24.11.17

New reality in European banking looming large: the lowdown


As Europe is on the cusp of what some see as a sea change or an earthquake to the payment services landscape and banking in general, the time is ripe to provide a bird’s eye view of the EU's revised Payment Services Directive (known as ‘PSD2’) and, from this vantage point, allow the reader to gauge just how much of a shake-up the new law, going live in weeks, may be.
(R)evolution?
Following in the footsteps of PSD’s first iteration adopted in 2007, PSD2 is upping the ante by aiming to further unify electronic payment systems across the EU while fostering competition, innovation and the safety and security of payments – all in the name of ‘open banking’ and to the ultimate benefit of consumers.
In a bid to iron out the legislative wrinkles from PSD1 and keep up with the rapid pace of technological change, EU lawmakers are seeking to improve the level playing field between different payment service providers (PSPs) and allow for new market entrants. The EU is also extending the directive’s geographic reach, as ‘one-leg-out’ transactions where only one of the PSPs is located within the EU now also fall under the scope of the legislation.
EU countries have until 13 January 2018 to incorporate PSD2 into national law, although in some countries there have been some bumps in the road to the directive’s implementation. Belgium, Sweden and the Netherlands all reportedly anticipate delays in the transposition of the legislation into their respective national bodies of law. In addition, recent probes that the European Commission has conducted in the Netherlands and Poland also indicate that not everything may go swimmingly with the actual application of the new rules.
At the heart of the regulation is the requirement for banks to allow licensed third-party providers (TPPs) of financial services to securely access their customer-account data, as long as the customer has given their prior consent. With this access, which is set to be provided by digital links known as application programming interfaces (APIs), TPPs will receive a wealth of customers' financial data, including on income, histories, spending habits and profile, which will give them a 360-degree view of the customer, and enable them to offer the customers a range of innovative and à la carte services.
The legislation introduces two previously unregulated categories of players to the game – payment initiation service providers (“PISPs”) and account information service providers (“AISPs”).
PISPs will be able to trigger payments on behalf of the account holder by creating a software ‘bridge’ between the payer’s account and the payee’s account, without the customer needing to directly access their bank account or use a debit or credit card.
AISPs, for their part, will receive access to bank customers’ account information and will be able to analyze a customer’s spending patterns and to aggregate information from the customer’s multiple accounts in different banks.
Whither banks?
Unlike, say, retailing, taxi and hotel trades, European banking has so far been largely spared the effects of the digital disruption. In the post-PSD2 era, however, banks will be thrust into the middle of a crowded field, surrounded not only by other banks (both traditional and ‘challenger’), but also by tech behemoths and agile fintech upstarts, which are poised to act as third-party providers of financial and payment services. Tech titans, many of which already have their own digital payment services in place, are believed to entertain plans to “launch their full arsenal come January 2018”.
In addition to the risk of losing out on payment revenues, banks may run the risk of losing customer touch points and becoming a mere utility service used by TPPs. But as Albert Einstein said, “in the middle of difficulty lies opportunity”.
Indeed, the new opportunities ushered in by the advent of PSD2 could be used by banks to recapture some of the projected lost revenues from payments and to grow new revenue streams. There is nothing preventing banks from acting also as AISPs or PISPs, after all.
In other words, the incumbents could either chafe at the challenge and act defensively or embrace the new opportunities by enhancing their product and service offerings to customers and, in so doing, stave off the challenge from disruptors. A number of banks are nimble about change, having already adapted to the new reality by starting their own fintech firms or buying upstarts.
If recent surveys conducted in the UK are any indication, banks may find some encouragement in the fact that, when it comes to their personal financial details, customers appear to trust banks more than retailers and social media.
On the other hand, and perhaps worryingly for banks, a global survey showed that close to one-third of consumers said that they would be willing to switch to Google, Amazon or Facebook for banking if any of them provided such services.
Either way, customers are set to benefit from greater choice of offerings, lower costs, improved convenience, and enhanced security.
Security
With extra convenience come considerations of security, as clearly anything to do with electronic payments has profound implications for security, doubly so in times of ever-evolving cyberthreats.
PSD2 introduces strict security requirements for the initiation and processing of electronic payments by mandating what is termed “strong customer authentication (SCA)”. Authentication is strong if it uses two or more elements drawn from at least two of the following three categories (two passwords, for instance, do not qualify):
  1. Knowledge: something only the user knows (such as a password).
  2. Possession: something only the user possesses (such as a card).
  3. Inherence: something the user is (such as a fingerprint or voice recognition).
These elements must be independent of each other so that the breach of one element does not compromise the reliability of the others.
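What that definition looks like in code, as an added example (not code from the page or from any bank or regulator): a knowledge element (a password, stored as a salted PBKDF2 digest) and a possession element (an RFC 6238 TOTP code from a device-held secret) are verified independently, and the attempt counts as SCA only when elements from two different categories succeed. The user record, the iteration count and the fixed timestamp are assumptions made so the example runs offline.

```python
import hashlib
import hmac
import secrets
import struct
from enum import Enum

# Added example: verifying two independent SCA elements. All credentials are constructed.


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user has
    INHERENCE = "inherence"    # something the user is


PBKDF2_ITERATIONS = 200_000  # assumed work factor for the stored password digest
TOTP_STEP = 30               # seconds per TOTP window (RFC 6238 default)


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Store the knowledge element as a salted PBKDF2-HMAC-SHA256 digest, never in clear."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_knowledge(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a device-held secret: the possession element."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_possession(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP)
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def is_strong(results) -> bool:
    """PSD2 SCA: at least two successfully verified elements from *different* categories."""
    categories = {factor for factor, passed in results if passed}
    return len(categories) >= 2


def make_user(password: str, totp_secret: bytes) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}


def authenticate(user: dict, password: str, code: str, now: int) -> bool:
    # Every element is checked regardless of the others' outcome, and only a single
    # yes/no is returned: a wrong password and a wrong code look identical to the caller,
    # so a breach of one element reveals nothing about the other.
    results = [
        (Factor.KNOWLEDGE, verify_knowledge(password, user["salt"], user["digest"])),
        (Factor.POSSESSION, verify_possession(user["totp_secret"], code, now)),
    ]
    return is_strong(results)


if __name__ == "__main__":
    user = make_user("correct horse battery staple", b"12345678901234567890")
    now = 59  # fixed timestamp so the run is reproducible
    print(authenticate(user, "correct horse battery staple", totp(user["totp_secret"], now), now))
```

The secret `b"12345678901234567890"` is the RFC 6238 test-vector key, so the codes the example produces can be checked against the RFC's tables; in production the secret is generated per device and the timestamp comes from the clock.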
In addition, the European Banking Authority (EBA) has developed, in close cooperation with the European Central Bank (ECB), draft Regulatory Technical Standards (RTS) on strong customer authentication and secure communication. These, EBA believes, are “key to achieving the objective of the PSD2 of enhancing consumer protection, promoting innovation and improving the security of payment services across the European Union”.
Citing the need to allow for future developments, PSD2 mandates “technology and business-model neutrality”, which is why the RTS final draft pins down the requirements in a rather neutral way. The few requirements that are described include the use of appropriate encryption for data exchange, the shortest possible communication processes, and clear references for the data exchanged.
The RTS proposal was subject to a consultation process during which a great number of questions were raised, ultimately resulting in delays to the submission of the final draft. In addition, the EBA and the European Commission have been at loggerheads over several aspects of the RTS, with the latter asking for several substantive changes. The EBA acknowledged and agreed with the Commission’s aims, but disagreed with three of the four proposed changes.
Fast forward and the final draft of the RTS is now awaiting approval by the European Commission. If greenlighted, the RTS “will be applicable 18 months after its entry into force”. According to EBA, the intervening time (not until the spring of 2019 at the earliest) gives the industry “time to develop industry standards and/or technological solutions that are compliant with the EBA’s RTS”.
Times they are a-changing
Whether a change is revolutionary only becomes manifest in hindsight, so judgment is better withheld at this time. At any rate, PSD2 and the concomitant changes are shaping up to be a major step on the journey of technology-driven transformation. PSD2 presents a host of unprecedented opportunities and challenges and, once the dust settles, we’ll see whether it turned out to be a boon or a bane for banks. Prediction is very difficult after all, especially if it's about the future.


22.11.17

Only…zero days left until the holiday shopping season!

The holiday shopping season starts earlier and earlier each year, beginning with Black Friday and Cyber Monday and running through to the end of December.
So it’s worth having tips for safe online shopping and good cybersecurity ready in advance.
WeLiveSecurity has offered safe online shopping advice each year since 2011, with articles specific to the cybersecurity trends occurring at the time.
Family and friends working together for a safer online world
For the 2017 holiday shopping season we are focusing on how friends and families (parents and children) can work together to not only ensure a safer holiday shopping season, but also to secure their digital devices and protect their online activity.
Holiday shopping season has started…now!
The year over year trend shows that holiday shopping spending is increasing each year, with a new record predicted again for 2017. People are also starting their holiday shopping earlier.
With that in mind, here are some tips to help keep your online shopping experience safer and your digital devices more secure.
Cybersecurity is a shared responsibility
The holidays are a time when people purchase gifts for their friends, families, and yes, even for themselves. Increasingly, children are using and accessing more and more digital devices — making it important for everyone to work together to secure these devices. The non-profit organization Securing Our eCity (SOeC) works tirelessly to provide cybersecurity education for individuals and families. Cybersecurity is a shared responsibility, and everyone should do their best to practice good cyber hygiene.
Holiday tips for you
The Executive Director of SOeC, Liz Frauman, recently spoke on the eCity CyberTalk radio show. She offered five tips for online shoppers, along with the reassurance that you can indeed shop safely online.
These tips come from Liz Frauman’s first-hand experience of over eight years of working with people in cybersecurity.
Tip 1: Make sure children don’t have access to an unattended device where purchases can be made.
Parents need to work with children on their “Wish List.” In the past, children used to dog-ear pages of the Sears catalog, but now it’s online. There are stories of children putting items on wish lists, and then accidentally or on purpose (it depends on whom you ask!), the item is purchased.
Recently, a friend posted a picture of an ironing board that arrived unexpectedly on their doorstep, as it was accidentally added to their account from their child’s wish list. They took an “unexpected purchase selfie” with it on their porch—this is actually a thing, “unexpected purchase selfie!”
Tip 2: Have a separate account for online shopping credit cards that’s not connected to your primary accounts.
Or, even better, buy yourself gift cards. Using gift cards also helps you stick to a budget.
Tip 3: Change passwords before the holidays and then change them again after.
Or even better, use a password manager.
Choosing a password is one of the simplest, yet most neglected, security measures you can take. The objective is to pick something you can remember without writing it on a Post-it stuck next to your computer, yet complex enough that an attacker cannot easily guess it. Avoid the usual pitfalls and consider a long “pass-phrase” instead of a single word; bear in mind, though, that a phrase built from facts about you, such as “mybirthdayis1970Jan15”, is only as secret as your birthday, so prefer words that have no connection to you.
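To show what “a pass-phrase that is hard to guess” means in practice, here is an added example (not from the page or from SOeC) that builds one from randomly chosen words and works out how much guessing strength it has. The word list is a constructed 16-word stand-in; a real generator would use a list of several thousand words, and the entropy figures depend on that size.

```python
import math
import secrets

# Constructed mini word list (assumption); real lists have thousands of entries.
WORDS = ["anchor", "bishop", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
         "iris", "jaguar", "kettle", "lantern", "meadow", "nickel", "orbit", "pepper"]


def generate_passphrase(words, count=6, separator="-", rng=secrets):
    """Pick `count` words uniformly at random with a cryptographic RNG.

    Nothing about the user goes in: the strength comes from the randomness,
    not from how obscure the user thinks a birthday or pet name is."""
    return separator.join(rng.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Guessing strength of a uniformly random passphrase: count * log2(list size)."""
    return count * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """How many words from a list of `wordlist_size` reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDS)
    print(phrase, f"{passphrase_entropy_bits(len(WORDS), 6):.1f} bits (tiny list)")
    # A 7776-word list (the size of a standard diceware list) gives ~77.5 bits at six words.
    print(f"{passphrase_entropy_bits(7776, 6):.1f} bits with a 7776-word list")
    print(words_needed(7776, 77), "words needed for 77 bits")
```

The contrast with the birthday phrase is the point: “mybirthdayis1970Jan15” looks long, but an attacker who knows the birthday needs only a handful of guesses, whereas six words drawn at random from a 7776-word list need on the order of 2^77 guesses no matter what the attacker knows about you.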
Tip 4: If you’re buying computers or other digital devices, make sure to get products to protect them as well, and make sure to install and configure them before the devices go online!
If you have new digital devices planned for holiday gifts, don’t forget the security products to help protect them. Unprotected devices can be infected in less than five minutes.
Use family-safe software and tools. No single technology solution meets the needs of every family, so explore the many different tools that can help you keep your children safe online.
A few more digital device tips:
· Use an internet firewall at all times. The firewall is your first line of defense in protecting your computer because it helps hide your devices from online attackers and many types of malicious software.
· Keep your operating system up to date; enable its automatic update features. Cybercriminals are constantly at work devising new ways to attack your computer and invade your privacy.
· Maintain antivirus and antispyware software. Antivirus and antispyware software help to protect your computer by scanning email, applications, and data that resides on your computer. Strong antivirus and antispyware programs can detect and remove viruses and spyware before they have a chance to damage your devices.
Tip 5: Install the updates your products need (the security and firmware updates released between the time the product was made and the time you set it up), patches, etc.
Keeping software and firmware up to date helps protect your computer and other digital devices.
For more on how families can work together to use technology more securely, see the SOeC basic tip sheet for families, Cyber Security Tips for Family.

19.11.17

One-third of internet pounded by DoS attacks

“A third of the internet is under attack.”
This blunt and sobering statement comes from a team of researchers who recently explored the threat landscape populated by denial-of-service (DoS) attacks worldwide. What they report finding is nothing short of, to use their own words, an eye-opening statistic.
However, before we dig our forks into the meat of their research summed up in a paper [PDF] called “Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem”, a quick explanation of DoS attacks, as well as their highly-amplified big brother, distributed denial-of-service (DDoS) attacks, is in order.
Both of these kinds of attacks are most commonly effected by inundating the target with a barrage of bogus traffic, ultimately with an eye to bringing it down and denying access to the service for legitimate users. Simple DoS attacks, which are a one-on-one affair, have been all but supplanted by DDoS attacks. The latter involve concerted campaigns from armies of devices conscripted into botnets which, as if lined up and marching in lockstep, aim to knock the unlucky target offline.
In a nod to the magnitude of the problem that DDoS attacks represent for internet stability and reliability, the six-strong team of researchers carried out a longitudinal analysis of the DDoS ecosystem “by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and mitigation behaviors”. The findings of their research, which draws on data covering the period from March 2015 to February 2017, were unveiled at the Internet Measurement Conference in London earlier this month.
“One-third of all /24 networks recently estimated to be active on the internet have suffered at least one denial-of-service (DoS) attack over the last two years,” reads the number-one takeaway from the study conducted by researchers from the University of Twente in the Netherlands, the University of California, San Diego, and Saarland University in Germany. The suffix ‘/24’, or ‘slash 24’, denotes a block of IPv4 addresses that share their first 24 bits, i.e. 256 consecutive addresses such as 192.0.2.0 through 192.0.2.255.
Figures
After dissecting the two years’ worth of data, the study’s authors counted 20.9 million attacks targeting 6.34 million unique IP addresses. They observed a total of 2.19 million unique /24 network blocks that host at least one target. To put that into perspective, this amounts to just over a third of recent estimates of the actively used IPv4 address space. IPv4 is the fourth, and still predominant, version of the Internet Protocol, which supplies the addresses devices use to reach one another on the internet.

Across this two-year span, a daily average of nearly 30,000 attacks was observed, which one of the study’s authors, Alberto Dainotti, described as “staggering, a thousand times bigger than other reports have shown”.
And yet, fellow co-author Anna Sperotto voiced concern that this still may not paint the full picture. “Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” she is quoted as saying.
To detect attack events, the team drew on two complementary raw data sources: the UCSD Network Telescope, a large block of unused address space that captures evidence of DDoS attacks launched with randomly and uniformly spoofed source addresses (the victim replies to the forged sources, and some of that ‘backscatter’ lands in the telescope); and the AmpPot DDoS honeypots, which pose as amplifiers and so observe reflection and amplification attacks, in which the spoofed source address is the victim’s own. In both cases the attackers forge the source IP address to hide their identity, and that forgery is precisely what makes the attacks visible to these sensors.
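To make the telescope side of that concrete, and the /24 arithmetic behind the headline figure, here is an added example (not the researchers’ code or the paper’s framework): it takes a constructed handful of packet records arriving at an assumed darknet prefix, keeps only the TCP SYN-ACK/RST replies that can only be backscatter from a victim, attributes them to the victim by source address, and then counts unique targets and the unique /24 blocks they fall in as a share of an assumed number of active /24s. The AmpPot honeypot side is not modelled, and the thresholds are illustrative.

```python
import ipaddress
from collections import defaultdict

# Assumed darknet (network telescope) prefix; TEST-NET-3 stands in for a real unused block.
TELESCOPE = ipaddress.ip_network("203.0.113.0/24")

# Constructed packet records seen at the telescope: (time, src, dst, proto, tcp_flags).
# Nothing legitimate is ever sent to a darknet, so a TCP SYN-ACK or RST arriving there is
# backscatter: a victim answering SYNs whose source address was spoofed into our range.
SAMPLE_PACKETS = [
    (1, "198.51.100.10", "203.0.113.5", "TCP", "SA"),
    (2, "198.51.100.10", "203.0.113.77", "TCP", "SA"),
    (3, "198.51.100.10", "203.0.113.201", "TCP", "SA"),
    (4, "198.51.100.20", "203.0.113.9", "TCP", "RA"),
    (5, "198.51.100.20", "203.0.113.140", "TCP", "RA"),
    (6, "198.51.100.20", "203.0.113.33", "TCP", "RA"),
    (7, "192.0.2.7", "203.0.113.12", "TCP", "SA"),
    (8, "192.0.2.7", "203.0.113.13", "TCP", "SA"),
    (9, "192.0.2.7", "203.0.113.250", "TCP", "SA"),
    (10, "192.0.2.99", "203.0.113.4", "TCP", "SA"),   # a single reply: not enough evidence
    (11, "192.0.2.200", "203.0.113.1", "TCP", "S"),   # SYN scan of the darknet, not backscatter
    (12, "192.0.2.200", "203.0.113.2", "TCP", "S"),
    (13, "192.0.2.55", "203.0.113.6", "UDP", ""),     # UDP probe, not classified here
]

BACKSCATTER_FLAGS = {"SA", "R", "RA"}  # replies a host sends to a SYN it never asked for


def is_backscatter(pkt):
    _, _, dst, proto, flags = pkt
    return proto == "TCP" and flags in BACKSCATTER_FLAGS and ipaddress.ip_address(dst) in TELESCOPE


def infer_victims(packets, min_packets=3, min_dst=3):
    """Attribute backscatter to its source, which is the victim.

    Require several packets spread over several distinct telescope addresses: that
    spread is the signature of uniformly random source spoofing, and it filters out
    a lone stray reply."""
    dsts = defaultdict(set)   # victim -> telescope addresses it replied to
    count = defaultdict(int)  # victim -> backscatter packets seen
    for pkt in packets:
        if is_backscatter(pkt):
            dsts[pkt[1]].add(pkt[2])
            count[pkt[1]] += 1
    return sorted(v for v in count if count[v] >= min_packets and len(dsts[v]) >= min_dst)


def block24(ip):
    """The /24 block an address belongs to: keep the first 24 bits, zero the last 8."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def summarize(victims, active_blocks):
    """The paper's headline arithmetic: unique targets, unique /24s, share of active /24s."""
    blocks = {block24(v) for v in victims}
    return {"targets": len(victims), "blocks": len(blocks),
            "share_of_active": len(blocks) / active_blocks}


if __name__ == "__main__":
    victims = infer_victims(SAMPLE_PACKETS)
    print(victims)
    print(summarize(victims, active_blocks=8))  # 8 active /24s is an assumed figure
```

Two of the three inferred victims sit in the same /24, which is why the paper reports both unique target addresses and unique /24 blocks: a single heavily attacked block can hold many target addresses, and it is the block count, compared against an estimate of active blocks, that yields the “one-third” figure.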
Targets
As might have been expected, web servers were found to be the prime targets. “[M]ost DoS attacks (e.g., about 69% for TCP-based attacks) targeted Web servers,” reads the study.
An average of 3% of web sites ending in .com, .net, and .org, were victims of attacks daily due to their being hosted on targeted IP addresses.
A number of “large parties”, including organizations providing web hosting services, were identified as frequent targets, most notably GoDaddy, Google Cloud and Wix.
Meanwhile, the by-country target ranking is largely consistent with internet address usage patterns, albeit with some notable exceptions. Using the Telescope data, the US was found to be home to over 25 percent of the targeted IP addresses. For reflection attacks, the share climbs to 29 percent, with both figures roughly on a par with the country’s address space usage. China comes second on around 10 percent for both kinds of attacks, which is also commensurate with statistics of internet address space utilization.
By contrast, Japan, despite being third in the number of internet addresses, ranks 14th and 25th, respectively, in DoS target numbers. Russia and France, on the other hand, endure more attacks than their estimated internet address usage would predict.

Where do we go from here?
Looking beneath the surface, the researchers gave us a taste of the breadth and scale of the DoS problem, which clearly goes beyond the supremely crippling attacks that grab the headlines. The team also noted the increasing onslaughts spurred on by the rise of the DoS-as-a-Service phenomenon (aka “stressers” or “booters”), which enables any ill-intentioned netizen to orchestrate powerful attacks. The study clearly serves to highlight the need for staying ahead of the rising tide of threats emanating from DoS attacks.
The extent of the damage that denial-of-service attacks can inflict courtesy of botnets was exemplified in October 2016, when a series of DDoS attacks were unleashed against systems operated by Domain Name System (DNS) provider Dyn. The attack, which made a host of high-profile online services unavailable, was carried out by thousands of compromised, inconspicuous Internet-of-Things devices herded into a botnet called Mirai, and should serve as a stark warning of the harm that denial-of-service attacks can cause.