By Wolfgang Kandek, CTO, Qualys, Inc.
Online banking has become the default way for us to conduct our money transactions, in business as well as in our private life. It combines two important characteristics: it is more convenient and faster for the customer and it is cheaper for the provider. This combination makes it very attractive for both parties, and explains its popularity.
But legitimate users are not the only group interested in online banking. Cybercriminals are also attentive to new developments in areas that they can take advantage of, so it should be no surprise that online banking has seen an increasing volume of successful attacks. Companies have lost millions of Euros each year, and the banks have worked to combat this growing tendency by improving their security infrastructure around online banking. For example, they have added mechanisms that analyze money flow and react to new and strange patterns on the server side. At the same time, they have worked on the client interface and have come out with new mechanisms to assure the identity of the person logged in and the integrity of the transactions themselves. You have probably seen a number of these mechanisms labeled as 2FA, TAN numbers, mTAN, chipTAN, etc. But cybercriminals are hard to stop once they have identified an opportunity as large as online banking. They have continuously improved their tools to make sure they have the technical capabilities to counter each of these mechanisms. So today we are in an escalating action/reaction conflict between banks and cybercriminals, with the banks facing two contradictory tasks: first, secure the transaction, which implies a maximum of controls and checks, and second, offer ease of use, which means they cannot be too intrusive in their attempts to affirm identity and integrity.
In my role as CTO for Qualys I have interacted with numerous security professionals and IT administrators at companies that are working on improving their online banking security. It is clear that the endpoints that are used for online banking are high-value targets. The users of these endpoints can be enumerated by using Xing, LinkedIn and other professional networks, which exposes them to phishing attacks. Fortunately, we as IT administrators can do a number of things to stay ahead and not become a victim of the struggle. The most important item is to make sure that the computing equipment that we are using cannot be taken over by the cybercriminals. There are a number of technical options for your company to secure the endpoints that participate in online banking. I will list them from least secure to most secure:
- A Windows PC, also in use for normal office tasks
Windows is by far the most popular operating system for desktops and laptops and is used widely for e-mail, web browsing and document editing. Unfortunately it is also the most popular operating system to attack, exposed to phishing attacks that come in through your business and private e-mail and “watercooler” attacks that take advantage of your browsing habits. Every month Microsoft and other software vendors such as Adobe (Adobe Reader and Adobe Flash) release updates to their software that address the critical vulnerabilities sought after by cybercriminals. But even in cases where the IT department keeps the Windows PCs fully patched and with an updated security suite installed, we have seen that cybercriminals are able to get access and infect these PCs with malware capable of logging your usernames and passwords and intercepting and redirecting 2FA and TAN requests. The cybercriminals use so-called “0-day” vulnerabilities both in Windows and in installed application software. 0-day vulnerabilities are unknown to Microsoft and common security vendors and often stay that way for months while cybercriminals use them in their attack campaigns. With our current technology in the PC area, 0-days are extremely difficult to defend against.
If you have to use a normal office PC for your online banking, you can improve the situation somewhat by using a different browser than Internet Explorer for the banking transactions. By using a different browser you can escape a small part of the infections that focus on Microsoft’s Internet Explorer. I would suggest the Google Chrome browser as a robust alternative. In the past few years it has been the most resilient in cyber competitions that focus on browser exploitation. But even with Google Chrome I cannot recommend banking with a Windows machine that is used for normal office tasks.
- PCs running other operating systems
PCs running operating systems such as Mac OS X and Linux are less likely to be attacked than their Windows cousins. Both operating systems have their own critical vulnerabilities, for example the recent critical “Shellshock” vulnerability that affected Linux in a way that was quite easy to exploit. Nevertheless, we have not seen as much focus on these operating systems by the cybercriminals. Exploitation toolkits that are available on the black market are typically only targeted at the Windows operating system. A PC running an operating system other than Windows is a decent choice for your banking needs.
- A Windows PC that is used solely for banking
A dedicated Windows machine is a good option that is very resistant to attacks by cybercriminals. By keeping the machine updated with patches and security software and maintaining the discipline of not using it for any other tasks, you are reducing the number of possible attacks significantly. The remaining attack vectors are then other infected machines on your network. There the most critical issue is stolen admin credentials, which need to be controlled by configuring different credentials for each machine. A dedicated Windows PC is a good choice for your banking needs. By the way, that is not only my opinion: European and US banking authorities have repeatedly suggested using a dedicated banking PC as well.
- Mobile platforms, tablets and smartphones
Tablets and smartphones run on operating systems that are a generation younger and better than your normal PC. These operating systems were designed taking into account the experience with general-purpose operating systems such as Windows, Mac OS X and Linux. With general-purpose operating systems we do not know the exact use that customers will make of the system and we have to allow for maximum flexibility. Attackers typically abuse this power and flexibility, and that got us into the situation where we are today, where we are retrofitting operating systems with security programs, such as automatic updaters, integrity checkers and intrusion detection systems. Tablet and smartphone operating systems are purpose-written, starting with strong security. Think back to the initial versions of Apple’s iPhone/iOS combo, which had such strong separation between applications that cut and paste was not allowed. While some of these limitations have been relaxed over time, the strong security posture continues to be in force, and infection numbers in the mobile area are at least two orders of magnitude smaller than in the PC area. On Apple’s iPads and iPhones, infections are virtually unheard of. A tablet is a very good choice for your banking needs.
- Chromebase and similar
In its quest to make the browser the universal client-side application, Google has come out with a new operating system called ChromeOS. ChromeOS is in essence the Chrome browser plus the minimum number of capabilities that are necessary to run the browser, such as networking and user management. That makes ChromeOS more limited in its facilities than even a mobile OS. A number of hardware vendors have licensed the new operating system and have come out with computers that run ChromeOS: laptops (so-called Chromebooks) and desktops (Chromebox and Chromebase). These machines can be much less powerful than your average PC, resulting in a long battery life and a low price. They boot up in seconds and always stay updated by using the same tried and true continuous auto-update mechanism as the Chrome browser itself. So far security researchers have been unable to break into ChromeOS machines, even though the reward offered was quite significant, reaching the US$ 100,000 range. A Chromebase/book/box is an excellent choice for your banking needs. (Full disclosure: I have been using a Chromebase for my personal banking for almost one year now, and while my credit card has been renewed twice in that time I still feel safe in my choice of platform.)
There you have it, my personal ranking for online banking. I am sure there are other options that I have not covered that might be attractive from a security perspective. I have deliberately excluded running PCs off a LiveCD. While it is an excellent way to guarantee the integrity of the operating system because it is loaded from a read-only medium (a CD or DVD), I think it is impractical for most users to go through the rather slow process that most LiveCDs require. Your mileage may vary, but I believe it to be too cumbersome for most users.
I believe online banking is a great opportunity to implement security measures adapted to the data usage of the user. Usually it is challenging for IT administrators to judge how much business-critical data an end user has access to, but in this case both users and loss potential are pretty clear-cut. IT administrators can improve the security of their company’s online banking by implementing any of the options listed above, except for the use of a normal Windows PC. But securing the client is only one of the components for your banking transactions. It makes sense to talk to your end users about securing the configuration on the banking application side. If the bank offers 2-factor authentication (2FA), it should be activated. I favor dedicated devices for 2FA, so I give preference to ChipTAN over mTAN, as the possibility of an attacker manipulating the transaction becomes much smaller with a dedicated device. Similarly, it makes sense to activate notification options for important transactions. Here I favor SMS notifications over e-mail, simply because SMS tends to have a much higher attention rate than e-mail. Encryption is important to protect your company’s data and transactions in transit, so when your end users are logging into your bank’s website, train them to look for an encrypted connection from the very beginning. This means that the page where they type in the credential information, such as account number and/or passwords, should already be encrypted. They should verify that they see the green lock in the browser’s URL bar and that the URL matches the name of the bank site that they wanted to contact. They should not accept any exceptions on the certificate that identifies the bank’s site, which will assure that they are actually interacting with the site that they wanted to contact.
Again, the ranking is subjective and your business situation may well be more constrained. If your opinion differs, please let me know what you are thinking, either here in the comments, on Twitter @wkandek or by emailing me at [email protected].
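The login-page checks described above can also be automated by an administrator. The following is an added example, not part of the original article; `bank.example.com`, the lookalike URLs and all function names are constructed for illustration.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit

# Constructed sample data: bank.example.com stands in for the bank's real host.
EXPECTED_HOST = "bank.example.com"
SAMPLE_URLS = [
    "https://bank.example.com/login",        # what the user should see
    "http://bank.example.com/login",         # credentials page not encrypted
    "https://bank.example.com.login.test/",  # bank name is only a prefix
    "https://bank.example.com@login.test/",  # bank name is userinfo, not host
    "https://b\u0430nk.example.com/",        # Cyrillic "a" in the host name
]


def check_login_url(url, expected_host=EXPECTED_HOST):
    """Return a list of problem codes for a login URL; empty list means OK."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")

    # The page where credentials are typed must already be encrypted.
    if parts.scheme != "https":
        problems.append("not-https")
    # "https://bank@other-host/" shows the bank name but connects elsewhere.
    if parts.username is not None:
        problems.append("userinfo-in-url")
    # Non-ASCII or punycode labels can render like the bank's name.
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("idn-hostname")
    # Exact match only: a longer name that starts with the bank's is another site.
    if host != expected_host.lower().rstrip("."):
        problems.append("host-mismatch")
    return problems


def strict_context():
    """TLS context that accepts no certificate exceptions."""
    ctx = ssl.create_default_context()  # verifies chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_certificate(host, port=443, timeout=5.0):
    """Handshake with full verification; needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict_context().wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(ascii(url), check_login_url(url))
    # Optional live check: pass the bank's host name as the first argument.
    if len(sys.argv) > 1:
        print(sys.argv[1], check_certificate(sys.argv[1]))
```

A failed `check_certificate` corresponds to the browser warning that users should never click through.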
It’s all relative: Older generations feel helping out the family financially is more important since the Covid-19 outbreak
Before Covid, 23% of people prioritised helping younger generations out financially; that increased to a third as a result of the pandemic
A recent survey* conducted by Hodge has revealed that the Covid pandemic has led to more people wanting to help younger family members financially.
A third (31%)** of those questioned said that since the Covid outbreak giving a financial gift to children or grandchildren is more important to them, compared to 23% who said it was a priority before the pandemic.
The traditional “Bank of Mum and Dad” is still very much open for financial help, with parents being responsible for 72% of the gifts, but the study also revealed that financial gifts can come from all corners of the family – including children (14%) and siblings (14%).
The survey also found that a third of people have received a financial gift from family, with those aged between 25-34 as the most likely to receive
The most popular reason for gifting money to family is special occasions: a quarter of gifts were given for weddings and birthdays, but 11% of people have received money to help with big purchases such as cars and houses. In addition, 19% of people have received help with day-to-day finances, and around 14% of those receiving a gift have done so to pay off debt.
Emma Graham, Business Development Director at Hodge, said of the research: “Our study showed that, as a nation, we all want to help our family out when it comes to money. And whilst we all think of the Bank of Mum and Dad or Gran and Grandad as a traditional source, we were surprised to see that 14% of brothers and sisters are also helping out.”
The findings come from a recent intergenerational study conducted by Hodge, who interviewed over 3000 people about their attitudes towards finances and their aspirations for the future. The full research findings can be found at https://hodgebank.co.uk/2020/05/19/money-its-all-relative/.
As part of the study, people were also asked about paying back the gift, with 40% of beneficiaries expecting to pay their parents back, but this dropped to 28% if the gift came from grandparents.
From the gift donor’s perspective, 26% expect the gift to be paid back, however just 15% of grandparents expected the money back.
Hodge has produced a set of guides on how families can navigate the tricky subject of giving financial gifts within a family, as well as the considerations and steps that families should think about taking before a gift is given, such as whether it is a loan or a gift, and thinking about contingencies if the family member’s circumstances change. The guides can be found here: https://hodgebank.co.uk/news/
Emma continued: “It’s clear that families feel strongly about offering financial support to each other if they are able and this has increased since the Covid pandemic. Before Covid, 23% of people prioritised helping their families out financially in the next five years. Since the Covid-19 outbreak that has increased to a third of people saying helping a family member financially had become more important.
“So, it is clear that the Covid-19 lockdown, and subsequent predicted economic downturn, has led to more families looking to share wealth to help younger children or grandchildren during this difficult time. Many people may look to Later Life mortgages, where many products have reduced their rates and have flexible lending criteria, to help out a loved one during these difficult times.”
New report identifies the factors which will determine SMEs’ chances of a successful COVID recovery
· Analysis of the performance of over 1,000 UK small and medium-sized businesses by Allica Bank provides roadmap for SMEs
· Regular training, an openness to innovation, and a clear vision all contribute heavily to an SME’s chances of success
· Allica Bank has launched a programme of free workshops to expand on the findings and support business owners
Business bank Allica Bank has combined data and insight from over 1,000 UK SMEs with a multiple regression analysis to determine which factors most closely aligned with an SME’s chances of success and separated the highest-performing businesses from their peers. These ‘rules for success’ have been compiled from the research data to support British businesses as they look to chart a course to post-Covid recovery.
The full report identifies six behaviours for small and medium businesses to follow, to maximise their chances of a successful COVID recovery. The six top-line rules emphasised by the data were:
Rule 1: SMEs should regularly train staff
Of the top-performing businesses analysed, 47% provided training for employees at least on a quarterly basis, compared to just 32% of other businesses. Regular employee training was linked closely to success by the model.
Despite this, many small businesses have neglected training and nearly half (46%) of the small businesses analysed only provide training for employees about once a year or less often. This included 15% that never provide employer-funded training. This discrepancy could represent a significant opportunity for small businesses to unlock the potential of their employees and thrive in the post-Covid economy.
Rule 2: SMEs need to focus on innovation and technology
Looking again to the best performing businesses, 76% were found to either continually (39%) or often (37%) be considering new opportunities for technology in their business. This is compared to only 51% for businesses considered to be outside of the top ranks, out of which only 27% admitted to continually looking for new technology opportunities.
Rule 3: Small business must have a formal, long-term vision
Nearly two thirds (66%) of the most successful businesses in the survey had a formal, long-term vision, compared to just 50% of businesses outside the top 100. Looking to the businesses that scored the lowest on the SME Performance index, only 37% claimed to have a formal, long-term vision.
Rule 4: SMEs should broaden their customer reach and find new markets
Of the top-performing businesses, 65% of these have overseas customers compared to just 40% of the worst performing businesses. Among the best performing SMEs, over a third (34%) identified international expansion as one of the top three drivers for their success.
Rule 5: SMEs need to develop reinvestment plans
22% of the best performing SMEs reinvested some of their profits into the business in the past three years with an average 9% of profits being redeployed. Tellingly, this is nearly double what other businesses admit to reinvesting in their business (5%).
Rule 6: SMEs should engage with local business organisations and networks
Of the top 100 SMEs, 30% had obtained external credit to expand over the past three years (compared to 24% of other businesses). Meanwhile, only 16% of all other SMEs had engaged with local enterprise partnerships or growth hubs in the past three years (compared to 23% of the top 100 SMEs).
Chris Weller, Chief Commercial Officer, Allica Bank, said:
“All small businesses are different, as are all small business owners, but one trait they share is an innovative resilience. Whilst the coming months and years will undoubtedly continue to present extreme challenges, there is no doubt that small and medium sized businesses across the UK will rise to meet them head on.
“To give them the best chance to succeed, though, they need to be equipped with the right tools. There is certainly no silver bullet or panacea for every small business, but as this study has found, there are a number of common factors found in the most successful businesses that allow small enterprises to thrive and that they can consider individually for their business.
“This research has identified common ‘rules for success’ that speak to every aspect of running a business, not just the financials. Once we saw these results, we wanted to use them to help small businesses begin to re-build and prosper, by outlining common factors and then examining how best they can be practically applied to businesses in all sectors of the economy.
“Small business owners and their employees have been hit hard by the crisis, but they have the drive and resourcefulness to breathe new life into the economy and bring energy to post-Covid Britain. Our commitment at Allica Bank is to give them the support they need to do so, every step of the way.”
The full report contains a wealth of additional data and insight into each of these topics. As part of its mission to empower small businesses, Allica Bank is making the findings freely available and running a series of free online workshops with relevant partner organisations for businesses to attend.
New research finds that financial wellbeing should be at the heart of banks’ digital experiences as the UK enters recession
MullenLowe Profero have today launched a new report focusing on two communities who will be hardest hit by the recession: 18-25 year olds and small businesses. These communities need financial wellbeing support at the core of an increasingly digital relationship. MullenLowe Profero partnered with Censuswide to survey 1,004 18-25-year-olds and 504 small businesses.
Concern around financial shocks is harming individuals’ wellbeing
The survey finds the ability to absorb financial shocks to be the critical worry affecting wellbeing, and 40% of 18-25-year-olds are sometimes afraid to look at their bank account.
They are seeking financial education to relieve worries
With over two-thirds of respondents demanding financial education in order to find peace of mind, and 40% of 18-25-year-olds stating that thinking about their money has a negative impact on their wellbeing, the report highlights that the audience is open to more active support from banks. 60% of the audience feel banks should help them have the capacity to absorb a financial shock.
When our bank is in our pocket reminding us of our anxieties, is there now a duty of care to support our wellbeing?
The survey finds that the digital experience is now the number one reason for choosing a bank for 18-25 year olds.
With this shift in digital preference, people are expecting banks to play a bigger role in wellbeing. 58% of those worried about their money want banks to help them take control.
More than half of 18-25 year olds agree that a bank’s role is now to:
- provide education on money management
- help them keep on top of financial goals
- help them save enough money to cope with the ups and downs of life
People are feeling closer to local communities, but there is a gap in how brands should engage communities in a digital world
Half of 18-25 year olds agree that in the last few months the importance of their local community to them has increased. 40% agree they’ve engaged more with their local community in recent months. There’s a tension between how to engage a community as 60% agree they prefer a bank with better digital tools over a bank that offers more local branches. However, 60% feel banks need a branch presence to support local communities.
The importance of Global Wellbeing rises
Over half of 18-25 year olds agree that the events of the last few months have made them seek out brands that do better for the world. The research findings show that what they want most is to be recognised for their positive behaviours. 56% of the audience highlighted that they would find rewards and benefits for purchasing ethically and sustainably most useful.
Banks’ digital experiences today lack empathy
In this time of reset, the survey found a third of customers and small businesses are considering changing banks in the next year as a result of the impact of the pandemic. The report concludes that brands that will win will champion financial wellbeing in the digital experience through empathy and emotional intelligence.
For the full report, get in touch with MullenLowe Profero at [email protected]
Howard Pull, Head of Digital Transformation Strategy at MullenLowe Profero, said: “Our findings are a wake up call for digital innovation in banking relationships. With digital experience being the number one choice for selecting a bank, there’s a huge opportunity for banks to support individual wellbeing at scale by understanding and responding to our goals and anxieties to build better money habits.”
The research was conducted by Censuswide, with 1,004 18-25-year-old current account holders and 504 small businesses with business bank accounts and annual revenues up to £2m between 23.06.2020 and 29.06.2020. Censuswide abides by and employs members of the Market Research Society which is based on the ESOMAR principles.