The Financial Services Club is a unique service designed for Senior Executives and Decision Makers from any firm interested in understanding and planning strategies for the future of banking and finance.
… stealing over £30 million in a lengthy criminal spree of
robbing cards and retailers of goods and services.
Easily done, as it turned out.
And you can see why when you listen to this phone call.
This is Tony pretending to be a bona fide customer sales person from a retailer who
the customer visits regularly.
Tony’s got their details by using a man-in-the-middle
attack.
This is pretty easy to do. For example, in Tony's presentation, he harvested this customer information by creating a wifi hotspot called “Starbucks wifi”.
The customer therefore thinks they’ve safely logged on to Starbucks
wifi in their local café when, in reality, they’re logged onto Tony’s wifi
hotspot.
As the customer entered their card details on the superstore's site over that hotspot, Tony captured them.
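An added defender-side check (not code from the original post or from Tony's presentation) that flags the footprint a rogue "Starbucks wifi" hotspot leaves in a Wi-Fi scan: the same name advertised by a radio nobody has seen before, with different security to the genuine network, or under a lookalike spelling. The scan lines and the trusted-BSSID list are constructed, and the semicolon layout is an assumed terse scanner format.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str      # MAC address of the radio advertising the network
    security: str   # "OPEN", "WPA2", "WPA3", ...
    channel: int


def normalize_ssid(ssid):
    """Collapse case, whitespace and punctuation so 'Starbucks WiFi'
    and 'starbucks-wifi' compare equal (lookalike names)."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())


def parse_scan(text):
    """Parse 'SSID;BSSID;SECURITY;CHANNEL' lines.
    This terse format is an assumption for the example, not a real tool's output."""
    aps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, channel = line.split(";")
        aps.append(AccessPoint(ssid, bssid.lower(), security.upper(), int(channel)))
    return aps


def find_suspicious(aps, trusted=None):
    """Group access points by normalized SSID and return
    {normalized_ssid: [reasons]} for groups that look like an evil twin.
    `trusted` maps a genuine SSID to the set of BSSIDs known to serve it
    (for instance recorded on an earlier visit to the cafe)."""
    trusted = trusted or {}
    trusted_norm = {normalize_ssid(k): {b.lower() for b in v} for k, v in trusted.items()}
    groups = defaultdict(list)
    for ap in aps:
        groups[normalize_ssid(ap.ssid)].append(ap)
    findings = {}
    for key, group in groups.items():
        reasons = []
        names = sorted({ap.ssid for ap in group})
        if len(names) > 1:
            reasons.append(f"lookalike names for one network: {names}")
        securities = sorted({ap.security for ap in group})
        if len(securities) > 1:
            # A genuine WPA2 network shadowed by an open one of the same name
            reasons.append(f"mixed security on one name: {securities}")
        if key in trusted_norm:
            unknown = sorted(ap.bssid for ap in group if ap.bssid not in trusted_norm[key])
            if unknown:
                reasons.append(f"radios never seen before on a trusted name: {unknown}")
        if reasons:
            findings[key] = reasons
    return findings


# Constructed scan: two genuine APs, one rogue open hotspot with a lookalike name,
# and an unrelated network that should produce no finding.
SAMPLE_SCAN = """
# ssid;bssid;security;channel
Starbucks WiFi;aa:bb:cc:00:00:01;WPA2;6
Starbucks WiFi;aa:bb:cc:00:00:02;WPA2;11
Starbucks wifi;de:ad:be:ef:00:01;OPEN;6
HomeNet;11:22:33:44:55:66;WPA2;1
"""

# Constructed: BSSIDs recorded for the genuine network on a previous visit.
TRUSTED = {"Starbucks WiFi": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}


if __name__ == "__main__":
    for name, reasons in find_suspicious(parse_scan(SAMPLE_SCAN), TRUSTED).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The rogue hotspot trips all three checks at once; a single open network with a never-seen name trips none, which is why the "seen before" list from a prior visit matters more than the other two heuristics.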
He also did a lot more that I could tell you about, but you
need to join the Financial Services Club if you want to know about that.
What I will share with you is this phone call.
As mentioned, Tony knew the customer used this store for shopping
and that they used a certain card regularly.
So, here goes, this is Tony trying to get a little more out of the customer.
The thing is that Tony is using basic social engineering skills
to achieve this and, as he pointed out regularly in his presentation, the
problem we have is that most people believe people are honest.
Whether you are working in a bank or getting services from a
bank, you think they and the people who work there are honest.
Not all of them are.
So Tony’s murky past and honest present – he advises banks
and retailers on how to avoid fraud today – is all about preying upon people’s
honesty.
Then imagine if you had a horde of people using such skills.
I was wondering what to blog about today, as it’s grey and
cold and wet and miserable and … then I realised, I should blog about Russia.
Here in London, we’ve gradually seen a takeover of some of
our key financial and national assets by billionaires from the former Soviet
Union states.
Some of these are glamorous, such as Roman Abramovich with
his Chelsea dreams and billion-dollar yacht, and some are a little bit more odorous, such as Vladimir Antonov.
I was just surfing the BBC news for information about the new Governor of the Bank of England and found this as the #1 most viewed video clip today.
The story is about a Romanian fraudster who admitted to stealing
£3 million from a card-skimming scam. He
couldn’t exactly deny it, as he was caught red-handed on CCTV when he returned
to collect his high-tech skimmer.
After his arrest, police discovered he had
obtained about 9,000 bank card PINs.
The only thing that gets me is that I’ve
seen these skimmers for years, and would have thought that the ATM technology would have developed far
enough by now to stop such fraud happening.
I’ve blogged often
about the issues of identity, passwords, lack of security and the whole gamut
of how mobile internet combined with social media changes everything. Now it’s hit the mainstream media:
British Airways’ in-flight magazine has cybercrime on its front page.
The first line gives away the rhythm of the article: “How do
hackers crack a corporation? Their top tool is you.”
The article talks about everything from using a USB
stick, which immediately creates an opportunity for hijacking, to the
vulnerabilities of copying corporate work to your private gmail account.
Derek Wylde, Group Head of Fraud at HSBC,
presented at the Financial Services Club last week.
He talked about many aspects of fraud and risk,
and presented quite a few numbers
related to the issue.
One of the charts raised questions in my
mind. It related to the total cost of payment card fraud. According to Derek, payment card fraud costs
an average of six to eight basis points on sales. For those who don’t use the terminology of basis points, a basis point
is one hundredth of a percentage point, or 0.01% if you prefer. So fraud costs between 0.06% and 0.08% of
total payment card sales.
The converse of KYC and AML is identity management.
If we had effective identity management where everyone could
be identified as a unique person with certainty and securely, we would not have
the issue of AML and KYC given to the banking system.
The issue with identity is that no-one wants to own the
problem.
Governments give us passports and driving licences; banks
give us accounts based upon these identifiers PLUS utility bills; and these are
the two key identifiers in our lives.
But they are not sufficient, as both can be easily
compromised.
Passports can be copied and bank accounts can be hacked.
We were discussing transaction processing with one of the banks,
when the head of transaction processing
turned to me and said: “Chris, you know what?
We now have more people checking what we are doing than we have doing
what we are doing!”
I think I was supposed to be surprised, but I didn’t quite
get it and asked what he meant.
“Well, now all these rules and regulations on Know
Your Client (KYC), Anti-Money Laundering (AML), tracking and tracing
Politically Exposed Persons (PEPs) and identifying and notifying authorities of
suspicious transactions with SARs (Suspicious Activity Reports) mean that we
have more people employed in money laundering, compliance, audit and control
than we have employed in the actual business of running the bank.”
The real challenge for the banking system is how to protect
their firewalls from attack by hacktivists, goverworms and cybercriminals and,
conversely, how to deliver easy access to online banking for their clients and
customers.
It’s a real dilemma.
On the one hand, everyone wants mobile access to his or her
account balances and to make payments; on the other, no-one wants to consider
the issue of haemorrhaging losses if they don’t protect their account properly.
Standard Chartered paid off the new Sheriff of New York City, Benjamin Lawsky, to the tune of $340 million to get rid of the pest. As Investec's commentator Ian Gordon said yesterday, they “acted with pragmatism and integrity in the face of extreme provocation”.
So, unlike my prediction of just yesterday, the Diamond geezer has gone.
Like a revolving door: Marcus Agius, the Chair of Barclays Bank, resigned on Monday.
Now, two days later, Bob Diamond has resigned and Agius is back.
What is going on?
Well, first there has been a massive public and political backlash against Barclays Bank over this culture of corruption, exposed through the LIBOR crisis.
Worse than this, though, Bob Diamond, as one of the UK’s highest paid CEOs, is seen as directly accountable for this.
He could have withstood such a backlash, as demonstrated by the Board accepting that Agius could go and Diamond could stay.
So why did Bob Diamond resign?
All the media pressure got to him?
No, he’s far more thick-skinned than that.
All the political pressure got to him?
No, same.
The Board got to him?
Has to be.
But the Board got to him after the political and media backlash.
Remember, the Board got to him after accepting that he would stay and Agius would go.
So why did the Board change their mind?
Because Bob Diamond started threatening to spill the beans on all the skeletons in the UK banking sector’s closet.
Specifically, yesterday, he threatened to expose the Bank of England’s role in the LIBOR scandal.
There’s the rub.
That changed everything, as now it was Bob Diamond trying to save his own skin, potentially at the cost of the bank’s reputation with the new lead UK regulator.
So Bob had to go.
It will be interesting to see what he says to the Treasury Select Committee tomorrow.
Meanwhile, I would stop blogging about it but this story is a critical change in the history of UK and possibly global banking, so it’s too important to ignore.
A short while ago, I mentioned that the Financial Services Club were to debate: This house believes that The City is full of greed and corruption.
We had the debate last week, and it was excellent with Ian Fraser and Nick Kochan, two enigmatic investigative journalists of our time, proposing the motion.
Ian Fraser (left) is an award-winning journalist, commentator and broadcaster who writes about business, finance, politics and economics. His work has been published by among others The Sunday Times, The Economist, Financial Times, BBC News, Thomson Reuters, Dow Jones, Daily Mail, Mail on Sunday, Independent on Sunday, the Herald, Sunday Herald, The Scotsman, Accountancy, CA Magazine and CityWire.
Since 2008 he has been consulting editor and blogger on Bloomsbury Publishing’s QFINANCE and also blogs for Naked Capitalism, a leading US website for economic and financial views. Some blogs are cross-posted on other sites including The Economic Populist and Seeking Alpha.
Since March 2009 he has been making programmes about the global financial crisis for the BBC. These have included a File on 4 documentary for BBC Radio 4 about HBOS, Trust Me I’m A Banker for BBC Scotland and Carry on Banking for BBC 1 Panorama.
Nick Kochan (right) is a commentator on banking and financial services on compliance and regulation, emerging markets, political and forensic topics.
His work on banking, financial services and the economy has appeared in The Financial Times, the Economist, the Banker and Euromoney magazines. He is regularly consulted by the BBC and Sky for commentary on economy and financial services.
In particular, Nick has established his leadership in the field of compliance and regulation with the publication of his book on money laundering (The Washing Machine, 2006) and more recently on Bribery and Corruption (Corruption: The New Corporate Challenge, 2011).
These two formidable beasts were set up for opposition by two equally formidable characters: Brian Mairs and Colin Slight.
Brian Mairs leads the Strategic Communications area of the British Bankers’ Association (BBA), and writes, commissions and edits articles, working with colleagues in the BBA’s Communications team.
A former journalist and HM Treasury press officer, Brian's City career has included heading communications for APCIMS (the Association of Private Client Investment Managers and Stockbrokers) and for CFA Institute across Europe.
Colin Slight is Managing Partner with the Realization Group, and leads the official charity for the Financial Services Club, MAG:NET, where I will be speaking on 5th July alongside Martin Bell, the white-suited independent politician and former war reporter.
The arguments began with Ian putting forward the case that the City used to be run on the basis of people who were interested in appropriate steerage of the City.
They had ethics, morals, judgement and values.
That changed over the past two decades to allow people to now run the City who have no sense of altruism. They just want to get rich quick.
If people are purely motivated by greed with no sense of ethics, then they rapidly move to abuse, as demonstrated by the recent letter about Goldman Sachs calling their clients muppets.
Various cases were cited from BCCI to Barings, RBS to HBOS, but most of this is under the Chatham House Rule so I cannot repeat word for word what was said.
What I can do is cite Ian Fraser’s blog where he regularly uncovers stories about rogue actions in the financial system, such as:
As you can see, Ian is not a huge fan of the banks, or rather of the banks’ shenanigans, and works tirelessly to expose their misdoings and misdeeds.
It also intrigued me that he mentioned various folks, such as Rowan Bosworth-Davies. Rowan is an old mucker of mine and will be speaking at the Club in Q4, along with David Bermingham (one of the NatWest Three).
Ian’s thrust of dialogue is that banks were allowed to get away with a lot of greed, through the failure of regulators and government and the lack of appropriate auditing controls.
In fact, he is pretty darned livid that an auditor is now the top regulator, and believes this is where we have the major issue.
I quote this, as Ian blogged about the debate, stating that William K Black, associate professor of economics and law at the University of Missouri, Kansas City, gave testimony to the Federal Crisis Inquiry Commission in September 2010 saying as much:
By the time this crisis began economists (Akerlof & Romer 1993), regulators (Black 1993); and criminologists (Calavita, Pontell & Tillman 1997; Black 2003; Black 2005) had developed effective theories explaining why combining financial non-regulation and modern executive and professional compensation produced criminogenic environments that led to epidemics of accounting control fraud.
We also explained why these were near perfect frauds and explained how control frauds used their compensation and hiring and firing powers to create a “Gresham’s” dynamic that allowed them to suborn the “independent” professionals that were supposed to serve as “controls” and transform them into allies. (This is similar to HIV’s ability to infect the immune system.)
So there you have it. Extrapolating from Black, the ‘Big Four’ accountancy firms Deloitte, Ernst & Young, KPMG and PWC, whose duties as auditors are supposed to be to the shareholders not to the management of a company, have been behind the creation of a “Gresham’s” dynamic.
By this, I mean they have provided a cover for ‘white collar’ crime, in exchange for inflated audit fees (or what are increasingly being termed by the accountancy professor Prem Sikka and others as “bungs for silence”).
If true this makes them dangerous institutions, whose imprimatur should increasingly be seen as a negative rather than a positive by investment management firms with a genuine interest in safeguarding their investors money.
Hmmmmm ….
Ian’s seconder Nick was equally diligent in delivering his powerful mantra about City greed and corruption, opening with a video clip that was particularly amusing and engaging:
The video is from some years ago, and shows Saudi Prince Bandar bin Sultan talking about corruption charges.
Prince Bandar is son of the late Crown Prince Sultan bin Abdulaziz Al Saud.
Prince Bandar was ambassador to Washington between 1983 and 2005, and is Secretary General of the Saudi National Security Council.
He is thought to have fallen out of favour with other princes due to overzealous diplomatic efforts in recent years although, looking at a transcript of the video above, I am not sure he is that diplomatic, just honest:
The way I answer the corruption charges is this. In the last 30 years, we have implemented a development program that was approximately ... close to $400 billion worth, OK? Now, look at the whole country, where it was, where it is now. And I am confident after you look at it, you could not have done all of that for less than, let's say, $350 billion.
If you tell me that building this whole country, and spending $350 billion out of $400 billion, that we misused or got corrupted with $50 billion, I'll tell you, "Yes." But I'll take that any time. There are so many countries in the Third World that have oil that are still 30 years behind. But, more important, more important -- who are you to tell me this? ... What I'm trying to tell you is, so what? We did not invent corruption, nor did those dissidents, who are so genius, discover it. This happened since Adam and Eve. ... I mean, this is human nature. But we are not as bad as you think. ...
Nick then went through a litany of bank failures, corroborating Ian’s view that the City is rife with corruption and greed.
Answering such accusations is hard, but Brian and Colin proved to be more than up for the job.
Brian went through a long list of reasons why it is not endemic to banks, but hard wired into the way in which humanity works.
From ancient Greek and Roman times through to today, corruption and greed exist anywhere and everywhere they are allowed, and the banking system positively supports the regulation and governance of greed and corruption by being one of the only places where they can be traced, tracked and found.
In fact, the City is an excellent place to stop corruption and greed, as this is where the proceeds end up. That is why the laws around tracing Politically Exposed Persons (PEPs), money laundering and more are so integral to the banking system, and this is where governments can find those activities.
So greed and corruption are not rife in the City but in life, and the City is a machine that can temper, trace, track and eradicate these activities, rather than merely being the place where the money ends up.
Colin was even more offended by the notion that corruption and greed even go together in the same line, as they are totally unrelated.
Greed is programmed within all of us, which is why it is one of the seven deadly sins, but corruption is completely separate and if anyone thinks all of the thousands of people who work in banking are corrupt, then they are wrong.
Sure, there are a few bad apples to spoil the barrel, but that’s true of any industry – politics, religion, business, you name it. There will always be some rogues and scallywags, but the majority are good, honest, decent hard working people, and so calling all those people corrupt is inherently wrong.
Arguments well put and well placed, but they did not wash with the audience, who voted overwhelmingly in favour of the motion.
My take on it was that the motion was carried more on the emotion of the topic than the facts however, and personally see greed and corruption as being part of the makeup of humanity – along with lust, gluttony, wrath, pride, sloth and envy.
The Seven Deadly Sins have nothing to do with ‘The City’ as they exist within all of us, as part of humanity.
The only issue is whether governance, regulation and politics allow excess in such sins and, yes, that has been the issue of the last decade.
In summing up, it was the allowance of greed through corruption that has been the concern shared by all and, for that motion – This House believes that the control system has allowed the City to over-indulge in greed and corruption – I, along with many others, would probably concur.
In conclusion, a video Ian presented sums up the case, and is worth half an hour of your time if you have the interest:
The story proves to be an intriguing in-depth analysis (4,000 words) and is not an indictment of Citigroup per se, but of the corporate mentality of any global business today.
You may disagree with that statement so, if you can’t be bothered reading 4,000 words, here are 1,000 in summary:
Sherry Hunt ran the Quality Control department for Citi's Mortgage Unit for eight years.
She joined the bank in November 2004, as a vice president in the mortgage unit. Her team were responsible for protecting Citigroup from fraud and bad investments by checking prospective loans to see whether they met the bank’s standards, e.g. properly signed paperwork, verifiable borrower income and realistic appraisals.
At the time, investor demand was so strong for mortgages packaged into securities that Citigroup couldn’t process them fast enough.
As a result, it had an army of people working to process them.
Those people worked in different teams.
One team bought loans from brokers and other lenders.
Another team made sure loan paperwork was complete.
Yet another group did spot-checks on loans already purchased.
It was such a high-volume business that one group’s assignment was simply to keep loans moving on the assembly line.
Still another unit sold loans to Fannie Mae, Freddie Mac and Ginnie Mae, the government-controlled companies that bundled them into securities for sale to investors.
Workers had a powerful incentive to push mortgages through the process: compensation.
The pay of CitiMortgage employees all depended on a high percentage of approved loans.
By 2006, the bank was buying mortgages from outside lenders with doctored tax forms, phony appraisals and missing signatures.
Sherry Hunt reported such discrepancies regularly to her bosses, who buried her findings before, during and after the financial crisis, and even into 2012.
Hunt’s team was processing $50 billion in loans a year and, because her unit couldn’t possibly review them all, they checked a sample.
When a mortgage wasn’t up to federal standards -- an unsigned document, a false income statement or a hyped-up appraisal -- her team labelled the loan as defective.
In late 2007, Hunt’s group estimated that about 60 percent of the mortgages Citigroup was buying and selling were missing some form of documentation.
Hunt says she took her concerns to her boss, Richard Bowen III.
Bowen alerted Citigroup executives in an email dated November 3rd 2007.
Citigroup’s response was to move Bowen from managing 220 people to overseeing two. By January 2009, Bowen no longer worked for Citigroup.
Meanwhile, Hunt was transferred to the quality-control group on April 1, 2008. She went from supervising 65 people to managing none.
She found even worse dealings in her new role.
For example, the Fraud Prevention and Investigation Group were supposed to investigate the mortgages for fraud and notify the Federal Housing Authority (FHA) within a month if it found any.
In November 2009, Hunt came across a list of about 1,000 loans that the quality-control team had identified for possible fraud.
The Fraud Prevention and Investigation Group left some of the mortgages in the queue for more than two years and not one notification went to the FHA before July 2011, when the U.S. Attorney’s Office issued a subpoena.
In November 2010, Ross Leckie, a senior director of CitiMortgage’s retail bank mortgage unit, sent an e-mail ordering his staff to meet its goal of a maximum 5 percent defect rate on home loans (at the time, the level was over 7 percent).
CitiMortgage defect rates did plummet, but not because there were fewer bad mortgages.
The culture led to Hunt studying the new federal whistle-blower rules under Dodd-Frank in late 2010 and followed them after a meeting with Jeffrey Polkinghorne, an executive who was three levels above her in the chain of command, on March 22, 2011.
That’s when Polkinghorne called her and a colleague aside and told them their “asses were on the line” if the mortgage defect rates didn’t fall.
Hunt says it was clear what Polkinghorne was asking – for her to ignore the defective loan book - and she wanted no part of it.
On March 29th 2011, she followed the first step in the Dodd-Frank regulation: formally complaining to the company.
Hunt walked into CitiMortgage’s human resources department and told them everything: how the bank had been routinely buying and selling bad mortgages for years, how the fraud unit wasn’t doing its job and how the quality-control people were being pressured to change their ratings.
She also reported her concerns to the SEC (Dodd-Frank states you must do this within 90 days of filing your complaint internally) and hired a lawyer.
On August 5th 2011, she sued the bank, filing a false-claims complaint in U.S. District Court.
She knew her chances of winning were slim, because she couldn’t match the resources of a big bank, and just hoped the government would join her action (only 20 percent of whistle-blowers get help from government prosecutors and, without that, success is rare).
On January 3rd 2012, the Justice Department decided to join her in the case.
There was no testimony and no trial. Citigroup admitted wrongdoing and, on February 15th, paid $158.3 million to settle.
In a press release Citi said it was pleased to resolve the matter: “we take our quality-assurance processes seriously and have proactively undertaken process improvements to ensure that they are as robust as possible.”
If Citigroup has learned anything from Sherry Hunt, it’s not clear from the comments of CitiMortgage CEO Sanjiv Das:
“This is a complex industry. It’s a complex process. It takes time. We’re heading down a trajectory that I’m incredibly proud of. Is there something that is systemically wrong? Absolutely not. Absolutely not.”
As a reward for blowing the whistle on her employer, Hunt got $31 million out of the settlement paid by Citigroup.
Postscript: Citigroup isn’t the only bank held accountable for processing bad mortgages in the USA ... but what sets them apart is that the bank approved flawed loans well past the 2008 financial crisis.
I downloaded the app and started playing it just to make sure it’s real.
The game opened with the story detail:
Planet Shred was once the finance capital of the galactic empire Holyrood until the banking mogul Sir Derf stripped it of all resources. With banks riddled with toxic debt, Derf ignored all signs of the CREDIT CRUNCH.
Bailey has just beamed onto Shred from off world as he wants to find Derf’s secret vault containing the security codes that will stop Derf’s disastrous expansions into B.N.ORMA.
If Bailey is successful he will stop the spread of toxic debt, dethrone Derf and prevent inter galactic financial ruin.
There is then a choice of three game types.
In ‘Stop Derf’ you must save planet Shred and the finance capital Holyrood from Toxic Debt by defeating Sir Derf Goodwin.
Fighting your way past the Hornby Lizard guards you must find Derf’s hidden vault and get to his plans for expansion into B.N.ORMA. Success will prevent a disastrous Credit Crunch.
If you win, Derf will be stripped of his knighthood.
In other game types you can practice your shooting in target practice mode or fight off the hordes of Hornby Lizards and rack up points as you battle your way to the various flag objectives.
The only shame of the matter is that the game is a bit too challenging as, on the iPhone, it is pretty hard to follow so I'd recommend getting the iPad version.
But feel free to download it if you enjoy donating $1.99 (£1.49) towards feeling some sense of beating up Fred Goodwin (no longer Sir Fred) over his disastrous RBS expansion into ABN AMRO, whilst fighting off Andy Hornby (former CEO of HBOS).
So I just had a meeting with a couple of heavyweights in the cybersecurity field.
These guys are bank defenders, and very good at their jobs.
Their mission: to keep cyberattacks to an acceptable level.
Acceptable is a few basis points of total credit, let’s say under 0.7%.
Fine.
But it’s getting harder every day, when attacks come from all levels.
They therefore issue tokens, keys and software to make sure that customers are protected.
The only thing is that the tokens, keys and software aren’t liked by most customers as they are unwieldy, difficult to use and hard to remember.
Why is that?
Because most bank systems were built for the branch era, when the internet was just a wee idea in the back of someone’s head.
Now that all this crap is out there offering remote access that’s convenient, it’s creating a real headache for everyone.
So the result is an overlay of bulky security processes that no-one likes, but the sticking plaster works (albeit with effort).
Then we get into a dialogue about how security has changed as, just a few years ago, 80% of the threat was from physical attack and 20% virtual; now it’s switcheroo’d with 80% remote and 20% direct, ignoring the internal attacks of course.
This is well illustrated by the latest stats from Symantec, who announced that there were over 5.5 billion malicious attacks on systems last year – an increase of 81% – with over 403 million different versions of 'malware' out there.
Times are hard.
We got into a chat about how, with so many possible compromising events out there, you actually protect the bank.
They said that they knew the bank would get compromised on an irregular basis – you cannot predict every attack – but it depends on what the attack is and how you handle it.
A denial of service attack that brings down the website is far easier to deal with than one that compromises customer data or funds.
Equally, the key for the bank is not the compromise risk but the reputational risk: getting hacked once with no-one hearing about it is far more desirable than getting hacked with customers knowing about it. Even worse is getting hacked more than once with customers knowing about it.
True, true.
So it’s all about minimising risk, managing compromises and ensuring everything is kept at a nice level below the eyeline of the client.
I finished the chat by asking why it was that we no longer hear much about identity theft anymore, as that was a big topic just a few years ago.
“Oh that”, they said, “that’s those darned yanks stirring up the pot”.
What?
“There is no such thing as identity theft”, they said.
What?
“The yanks call everything identity theft, whether it’s a card not present card issue for a singular transaction or an account takeover”.
Oh.
“So we only refer to account takeover as identity theft, which is when someone gets hold of the bank access of a customer and uses that for their own purposes.”
Oh.
“And that’s where the issue arises”, they said.
Really?
“Well, if we have a totally new customer to the bank, never seen before, we have three groups who start to look at the customer onboarding: risk, compliance and security:
Risk are typically looking at whether the person is bankable and appropriate to the account offer (credit and market risk);
Compliance are looking to ensure that all the regulatory tick boxes are ticked (AML, KYC); and
Security are trying to ensure that the person is not setting off security alarms when they are onboarded (fraud, cybercrime, terrorism, etc).”
OK.
“And the challenge is to make sure that all three groups work in tandem, as often the cogs can be out of kilter.”
Oh dear.
I guess that tells you why cybercrime, bank security and all the layers of keys, tokens and passwords, AML and KYC processes are so darned annoying but necessary.
Technology viruses like trojans and man-in-the-middle look mild today, when you see the tsunami of malware that’s out there.
Just a year ago, I was saying that banks should offer advice to consumers about security and privacy policies related to the use of social media and mobile media.
Now it’s ten times worse, with the names of the day being the honey for the pot.
And it’s far easier to trick someone in this socially connected world into installing viral malware than ever before.
Think about it.
Some things you get used to.
You are locked out of your PayPal account. It is urgent that you re-enter your details or your account will be deleted by close of business Friday.
I am Unga Bunga, the grandson of Great Unga Bunga, who died leaving $5,236,456,123.05 in his estate. Please help me get it out …
OMG, have you seen what they have been saying about you over here?
I get used to all of these as a heavy social mobile net user.
But some are more tricky.
For example, Lauren Vis is the Managing Director of KAS Bank and will be speaking at the Financial Services Club in June.
When looking for his profile details, I found this scam email:
Re: From L. Vis
KAS BANK. Suite 560 Salisbury House London Wall Broadgate London EC2M 5NU,United Kingdom Tel: +447011137826 Dear Friend,
Dear Friend
I am Mr. Lauren Vis I work with KAS Bank here in London. In my department, being the Private Banking Manager (Greater London Regional Office), I discovered an abandoned sum of £19,500,000 GBP (Nineteen million five hundred thousand pounds) in an account that belongs to one of our foreign customers …
Nothing too clever about the Nigerian 419 scam here, except that the name and address details for the bank are all correct and bona fide. Slightly more intelligent.
Or take the one that had me click the other day.
Doing the usual stuff on the iPhone, a note came through that a FEDEX parcel could not be delivered and to click on the order details.
Now I was expecting a FEDEX order and so I clicked … and immediately had a computer infection.
These days, regular airline bookings and related orders come through and I just ignore them, but many wouldn’t.
Or at least not the first time.
For these reasons, consumers may rightly fear being compromised in their online dealings.
Consider the numbers: 63% of webmasters whose websites get hacked don't know how the compromise occurred, and only six percent detect the compromise themselves.
Twenty percent of all households have at least one bot-infected computer, and 5% of all enterprise 'assets' are infected.
A recent study conducted by Websense and the Ponemon Institute found that 53 percent of organizations experience data breaches due to insecure mobile devices.
No wonder another study by the US Federal Reserve found that, among users of mobile phones who haven’t yet adopted mobile banking, about half said they were “concerned” about security.
And rightly so, you may feel, as 70% of mobile banking apps are not secure according to a study by myprivatebanking.
Add to this that cybercrooks have worked out how to get around OTP and other mobile bank security systems and, in a more luddite Skinner moment, I’m thinking about going back to using cheques, branches and cash only in the future.
We have seen a great deal of activity from the activist online community called Anonymous in the last year.
They first hit my radar when they closed down the websites of PayPal, Visa and MasterCard in retaliation for the arrest of Julian Assange and the closure of Wikileaks’ funding accounts.
This took the form of a co-ordinated Distributed Denial of Service (DDoS) attack by the Anonymous group, which anyone was able to join if they followed the group on Twitter.
They then reappeared on my radar when they successfully hacked the most prestigious American cybersecurity company. They not only hacked them, but it happened to be the cybersecurity company hired by Bank of America to track them down.
Then they got heavily involved in the Occupy movement, and much of the Wall Street and St Paul’s protest had their trademark V for Vendetta masks as part of the protest.
They led the Bank Transfer Day in America last November 5th, and have been mooted around many other discussions, such as those related to bitcoin usage and more.
Finally, we had the big deal of their hacking the ‘private’ conference calls between the FBI and Scotland Yard.
Big deal.
But how long can you stay ‘anonymous’?
Not that long, as several members have been outed in recent times.
This is because their identities are easily traceable if they post stuff all over Facebook and Twitter.
For example, Anonymous posted the Bank Transfer Day details on Facebook and then invited over 600,000 people to join in …
… that’s not very anonymous.
The arm of the law is also cracking down on Anonymous, with 25 arrests at the end of February in Argentina, Chile, Colombia and Spain thanks to Interpol's Latin American Working Group of Experts on Information Technology Crime.
And the big news in the UK this week has been the Anonymous group member who hacked into the British Pregnancy Advisory Service (BPAS) and leaked the names of women seeking abortion advice.
Something that isn’t popular with the group at large, and that led to his arrest when he broadcast the whole thing on Twitter.
It seems strange that whilst being against abortion on the one hand, the rest of the group is cracking into the Vatican’s accounts, calling the Catholic church "corrupt" and "retrograde".
What all of this demonstrates is that there is a real and present danger from cyberattacks. When amateurs can crack the accounts of the FBI, Scotland Yard, Vatican and more, there’s an issue.
The issue is that the hackers are combining forces with the leakers, and that creates a powerful activist voice.
So forget the co-ordinated cyberattacks between governments, such as the regular Israeli-Iranian spats or the idiots at NATO who gave all their personal information to a fake Facebook account set up by China; I’m more worried about Anonymous bringing down my bank.
Anonymous supporters who willingly enlisted their personal computers to launch denial-of-service attacks against the group's enemies may have unwillingly donated their personal banking information in the process.
Biometrics isn’t discussed that much at banking conferences these days.
Most of the time, when I raise the topic, there’s a groan from the banking audience.
“Oh, been there, done that.”
The usual view is that biometrics doesn’t work: it’s too flaky, with too many false positives (the wrong person accepted) and false negatives (the real customer’s finger, eyeball or voice not read correctly).
And yet, we now have things like Siri voice recognition on the iPhone (though Siri recognises what is said, not who says it) and fingerprint access to PCs, which is commonplace.
Voice and fingerprint recognition has come a long way.
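The “false positives and false negatives” complaint above is really one knob, not two: a matcher produces a similarity score, and the bank picks the threshold at which a score counts as a match. Pushing the threshold up to keep impostors out pushes genuine customers into the reject pile, and vice versa. The following is an added example (not code from the page or from any vendor it mentions) that shows the trade-off on constructed score lists; the score values are made up for illustration, and `GENUINE_SCORES` and `IMPOSTOR_SCORES` stand in for what a real fingerprint, iris or voice engine would output.

```python
"""Why a biometric is "flaky": FAR and FRR are one knob, not two.

Added example, not from the page. Scores are constructed matcher outputs in
[0, 1] (1 = perfect match); a real fingerprint/iris/voice engine produces its
own score distribution, so the numbers are illustrative only.
"""

# Constructed sample data: scores when the enrolled customer presents
# (genuine) and when other people present their own finger/eye/voice (impostor).
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.79, 0.90, 0.86, 0.70, 0.93, 0.84]
IMPOSTOR_SCORES = [0.35, 0.52, 0.41, 0.66, 0.30, 0.58, 0.47, 0.72, 0.38, 0.61]


def accept(score, threshold):
    """The matcher's decision rule: accept when the score reaches the threshold."""
    return score >= threshold


def far_frr(genuine, impostor, threshold):
    """False accept rate (impostors let in) and false reject rate
    (real customers turned away) at one threshold."""
    far = sum(accept(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not accept(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def tradeoff_curve(genuine, impostor):
    """(threshold, FAR, FRR) at every threshold that could change a decision,
    i.e. at each distinct observed score."""
    return [(t,) + far_frr(genuine, impostor, t)
            for t in sorted(set(genuine) | set(impostor))]


def equal_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the EER there.
    The single number usually quoted when comparing modalities or vendors."""
    threshold, far, frr = min(tradeoff_curve(genuine, impostor),
                              key=lambda row: abs(row[1] - row[2]))
    return threshold, (far + frr) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, and the FRR the
    customers then pay for it. The bank picks max_far; the FRR is what the
    complaints department sees."""
    for threshold, far, frr in tradeoff_curve(genuine, impostor):
        if far <= max_far:
            return threshold, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t, far, frr in tradeoff_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("EER (threshold, rate):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero FAR costs (threshold, FRR):",
          threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

Run stand-alone it prints the whole curve. On the constructed data, demanding zero false accepts forces the threshold to 0.79 and rejects one genuine customer in ten; loosening it to 0.69 lets one impostor in ten through instead. That is the trade a bank has to make in the open, and it is why the ATM trials of the 1990s felt “flaky” to everybody: whichever way the threshold is set, somebody visible is unhappy.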
India is now tagging every citizen with a biometric ID (Aadhaar), and most governments are doing the same via passport and cross-border programs.
So why are banks so reticent about biometrics for identity?
Because of the past trials or the future costs?
Probably a mixture of both.
Certainly, the idea of biometrics in banking has been around for a long time.
I was involved in rolling out iris recognition ATMs in the 1990s and engaged actively with the Japanese program of deploying palm reading ATMs in the 2000s.
At airports, I regularly pass through the fast-track line with an eyeball to a screen, banks have rolled out iris recognition on smartphones, and Apple has even patented fingerprint recognition as you swipe to unlock your iPhone.
Yet I still look for biometrics in banking and find it hard to uncover anything worthwhile.
“It seems like an innocuous piece of kit to have inspired such annoyance, but the new HSBC ‘secure key’ has already garnered six Facebook pages plotting its demise, while Twitter is all aflutter with people explaining just why they don't want to use it. So why has the bank decided to introduce this seemingly unpopular gadget?”
No, they don’t like it one bit.
Things will change and biometrics will be deployed instead of additional tokens and devices over time.
Much of this market increase will come from large government ID and security programs, which will then ripple over into financial applications.
For example, Companies and Markets predicts that the global biometrics market will hit $12 billion by 2015, up from $5 billion in 2010, thanks to these government security programs.
The report believes fingerprints will see the major focus, although citizens don’t like fingerprint recognition.
The reason is that fingerprints are mucky.
Wiping your finger over a terminal touched by hundreds or thousands of others, with no cleansing or wipe in-between.
Yeuch.
That’s why the Japanese moved to palm-vein reading, as you don’t actually need to touch the terminal.
But the most intuitive of all biometrics has to be voice surely?
With mobile being so ubiquitous, voice makes sense as it’s something you can easily verify via mobile.
Voice is a proven technology, and voice recognition is resilient, accurate and reliable enough to cope with accents or influenza.
With voice you don’t necessarily even realise you’re being biometrically read, and voice analysis is even used to try to detect lies.
This is why Opus Research predicts that the global number of registered voiceprints will increase from 10 million today to over 25 million in 2015, and much of this will be driven by the payments markets.
Mind you, you need to be a little wary of voice.
Talking about iris recognition and passwords recently, I got a note from the Spanish bank Bankinter, which has just launched an app that identifies clients through iris recognition on the phone.
The way it works is that customers access their brokerage accounts by blinking into their smartphone’s camera.
The app has algorithms built-in that look for eye movement, to ensure it's not just some picture of the eye, and there is no need for any additional hardware or external sensors.
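Checking for eye movement is the liveness test: a photo of the customer’s eye held up to the camera must not unlock the account. The following is an added example, not Mobbeel’s or Bankinter’s code, of the simplest form of that check, blink counting. It assumes the camera pipeline already gives, per frame, a normalised eye-openness value in the range 0 to 1 (for instance an eye-aspect ratio computed from eyelid landmarks); that input signal, the threshold constants and the frame sequences below are all constructed for the illustration.

```python
"""Blink-based liveness check for an iris/face login, as an added example.

Not Mobbeel's or Bankinter's code. Assumes the phone camera pipeline already
yields, per frame, a normalised eye-openness value in [0, 1] (e.g. an
eye-aspect-ratio from eyelid landmarks, scaled so 1 = wide open, 0 = shut);
that signal is an assumption, and the frame sequences below are constructed.
"""

CLOSED_BELOW = 0.3      # openness under this counts as "eye shut" (assumed)
MIN_CLOSED_FRAMES = 2   # a real blink spans several frames; a single dip is noise


def count_blinks(openness, closed_below=CLOSED_BELOW,
                 min_closed_frames=MIN_CLOSED_FRAMES):
    """Count complete open -> shut -> open transitions in a frame sequence.

    A shut run shorter than min_closed_frames is treated as sensor noise, and a
    run that never reopens (eyes held shut, or the capture ends) is not a blink.
    """
    blinks = 0
    closed_run = 0
    for value in openness:
        if value < closed_below:
            closed_run += 1
            continue
        if closed_run >= min_closed_frames:
            blinks += 1
        closed_run = 0
    return blinks


def is_live(openness, required_blinks=1, **kwargs):
    """Accept the capture only if the eye actually moved.

    A printed photo or a screenshot held to the camera gives a flat openness
    trace, so it never reaches the required blink count.
    """
    return count_blinks(openness, **kwargs) >= required_blinks


# Constructed per-frame openness traces (roughly half a second at 30 fps).
LIVE_USER = [0.8, 0.8, 0.75, 0.2, 0.15, 0.2, 0.8, 0.85, 0.8, 0.1, 0.1, 0.7, 0.8]
PRINTED_PHOTO = [0.8] * 13
NOISY_NO_BLINK = [0.8, 0.8, 0.25, 0.8, 0.8, 0.8, 0.28, 0.8]
EYES_HELD_SHUT = [0.8, 0.8, 0.1, 0.1, 0.1, 0.1]

if __name__ == "__main__":
    samples = [("live user", LIVE_USER), ("printed photo", PRINTED_PHOTO),
               ("noisy, no blink", NOISY_NO_BLINK), ("eyes held shut", EYES_HELD_SHUT)]
    for name, trace in samples:
        print(f"{name:16s} blinks={count_blinks(trace)} live={is_live(trace)}")
```

The caveat a practitioner would add: a blink test defeats a still photo, but a replayed video of the customer blinking passes it just as well as the customer does. That is why deployed liveness checks usually turn the blink into a challenge (blink now, blink twice, look left) so the response has to match something the attacker could not have recorded in advance.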
The technology is new and was developed for Bankinter by Mobbeel Solutions, a Spanish start-up based in Caceres, Extremadura, Spain.
Today, it works with just the iPhone 4 – over half (55%) of Bankinter’s customers have an iPhone – but could be extended to Android in the future.
Bankinter is also thinking about using this as an authentication mechanism for other remote channels, such as ATMs, internet and mobile banking.