By Ofer Or
The banking industry is no stranger to cyber-attacks. The latest attack uncovered by Kaspersky Labs saw cybercriminals use known malware, Carbanak, to exploit the vulnerabilities found in banks too large to keep all their systems patched.
However, this attack marks a departure from more common attacks directed at banks in so far as the criminals were not after the usual treasure trove of personally identifiable information (PII) belonging to bank customers, but instead targeted the banks’ own systems: internal money processing services and automated teller machines (ATMs). It’s the first instance we’ve seen of a cyber-espionage technique used in nation-state attacks being turned on the private sector for financial gain. And since it was successful – to the tune of $1 billion – we can bet it won’t be the last.
Big Phish: Reeling in the victims
Kaspersky Labs revealed that the initial infections of bank machines by Carbanak malware, possibly linked to Russian or Ukrainian cyber groups, were achieved through spear phishing emails that appeared to be legitimate banking communications. Recipients of these emails believed the messages were legitimate notices from within the company or from trusted sources such as the Russian Federal Bank, and clicked on email attachments as instructed. Phishing essentially opened the gateway for hackers to exploit known vulnerabilities in commonly used Microsoft Office applications that remained unpatched by large banks due to their cumbersome infrastructures. Once the malware was embedded, the hackers were able to take control of the infected machines and move laterally throughout the banks’ IT network in order to launch the next phase of the attack.
It’s hard to believe that in 2015, we are still seeing spear phishing attacks. But phishing scams aren’t going away anytime soon. In the UK alone, online banking losses attributed to phishing scams cost £30 million, according to a report by banking organisation Financial Fraud Action. In the US, the month of December 2014 saw 46,747 identified phishing attacks, according to the RSA Anti-Fraud Command Center.
The very nature of a financial organisation’s IT infrastructure makes it easy to launch a phishing campaign. Most banks have a large number of employees spread out across multiple locations, and numerous business applications requiring constant upgrades. But bank IT teams remain focused on protecting customer data and tracking fraudulent behaviour rather than their internal systems due to financial regulations and a number of recent credit card breaches that have put customers’ PII at risk.
A moving target
Historically, cyber attacks have been aimed at the bank’s customers. The common goal: stealing PII such as bank account and credit card numbers, social security numbers, dates of birth and other data that can be used in global identity theft schemes. The target for cyber attacks is shifting from the banking customer to the bank itself. As we’ve seen with this Carbanak attack, the payoff of this kind of cyber heist is enormous – far more than cyber criminals could make on credit card or identity theft.
Locking down the vault
Is this far-reaching cyber attack the beginning of a disturbing new trend? What can banking organisations do to mitigate risk and prevent even more devastating theft like this? Here are a few steps.
- Define your organisation’s security policy. In order to truly be able to have an adaptive security architecture or framework, banking IT organisations must have a well-defined security policy in place. A security policy helps the people tasked with protecting systems and data determine the desired, optimal way the network operates with the least amount of risk. This includes approved applications, proper configurations and upgrades, what kind of network connectivity will be allowed, and how often patches are applied. Further, your security policy takes into consideration all regulatory requirements coming from outside your industry, as well as best practices coming from inside. The security policy serves as the organisation’s road map to successful risk mitigation.
- Ensure that your security policy mirrors actual behaviour. While your security policy defines how the IT platform behaves, for many organisations, this is only theoretical. And that can lead to trouble. For example, an unnamed but large UK bank ignored a serious two-factor-authentication (2FA) flaw, as well as 22 other vulnerabilities uncovered by a security consultancy, just months before the Carbanak attack was detected. A good policy is not a static document. Instead, your security policy is a dynamic, constantly evolving approach. It should be updated continuously whenever something has been overlooked. Sometimes there are legitimate reasons for gaps in a security policy, but the bank’s CISO is responsible for reconciling them. A CISO is charged with asking the hard questions and comparing how employees and network activity behave day-to-day with what’s desired. This requires collaboration with network operations, security ops, and the CIO to mitigate those gaps, one at a time.
- Assume you have already been or will be breached. While it may be difficult to face it, the smartest thing banking organisations can do is assume that their network defense systems have already been infiltrated by cyber threats. Based on this assumption, which parts of your network would be the worst to fall into the wrong hands? And how easy would it be for cyber criminals to gain access to them? This is where network segmentation comes in as a strategy. When properly executed, network segmentation minimises risk by limiting lateral movement through a compromised network. Enforcing network segmentation is an ongoing effort of updating and reconfiguring, but it’s vital. Segmentation is what keeps cybercriminals from reaching beyond an employee’s infected desktop computer into your system’s ATM network.
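The last two steps can be checked together. The following is an added example, not part of the original article: it compares the firewall rules actually configured against the written zone policy, then tests whether the ATM network is reachable from employee desktops over several hops. All zone names, rules and ports are constructed for illustration.

```python
from collections import deque

# Constructed sample data: every zone name, rule and port below is hypothetical.
# POLICY lists the zone-to-zone flows the written security policy permits.
POLICY = {
    ("desktops", "mail"),
    ("desktops", "intranet"),
    ("admin_jump", "payment_servers"),
    ("payment_servers", "atm_network"),
}

# RULES is what the firewalls actually allow, as (src_zone, dst_zone, port).
RULES = [
    ("desktops", "mail", 443),
    ("desktops", "intranet", 443),
    ("intranet", "admin_jump", 3389),  # drift: never approved in POLICY
    ("admin_jump", "payment_servers", 22),
    ("payment_servers", "atm_network", 8443),
]


def policy_violations(rules, policy):
    """Return configured rules whose (src, dst) pair the policy does not permit."""
    return [r for r in rules if (r[0], r[1]) not in policy]


def shortest_path(rules, start, target):
    """Breadth-first search over allowed flows; returns a zone list or None."""
    graph = {}
    for src, dst, _port in rules:
        graph.setdefault(src, set()).add(dst)
    queue = deque([[start]])
    seen = {start}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None


def audit(rules, policy, start, target):
    """Report policy drift and whether it opens a lateral-movement path."""
    violations = policy_violations(rules, policy)
    compliant = [r for r in rules if r not in violations]
    return {
        "violations": violations,
        "path_as_configured": shortest_path(rules, start, target),
        "path_if_policy_enforced": shortest_path(compliant, start, target),
    }


if __name__ == "__main__":
    report = audit(RULES, POLICY, "desktops", "atm_network")
    for rule in report["violations"]:
        print("rule outside policy:", rule)
    print("reachable today via:", report["path_as_configured"])
    print("reachable if policy enforced:", report["path_if_policy_enforced"])
```

No rule in the sample connects desktops to the ATM network directly; the single unapproved rule is what completes the multi-hop route, which is why drift has to be checked against reachability and not only rule by rule.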
Managing network security for today’s financial organisations has become a complex, resource-intensive operation involving hundreds of firewalls, routers, switches, applications, regulations and more. Despite all of this complexity, senior management requires an accurate, realistic picture of the organisation’s security posture at all times, and must take measures to address gaps as quickly and efficiently as possible. We’re facing a new era of bank robbers, armed with intimate knowledge of banking systems’ inner workings. The Carbanak attack demonstrates that the industry requires a better approach that is less about prevention of zero-day incidents, and more about mitigation of breaches that may already be happening under the radar.
About the author
Ofer Or is vice president of products for Tufin. Tufin automates and accelerates network configuration changes while maintaining security and compliance for the world’s leading financial institutions. For more information, visit http://www.tufin.com.
How new trends are creating the perfect recipe for rapid digital transformation throughout the world’s oldest institutions
By Wayne Johnson, CEO, Encompass
Digital banking has drastically changed the landscape of financial transactions over the last few years. Technologies used to be limited when it came to banking; now, however, they cover every step of banking or investment services, from behind-the-scenes due diligence checks to customer-facing channels. Embracing this change through emerging technologies is the future for the financial industry.
In recent years, financial technology (FinTech) has developed to facilitate online payments, instant banking, trading, lending, and more.
This new era of digital transformation has been driven by technologies such as artificial intelligence (AI), APIs, blockchain, process automation, and internet of things (IoT) technologies, which have provided vital upgrades to the outdated legacy IT systems institutions historically relied on. The aforementioned technologies streamline and enhance processes, consequently generating a much more reliable and pleasant customer experience. These technological advancements have transformed modern banking operations, changing how the banking industry operates today.
Every new advancement in technology in the finance sector, like expanding a financial service offering to business customers, brings with it new risks and compliance obligations, but the latest trends are creating the perfect recipe for rapid digital transformation throughout the world’s oldest institutions.
The acceptance of new-age technologies
Technology is already driving massive changes in the banking landscape as we know it, and it will be an influential contributor to shaping the industry of the future.
Focus on improving customer experience
One of the areas that banks are increasingly trying to improve through digital banking is customer experience. Customer expectations for online services are constantly being influenced by the experience provided by big tech companies like Google, Amazon, Apple, and Facebook. With their influence, everyone is looking for a similar experience from their own providers. While digitally savvy Millennials are mainly responsible for the rise in expectations across the board, the wide-spread use of digital technologies in most industries has meant that it is more important than ever for banks to be on top of their delivery at all times.
Interactive banking channels
There has been a huge decline in branch visits in recent years, with some re-evaluating their very role, and an increasing shift from just providing transactional services to allowing for a practical banking experience. This was initially done by moving banks to key locations in town centres, investing in video chat services and offering self-service points – all of which has only been possible through the use of digital technologies. Financial institutions have realised that customers, with their busy and demanding lifestyles, like to have a choice and rely on a full range of channels, online access and 24/7 availability.
The rise of open banking
The increased popularity of open banking and the rise in API usage are set to drastically change the industry, with the flexibility offered by APIs allowing financial institutions and FinTechs to put innovation at the heart of their service, resulting in improved customer service and enhanced convenience.
The importance of organisational structure transformation
In order to achieve true digital transformation, financial services institutions need to change their organisation functions from the inside out. To reap the greatest rewards, they must promote a “digital first” strategy internally. Only then will they see a positive change and truly realise the benefits of digital transformation and the solutions available today.
The market is constantly evolving and adapting, and whilst the survival of traditional institutions is not under immediate threat, key players are going to have to modernise their processes and ways of working to keep up with developing requirements and customer needs.
Financial institutions are now starting to recognise the importance of digitalisation, which many other businesses realised was a priority years ago. This is demonstrated by the emerging trends mentioned, which indicate a rapid altering of the operating environment, from increased customer expectations and improved processes, back-end technology and newer operating models to organisational priorities shifting with the times. Digital transformation can no longer be ignored, and financial services organisations will have to embrace it if they want to remain competitive.
This is a Sponsored Feature.
Standard Chartered Bank partners with Microsoft to become a cloud-first bank
Standard Chartered Bank and Microsoft Corp. on Tuesday announced a three-year strategic partnership to accelerate the bank’s digital transformation through a cloud-first strategy. This partnership marks a significant milestone for Standard Chartered in making its vision for virtual banking, next-generation payments, open banking and banking-as-a-service a reality. Leveraging Azure as a preferred cloud platform, the companies will also co-innovate in open banking and real-time payments to help the bank unlock new banking experiences for clients.
Embarking on a cloud-first strategy
As part of its digital transformation, Standard Chartered will adopt a multicloud approach, where significant applications, including its core banking and trading systems and new digital ventures such as virtual banking and banking as-a-service, will be cloud-based by 2025, subject to regulatory approvals. The bank will also adopt a cloud-first principle for all new software developments and major enhancements.
As technology reshapes the banking industry, Standard Chartered recognizes that a cloud-first strategy is critical to the bank’s ambition to make banking simpler, faster and more convenient. By being digital-first, the bank will be able to meet the demand for seamless banking virtually anytime, anywhere, and make banking more accessible to people across its network.
Michael Gorriz, Group Chief Information Officer of Standard Chartered, said, “Cloud is a cornerstone of Standard Chartered’s strategy to meet the present and future banking needs of our clients. Cloud providers have invested massively in the reliability and automation of infrastructure and platforms. Using cloud services improves our ability to be agile and innovative, while increasing our operational efficiency and resilience. As disruption in the financial industry continues, we can focus on client benefits by deploying our solutions quicker and allowing for faster integration of new business models and partners. To realize our digital ambitions, Standard Chartered has chosen Microsoft as a strategic partner and this partnership marks a major milestone for the bank in adopting a cloud-first approach.”
Bhupendra Warathe, Chief Technology Officer, Cloud Transformation at Standard Chartered, added that “The pandemic has shone a spotlight on the need for businesses and banks to be resilient from a risk mitigation, cost and security perspective. With the increasing trend of an always-on digital economy, commercial and consumer clients are looking for applications and services that empower them to do online banking from anywhere, flexibly and efficiently. The speed and scale of continuous innovation offered by Azure allows us to innovate with the latest AI services to meet evolving client needs. We can pilot new apps in one market and scale them rapidly across others. This is especially important for a bank with a footprint as broad and diverse as ours.”
Standard Chartered will adopt Microsoft Azure as a preferred cloud platform to meet the bank’s need for resilient data centers and cloud services and to address customers’ security, privacy and compliance requirements across the bank’s global footprint.
The first set of capabilities to move to Microsoft Azure will be Standard Chartered’s trade finance systems, allowing for seamless cross-border trade for the bank’s corporate and institutional clients.
The partnership will also advance the bank’s digital workplace transformation with Microsoft 365 and Microsoft Teams providing modern productivity and collaboration tools to Standard Chartered’s 84,000 employees across its 60 markets.
Co-innovating the future of banking
Standard Chartered will also use Microsoft Azure artificial intelligence (AI) and data analytics capabilities to enhance and automate banking processes as well as deliver hyper personalization of its client products and experiences. Co-innovation in open banking application programming interface (API) and Internet-of-Things-based, real-time payments will also help the bank unlock new banking experiences for clients.
Bill Borden, Corporate Vice President of Worldwide Financial Services at Microsoft said, “Cloud computing is an enabler for financial institutions to modernize their infrastructure and systems, to gain the agility they need to respond to competitive pressures, regulatory environments and customer demand. We are committed to helping Standard Chartered Bank in its ongoing digital transformation journey as it strives to address evolving customer needs and build the next generation of banking experiences.”
Addressing the social needs of communities in the emerging markets
Standard Chartered strives to understand the evolving needs of its communities and be an enabler for change. As a part of the strategic partnership, the bank and Microsoft will explore sustainable finance and business initiatives to expand sustainability across the industry.
What does the future hold for accessing earnings? Introducing the world’s first Earnings on Demand payment and debit card
By James Herbert, CEO & founder, Hastee
Let’s begin by looking at how our brains are wired. Think about the hunter-gatherer mindset: when we expend effort, we expect an immediate reward.
It’s therefore no surprise that over time, different areas in society have adapted to our nature as humans. Almost everything we want, we can get on-demand. Whether it’s instantly streaming movies on Netflix, online shopping from Amazon, or fast-food delivery from the likes of Just Eat. And, because of such technological innovations our expectations have accelerated when it comes to the pace of delivery. This isn’t individual to us as consumers in our day-to-day lives, it’s also reflected in the workplace. We ultimately want work to work for us.
Part of this of course comes down to accessing wages. Workers should be able to access a portion of their earned wages whenever they need it, in advance of the monthly pay cycle – whether to help during challenging times or in day-to-day life. We solved this solution. But, to take this up a level, ready for the future, we introduced the world’s first Earnings on Demand contactless debit card, powered by Visa – giving users access to their accrued earnings in real-time, with the card’s balance dynamically increasing every day they work.
So what is the card, and how will it change how we access earnings in the future?
The basis is very much the concept of Earnings on Demand. At university I set up a company called Brightsparks to connect students with work opportunities so they could earn money. Yet I noticed a common trend. With students often having to wait for the monthly pay cycle to get their earnings, many were having to turn down work simply because they couldn’t afford the travel day-by-day. It became very apparent that not having £20 today could stop them earning £200 tomorrow.
It struck me that payday itself doesn’t have to be a rigid construct that people have to wait for. But this isn’t specific to students. Liquidity is a widespread issue faced by people in all industries and of all ages, and according to our most recent Workplace Wellbeing Study, 82 per cent of people turn to high-cost methods of financing to tide them over when needed.
The Hastee Card effectively makes wages directly accessible: it simply lets people spend a portion of what they’ve already earned.
Some people might wonder why they’d want to step away from the standard monthly pay cycle. But consider this: the monthly payroll (via a cheque) only came about in the 1960s as an Act of Parliament. Before this, most people were paid weekly in cash. The first major firm that shifted to monthly payments did it for cost-cutting. It worked for the employer more than the employee. In fact, that firm’s employees had rejected their employer’s change of payment type when it was first trialled a decade before (look up ‘Pye Radio’). So the way that workers and organisations interact around pay is not set in stone – it changes as technology and society shift.
The way we perceive and use money keeps evolving. Apple Pay, Monzo, and PayPal have completely changed the way payments can happen, yet payroll still remains largely unchanged. It’s only a matter of time before disruption becomes more widespread.
Looking at it from the employer side, it has its benefits too. Before the climate changed, businesses were accommodating enhanced workplace benefits such as no-desk policies, flexible or remote working. In all cases by businesses offering more, they tend to see a more engaged, happier and less financially stressed workforce – leading to increased productivity.
Earnings on Demand is ultimately a perk that presents an ethical alternative to high-cost credit options such as payday loans, credit cards and overdrafts. And existing solutions offer zero impact on payroll processes, zero impact on the cashflow of the business and are designed for quick, simple integration.
The Hastee Card is an evolution of this all – preparing for the future. It builds upon and enhances the user experience by reducing friction and offering immediate spending power as well as a path to greater benefits such as cashback and rewards in the not-too-distant future.