By Wolfgang Kandek, CTO, Qualys, Inc.
Online banking has become the default way for us to conduct our money transactions, in business as well as in our private life. It combines two important characteristics: it is more convenient and faster for the customer and it is cheaper for the provider. This combination makes it very attractive for both parties, and explains its popularity.
But legitimate users are not the only group interested in online banking. Cybercriminals are also attentive to new developments in areas that they can take advantage of, so it should be no surprise that online banking has seen an increasing volume of successful attacks. Companies lose millions of Euros each year, and the banks have worked to combat this growing tendency by improving their security infrastructure around online banking. For example, they have added mechanisms that analyze money flow and react to new and strange patterns on the server side. At the same time, they have worked on the client interface and have come out with new mechanisms to assure the identity of the person logged in and the integrity of the transactions themselves. You have probably seen a number of these mechanisms labeled as 2FA, TAN numbers, mTAN, chipTAN, etc. But cyber criminals are hard to stop once they have identified an opportunity as large as online banking. They have continuously improved their tools to make sure they have the technical capabilities to counter each of these mechanisms. So today we are in an escalating action/reaction conflict between banks and cybercriminals, with the banks facing two contradicting tasks: first, secure the transaction, which implies a maximum of controls and checks; and second, offer ease of use, which means they cannot be too intrusive in their attempts to affirm identity and integrity.
In my role as CTO for Qualys I have interacted with numerous security professionals and IT administrators at companies that are working on improving their online banking security. It is clear that the endpoints that are used for online banking are high value targets. The users of these endpoints can be enumerated by using Xing, LinkedIn and other professional networks, which makes them available to phishing attacks. Fortunately we as IT administrators can do a number of things to stay ahead and not become a victim of the struggle. The most important item is to make sure that the computing equipment that we are using cannot be taken over by the cyber criminals. There are a number of technical options for your company to secure the endpoints that participate in online banking. I will list them from least secure to most secure:
- A Windows PC, also in use for normal office tasks
Windows is by far the most popular operating system for desktops and laptops and is used widely for e-mail, web browsing and document editing. Unfortunately it is also the most popular operating system to attack, exposed to phishing attacks that come in through your business and private e-mail and “watering hole” attacks that take advantage of your browsing habits. Every month Microsoft and other software vendors such as Adobe (Adobe Reader and Adobe Flash) release updates to their software that address the critical vulnerabilities sought after by cyber criminals. But even in cases where the IT department keeps the Windows PCs fully patched and an updated security suite installed, we have seen that cyber criminals are able to get access and infect these PCs with malware capable of logging your usernames and passwords and intercepting and redirecting 2FA and TAN requests. The cyber criminals use so called “0-day” vulnerabilities both in Windows and in installed application software. 0-day vulnerabilities are unknown to Microsoft and common security vendors and often stay that way for months while cybercriminals use them in their attack campaigns. With our current technology in the PC area 0-days are extremely difficult to defend against.
If you have to use a normal office PC for your online banking you can improve the situation somewhat by using a different browser than Internet Explorer for the banking transactions. By using a different browser you can escape a small part of the infections that focus on Microsoft’s Internet Explorer. I would suggest the Google Chrome browser as a robust alternative. In the past few years it has been the most resilient in cyber competitions that focus on browser exploitation. But even with Google Chrome I cannot recommend banking with a Windows machine that is used for normal office tasks.
- PCs running other operating systems
PCs running operating systems such as Mac OS X and Linux are less likely to be attacked than their Windows cousins. Both operating systems have their own critical vulnerabilities, for example the recent critical “Shellshock” vulnerability that affected Linux in a way that was quite easy to exploit. Nevertheless we have not seen as much focus on these operating systems by the cybercriminals. Exploitation toolkits that are available on the black market are typically only targeted at the Windows operating system. A PC running an operating system other than Windows is a decent choice for your banking needs.
- A Windows PC, that is used solely for banking
A dedicated Windows machine is a good option that is very resistant to attacks by cyber criminals. By keeping the machine updated with patches and security software and maintaining the discipline of not using it for any other tasks, you are reducing the number of possible attacks significantly. The remaining attack vectors are then other infected machines on your network. There the most critical issue is stolen admin credentials, which needs to be controlled by configuring different credentials for each machine. A dedicated Windows PC is a good choice for your banking needs. By the way, that is not only my opinion: European and US banking authorities have repeatedly suggested using a dedicated banking PC as well.
- Mobile platforms, tablets and smartphones
Tablets and smartphones run on operating systems that are a generation younger and better than your normal PC. These operating systems were designed taking into account the experience with general purpose operating systems such as Windows, Mac OS X and Linux. With general purpose operating systems we do not know the exact use that customers will make of the system and we have to allow for maximum flexibility. Attackers typically abuse this power and flexibility, and that got us into the situation where we are today, where we are retrofitting operating systems with security programs such as automatic updaters, integrity checkers and intrusion detection systems. Tablet and smartphone operating systems are purpose-written starting with strong security – think back to the initial versions of Apple’s iPhone/iOS combo, which had such strong separation between applications that cut and paste was not allowed. While some of these limitations have been relaxed over time, the strong security posture continues to be in force and infection numbers in the mobile area are at least two orders of magnitude smaller than in the PC area. On Apple’s iPads and iPhones infections are virtually unheard of. A tablet is a very good choice for your banking needs.
- Chromebase and similar
In its quest to make the browser the universal client side application, Google has come out with a new operating system called ChromeOS. ChromeOS is in essence the Chrome browser plus a minimum number of capabilities that are necessary to run the browser, such as networking and user management. That makes ChromeOS more limited in its facilities than even a mobile OS. A number of hardware vendors have licensed the new operating system and have come out with computers that run ChromeOS: laptops (so called Chromebooks) and desktops (Chromebox and Chromebase). These machines can be much less powerful than your average PC, resulting in long battery life and a low price. They boot up in seconds and always stay updated by using the same tried and true continuous auto update mechanism as the Chrome browser itself. So far security researchers have been unable to break into ChromeOS machines, even though the reward offered was quite significant, reaching the US$ 100,000 range. A Chromebase/book/box is an excellent choice for your banking needs. (Full disclosure: I have been using a Chromebase for my personal banking for almost one year now, and while my credit card has been renewed twice in that time I still feel safe in my choice of platform.)
There you have it, my personal ranking for online banking. I am sure there are other options that I have not covered that might be attractive from a security perspective. I have deliberately excluded running PCs off a LiveCD. While it is an excellent way to guarantee the integrity of the operating system, because it is loaded from a read-only medium (a CD or DVD), I think it is impractical for most users to go through the rather slow process that most LiveCDs require. Your mileage may vary, but I believe it to be too cumbersome for most users.
I believe online banking is a great opportunity to implement security measures adapted to the data usage of the user. Usually it is challenging for IT administrators to judge how much business critical data an end user has access to, but in this case both the users and the loss potential are pretty clear cut. IT administrators can improve the security of their company’s online banking by implementing any of the options listed above, except for the use of a normal Windows PC. But securing the client is only one of the components of your banking transactions. It makes sense to talk to your end users about securing the configuration on the banking application side. If the bank offers 2-factor authentication (2FA) it should be activated. I favor dedicated devices for 2FA, so I give preference to chipTAN over mTAN, as the possibility of an attacker manipulating the transaction becomes much smaller with a dedicated device. Similarly it makes sense to activate notification options for important transactions. Here I favor SMS notifications over e-mail, simply because SMS tends to have a much higher attention rate than e-mail. Encryption is important to protect your company’s data and transactions in transit, so when your end users are logging into your bank’s website, train them to look for an encrypted connection from the very beginning. This means that the page where they type in the credential information, such as account number and/or password, should already be encrypted. They should verify that they see the green lock in the browser’s URL bar and that the URL matches the name of the bank site that they wanted to contact. They should not accept any exceptions on the certificate that identifies the bank’s site, which will assure that they are actually interacting with the site that they wanted to contact.
Again, the ranking is subjective and your business situation may well be more constrained. If your opinion differs, please let me know what you are thinking, either here in the comments, on Twitter @wkandek or by emailing me at [email protected].
ECB plans closer scrutiny of bank boards
FRANKFURT (Reuters) – The European Central Bank plans to increase scrutiny of bank board directors and will look more closely at diversity within management bodies, ECB supervisor Edouard Fernandez-Bollo said on Friday.
The ECB already examines the suitability of board candidates in a so-called fit and proper assessment, but rules across the 19 euro zone members vary, so the quality of these checks can be inconsistent.
The ECB plans to ask banks to undertake a suitability assessment before making appointments, and they will put greater emphasis on the candidates’ previous positions and the bank’s specific needs, Fernandez-Bollo said in a speech.
The supervisor also plans more detailed rules on how it will reassess board members once new information emerges, particularly in case of breaches related to anti-money laundering and financing of terrorism, Fernandez-Bollo added.
Fernandez-Bollo did not talk about enforcing diversity quotas, but he argued that diversity, including diversity in gender, backgrounds and experiences, improves efficiency and was thus crucial.
“Supervisors will consider furthermore all of the diversity-related aspects that are most relevant to enhancing the individual and collective leadership of boards,” he said.
“Diversity within a management body is therefore crucial … there is a lot of room for improvement in this area in European banks,” he said.
(Reporting by Balazs Koranyi, editing by Larry King)
Where are we with Open Banking, and should we be going further?
By Mitchel Lenson, Non-Executive Chairman, Exizent
Open Banking has the power to revolutionise the way we manage our money, but most (65%) consumers are still not aware of it, while many financial institutions continue to treat it as an obligation rather than an opportunity.
For Open Banking to truly reach its potential, consumers need to have more trust in its benefits. However, this will only happen if banks and other financial institutions start to embrace it, rather than simply accept it.
Covid-19 has proven to banks that digital banking and open finance innovation is not simply a ‘nice to have’. It is vital for their own survival. With so many challenger banks now coming into the market, many of whom have entirely digital models and therefore invest heavily in technology, banks are starting to become aware that if they don’t embrace it, they’ll get left behind.
So, fuelled by a mixture of competition and Covid-19, banks are starting to realise that Open Banking is not about giving away valuable data, but it is about collaborating with third party fintechs to explore the endless opportunities data sharing can bring – to all sides.
By making open finance easier for developers, banks can not only save time and money by improving their own services but help create useful solutions that add real value for their customers.
Open Banking for all?
There is one, yet untapped area of consumer finance that could be immeasurably improved by Open Banking, and that is estate administration.
Recent research from Which? found that many executors contend with delays, errors and poor knowledge from their banks during the probate process. Our own research shows that most legal professionals admit the process does not work as it should, and the time it takes to complete probate is unacceptable.
Like the Which? survey, we found that the main issue is the administration involved, with most legal professionals saying that the time it takes for financial institutions to get back to them with the information they need is the main cause of delays.
Given that the system is not working for consumers, something clearly needs to be done. The good news is that the technology and data is already available – we just need to harness it to create a better system.
That is why we are developing the first ever platform to connect executors, legal professionals, and financial institutions to create a better, quicker, and more secure probate experience for everyone.
Our first release of the platform – a bespoke cloud-based solution to enable legal services firms to integrate directly with financial institutions making information gathering and processing more straightforward – was released in 2020. We are now building on that foundation to accelerate our development work with financial institutions to deliver additional value for all sides.
We also see huge potential in working with banks to utilise the digital financial infrastructure, powered by Open Banking, to improve things even further. But there is one, fairly sizeable issue – currently, Open Banking consent ceases at the point of death.
Is it time for legislative change?
Open Banking is not as open as it should be for those who can give consent, so we are certainly some way off from Open Banking for the deceased. However, the more that banks acknowledge Open Banking and its potential and are prepared to collaborate with third party fintechs to develop better experiences for consumers, the more likely we are to get to a point where we can tap into that potential to improve things for the bereaved.
Many of the problems – highlighted by Which? – that consumers face when managing someone’s estate could be reduced significantly if open finance continued to apply to the deceased.
Open Banking provides a huge opportunity to speed-up and reduce friction for loved ones faced at some of the hardest moments of their lives, and there is a strong argument here for the current position to be reviewed to enable better access to a deceased person’s assets.
With our current platform, we are showing how technology is playing an incredibly significant role in dealing with the complex, tangled process that is probate, and the potential of open finance to radically enhance what we are already doing cannot be overstated.
What will become of our banks and their channels in 2021?
By Mark Aldred, banking specialist at Auriga
As we embark on the new year, and 2020 hopefully becomes a distant but sobering memory, it is time to step back and consider the lessons learnt and look to the trends likely to emerge in the banking sector in the year ahead. To stay relevant and to differentiate themselves in the current digital age, banks need to demonstrate a solid understanding of the current landscape and stay aligned with customers’ changing habits and expectations. COVID-19 may have accelerated trends that were already in play, but whether they continue at the same pace is yet to be decided. It will be those that evolve rapidly that will get ahead and stay ahead. More than ever, it is not only about competitive advantage but, for some, it may be about survival.
Sharing ATM infrastructure
ATM infrastructure sharing is an active trend in markets such as the Netherlands, Belgium, Sweden, Finland, and Indonesia. In Belgium, an initiative known as Batopin means that a network of bank-neutral ATMs, previously managed by its four biggest banks, will from 2021 run on a single software platform. In the Netherlands, a similar exercise started two years earlier. There the major banks have merged their ATMs under the ‘Geldmaat’ label. These bank-neutral ATM estates are one of the responses to the challenges of owning ATM and branch estates in a world where banking is more accessible and competitive than ever. This is one way banks can guarantee continuous access to cash for their customers without the cost burden of running channels which their new competitors do not even offer. Through pooling, the industry landscape is changing, and banks’ costs are reducing.
Other technology-led approaches are delivering value, including increasing adoption of cloud-based technologies, removing the need to rely on massive on-premise infrastructure, skills, and services. The pooled ATM business model provides many benefits and as discussions progress in different markets, banks, and ATM deployers will certainly be watching with interest the progress made in Indonesia and Belgium, when considering next steps. There needs to be more use cases that prove this model can indeed reduce costs while maintaining access and improving customer experience.
Cashback for all?
Loss of access to cash when ATMs disappear has the potential to be a national scandal and an embarrassment to ATM deployers. Offering cashback at retailers of all sizes is one way of softening the blow. In Germany cashback limits and the requirement to make a purchase have long been lifted. Whilst in the UK new schemes to address this are on their way as we move into 2021, the government revealed that consumers received £3.8 billion of cashback when paying for items last year – making it the second most used method for withdrawing cash in the UK behind ATMs. This suggests that properly implemented cashback, with support from retail, could help reverse the unwelcome reductions in the accessibility of cash in remote and rural communities in particular.
That said, it is important not to fall into the trap of shifting the burden onto small businesses. They are already under their own pressure because of changing consumer behaviours and, of course, the pandemic. The benefits to the retailer should be more footfall and lower costs of cash handling. Small stores full of consumers only wanting access to cash for which the retailer cannot charge is an outcome that will not help revive communities.
Bank branch closure rates and ATM losses keep on accelerating, but we have not reached the peak yet. It is predicted that there will be a continued decline in the penetration of UK branches over the next four years.
To compensate for the loss of ATMs, LINK (UK’s national switch, owned by the ATM deployers themselves) has founded a delivery fund to enable all communities to request help with accessing cash. Any member of the public can get in touch directly with LINK or via their MP or local council to argue the case for an ATM to be sited (or re-sited) in their area. This is bringing out the best in some communities and several have already successfully argued that they need an ATM.
Equally, there are regional and national initiatives aimed at re-banking areas where legacy banks cannot profitably operate a branch (or even an ATM). Many of these are attracting interest and investment but the road is long, and the re-opening of branches or ATMs in many remote communities will be made to wait while some of these bodies build their alternative banks. The barriers to entry are vast, not least the requirement for a banking licence, which means the model favoured by many cannot be expected to be live much before 2024.
So, while bank branch closures continue, and alternate providers build their propositions, the only way to mitigate and manage this is to consider new, lean, and agile models. The next generation bank branch must be cheaper to run, smarter, smaller, automated, full-service, and available 24/7 to pay its way in the community.
A great example of how this could look is the way Millennium BCP in Portugal has deployed new model branches built around their MTM devices (Millennium Teller Machine). As part of its long-term plan to modernise its business and balance the books, Millennium recognised that many branches built on the legacy model could not support themselves. They recognised that consumer behaviours and habits meant that new sites should be considered for their new branch models. So, it created a new kind of customer-centric branch format for the future – a 24/7 branch supported by remote banking overnight. This resulted in greater footfall and, before COVID-19, the new style branches delivered productivity gains and increased deposits. As transactions were managed by personnel by day and by remote teller assistants by night, the branch was cheaper to run – this model is now deployed around cities in Portugal to improve customer loyalty and retention scores. As we emerge from the pandemic, further development of this model to accommodate new behaviours is expected to achieve great results for Millennium and its customers, who rate it among the best for customer service in Portugal.
If banks do not produce lean, smart, remote, around the clock branches somebody else will – whether it be community-based or even independent ATM deployers – the principle of white labels is absolutely part of this new future. If this model is adopted, then in future it is also possible that we will see branch sharing.
In the UK there are already Business Banking Hubs set-up, a shared space providing business and corporate customers more flexibility to manage their day-to-day finances. In shared branches the user experience can “follow the customer”. Sharing the space with a third party commercial or community enterprise should lead to an upswell in community hunger for this.
AI continues to thrive
Artificial intelligence will continue to be a key business investment as financial institutions seek out amplifications of the technology. In 2021, expect the continuing slow adoption of AI to do repeatable and predictable processes. Already AI is deployed to provide cash predictions to forecast when and where cash is needed. Predictive tools are time and cost-effective, they can also be used for preemptive equipment maintenance. This facilitates the scheduling of engineering calls before a failure, improving availability, and reducing costs. We may also begin to see AI being used to monitor the mood of customers using facial recognition. This could allow banks to determine how to address the customer, what services they should promote, and when.
What next for tele-banking?
As has always been the case, the customer journey cannot be neglected. Banks need to have a good channel mix; a digital platform is not enough as they are susceptible to IT disruptions and failures. Tele-banking has always proven to be an important lifeline and back-up. Without it, customers could become disenfranchised.
Over the years, the banking experience has changed through the adoption of technologies designed to reduce costs and increase efficiencies. In fact, the unintended consequence has been that they have become more and more impersonal. Over 50 years ago, ATMs took us outside the branch. Tele-banking provided customers with remote interaction. Most recently, internet and then mobile banking mean that some demographics never engage in person with their bank and the distance between the supplier and customer even during engagement can literally be thousands of miles. This lack of human touch has reduced customer loyalty.
On the topic of channels, like many others, a first in and first out policy is seldom the right one. Banks need to evaluate each channel and see its value to customers and provide choice. Older channels, such as tele-banking, should not be the first to disappear, and in fact it could see a revival alongside video-banking in the new 24-hour branch model.
In fact, as online banking gives way to mobile banking, one could argue the case that this is the channel that might start to disappear sooner. Channel choice will differ by generation, demographic, and other factors, but it remains key that choice is available and that there is always a reliable alternative available.
Branch and ATM: marriage or divorce?
Legacy ATM infrastructure needs an upgrade. Without it, the channel will not be able to modernise and play a role in the next generation of delivery channels. ATMs and assisted service devices offering a full range of banking services, not just cash, need to be in the mix. Automating all teller functions using self-service technologies, supported by video- and tele-banking, is likely to accelerate.
2021 is all about making consumers’ lives easier as they decide for themselves how they want to engage safely with their banks. Each customer journey should be able to become bespoke. Access to cash is an on-going issue but the stakeholders will need to work harder than ever to find viable solutions given the impact of COVID-19 across all industries.