Connect with us

Technology

CYBER THREATS TO EXPECT IN 2014: SSL AND MOBILE API-BASED DDOS ATTACKS

Published

on

ssl and mobile api-based ddos attacks

In the past holiday season, revenue of online retailers in the US soared to an unprecedented 55.2 billion dollars. This e-commence boom has tremendously benefited the online banking industry, as most transactions are completed via e-banks. However, criminals are increasingly intercepting transaction traffic in order to steal confidential information such as user account information or credit card numbers. In dire cases, customer bank accounts are directly compromised.

ssl and mobile api-based ddos attacks

ssl and mobile api-based ddos attacks

As a counter measure, most online retailers and banks adopt SSL solutions to encrypt traffic containing confidential information. The standard security technology for creating an encrypted connection between a web server and a browser, SSL ensures that all data connections remain private and secure. Implementation of SSL in a HTTPS website is usually indicated by the padlock icon or green address bar in web browsers.

SSL Susceptible to DDoS

SSL is extremely vulnerable to DDoS (distributed denial-of-service) attacks due to the inherent nature of its implementation: the way the system consumes resources is asymmetric.  The encryption key exchange and handshake process of SSL consume more resources on the server-end, at least ten times the resources of a normal connection. An attacker could single handedly challenge high-performance servers through SSL handshake requests, commonly known as SSL renegotiation attacks.

Due to the widespread adoption of SSL, financial companies are the main victims of SSL attacks. Driven by greed, commercial competition or even hacktivism, attackers are causing astronomical financial and reputational losses to the banking industry.

  • In 2012, a Hong Kong gold trading platform was taken down by malicious attackers, accursedly from China for blackmailing purpose, who exploited a flaw in the server’s SSL renegotiations.
  • From 2012 to 2013, Izz ad-Din al-Qassam Cyber Fighters, a Muslim hacker group, launched several waves of DDoS attacks against US-based financial institutions in response to an anti-Islam video. Websites of several financial giants, including Bank of America, Wells Fargo and PNC, were knocked out.
  • In 2013 banks and TV stations in South Korea were hit by debilitating DDoS attacks. Three financial institutions and two insurance firms were partially or completely crippled. North Korea was the culprit.

In recent years the adoption of Bitcoin as a virtual currency has led to huge increases to its market capitalization. The growth in its value has brought about waves of cyber crimes aimed at manipulating prices, camouflaging Bitcoin theft and blackmailing. Similar to the finance industry, virtual currency platforms also use SSL encryptions.

Though SSL has been an essential investment for countless businesses, recent attacks targeting SSL-protected sites have proved the security technique is not ironclad. The once impeccable SSL is a new favorite target for cybercriminals.

Mobile Banking Threatened By Fragile Web APIs

As we move towards a mobile-first world, banks are placing a great emphasis on mobile applications that enhance customer service and loyalty. These apps connect users with the bank’s online infrastructure and consume data via APIs. The next wave of DDoS attacks may very well target APIs in order to disable these mobile gateways.

Malicious attackers can makes excessive connections to APIs under the guise of legitimate users to block normal access. And unlike a web page that’s been taken offline, this kind of attack is rather hidden. Since the app can still be launched on mobile devices, users may simply blame their mobile network and assume they have lost coverage, instead of suspecting that the app has been compromised. Bank customers are increasingly using apps as their main channel for banking transactions, so API attacks may have drastic consequences in the future.

Security in the Year Ahead

Detecting and mitigating SSL and API-based DDoS attacks has long been a headache for security vendors, since there is no sudden traffic spike or obvious signatures. Attacker can easily forge small amounts of requests that trigger SSL handshakes or exploit web APIs to exhaust resources on the target server.

As cyber criminals continue to refine their attack methods and exploit security flaws, financial institutions must regularly audit their systems for weaknesses. It is also imperative they adopt solutions that are proactive in order to anticipate and successfully defend against next-generation attacks.

DDoS Problem Resolved Through Human Identification

  • NexQloud’s answer to the DDoS problem lies within its proprietary human identification engine – Qlo. Qlo’s “identifying the human” philosophy is a simple 3-step process: deny non-humans, eject bad humans, and manage good humans.
  • When SSL traffic is passing through, Qlo first identifies the source of SSL requests and allows only human requests to process. Qlo then further determines the intent of human requesters based on user reputation and behavior patterns; those flooding the server with excessive SSL requests will be flagged as troublemakers, and ejected from the system automatically.
  • Qlo relieves servers of the heavy computational burden from negotiating handshakes of legitimate requests by offloading the decryption process to NexQloud, speeding up SSL handshakes by reusing existing SSL sessions.
  • NexQloud’s virtual API throttling system intelligently implements policies to control access to APIs based on the traffic type and usage patterns; calls to APIs are also rate-limited to assure availability.

When a website protected by NexQloud is overloaded by too many visitors (i.e. holiday season or promotions), NexQloud starts a queuing mechanism automatically before a flash crowd forms and slows down the website.

About NexQloud

NexQloud (http://www.nexqloud.com) is the world’s newest and most innovative cloud-based DDoS mitigation and uptime management platform. Powered by the world’s first Human Identification engine, NexQloud offers fully automated protection with no software or hardware changes required. Our unique human identification approach protects financial institutes against all types of DDoS attacks, including SSL and API-based attacks.

Technology

How to Build an AI Strategy that Works

Published

on

How to Build an AI Strategy that Works 1

By Michael Chalmers, MD EMEA at Contino

Six steps to boosting digital transformation through AI

In the age of artificial intelligence, the way we interact with brands and go about our work and daily lives has changed. No longer blithe buzzwords, AI tools and algorithms are solving real business problems, streamlining operations, boosting productivity, improving customer experience, and creating opportunities for advantage in a competitive marketplace.

However, many businesses struggle to unlock the full benefits that come with its adoption across the whole organisation. Making the most of AI requires a strategic focus, alignment with the specific operating model of the business, and a plan to implement it in a way that delivers real value.

Not all AI strategies are equal. To be successful, businesses need to set out how the technology will achieve objectives and identify the specific assets and case uses that will set them apart from competitors. The process of creating and delivering a successful AI strategy includes the following six essential elements that will help to bake in business success.

  1. Start with your vision and objective

One slip-up companies often make when developing an AI strategy is a failure to match the vision to the execution. Almost inevitably, this results in disjointed and complicated AI programmes that can take years to consolidate. Choosing an AI solution based on defined business objectives established at the start of a project reduces the risk of delay and failure.

As with any project or initiative, it’s crucial to align your corporate strategy with measurable goals and objectives to guide your AI deployment. Once a strategy is set and proven, its much quicker and easier to roll it out across divisions and product teams, maximising its benefits.

  1. Build a multi-disciplinary team 

AI is not an island. Multi-disciplinary teams are best placed to assess how the AI strategy can optimally serve their individual needs. Insights and inputs from web design, R&D and engineering will together ensure your plan hits objectives for key internal stakeholders.

It’s also important to recognise that with the best will and effort, the strategy might not be the perfect one first time around. Being prepared to iterate and flex the approach is a significant success factor. By fostering a culture of experimentation, your team will locate the right AI assets to form your unique competitive edge.

  1. Be selective about the problems you fix first

Selecting ‘lighthouse’ projects based on their overall goals and importance, size, likely duration, and data quality allow you to demonstrate the tangible benefits in a relatively short space of time. Not all problems can be fixed by AI, of course. But by identifying and addressing issues quickly and effectively, you can create beacons of AI capability that inspire others across the organisation.

Lighthouse projects should aim to be delivered in under eight weeks, instead of eight months. They will provide an immediate and tangible benefit for the business and your customers to be replicated elsewhere. These small wins sow the seeds of transformation that swell from the ground up, empowering small teams to grow in competency, autonomy and relatedness.

  1. Put the customer first, and measure accordingly

Customer-centricity is one of the most popular topics among today’s business leaders. Traditionally, businesses were much more product-centric than customer-centric. Somebody built products and then customers were found. Now, the customer is, and should be, at the heart of everything businesses do.

By taking a customer-centric approach, you will find that business drivers determine many technology decisions.  When creating your AI strategy, create customer centric KPIs that align with the overall corporate objectives and continually measure product execution backwards through the value chain.

  1. Share skills and expertise at scale through an ‘AI community of practice’

The journey to business-wide AI adoption is iterative and continuous. Upon successful completion of a product, the team should evolve into what’s known as an ‘AI community of practice’, which will foster AI innovation and upskill future AI teams.

In the world of rapid AI product iterations, best practices and automation are more relevant than ever. Data science is about repeatable experimentation and measured results. Suppose your AI processes can’t be repeated, and production is being done manually. In that case, data science has been reduced to a data hobby.

  1. Don’t fear failure: deploying AI is a continuous journey 

The formula for successful enterprise-wide AI adoption is nurture the idea, plan, prove, improve and then scale. Mistakes will be made, and lessons learned. This is a completely normal – and valuable – part of the process.

Lighthouse projects need to be proven to work, processes need to be streamlined and teams need to upskill. Businesses need a culture of learning and continuous improvement with people at the centre, through shorter cycles, to drive real transformation.

An experimental culture and continuous improvement, through shorter cycles, can drive real transformation. A successful AI strategy acts as a continually evolving roadmap across the different business functions (people, processes and technology) to ensure your chosen solutions are working towards your business objectives. In short, let your business goals guide your AI transformation, not the other way around.

Continue Reading

Technology

Iron Mountain releases 7-steps to ensure digitisation delivers long-term benefits

Published

on

Iron Mountain releases 7-steps to ensure digitisation delivers long-term benefits 2

Iron Mountain has released practical guidance to help businesses future-proof their digital journeys. The guidance is part of new research that found that 57% of European enterprise plan to revert new digital processes back to manual solutions post-pandemic.

The research revealed that 93% of respondents have accelerated digitisation during COVID-19 and 86% believe this gives them a competitive edge. However, the majority (57%) fear these changes will be short-lived and their companies will revert to original means of access post-pandemic.

“With 80% still reliant on physical data to do their job, now is a critical time to implement more robust, digital methods of accessing physical storage,” said Stuart Bernard, VP of Digital Solutions at Iron Mountain. “Doing so can enhance efficiency and deliver ROI by unlocking new value in stored data through the use of technology to mine, review and extract insight.”

Why revert?

When COVID-19 hit, companies had to think fast and adapt. Digital solutions were often taken as off-the-shelf, quick fixes – rarely the most economical or effective. But they are delivering benefits – those surveyed reported productivity gains (27%), saving time (20%), enhancing data quality (13%) and cutting costs (12%).

So what now?

The Iron Mountain study includes guidance for how to turn quick-fixes into sustained, long-term solutions. The seven-steps are designed to help businesses future-proof their digital journeys and maximize value from physical storage:

1)     Gather insights: The COVID-19 pandemic allowed organisations to test and learn. Companies should ensure these insights are fed into developing more robust solutions.

2)     Use governance as intelligence: Information governance and compliance are fundamental to data handling. But frameworks aren’t just a set of rules, they hold valuable insights that can be turned into actionable intelligence. Explore your framework to extract learnings.

3)     Understand your risk profile: A key early step is to analyse where you are most vulnerable. With data in motion and people working remotely, which records are at risk? What could be moved into the cloud? Are your vendors resilient?

4)     Focus where you will achieve greatest impact: To prioritise successfully, you need to know where you will achieve the largest impact. This involves looking beyond initial set-up costs towards the holistic benefits of digitisation, including reducing time spent on manual scanning, and the risk of compliance violations.

5)     Reach out and collaborate: We are all in this together. Your IT, security, compliance and facility management teams are all facing the same challenges. Ensure you collaborate across functions to develop robust, integrated solutions.

6)     Find a provider who can relate to your digital journey: For companies that still rely heavily on analogue solutions, digitisation can be daunting and risky. It pays to find a vendor who has been on the same journey, understands your paper processes and can guide you through the digital world.

7)     Prioritise and evolve communication and training programmes: To reap the full rewards from any digitisation initiative, thorough and continuous communication and training is critical. Encouragingly, our survey found that 81% of data handlers have received training to work digitally which is an excellent step in the right direction, but consider teams beyond data handling to truly succeed.

The research was commissioned by Iron Mountain in collaboration with Censuswide. It surveyed 1,000 data handlers among the EMEA region. It found that the departments that have digitised more due to COVID-19 include IT support (40%), customer relationship management (36%), and team resource planning (34%).

Continue Reading

Technology

3D Secure: Why are fraudsters still slipping through the net?

Published

on

3D Secure: Why are fraudsters still slipping through the net? 3

By Tim Ayling, VP EMEA, buguroo

There is a constant tension between keeping online payments secure, and offering an easy and frictionless user experience. Digital transformation – especially accelerated by the global pandemic – leaves consumers expecting online services to be seamless. Customers are even liable to abandon a process altogether if they encounter a hurdle.

Financial regulation and security protocols exist to help ensure that a balance is maintained between offering customers this frictionless experience, and keeping them and their funds safe from fraud attacks.

What is 3D Secure?

3D Secure is one such protocol. This payer authentication system is designed to keep card-not-present (CNP) ecommerce payments secure against online fraud. The card issuer uses 3D Secure when a card is used to pay for something online, authenticating the customer’s identity based on personal identifiers, such as the three-digit CVV code on the back of a card, as well as the device they’re using to make the payment and their geolocation or IP address.

3D Secure is important because although transactions can be accepted or denied based on the level of risk, it’s not always as clear as ‘risky’ or ‘not risky’. A small number of transactions will have an undetermined or questionable level of risk attached to them. For example, if a legitimate customer appears to be using a new device to buy goods online, or appears to be attempting to make the transaction from an irregular location. In these instances, 3D Secure provides a step-up authentication, such as asking for a one-time password (OTP).

Getting the right balance

3D Secure is a helpful protocol for card issuers, as it allows banks to comply with Strong Customer Authentication as required by EU financial regulation PSD2 as well as increase security for transactions with a higher level of risk – thereby better filtering the genuine cardholders from fraudsters.

Tim Ayling

Tim Ayling

This means that the customers themselves are better protected against fraud, and the extra security helps preserve their trust in the bank to be able to keep their money safe. At the same time, the number of legitimate customers who have their transactions denied is minimised, improving the customer’s online experience.

So why are fraudsters still slipping through the net?

Fraudsters are used to adapting to security protocols designed to stop them, and 3D Secure is no exception. The step-up authentication that is required by 3D Secure in the instance of a questionable transaction often takes the form of an OTP, a password or secret answer known only by the bank and the customer. However, there are various ways that fraudsters have devised to steal this information.

The most common way to steal passwords is through phishing attacks, where fraudsters pretend to be legitimate brands, such as banks themselves, in order to dupe customers into giving away sensitive information. Fraudsters can even replace the pop-up windows that appear to legitimate customers in the case of stepped-up authentication with their own browser windows disguised as the bank’s. Unwitting customers then enter the password or OTP and effectively hand it straight over to the fraudsters.

Even when an OTP is sent directly to a customer’s phone, fraudsters have found a way to intercept this information. They do this through something called a ‘SIM swap scam’, where they impersonate their victim and manage to get the legitimate cardholder’s number switched onto a different SIM card that they own, thereby receiving the genuine OTP in the cardholder’s place.

This is especially an issue for card issuers when taking into account the liability shift that is attached to using 3D Secure. When a transaction is authenticated using 3D Secure, the liability moves to lie with the card issuer, not the vendor or retailer. If money leaves a customer’s account and the transaction was verified by 3D Secure, but the customer says they did not authorise the transaction, the card provider becomes liable for any refunds.

How AI and Behavioral Biometrics can be used to plug the gap

Banks need to find a way to accurately block fraudsters while allowing genuine customers to complete online payments. AI can be used alongside behavioural biometrics as an additional layer of security to cover the gaps in security through continuous authentication of the customer.

Behavioural biometrics can collect and analyse data from thousands of parameters around user behaviour such as their typing speed and dynamics, or the trajectory on which they move the mouse, throughout the entire online session. AI processes are used to dynamically compare this analysis against the user’s usual online profile to identify even the smallest of anomalies, as well as against profiles of known fraudsters and typical fraudster behaviour. AI then delivers a risk score based on this information to banks in real time, enabling them to root out and block the fraudulent transactions.

As this authentication occurs invisibly, the AI technology can recognise if the customer is who they say they are – and that it isn’t a fraudster trying to input a genuine OTP they have managed to steal through phishing or SIM swapping – without adding any additional friction.

Card issuers cannot decline all questionable transactions without losing customers, while approving them without additional checks poses security issues that can result in financial losses as well as losses in customer trust. Behavioural biometrics is a foundational technology that can work simultaneously to 3D Secure to keep customers’ online payments safe from fraud while maintaining a frictionless experience and minimising the risk of chargeback liability for banks.

Continue Reading
Editorial & Advertiser disclosureOur website provides you with information, news, press releases, Opinion and advertorials on various financial products and services. This is not to be considered as financial advice and should be considered only for information purposes. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third party websites, affiliate sales networks, and may link to our advertising partners websites. Though we are tied up with various advertising and affiliate networks, this does not affect our analysis or opinion. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you, or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish sponsored articles or links, you may consider all articles or links hosted on our site as a partner endorsed link.

Call For Entries

Global Banking and Finance Review Awards Nominations 2020
2020 Global Banking & Finance Awards now open. Click Here

Latest Articles

Motivate Your Management Team 4 Motivate Your Management Team 5
Business2 days ago

Motivate Your Management Team

A management team, typically a group of people at the top level of management in an organization, is a team...

The Income Approach Vs Real Estate Valuation 6 The Income Approach Vs Real Estate Valuation 7
Business2 days ago

The Income Approach Vs Real Estate Valuation

The Income approach is only one of three main classifications of methodologies, commonly referred to as valuation approaches. It’s particularly...

How To Create A Leadership Philosophy 8 How To Create A Leadership Philosophy 9
Business2 days ago

How To Create A Leadership Philosophy

A leadership philosophy describes an individual’s values, beliefs and principles that they use to guide a business or organization. Your...

How to Build an AI Strategy that Works 10 How to Build an AI Strategy that Works 11
Technology2 days ago

How to Build an AI Strategy that Works

By Michael Chalmers, MD EMEA at Contino Six steps to boosting digital transformation through AI In the age of artificial...

Leumi UK appoints Guy Brocklehurst to property finance team as Relationship Manager  12 Leumi UK appoints Guy Brocklehurst to property finance team as Relationship Manager  13
Business2 days ago

Leumi UK appoints Guy Brocklehurst to property finance team as Relationship Manager 

Multi-specialist bank announces the appointment of Guy Brocklehurst to its property finance team Guy Brocklehurst has joined London-based Leumi UK...

Three times as many SMEs are satisfied than dissatisfied with COVID-19 support from their bank or building society 14 Three times as many SMEs are satisfied than dissatisfied with COVID-19 support from their bank or building society 15
Banking2 days ago

Three times as many SMEs are satisfied than dissatisfied with COVID-19 support from their bank or building society

More SMEs are satisfied (38%) than dissatisfied (13%) with their COVID-19 banking support Decline in SMEs using personal current accounts...

Tax administrations around the world were already going digital. The pandemic has only accelerated the trend. 16 Tax administrations around the world were already going digital. The pandemic has only accelerated the trend. 17
Finance3 days ago

Tax administrations around the world were already going digital. The pandemic has only accelerated the trend.

By Emine Constantin, Global Head of Accoutning and Tax at TMF Group. Why do tax administrations choose to go digital?...

Time for financial institutions to Take Back Control of market data costs 18 Time for financial institutions to Take Back Control of market data costs 19
Top Stories3 days ago

Time for financial institutions to Take Back Control of market data costs

By Yann Bloch, Vice President of Product Management at NeoXam Brexit may well be just around the corner, but it is...

An outlook on equities and bonds 20 An outlook on equities and bonds 21
Investing3 days ago

An outlook on equities and bonds

By Rupert Thompson, Chief Investment Officer at Kingswood The equity market rally paused last week with global equities little changed...

Optimising tax reclaim through tech: What wealth managers need to know in trying times 22 Optimising tax reclaim through tech: What wealth managers need to know in trying times 23
Investing3 days ago

Optimising tax reclaim through tech: What wealth managers need to know in trying times

By Christophe Lapaire, Head Advanced Tax Services, Swiss Stock Exchange This has been a year of trials: first, a global...

Newsletters with Secrets & Analysis. Subscribe Now