Combating Cyber-Attacks Against the Financial Community


How Banks Can Maintain Information Security by Bolstering Internal Controls

By Bala Venkatramani, Marketing Manager at ManageEngine Password Manager Pro
www.passwordmanagerpro.com

News media in the U.S. are abuzz with stories about cyber-attacks on top banks as financial institutions emerge as the prime targets of cyber-criminals. Reports suggest that since September 2012, cyber-attacks on bank networks have exploded.

Actually, banking and other financial institutions have always been a top target of hackers. During the past few years, renowned banking organizations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.

The hackers’ predominant activities include spreading malware infections, siphoning login credentials and mounting denial-of-service attacks that disrupt service to legitimate users. The traditional attack channels include viruses, keylogger Trojans and cross-site scripting. The Trojans monitor keystrokes, log them to a file and send them to remote attackers. Cross-site scripting, on the other hand, lets an attacker inject client-side script into web pages viewed by other users and use the information obtained to bypass access controls.

Evolving Attack Patterns

Perimeter security software and traffic analysis solutions help in combating traditional attack vectors. However, hackers are changing their modus operandi. Cyber-criminals are now siphoning off the login credentials of employees and the administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs).

Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorized wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.

Another emerging threat is sabotage caused by the insiders at the financial institutions. Disgruntled staff, greedy techies and sacked employees have all been involved in cyber security incidents. Clearly, breaches of trust can occur anywhere, leading to grave consequences.

In internal and external attacks alike, unauthorized access and misuse of privileged passwords — the ‘keys to the kingdom’ — have emerged as the main activities. Administrative passwords, system default accounts and hard-coded credentials in scripts and applications have all become the prime targets of cyber-criminals.

Overlooking Privileged Passwords

While internal and external hackers are exploiting administrative passwords with increasing frequency, many financial institutions fail to recognize the importance of this crucial aspect of privileged password management. Passwords of enterprise IT resources are often stored in spreadsheets, text files, homegrown tools, papers or even in physical vaults. Yet these volatile sources are inherently insecure and do little to enhance data security or business reputation.

Passwords are further compromised in IT divisions that deal with thousands of privileged passwords used in a ‘shared’ environment: it is standard practice for a group of administrators to access a given resource through one common privileged account.

Apart from the ‘officially shared’ passwords, users also tend to reveal administrative passwords to their colleagues, unofficially, for some reason or other. The most common reason for unofficial sharing of a password is to handle an emergency, e.g., an IT manager may reveal the password to a senior member when the manager is on vacation.

Developers, help desk technicians and even third-party vendors may require access to privileged passwords purely on a temporary basis. The passwords are often supplied via email or over the phone, both of which are highly insecure media. Worse, there is no process to revoke access and reset the password after the temporary usage, leaving an even bigger security hole.

Privileged password negligence often proves costly. Haphazard password management makes the enterprise a paradise for hackers inside and outside the financial organization. Many security breaches stem from inadequate password management policies, access restrictions and internal controls.

Tightening Internal Controls

Combating sophisticated cyber-attacks demands a multi-pronged strategy incorporating an exhaustive set of activities. Financial institutions need to deploy security devices, enforce security policies, control access to resources, monitor events, analyze logs, detect vulnerabilities, manage patches, track changes, ensure compliance and monitor traffic among other activities.

Of all the combat measures, bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should be based strictly on job roles and responsibilities. But access restrictions alone are not enough and must be supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’ Likewise, password sharing should be regulated, and a well-established workflow should be in place for the release of passwords of sensitive resources. Standard password management policies, including the use of strong passwords and frequent rotation, should be enforced.

One of the effective ways to bolster internal controls is automating the entire lifecycle of privileged access management and systematically enforcing best practices. Privileged password managers like ManageEngine’s Password Manager Pro replace manual practices and automatically assist with securely storing privileged identities in a central vault, selectively sharing passwords, enforcing policies and above all, restricting access to and establishing total control over privileged identities. Enterprise-class password managers offer advanced protection of IT resources by helping establish access controls to IT infrastructure, and seamlessly video recording and monitoring all user actions during privileged sessions, providing complete visibility on privileged access.
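The workflow just described (release only to a permitted role, one holder at a time, a time-limited lease, a who/what/when trail, and rotation on return or expiry) is sketched below as an added illustration. This is not Password Manager Pro's code or any product's API; the resource names, roles and timestamps are constructed.

```python
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def rotate_password(length=24):
    """Generate a fresh random password; used on creation, check-in and lease expiry."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class Resource:
    name: str
    allowed_roles: set                      # job roles permitted to request this credential
    password: str
    checked_out_by: Optional[str] = None
    lease_expires: Optional[datetime] = None


@dataclass
class Vault:
    resources: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # the 'who / what / when' trail

    def _log(self, user, action, resource, now, outcome):
        self.audit.append((now.isoformat(), user, action, resource, outcome))

    def add_resource(self, name, allowed_roles, now):
        self.resources[name] = Resource(name, set(allowed_roles), rotate_password())
        self._log("system", "create", name, now, "ok")

    def checkout(self, user, role, name, now, lease_minutes=30):
        """Release a password only to a permitted role, one holder at a time, for a limited lease."""
        self.expire_leases(now)                 # never hand out a credential on a lapsed lease
        res = self.resources[name]
        if role not in res.allowed_roles:
            self._log(user, "checkout", name, now, "denied: role not permitted")
            return None
        if res.lease_expires is not None and now < res.lease_expires:
            self._log(user, "checkout", name, now, f"denied: held by {res.checked_out_by}")
            return None
        res.checked_out_by, res.lease_expires = user, now + timedelta(minutes=lease_minutes)
        self._log(user, "checkout", name, now, "ok")
        return res.password

    def checkin(self, user, name, now):
        """Return the credential and rotate it, so the value that was released is now useless."""
        res = self.resources[name]
        if res.checked_out_by != user:
            self._log(user, "checkin", name, now, "denied: not the current holder")
            return False
        res.password, res.checked_out_by, res.lease_expires = rotate_password(), None, None
        self._log(user, "checkin+rotate", name, now, "ok")
        return True

    def expire_leases(self, now):
        """Revoke and rotate every credential whose temporary lease lapsed without a check-in."""
        expired = []
        for res in self.resources.values():
            if res.lease_expires is not None and now >= res.lease_expires:
                self._log(res.checked_out_by, "lease-expired+rotate", res.name, now, "ok")
                res.password, res.checked_out_by, res.lease_expires = rotate_password(), None, None
                expired.append(res.name)
        return expired


def demo():
    """Constructed scenario: a developer is refused, a DBA borrows and returns, a lease lapses."""
    t0 = datetime(2024, 1, 1, 9, 0)           # constructed timestamp
    vault = Vault()
    vault.add_resource("core-db-admin", ["dba"], t0)
    out = {}
    out["developer"] = vault.checkout("dev1", "developer", "core-db-admin", t0)
    first = vault.checkout("alice", "dba", "core-db-admin", t0)
    out["second_holder"] = vault.checkout("bob", "dba", "core-db-admin", t0 + timedelta(minutes=5))
    out["holder_checkin"] = vault.checkin("alice", "core-db-admin", t0 + timedelta(minutes=10))
    out["rotated_after_checkin"] = vault.resources["core-db-admin"].password != first
    second = vault.checkout("carol", "dba", "core-db-admin", t0 + timedelta(minutes=20))
    out["expired"] = vault.expire_leases(t0 + timedelta(minutes=60))
    out["rotated_after_expiry"] = vault.resources["core-db-admin"].password != second
    out["audit"] = vault.audit
    return out
```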

Bolstering internal controls as detailed above will ensure that privileged identities will not be compromised — even if a hacker manages to penetrate the perimeter. Similarly, the threats due to attacks by malicious insiders are greatly mitigated.

Staying Vigilant

Once internal controls have been tightened, financial institutions must remain vigilant and keep an eye on activities going on inside and around them. Logs from critical systems carry vital information that could prove effective in preventing security incidents. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security.
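As an added example (not from the original article or any ManageEngine product), the detection logic below runs three of the checks listed above over a constructed audit trail: a burst of failed logins followed by a success, privileged password retrieval outside business hours, and record deletion. The log format, users, hosts and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, in the style of an authentication / vault audit trail.
SAMPLE_LOG = """\
2024-03-04T09:01:10 user=alice action=login result=OK src=10.1.1.20
2024-03-04T09:05:42 user=alice action=password_access resource=core-db-admin result=OK src=10.1.1.20
2024-03-04T10:12:00 user=carol action=login result=FAIL src=10.1.1.33
2024-03-04T10:12:30 user=carol action=login result=OK src=10.1.1.33
2024-03-04T22:40:03 user=bob action=login result=FAIL src=203.0.113.7
2024-03-04T22:40:09 user=bob action=login result=FAIL src=203.0.113.7
2024-03-04T22:40:15 user=bob action=login result=FAIL src=203.0.113.7
2024-03-04T22:40:21 user=bob action=login result=FAIL src=203.0.113.7
2024-03-04T22:40:30 user=bob action=login result=OK src=203.0.113.7
2024-03-04T22:41:02 user=bob action=password_access resource=swift-gateway result=OK src=203.0.113.7
2024-03-04T22:43:50 user=bob action=delete_records resource=audit-db result=OK src=203.0.113.7
"""


def parse_line(line):
    """'<iso timestamp> key=value key=value ...' -> (datetime, dict of fields)."""
    stamp, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(stamp), fields


def detect(log_text, fail_threshold=3, window=timedelta(minutes=5), business_hours=(7, 19)):
    """Return (rule, user, timestamp) alerts for the patterns the article lists."""
    alerts = []
    recent_fails = defaultdict(list)          # user -> timestamps of recent failed logins
    for line in log_text.strip().splitlines():
        when, ev = parse_line(line)
        user, action, result = ev["user"], ev["action"], ev.get("result")
        if action == "login":
            fails = recent_fails[user]
            fails[:] = [t for t in fails if when - t <= window]   # forget failures outside the window
            if result == "FAIL":
                fails.append(when)
            elif len(fails) >= fail_threshold:
                # a burst of failures followed by a success looks like password guessing that worked
                alerts.append(("failed-logins-then-success", user, when.isoformat()))
                fails.clear()
        elif action == "password_access" and not (business_hours[0] <= when.hour < business_hours[1]):
            alerts.append(("off-hours-password-access", user, when.isoformat()))
        elif action == "delete_records":
            alerts.append(("record-deletion", user, when.isoformat()))
    return alerts


if __name__ == "__main__":
    for rule, user, when in detect(SAMPLE_LOG):
        print(f"{when} {rule:28} user={user}")
```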

Of course, not all security incidents can be prevented or avoided. Nor can privileged password management thwart all cyber security incidents. However, too many security incidents occur as a result of lax internal controls — poor password management, in particular — and those violations can certainly be prevented. It’s time for IT organizations to take the bull’s eye off the financial community’s networks and data and enforce some enterprise-class password protection.

ManageEngine is exhibiting at Infosecurity Europe 2012, the No. 1 industry event in Europe, held on 24th – 26th April 2012 at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk.

Iron Mountain releases 7-steps to ensure digitisation delivers long-term benefits


Iron Mountain has released practical guidance to help businesses future-proof their digital journeys. The guidance is part of new research that found that 57% of European enterprises plan to revert new digital processes back to manual solutions post-pandemic.

The research revealed that 93% of respondents have accelerated digitisation during COVID-19 and 86% believe this gives them a competitive edge. However, the majority (57%) fear these changes will be short-lived and their companies will revert to original means of access post-pandemic.

“With 80% still reliant on physical data to do their job, now is a critical time to implement more robust, digital methods of accessing physical storage,” said Stuart Bernard, VP of Digital Solutions at Iron Mountain. “Doing so can enhance efficiency and deliver ROI by unlocking new value in stored data through the use of technology to mine, review and extract insight.”

Why revert?

When COVID-19 hit, companies had to think fast and adapt. Digital solutions were often taken as off-the-shelf, quick fixes – rarely the most economical or effective. But they are delivering benefits – those surveyed reported productivity gains (27%), saving time (20%), enhancing data quality (13%) and cutting costs (12%).

So what now?

The Iron Mountain study includes guidance on how to turn quick fixes into sustained, long-term solutions. The seven steps are designed to help businesses future-proof their digital journeys and maximise value from physical storage:

1) Gather insights: The COVID-19 pandemic allowed organisations to test and learn. Companies should ensure these insights are fed into developing more robust solutions.

2) Use governance as intelligence: Information governance and compliance are fundamental to data handling. But frameworks aren’t just a set of rules; they hold valuable insights that can be turned into actionable intelligence. Explore your framework to extract learnings.

3) Understand your risk profile: A key early step is to analyse where you are most vulnerable. With data in motion and people working remotely, which records are at risk? What could be moved into the cloud? Are your vendors resilient?

4) Focus where you will achieve greatest impact: To prioritise successfully, you need to know where you will achieve the largest impact. This involves looking beyond initial set-up costs towards the holistic benefits of digitisation, including reducing time spent on manual scanning and the risk of compliance violations.

5) Reach out and collaborate: We are all in this together. Your IT, security, compliance and facility management teams are all facing the same challenges. Ensure you collaborate across functions to develop robust, integrated solutions.

6) Find a provider who can relate to your digital journey: For companies that still rely heavily on analogue solutions, digitisation can be daunting and risky. It pays to find a vendor who has been on the same journey, understands your paper processes and can guide you through the digital world.

7) Prioritise and evolve communication and training programmes: To reap the full rewards from any digitisation initiative, thorough and continuous communication and training is critical. Encouragingly, our survey found that 81% of data handlers have received training to work digitally, which is an excellent step in the right direction, but consider teams beyond data handling to truly succeed.

The research was commissioned by Iron Mountain in collaboration with Censuswide. It surveyed 1,000 data handlers across the EMEA region. It found that the departments that have digitised more due to COVID-19 include IT support (40%), customer relationship management (36%), and team resource planning (34%).


3D Secure: Why are fraudsters still slipping through the net?


By Tim Ayling, VP EMEA, buguroo

There is a constant tension between keeping online payments secure, and offering an easy and frictionless user experience. Digital transformation – especially accelerated by the global pandemic – leaves consumers expecting online services to be seamless. Customers are even liable to abandon a process altogether if they encounter a hurdle.

Financial regulation and security protocols exist to help ensure that a balance is maintained between offering customers this frictionless experience, and keeping them and their funds safe from fraud attacks.

What is 3D Secure?

3D Secure is one such protocol. This payer authentication system is designed to keep card-not-present (CNP) ecommerce payments secure against online fraud. The card issuer uses 3D Secure when a card is used to pay for something online, authenticating the customer’s identity based on personal identifiers, such as the three-digit CVV code on the back of a card, as well as the device they’re using to make the payment and their geolocation or IP address.

3D Secure is important because although transactions can be accepted or denied based on the level of risk, it’s not always as clear as ‘risky’ or ‘not risky’. A small number of transactions will have an undetermined or questionable level of risk attached to them. For example, if a legitimate customer appears to be using a new device to buy goods online, or appears to be attempting to make the transaction from an irregular location. In these instances, 3D Secure provides a step-up authentication, such as asking for a one-time password (OTP).

Getting the right balance

3D Secure is a helpful protocol for card issuers, as it allows banks to comply with Strong Customer Authentication as required by EU financial regulation PSD2 as well as increase security for transactions with a higher level of risk – thereby better filtering the genuine cardholders from fraudsters.

This means that the customers themselves are better protected against fraud, and the extra security helps preserve their trust in the bank to be able to keep their money safe. At the same time, the number of legitimate customers who have their transactions denied is minimised, improving the customer’s online experience.

So why are fraudsters still slipping through the net?

Fraudsters are used to adapting to security protocols designed to stop them, and 3D Secure is no exception. The step-up authentication that is required by 3D Secure in the instance of a questionable transaction often takes the form of an OTP, a password or secret answer known only by the bank and the customer. However, there are various ways that fraudsters have devised to steal this information.

The most common way to steal passwords is through phishing attacks, where fraudsters pretend to be legitimate brands, such as banks themselves, in order to dupe customers into giving away sensitive information. Fraudsters can even replace the pop-up windows that appear to legitimate customers in the case of stepped-up authentication with their own browser windows disguised as the bank’s. Unwitting customers then enter the password or OTP and effectively hand it straight over to the fraudsters.

Even when an OTP is sent directly to a customer’s phone, fraudsters have found a way to intercept this information. They do this through something called a ‘SIM swap scam’, where they impersonate their victim and manage to get the legitimate cardholder’s number switched onto a different SIM card that they own, thereby receiving the genuine OTP in the cardholder’s place.

This is especially an issue for card issuers when taking into account the liability shift that is attached to using 3D Secure. When a transaction is authenticated using 3D Secure, the liability moves to lie with the card issuer, not the vendor or retailer. If money leaves a customer’s account and the transaction was verified by 3D Secure, but the customer says they did not authorise the transaction, the card provider becomes liable for any refunds.

How AI and Behavioral Biometrics can be used to plug the gap

Banks need to find a way to accurately block fraudsters while allowing genuine customers to complete online payments. AI can be used alongside behavioural biometrics as an additional security layer that covers these gaps through continuous authentication of the customer.

Behavioural biometrics can collect and analyse data from thousands of parameters around user behaviour such as their typing speed and dynamics, or the trajectory on which they move the mouse, throughout the entire online session. AI processes are used to dynamically compare this analysis against the user’s usual online profile to identify even the smallest of anomalies, as well as against profiles of known fraudsters and typical fraudster behaviour. AI then delivers a risk score based on this information to banks in real time, enabling them to root out and block the fraudulent transactions.

As this authentication occurs invisibly, the AI technology can recognise if the customer is who they say they are – and that it isn’t a fraudster trying to input a genuine OTP they have managed to steal through phishing or SIM swapping – without adding any additional friction.

Card issuers cannot decline all questionable transactions without losing customers, while approving them without additional checks poses security issues that can result in financial losses as well as losses in customer trust. Behavioural biometrics is a foundational technology that can work alongside 3D Secure to keep customers’ online payments safe from fraud while maintaining a frictionless experience and minimising the risk of chargeback liability for banks.
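The decision flow the article argues for (frictionless approval of low-risk payments, an OTP step-up for questionable ones, and a behavioural check that blocks a stolen OTP) is shown below as an added, simplified illustration. It is not buguroo's or any 3D Secure implementation's code: the risk weights, thresholds, typing-rhythm profile and sessions are constructed, and only keystroke timing stands in for the thousands of behavioural parameters described above.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional


@dataclass
class BehaviourProfile:
    """The cardholder's usual typing rhythm, learned from earlier sessions (constructed values)."""
    mean_interval_ms: float     # average gap between keystrokes
    std_interval_ms: float      # how much that gap normally varies


@dataclass
class Transaction:
    amount: float
    device_known: bool                   # device seen before for this cardholder
    country_matches_profile: bool        # geolocation / IP consistent with the usual location
    keystroke_intervals_ms: List[float]  # rhythm captured during this session
    otp_verified: Optional[bool] = None  # None: step-up not yet performed


def transaction_risk(tx):
    """Static risk signals the issuer sees at 3D Secure time (weights are illustrative)."""
    score = 0
    if not tx.device_known:
        score += 40
    if not tx.country_matches_profile:
        score += 30
    if tx.amount > 500:
        score += 20
    return score


def behaviour_anomaly(profile, intervals, min_samples=5):
    """z-score of this session's typing rhythm against the profile; None if too little data."""
    if len(intervals) < min_samples:
        return None
    return abs(mean(intervals) - profile.mean_interval_ms) / max(profile.std_interval_ms, 1e-9)


def decide(tx, profile, low=30, high=70, anomaly_limit=3.0):
    """APPROVE / STEP_UP / DECLINE, combining 3DS risk tiers with the continuous behavioural check."""
    anomaly = behaviour_anomaly(profile, tx.keystroke_intervals_ms)
    if anomaly is not None and anomaly > anomaly_limit:
        # The person at the keyboard does not behave like the cardholder: block even if a
        # correct OTP was entered, which is the phished / SIM-swapped OTP case.
        return "DECLINE"
    risk = transaction_risk(tx)
    if risk < low:
        return "APPROVE"            # frictionless: no challenge
    if risk >= high:
        return "DECLINE"
    if tx.otp_verified is None:
        return "STEP_UP"            # questionable: ask for the OTP
    return "APPROVE" if tx.otp_verified else "DECLINE"


# Constructed data: the customer's profile and two captured sessions.
PROFILE = BehaviourProfile(mean_interval_ms=180.0, std_interval_ms=25.0)
GENUINE_TYPING = [175, 182, 190, 168, 185, 177]
FRAUD_TYPING = [410, 395, 420, 405, 398, 412]


def demo():
    return {
        "low_risk": decide(Transaction(40, True, True, GENUINE_TYPING), PROFILE),
        "new_device": decide(Transaction(40, False, True, GENUINE_TYPING), PROFILE),
        "new_device_otp_ok": decide(Transaction(40, False, True, GENUINE_TYPING, True), PROFILE),
        "new_device_otp_bad": decide(Transaction(40, False, True, GENUINE_TYPING, False), PROFILE),
        "high_risk": decide(Transaction(900, False, False, GENUINE_TYPING), PROFILE),
        "stolen_otp": decide(Transaction(40, False, True, FRAUD_TYPING, True), PROFILE),
    }
```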


Track and Trace and Other Lost Data


By Ian Smith, General Manager and Finance Director at Invu 

You, like me, were probably amazed by the now infamous loss of over 16,000 positive test results in the track and trace system due to an Excel spreadsheet error.

You, like me, probably wondered how the Government could get something so important so wrong.

But perhaps we should ask: are we standing in a greenhouse launching stones?

Data risks from software

Today we are spoilt with software offerings that help us with both our personal and our work lives.

Microsoft Excel is a powerful application and offers many functions now that required moderately complex macro writing in the past, seducing all of us into submitting more data for it to analyse. In finance, we tend to solve all those problems our applications cannot address using Excel.

In finance, we also know the risks of formula errors, and if we have relied on it enough, we will have our own war stories to go with these risks. Yet, we often continue to use the tool for operations that make those folks with an information technology background shake their heads.

These Excel files nowadays may find themselves resident on a local file server or on one of the many file servers in the cloud (like those from the big three, Dropbox, Google Drive and Microsoft OneDrive, or other less well-known file sharing applications). Many of us use these in multiple ways.

Vulnerable programmes

Beyond finance and Excel, there are now many applications that we run our data through and leave data stored in the form of documents, comments and notes.

The long-standing example is email. We today receive many documents via email, with content in the body often providing context. Email systems then become the store for that data. While this works from a personal point of view, for a business working at scale, the information stored this way can be lost to the rest of the business. Just like data falling off a spreadsheet when there are not enough rows to capture the results.

More recently, we have seen easy to consume applications develop in many areas like chat and productivity. Take for example task management apps, my own preference being Monday.com (I am sparing you the long list of these). The result of the task and how we got there, in the form of attachments or comments, are often stored in the application. Each application we touch encourages us to leave a bit of data behind in its store.

Data proliferation

Many of these applications can have a personal use and an initial personal dalliance is what sparks up the motivation to apply the application to a business purpose. Just like the “Track and Trace System”, they can often find themselves being used in an environment where the scale of the operation overwhelms their intended use.

In our business lives, combining the use of applications in this way by liberally sprinkling our data across multiple systems often stored in documents (be they Microsoft Word, email, scans or comments and notes) puts us on the pathway to trouble.

Imagine how Matt Hancock felt explaining to Parliament that the world-class track and trace system depended on a spreadsheet.

Can you imagine a similar situation in your business life? Say, for example, that documents or data in some form was lost because of the use of disparate systems and/or applications that were not really designed for the task you assigned to them.

Who would be your Parliament?

Now you can see yourself in the greenhouse, you may not want to reach for that metaphorical stone.

If these observations create some concerns for you, you may want to consider the information management strategy at your business. You have a strategy, even if it is not addressed specifically in documents, plans or thought processes.

Action plan

These steps may help figure out where you are and where you want to go.

  1. Assess your current environment.

Are you a centraliser, with all the information collected in one place? Or is all your data spread across multiple stores, as identified above? Are you storing your key business information on paper documents, digitally, or a mix of both?

  2. Assess your current processes.

Do your processes run on a limited number of software applications? Or do you enable staff to pick their own tools to get things done? The answer to this question is often a mix of both, where staff bridge the gaps in those applications using tools like MS Excel. A key application to think about is how the data in email, particularly the attachments, is made available to the business.

  3. Design a pathway for change and implement it.

Start with the end in mind. I suggest the goal is to enable the right people to have the right access to the information they require to do their job in real-time. I believe the way to effectively do this is to go digital. The fork in the road is then whether to centralise your information store or adopt a decentralised approach.

My own preferred route is to centralise using document management software that enables all your documents to be stored in one place. Applications like email can be integrated with it, significantly reducing the workload required to file and store the data. The data can then be used in business applications using workflows. Thinking these workflows through will help you assess the gaps between your key business applications and consider whether tools like Excel are being stretched too far.
