By Wolfgang Kandek, CTO, Qualys, Inc.
Online banking has become the default way for us to conduct our money transactions, in business as well as in our private life. It combines two important characteristics: it is more convenient and faster for the customer and it is cheaper for the provider. This combination makes it very attractive for both parties, and explains its popularity.
But legitimate users are not the only group interested in online banking. Cybercriminals are also attentive to new developments in areas that they can take advantage of, so it should be no surprise that online banking has seen an increasing volume of successful attacks. Companies have lost millions of Euros each year, and the banks have worked to combat this growing tendency by improving their security infrastructure around online banking. For example, they have added mechanisms that analyze money flow and react to new and strange patterns on the server side. At the same time, they have worked on the client interface and have come out with new mechanisms to assure the identity of the person logged in and the integrity of the transactions themselves. You have probably seen a number of these mechanisms labeled as 2FA, TAN numbers, mTAN, chipTAN, etc. But cybercriminals are hard to stop once they have identified an opportunity as large as online banking. They have continuously improved their tools to make sure they have the technical capabilities to counter each of these mechanisms. So today we are in an escalating action/reaction conflict between banks and cybercriminals, with the banks facing two contradictory tasks: first, secure the transaction, which implies a maximum of controls and checks, and second, offer ease of use, which means they cannot be too intrusive in their attempts to affirm identity and integrity.
In my role as CTO for Qualys I have interacted with numerous security professionals and IT administrators at companies that are working on improving their online banking security. It is clear that the endpoints that are used for online banking are high-value targets. The users of these endpoints can be enumerated by using Xing, LinkedIn and other professional networks, which exposes them to phishing attacks. Fortunately we as IT administrators can do a number of things to stay ahead and not become a victim of the struggle. The most important item is to make sure that the computing equipment that we are using cannot be taken over by the cybercriminals. There are a number of technical options for your company to secure the endpoints that participate in online banking. I will list them from least secure to most secure:
- A Windows PC, also in use for normal office tasks
Windows is by far the most popular operating system for desktops and laptops and is used widely for e-mail, web browsing and document editing. Unfortunately it is also the most popular operating system to attack, exposed to phishing attacks that come in through your business and private e-mail and “watering hole” attacks that take advantage of your browsing habits. Every month Microsoft and other software vendors such as Adobe (Adobe Reader and Adobe Flash) release updates to their software that address the critical vulnerabilities sought after by cybercriminals. But even in cases where the IT department keeps the Windows PCs fully patched and with an updated security suite installed, we have seen that cybercriminals are able to get access and infect these PCs with malware capable of logging your usernames and passwords and intercepting and redirecting 2FA and TAN requests. The cybercriminals use so-called “0-day” vulnerabilities both in Windows and in installed application software. 0-day vulnerabilities are unknown to Microsoft and common security vendors and often stay that way for months while cybercriminals use them in their attack campaigns. With our current technology in the PC area, 0-days are extremely difficult to defend against.
If you have to use a normal office PC for your online banking, you can improve the situation somewhat by using a different browser than Internet Explorer for the banking transactions. By using a different browser you can escape a small part of the infections that focus on Microsoft’s Internet Explorer. I would suggest the Google Chrome browser as a robust alternative. In the past few years it has been the most resilient in cyber competitions that focus on browser exploitation. But even with Google Chrome I cannot recommend banking with a Windows machine that is used in normal office tasks.
- PCs running other operating systems
PCs running operating systems such as Mac OS X and Linux are less likely to be attacked than their Windows cousins. Both operating systems have their own critical vulnerabilities, for example the recent critical “Shellshock” vulnerability that affected Linux in a way that was quite easy to exploit. Nevertheless we have not seen as much focus on these operating systems by the cybercriminals. Exploitation toolkits that are available on the black market are typically only targeted at the Windows operating system. A PC running an operating system other than Windows is a decent choice for your banking needs.
- A Windows PC, that is used solely for banking
A dedicated Windows machine is a good option that is very resistant to attacks by cybercriminals. By keeping the machine updated with patches and security software and maintaining the discipline of not using it for any other tasks, you are reducing the number of possible attacks significantly. The remaining attack vectors are then other infected machines on your network. There the most critical issue is stolen admin credentials, which need to be controlled by configuring different credentials for each machine. A dedicated Windows PC is a good choice for your banking needs. By the way, that is not only my opinion: European and US banking authorities have repeatedly suggested using a dedicated banking PC as well.
- Mobile platforms, tablets and smartphones
Tablets and smartphones run on operating systems that are a generation younger and better than your normal PC. These operating systems were designed taking into account the experience with general purpose operating systems such as Windows, Mac OS X and Linux. With general purpose operating systems we do not know the exact use that customers will make of the system and we have to allow for maximum flexibility. Attackers typically abuse this power and flexibility, and that got us into the situation where we are today, where we are retrofitting operating systems with security programs such as automatic updaters, integrity checkers and intrusion detection systems. Tablet and smartphone operating systems are purpose-written, starting with strong security – think back to initial versions of Apple’s iPhone/iOS combo, which had such strong separations between applications that cut and paste was not allowed. While some of these limitations have been relaxed over time, the strong security posture continues to be in force, and infection numbers in the mobile area are at least two orders of magnitude smaller than in the PC area. On Apple’s iPads and iPhones infections are virtually unheard of. A tablet is a very good choice for your banking needs.
- Chromebase and similar
In its quest to make the browser the universal client-side application, Google has come out with a new operating system called ChromeOS. ChromeOS is in essence the Chrome browser plus a minimum number of capabilities that are necessary to run the browser, such as networking and user management. That makes ChromeOS more limited in its facilities than even a mobile OS. A number of hardware vendors have licensed the new operating system and have come out with computers that run ChromeOS: laptops (so-called Chromebooks) and desktops (Chromebox and Chromebase). These machines can be much less powerful than your average PC, resulting in a long battery life and low price. They boot up in seconds and are always kept up to date by the same tried and true continuous auto-update mechanism as the Chrome browser itself. So far security researchers have been unable to break into ChromeOS machines, even though the reward offered was quite significant, reaching the US$ 100,000 range. A Chromebase/book/box is an excellent choice for your banking needs. (Full disclosure: I have been using a Chromebase for my personal banking for almost one year now and while my credit card has been renewed twice in that time I still feel safe in my choice of platform.)
There you have it, my personal ranking for online banking. I am sure there are other options that I have not covered that might be attractive from a security perspective. I have deliberately excluded running PCs off a LiveCD. While it is an excellent way to guarantee the integrity of the operating system because it is loaded from a read-only medium (a CD or DVD), I think it is impractical for most users to go through the rather slow process that most LiveCDs require. Your mileage may vary, but I believe it to be too cumbersome for most users.
I believe online banking is a great opportunity to implement security measures adapted to the data usage of the user. Usually it is challenging for IT administrators to judge how much business-critical data an end user has access to, but in this case both users and loss potential are pretty clear cut. IT administrators can improve the security of their company’s online banking by implementing any of the options listed above, except for the use of a normal Windows PC. But securing the client is only one of the components for your banking transactions. It makes sense to talk to your end users about securing the configuration on the banking application side. If the bank offers 2-factor authentication (2FA) it should be activated. I favor dedicated devices for 2FA, so I give preference to ChipTAN over mTAN, as the possibility of an attacker manipulating the transaction becomes much smaller with a dedicated device. Similarly it makes sense to activate notification options for important transactions. Here I favor SMS notifications over e-mail, simply because SMS tends to have a much higher attention rate than e-mail. Encryption is important to protect your company’s data and transactions in transit, so when your end users are logging into your bank’s website, train them to look for an encrypted connection from the very beginning. This means that the page where they type in the credential information, such as account number and/or passwords, should already be encrypted. They should verify that they see the green lock in the browser’s URL bar and that the URL matches the name of the bank site that they wanted to contact. They should not accept any exceptions on the certificate that identifies the bank’s site, which will assure that they are actually interacting with the site that they wanted to contact.
Again, the ranking is subjective and your business situation may well be more constrained. If your opinion differs, please let me know what you are thinking, either here in the comments, on Twitter @wkandek or by emailing me at [email protected].
How banks can take on Google in the race for AI talent
By Nicola Sullivan, solutions director at candidate engagement tech firm Meet & Engage
The events of 2020 have made the battle for AI talent more ferocious than ever. In a volatile landscape where innovation is key, multinational firms are rolling up their sleeves for the inevitable scrum ahead.
For incumbent banks, the stakes are intimidatingly high. In one corner stand the fintech startups: the likes of Revolut and Monzo, who are snapping up AI-literate graduates while laying down pressure for capacity in exactly that area.
In the other corner, we find the Silicon Valley contenders of Amazon, Facebook and Google, who have phenomenal pay packages – not to mention glamour and visibility – on their side. And technologists with a finance background loom firmly in their crosshairs (Facebook employs hundreds of ex-banking recruits).
This unsettling picture is intensified by a chronic tech shortage: in a recent study by AI firm Peltarion, 83 percent of AI decision-makers agreed that a deficit of deep learning skills was seriously hampering their competitiveness. But, with the global impact of AI on financial services companies set to hit $140 billion in productivity gains and cost savings by 2025, banks need to find a way to break ahead and secure the AI talent they need. Here’s how:
Fish from a wider talent pool
We tend to think of AI in relation to a very niche set of qualifications. Yet in reality, it’s a fast-moving sphere that also requires a host of soft transferable skills such as problem-solving, agility, great communication and a sound analytical mind. In short, it’s less about what a candidate knows/does, and more to do with what they could know or do.
It’s worth thinking about whether you are being open-minded enough in your interpretation of tech talent. Do the AI roles you’re looking to fill need specific skills and criteria, or are they better suited to people who are inherently curious, intelligent and quick to learn?
Depending on the answer, you may want to expand your search from the bright young things of MIT or Berkeley to other related careers or older candidates with transferable skills. You may even want to look internally for the next generation of tech talent.
For example, if a bank’s customer-facing roles are declining but AI supply is not keeping up with demand, maybe this is a problem that could fix itself. The bank in question could run a two-week internal virtual AI internship to test interest, with the aim of rechanneling internal talent and avoiding redundancies. If AI is as critical as all forecasts suggest to the future of finance, investing in a more comprehensive approach like this may make a lot of sense.
Then there’s also the question of underrepresented groups. The proportion of black or latino people at major tech companies remains depressingly low, while women make up only a quarter of computing roles.
As well as driving equality, this issue of diversity is also a market gap that could be used for competitive advantage by banks. But doing so requires a deep-seated strategy that addresses the root reasons why candidates from these groups are turning away from tech. Issues such as lack of career development and accessible education need to be solved at ground level from the inside-out; an effort that begins before, or in tandem with, recruitment.
Make your recruitment process personal and transparent
When you’re fighting for top AI candidates who have the world at their fingertips, it’s not enough to bundle them through a generic Applicant Tracking System. You have to actively woo them, and get them on-side with your vision and community. This is especially important for millennials and Gen Z recruits, who are more purpose-driven than their predecessors.
Live online chat sessions hosted by high-profile speakers across the business are one tactic our banking clients have seen great success with here. For example, a shortlisted group of technologists get to meet with a bank’s CTO or Chief Human Resources Officer via a group chat (which they can join anonymously if they want to), to ask questions and find out more about a company’s technology roadmap and cultural ethos.
This is a rare opportunity to give candidates real takeaway value; even if they’re not thinking about leaving their current job, few will turn down the chance of time with the person who runs cybersecurity at a major bank. And this person will invariably be able to communicate a much better sense of culture than a third-party recruiter can.
Visibility is also important here: if you want to attract more BAME or female candidates, you need to have lead BAME or female technicians as a vocal part of the recruitment process, showing what success in your company looks like. If you don’t have people to fulfil these roles, you need to go back and address that rather than making empty statements.
Opening the doors to your company in this way is a winning strategy for tech candidates: it’s a “wrapper” to put around them and make them feel wanted, welcome and motivated – even when a recruitment process lasts a little longer than you’d like.
Talk like yourself but walk like a tech expert
Part of the openness needed to recruit key tech talent is about being authentic, too. There’s a tendency among some finance incumbents to “get down with the kids” and appear more like their disruptive competitors than they truly are. If you are a long-established brand in the banking world, with a good track record of developing careers, that alone is enough to attract AI technologists – you have a lot to offer, and you don’t need to put on a guise.
Equally, if you do have work to do in being more accessible to potential candidates, focus on real progression rather than image. This may mean putting through measures to build awareness and role modelling around recruitment diversity, or enhancing employee wellbeing.
With mental health issues on the rise in the workplace, a co-managed wellness programme of fitness and community events can make the difference between which way a candidate sways in a roomful of enticing options. This is especially true since banks – for all their boardroom traditions – have a reputation among technologists for a better, less brutal work-life balance than Silicon Valley.
Lastly, banks need to walk the walk when it comes to tech-enabled recruitment. However hard you try to make it personal, most candidate enrollments will involve a degree of automation at some stage – and it’s important to make that process as quick and slick as possible. For a candidate with consumer-grade tech experience, first impressions count: they want to know that this is a place that will recognise and nurture their skill set. So instead of a long, clunky application process, maybe consider a virtual assessment centre or a sophisticated chat bot, which can capture essential information in a fast, engaging way.
Recruiting the world’s top tech talent isn’t a question of magic or even necessarily a huge pay cheque. Instead you need to weave together these “micro-moments” that signal your bank’s character, integrity and technical ambition. Do this, and you stand a good chance of persuading leading AI candidates to skip the queue and come directly to you.
1.4 million customers to stop using bank branches due to COVID
8.4 million customers had already stopped visiting branches in person before lockdown
However, three quarters (74%) of customers will return to banking in branch after the pandemic
Of those who plan to return to branches, over two thirds (69%) will only return when they absolutely need to
A further 1.6 million (3%) said they don’t have an account with a high-street bank, meaning a total of 3 million Brits don’t have a need for physical branches.
This number may rise, as 8.4 million (16%) Brits had stopped using their bank’s branches before lockdown and are not sure if they will ever return.
However, not everyone has gone completely digital as 3 in 10 British banking customers (29%) have already returned to using their bank’s branches, with an additional 44% of customers planning to return soon.
Of these people who plan to return in the near future, over two thirds (69%) will only return when they absolutely need to and their problem cannot be solved online or over the phone.
Meanwhile, a third of those consumers (31%) are waiting for a COVID vaccine or treatment before they go back to their local branch.
This means that eventually, three-quarters of Brits (74%) will return to banking in-branch the way they did before lockdown.
However, they may face a longer journey than they previously did to find a branch. Data from ONS shows 25% of branches have closed in the UK since 2012 and this decline in branches is likely to continue if people follow through with their plans to avoid branches.
Customers in Northern Ireland will go back to banking in branches more so than those in any other region, with 85% of customers here saying they have already returned or plan to do so soon.
Interestingly, a quarter of customers (25%) in the East Midlands had already stopped banking in branches, making this the area with the most customers who no longer use branches.
Those in the North East are set to follow the same path as residents in the East Midlands, with 5% of customers in the North East saying they will stop using branches in the future.
To see the research in full visit: https://www.finder.com/uk/banking-branch-usage
Commenting on the findings, Jon Ostler, CEO at finder.com said:
“Lockdown has quickly changed many aspects of our lives and our banking behaviour was no different. Not being able to visit bank branches in person meant many consumers had no option but to start using online banking and banks’ mobile apps. These are generally easy to use and intuitive so you would expect some of these new converts to stay away from branches going forward.
“While the digital-only banks excel at their app offering, previous research we carried out found that sentiment towards these banks fell almost three times as much during lockdown than towards high street banks. This could be a sign that the quality of apps and online banking from high street banks is catching up.”
Finder commissioned Onepoll on 26 to 28 August 2020 to carry out a nationally representative survey of adults aged 18+. A total of 2,000 people were questioned throughout Great Britain, with representative quotas for gender, age and region.
Liquid Assets of a Bank
Liquid assets are tangible and movable assets which are easily convertible into cash in a crisis situation. Liquid assets are used by lenders to fund their loans. Examples of liquid assets include government bonds and central bank reserves.
To stay alive, financial institutions must have enough liquid funds to pay withdrawals and other immediate financial obligations by depositing holders of checks. But the amount of money they have in liquid form is not enough to cover these short-term obligations and their financial problems will become worse. Liquid assets of the financial institutions should be regularly replenished to make the banking system financially stable. In order to maintain a sufficient amount of money in the economy, the Federal Reserve System will always be in need of additional assets.
There are several ways in which the financial institutions can replenish their liquid assets. One of the ways is by borrowing funds from banks and credit unions. The other way is by issuing debt securities to provide liquidity for the monetary system.
Borrowing from banks and credit unions: Banks can borrow funds from other financial institutions in order to meet their liquidity requirements. However, the rate at which banks borrow funds from other financial institutions is usually very high. This high rate can only be beneficial for the financial institutions because the borrowed funds are used to purchase commercial mortgage-backed securities (CMBS). In return for providing CMBS, the banks can receive interest payments on the principal balance of the loans they have made to other financial institutions.
Issuing debt securities: The assets that a commercial bank or credit union secures as collateral for the loan from other financial institutions can also be used to liquidate its existing liquid assets. Usually, the assets used as collateral to secure loaned funds are Treasury securities, corporate bonds and treasury bills. However, as the value of these securities decreases, the banks’ ability to recover them through the redemption of their treasury bills and the federal income tax on the principal balance of these securities can increase the amount of funds they will have to pay out on short-term debts.
Securing debt securities: As mentioned above, the assets which commercial banks and credit unions can use to liquidate their liquid and non-liquid assets can also be used to secure loans made by them to other financial institutions. But it is important for the banks and credit unions to ensure that the funds they use to secure these loans are not used to purchase more securities. In order to obtain maximum gains from the sale of their assets, they should use a method to redeem the securities before the maturity date of the loan.
In addition to using these methods to secure other financial institutions’ loans, banks and credit unions can also sell their assets in order to raise the funds they need for making short-term payments. For example, if a commercial bank has a large inventory of commercial mortgage-backed securities, it may want to sell some of its assets in order to raise the capital required to make a single payment. If the purchase price of these assets is less than the total loan balance, the bank can sell its securities and cash in order to raise the necessary capital.
Although liquid and non-liquid assets can help the banking system to make its operations more stable, the loss of one type of asset can severely affect the financial condition of a bank or credit union. Therefore, even if there are many types of assets, it is important for the banks and credit unions to maintain a balanced level of liquidity in order to make sure that the economic system is not adversely affected by any one type of loss.