit most as PSD2 allows businesses to use tools that work seamlessly and securely across markets, without requiring any duplication of work.
In fact, open banking is not just good for individual SMEs, it’s important for Europe as a whole if we are ever to nurture successful digital unicorns to compete with those coming out of the US and China.
Open banking has been described in the past as a quiet revolution. With the right buy-in from business and the continued innovation of digital platforms, it may soon become a full-throated roar.