Are you asking the right questions to determine how well your vendors will protect your data? Probably not.
Let’s say you own a small business, and you want to get a payroll service to help with withholding taxes and automatic deposits into your employees’ accounts. That’s a very useful, powerful service: You’re giving a third party the right to withdraw funds from your bank account and send them to others.
Being switched on to security, you’d look for a payroll company that supports multifactor authentication (MFA) based on a time-based one-time password (TOTP) application, knowing that SMS-based two-step login is effectively (in the words of Allison Nixon and Mark D. Rasch at Unit 221B Research) zero-factor authentication.
The trouble is, as of about three weeks ago, none of the major online payroll companies offered this feature. If you ask those companies, they’ll say they offer SMS-based two-step login and then assure you they take security seriously.
I found one firm that does support application-based MFA: I’ll call it Payroll Company B. PCB isn’t a payroll company as much as a professional employer organization, but still, it does payroll — for twice the price of the others I just mentioned.
Anyway, you sign up. And after you go through the rigmarole to get the TOTP application working, if you’re attentive, you may discover a seedy backdoor: if you were to forget the Web front end, call PCB’s toll-free support number, and tell the company you need to make an account change, the entire authentication regime falls apart with these dreaded words:
“For security purposes, please tell me your full name and the last four digits of your Social Security number.”
Yes, it verifies your identity by asking you for public information. Once provided, no further authentication is required, and you can request a password change, or the removal of TOTP-based MFA, or, presumably, to send Bob’s paycheck to Alice. You’re in.
And you’re root because it has verified your identity. After all, who else could possibly know your full name and last four digits of your Social Security number?
Without a proper, secure multifactor authenticator for the telephone channel, these companies are left to improvise and hack together a security story to offer security-conscious customers. After I discovered its glaring password reset vulnerability, I spoke with a helpful PCB supervisor and asked him to disable phone support. He cheerfully (and genuinely) promised to do so, saying he had put a note in my account. I waited two weeks, phoned back, authenticated with a different rep using just my name and the last four digits of my SSN, then asked the rep to close my account. By failing to fix the problem, the company made liars out of dedicated and creative support staff.
Forget Password Policy. What’s Your Password Reset Policy?
This vulnerability is so mind-thwackingly obvious that I cannot believe I need to say this, but it also raises an important issue that is relatively unaddressed by my colleagues in the financial services world: When we do vendor onboarding and qualify the vendor’s security policies, are we asking the right questions?
Or are we sending them a 120-question spreadsheet containing lots of questions about firewall rules and antivirus? As a friend who is a very high-ranking financial services security leader said to me the other day, “Oh, that doesn’t happen. I’ve never sent a spreadsheet like that in the last week …”
This is not a theoretical issue. Recently, there was an attack that worked like this: The attackers had an in at a national mobile carrier and SIM-swapped the phones of some people in a targeted industry. They then used the pirated mobile numbers to call a firm that specializes in outsourced services to that industry, claimed to be the SIM-swapped employees, and requested — verbally — password resets. That worked, as it would have worked at PCB.
This was an attack against a third party that for many firms would have bypassed entirely the security monitoring they have in place to defend their assets. The phone was swapped at the carrier, and the password reset was done at a third party, which also set up the fraudulent transactions when the crooks logged in to that service. The firms that didn’t fall victim to this last phase were those that did transaction anomaly detection fast enough to understand the transaction was weird.
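The chain of events in this attack (an out-of-band credential reset at the vendor, then a transfer to a payee added right afterwards) can be correlated in the vendor's own audit trail. The following is an added example, not code from the original column; the log format, event names and channel labels are assumptions, and the sample log lines are constructed.

```python
"""Flag transfers that follow an out-of-band credential change at a vendor.
Added example; the log format, event names and channels are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail. Assumed format: timestamp|account|event|k=v ...
VENDOR_AUDIT_LOG = """\
2020-09-01T09:02:11|acct-1042|PASSWORD_RESET|channel=web_self_service
2020-09-01T09:15:40|acct-1042|PAYEE_ADDED|payee=AcmeSupplies
2020-09-01T09:30:00|acct-1042|TRANSFER|amount=900.00 payee=AcmeSupplies
2020-09-03T14:21:05|acct-2077|PASSWORD_RESET|channel=phone_support
2020-09-03T14:24:51|acct-2077|MFA_REMOVED|channel=phone_support
2020-09-03T14:31:09|acct-2077|PAYEE_ADDED|payee=NewVendorLLC
2020-09-03T14:40:33|acct-2077|TRANSFER|amount=48500.00 payee=NewVendorLLC
2020-09-04T10:05:00|acct-3310|TRANSFER|amount=1200.00 payee=KnownLandlord
"""

# A reset or MFA removal done through support, where identity is "verified"
# with a name and the last four of the SSN, is the weak link the column describes.
OUT_OF_BAND_CHANNELS = {"phone_support"}
CREDENTIAL_EVENTS = {"PASSWORD_RESET", "MFA_REMOVED"}
WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse the assumed pipe-delimited format into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, event, detail = line.split("|", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "event": event, **fields})
    return events


def find_suspicious_transfers(events, window=WINDOW):
    """Return TRANSFER events to a payee that was added within `window`
    after an out-of-band credential change on the same account."""
    last_oob_change = {}                 # account -> time of latest risky change
    new_payees = defaultdict(set)        # account -> payees added since then
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, kind = ev["account"], ev["event"]
        if kind in CREDENTIAL_EVENTS and ev.get("channel") in OUT_OF_BAND_CHANNELS:
            last_oob_change[acct] = ev["ts"]
            new_payees[acct].clear()
        elif acct not in last_oob_change:
            continue                     # no risky change on record: benign path
        elif ev["ts"] - last_oob_change[acct] > window:
            continue                     # outside the correlation window
        elif kind == "PAYEE_ADDED":
            new_payees[acct].add(ev["payee"])
        elif kind == "TRANSFER" and ev["payee"] in new_payees[acct]:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_transfers(parse_events(VENDOR_AUDIT_LOG)):
        print(f"{hit['ts']} {hit['account']} -> {hit['payee']} {hit['amount']}")
```

Only the account whose reset and MFA removal came through phone support is flagged; the self-service reset on the first account follows the same shape but never enters the risky path.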
Would your firm have caught it? More importantly, would your vendor procurement process and onboarding have asked the question, “Do you allow password resets via voice call?”
Many companies don’t ask the question. I spoke with colleagues at household names in the financial services space, and many firms are struggling to catch up.
What is clear is that we are all trusting cloud-based companies more often, if not exclusively, to handle those parts of the business we seek to outsource. Looking at the standard questionnaires, I see a lot of question-types missing.
For example, rather than asking lots of questions about endpoint antivirus or whether the vendor’s facility is in a location with little to no risk of natural disaster, terrorism, or civil unrest, it might be good to ask whether the vendor has separate production and nonproduction environments, or how their admins and developers access the environments, or how customer password resets are done.
In other words, we need to ask questions designed to understand the ways someone could subvert the vendor’s authentication and access control regime.
Nick Selby is the Chief Security Officer for Paxos Trust Company, which creates contemporary infrastructure to support global institutional financial transaction settlement. Prior to Paxos, Nick served as Director of Cyber Intelligence and Investigations …
Two decades into the 21st century, its pace of innovation still amazes. In fact, the pace is so fast that you inevitably throw up your hands and give up keeping track of the latest in technology. This phenomenon manifests itself in Finance probably more than anywhere else. Let’s admit it: we don’t even refer to Finance as Finance anymore, but as Fintech (more on that below). While that thought may be a tad stretched, Fintech itself is on the cusp of a renovation, as if there were a need (yes, sir)! That flux of change is coming from the headwinds of Blockchain flapping its wings, which happens to be the topic of discussion today:
Blockchain Technology Powering Fintech Revolution
Unless you possess at least a shallow understanding of what Fintech is, broadening your viewpoint on the Blockchain (or its implications) would be playing hardball. We’ll limit our definition of the subject to what this blog post needs.
What is Fintech?
The term that is pushed around, and marketed interchangeably with the now fast-fading term Finance, is a 21st-century incarnation of the latter. Finance, as we all understand, is the domain that deals with money management, more or less. The services revolving around money management are financial services. Conventional Finance rested on paper bookkeeping until digital transformation forced businesses against the wall to modernize legacy systems. When unhindered technological change introduced a way to put legacy systems on the fast track, Fintech was born.
Finance + Technology = Fintech
In simpler words, when technology finds a way to optimize a traditionally resource-consuming, finance-related task, that falls within the territory of Fintech. We already have a whirlwind of Fintech development that is reshaping consumer-to-business (C2B) interaction and vice versa. The global Fintech microcosm is projected to grow at a CAGR of 24.8%. That estimate puts the industry’s valuation at $309.98 billion by 2022.
Blockchain-enabled growth among its service sectors is expected to play a major role in this transformation. If you’re new to the concept of Blockchain, you’ll find our in-depth guide on the topic helpful. For this post, the Blockchain overview is kept brief.
What is Blockchain?
Blockchain is an ever-growing list of records run on a network. Its system architecture is no different from a database. The records, called blocks, are cryptographically linked to one another, forming a chain. The integrity of the chain is maintained because the cryptographic hash of each block is stored in the block that follows it, so altering an earlier block breaks every later link. Blocks are added to the network according to the consensus mechanism deployed by the Blockchain developers. Further properties attributable to the Blockchain include:
Decentralized – No central authority enforces the rules of engagement; trust is placed in the participating nodes that run the network.
Permissionless – Anyone with the requisite computational (mining) power can join the network to validate transactions and earn rewards in cryptocurrencies/tokens.
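The hash linking described above can be shown in a few lines. This is an added illustration, not code from the post; the block fields (index, prev_hash, records) and the sample transfer records are assumptions.

```python
"""Hash-linked chain of records: each block stores the SHA-256 hash of the
block before it, so changing any earlier block breaks every later link.
Added example; block layout and sample records are assumptions."""
import hashlib
import json


def block_hash(block):
    """Hash a block deterministically (sorted keys, no whitespace)."""
    payload = json.dumps(block, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_block(chain, records):
    """Append a block whose prev_hash is the hash of the current last block."""
    prev_hash = block_hash(chain[-1]) if chain else "0" * 64   # genesis marker
    chain.append({"index": len(chain), "prev_hash": prev_hash, "records": records})
    return chain


def verify_chain(chain):
    """Return (True, -1) if every link holds, else (False, index of the first
    block whose prev_hash no longer matches its predecessor)."""
    for i in range(1, len(chain)):
        if chain[i]["prev_hash"] != block_hash(chain[i - 1]):
            return False, i
    return True, -1


def build_sample_chain():
    """Constructed sample: three blocks of toy transfer records."""
    chain = []
    append_block(chain, [{"from": "alice", "to": "bob", "amount": 50}])
    append_block(chain, [{"from": "bob", "to": "carol", "amount": 20}])
    append_block(chain, [{"from": "carol", "to": "dave", "amount": 5}])
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify_chain(chain))                   # (True, -1)
    chain[1]["records"][0]["amount"] = 2000      # tamper with an earlier block
    print(verify_chain(chain))                   # (False, 2): block 2's link is broken
```

The link check only proves the chain is internally consistent; which chain the network accepts is decided by the consensus mechanism the post mentions, not by the hashes alone.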
Cross-border payments are a chronic pain point for banks, which are paralyzed by a lethargic, snail-paced process. In some cases, cross-border payments take up to a week to be realized. The middlemen have a crucial foothold on transfer fees, charging anywhere in the region of 5-20%. Similarly, peer-to-peer fintech applications on the market limit transfers to a restricted geography while taking their respective slice of transfer fees.
There has to be a better way to stay devoted to regulatory obligations and processing payment transfers faster. Is there?
Financial institutions are analysing the prospect with a permissioned-style template of Blockchain technology. They’d act as the central authority propagating the rules for remittance over the blockchain. According to Deloitte, blockchain-based business-to-business and peer-to-peer payments result in 40% – 80% lower transaction costs. They’re also settled within seconds. Yes, it would be a paradigm shift, but according to a projection by McKinsey & Co., blockchain could drive $50 – $60 billion in transcontinental B2B payments and $3 – $5 billion in P2P payments.
Westpac and Australian Bank partnered with Ripple, an enterprise Blockchain company, for cross-border payments. Wirex is another Fintech company integrating blockchain into its workflow. It’s a standalone vendor allowing instant international remittances. Users can use the mobile application for purchase orders, selecting from 12 fiat and cryptocurrencies in total. Wirex designed a two-way Bitcoin debit card, with a Visa debit card soon to be released to ease point-of-sale transactions.
2. Stock Exchanges – Real-Time Settlements
There is a lot of conjecture around eliminating third parties from this space, but truth be told, stock markets wouldn’t move a dime without them. A typical scenario: you sell shares today, but the ownership certificate is not settled until T+2 days, where ‘T’ is the day you sold the shares. The lag is owing to a few operational bottlenecks such as regulatory approvals and mandatory clearances, not to mention the cost of the brokerage, eventually levied on the customer as commission fees.
The marriage of Fintech and Blockchain could wipe out such intermediaries through decentralization, where the decentralized exchange runs on nodes dispersed around the globe. Those nodes would earn DEX tokens for keeping the network up and running.
Blockchain technology would reach its full potential if interoperability were achieved. Once that happens, retail or day traders with small orders could be grouped locally by partitioning the blockchain into smaller ‘shards’. Order calls would be recorded entirely on sidechains running in parallel, while only the transfer of the certificate would be recorded on the main blockchain. The result: increased transactional volume and low network redundancy.
Decentralized cryptocurrency exchanges (DEXs) like Changhero, Waves Dex and OpenLedger Dex are powering this subset of the Fintech revolution forward. Their algorithms effect peer-to-peer trading. Being non-custodial in nature, funds are transferred directly to the users’ wallets, reducing the risk of online heists. The barrier to entry is low for retail customers due to the lack of background checks; however, decentralized crypto exchanges often face liquidity issues for pairs with low trading volume.
3. Trading – Automated with Smart Contracts
As we said in the beginning, conventional Finance is chained to paperwork, perhaps irrevocably. Shipping, for instance, requires client-side formalities like bills of lading, invoices, and the letter of credit. The industry has so far leveraged software as a service for internet-enabled settlements, yet the entire process gasps for breath and could be put on Fintech Blockchain Technology steroids.
Smart contracts seem to be the last piece of the puzzle here. They are programs that automate the transfer of tokens (cryptocurrencies) over a blockchain and ensure that funds move between businesses only when coded preconditions are satisfied. Paperwork could be reduced dramatically, probably to the point of no use at all, reducing carbon footprints. This requires large-scale enterprise migration onto agreed-upon Blockchain protocols, and the signs look promising.
IBM and Maersk are collaborating on a global trade platform to find scalable Blockchain solutions in Fintech. Moreover, Forbes released its report on the top 50 billion-dollar companies exploring the scope of implementing blockchain solutions. Over half of them are consulting Ethereum. The Ethereum Virtual Machine (EVM) executes peer-to-peer smart contracts using the network’s namesake cryptocurrency, Ethereum. Developers can also create decentralized applications on the protocol.
4. Crowdfunding – Regulated Token Purchase For All
Fintech ushered in a new age for raising funds, but Blockchain in Fintech took it up a notch. Fintech-savvy people need no reminding of the Initial Coin Offering (ICO) bubble. ICOs proved an enticing prospect because investors could buy into a venture by purchasing tokens instead of shares, untaxed.
The tokens were not categorized as securities and hence circumvented regulatory oversight. The tokens, tradeable through crypto exchanges, had utility as their USP. As with any security, speculation influenced their prices, which soared after a pump of marketing gimmicks. The same tokens were then dumped, either by investors who’d sell on a high or by founders who’d often go absconding. Apparently, 80% of the projects turned out to be scams.
The market has evolved since. The new-age Fintech Blockchain avatar has rebranded itself as the Security Token Offering (STO). STOs are every bit what ICOs were in an operational sense, plus the veneer of regulation by the United States Securities & Exchange Commission. STOs will allow fractional ownership of shares, cross-border investment opportunities, and purchase of securities, all approved by the government.
Blockchain Capital ran an STO campaign in accordance with US SEC rules and raised $10 million. Those buying into the offering will reap dividends just like any other investor, without staking more than their allowance threshold. Were there no STOs, you’d have to be an accredited investor with an annual salary of $200,000 to participate in the fund.
5. Syndicated Lending – Seamless Data Verification
A syndicate is the coming together of companies for a common cause, which in this case is lending capital to individuals. Consider a bank, which can take weeks if not months to disburse loans. While the evaluation approach may be multi-pronged and lengthy, all financial institutions are required by the government to verify identity backgrounds. This begins with Know Your Customer (KYC) verification and often ends with the customer complying with Anti-Money Laundering (AML) guidelines.
Perhaps we’ve all been through the agony of repeating this mechanical process at one bank after another.
Fintech and blockchain could work hand in hand. There could be a standard Blockchain protocol that the syndicate partners, the banks, have assented to join. This protocol would store the user credentials its partners require. Once one bank has completed a background check, the others need not repeat it if the same customer wants to avail of a service. Time spent would be reduced many times over.
Fusion LenderComm is a platform for syndicated loans that’ll run on R3’s open-source Corda Blockchain. It focuses on increasing lenders’ real-time access to information, helping them process loans faster. Syndicate partners get account access to Finastra’s Fusion Loan IQ, which shares crucial data points like position information, credit agreements and accrual balances in real time. This simplified agent-to-lender communication will introduce transparency and more efficient loan disbursement.
6. Accountancy – Blockchain as an ‘Electronic Notary’
Auditing is time-consuming because reconciliation requires expert manpower and must abide by uncompromising regulatory protocols. Consider double-entry bookkeeping for a moment. For every debit entry made in one register, there ought to be a credit in a second register. From record entry to tallying, imagine the hours it would take for annual billings to be fact-checked and rectified. But how will Blockchain help?
A blockchain is more than just a database. Its architecture and block validation prohibit double spending. Instead of multiple records for every transaction receipt, we can have an integrated trail on a Blockchain, with entries segregated into categories. They’ll have the added protection of cryptography. Auditors could look at a combined array of financial statements whose authenticity can be verified by electronic signatures.
PwC’s Blockchain Validation Solution would be software acting as a single node on the client’s Blockchain protocol. Users could customize it to validate transactions automatically and flag the ones that need further review. Stakeholders with access to the system can build reports from dashboards.
It’s not a question of choosing between Fintech and Blockchain; we know one complements the other. In addition, the conversation of yesteryear has switched from whether Blockchains are reliable to how to integrate them with legacy business systems. Enterprises have a visible interest in the field application of this technology, but the Fintech Blockchain duo has an affinity for startups pioneering innovation in the field. This macro trend unfolding before us testifies that early adopters will be the greatest beneficiaries in a market that is still in its formative stages.
This blog was written by an independent guest blogger. These days, everyone has passwords. Lots and lots of passwords! When I think of how many user accounts with passwords that I have, I probably have dozens. A few for social media platforms like Twitter and LinkedIn, a few for my favorite media streaming services, one for Nintendo Switch and another for the PlayStation Network, a few for my utilities including electricity and my ISP, a few with Amazon and other online retailers, one with the government to file my personal income taxes, my home WiFi password, a Gmail account for all of my Google and YouTube stuff, accounts to authenticate into a couple of different web browsers, an account for my bank’s website, and there are probably at least a dozen more. And I’m a pretty typical technology user. So chances are, you have many similar…
A ransomware attack with fatal consequences is attracting notice and comment from around the world.
This is a follow-up to yesterday’s story breaking the news of fatal consequences in a German ransomware attack.
Reaction is continuing to the story of what Reuters says may be the world’s first human fatality directly attributed to a cyberattack. According to the news service’s reporting, the attack, which began on Sept. 10, utilized a known vulnerability in a Citrix VPN as its point of entry. As of today, The University Clinic in Duesseldorf remained unable to admit new patients brought in by ambulance.
Because a woman died after being redirected to another hospital, German authorities are investigating possible manslaughter charges against the still-unknown attackers. “If homicide charges are combined with computer crime charges, it could be a sound idea to attempt imposing a lengthy prison sentence for the attackers, and, potentially, to get more international cooperation in the investigation,” says Ilia Kolochenko, founder and CEO of ImmuniWeb. She warns, though, that “the causation element will likely be extremely burdensome to prove within the context: defense attorneys will likely shift the entire blame on other parties spanning from hospital personnel and its IT contractors in charge of network management and security.”
Terence Jackson, CISO at Thycotic, notes: “According to a recent Check Point report, 80% of observed ransomware attacks in the first half of 2020 used vulnerabilities reported and registered in 2017 and earlier — and more than 20% of the attacks used vulnerabilities that are at least 7 years old.”
The pre-existing vulnerability means that “there was time to mitigate the threat in theory, but it illustrates the importance of running vulnerability scans and acting on findings at least every 30 days if not more frequently,” says Mark Kedgley, CTO of New Net Technologies. The potential disruption of those scans, he says, must be weighed against the operational requirements of 24 x 7 organizations like hospitals.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …