Smart Contracts to Streamline KYC: A Big Leap in FinTech
The advent of online transactions has brought in improved convenience, speed, and cost advantages across various aspects of our lives. KYC processes, online shopping, insurance premium payments, internet banking, and a host of financial functions have witnessed a drastic transformation with the adoption of FinTech solutions.
However, these digital advancements have also taught us that a person’s online identity is not always what it appears to be. Identity theft, phishing schemes, and money laundering are just a few examples of digital scams that have wreaked havoc in the finance sector. Shockingly, a report by PwC stated that “in 2020, the average US organization experienced six incidents of fraud in the last 24 months and customer fraud ranks first among them.” The total loss suffered by US companies from these frauds is close to $6.5B (over the past two years).
As many of us know, the KYC (know-your-customer) process was designed to eliminate the risk of customer fraud. Various companies use KYC to verify their customers’ credentials with the ultimate aim of confirming that they are not fraudulent or engaged in any criminal activity. However, KYC is a labor-intensive, repetitive process that is prone to human error. This blog explains how smart contracts for KYC can solve problems related to customer fraud and identity theft. Before that, let’s consider what smart contracts are and how they work.
What are smart contracts?
Most industries are eagerly adopting blockchain technology for smart contracts. According to Statista, “in 2021, global spending on blockchain solutions is projected to reach 6.6 billion dollars and is expected to reach 19 billion US dollars by 2024.”
Investopedia defines a smart contract as a self-executing contract that entails an agreement between the buyer and the seller. A smart contract encodes the agreement/transaction between two parties and exists across a distributed, decentralized blockchain network. Smart contracts eliminate the need for an external party or an intermediary to enforce the contract as defined. The decentralized blockchain network controls the execution of trusted transactions and agreements. All the transactions are trackable, irreversible, and impossible to manipulate because of the immutable audit trails created by the blockchain.
In simple words, smart contracts are programs that run based on predetermined conditions. Participants engaged in a smart contract are sure about the outcome. The unique digital structure of a smart contract makes it highly secure and resilient to any kind of data modification. What problems do smart contracts solve, though? Here are a few examples of real-world problems solved by smart contracts.
How does a smart contract work?
A smart contract is a blockchain application. Just like a standard legal contract, a smart contract outlines the terms and conditions between two organizations. It works on a condition-based principle, that is, ‘if-when-then.’ Smart contracts allow you to define as many conditions or terms as you require. Moreover, a smart contract enables both parties to interact in real time, saving enormous time and resources. Additionally, it allows for anonymity, if needed.
How do smart contracts help banks and financial institutions solve KYC-related problems?
1. Identity theft
Clients’ identity includes data on where they live, their passport number, driving license, social security number, and so on. These data points are stored in centralized databases. If a criminal gets hold of one of these documents, they can exploit certain security flaws and steal your client’s identity. Cybercriminals can use your customer’s identity to gain some financial advantage or steal money. There have been occasions when a criminal successfully stole a deceased person’s identity to commit crimes.
Smart contracts on blockchain offer a novel solution that may include a comprehensive electronic signature service. The service uses a key pair: a public key and a private key. The public key lets others read your public records but offers concrete security, as no one can change or edit your data. The private key, on the other hand, lets you grant access to those who require it. This simple method helps prevent and restrict identity theft. Best-in-class data encryption technology ensures the highest levels of safety standards.
2. Distributed user data collection
Smart contracts enable finance companies to uncomplicate the process of identity verification. They make data available on a decentralized network. For example, claiming, verifying, and processing insurance has always been a labor-intensive task that frustrates your customers. Smart contracts offer a single source of truth, drastically reducing friction in the business process.
Here is how smart contracts simplify the process:
- Make data reconciliation easy
- Improve accuracy
- Minimize time spent in uncovering information
- Increase speed and accuracy
- Improve customer experience
3. Automation and standardization of operations
Client data is collected daily. Name, address, and social security number are required for almost all transactions. Considering the recent progress achieved on KYC policy standardization, it is now possible to use smart contracts to control operations and execute agreements or transactions.
You can streamline the procedure across the industry by coding and standardizing the KYC workflow. It will minimize manual oversight and increase the effectiveness of the KYC system. It even allows you to implement multilingual solutions with the help of translation tools and smart contracts. Since smart contracts remove the need for a manual process for each document, decisions can be made quicker.
4. Comprehensive authentication process
It is crucial to verify the identity of individuals for data protection compliance and the prevention of fraud. A cryptographic verification solution is vital here. On the other hand, industries face another major challenge: allowing users to conduct online banking through apps. The catch is that if a person loses her smart device, she exposes herself and the bank to a greater security risk.
Fortunately, the blockchain’s decentralized model almost eliminates the security risk by not allowing any edits on the data accessed by the thief or the fraudster. Once a smart contract on blockchain is formed, it remains immutable.
5. Communication and transparency
The smart contract will allow you to actively monitor everything from account openings to day-to-day transactions. Since the terms and conditions are pre-defined, each transaction is recorded immediately and remittance is raised automatically. This process avoids laborious approval workflows.
Since it allows trusted data to be stored on the KYC smart contract platform, banks or financial service providers can eliminate secondary validation processes and cross-checking. Apart from this, when mistakes occur, they are quickly identified, reported, and solved. While transparency has to be dictated by the parties involved in traditional contracts, smart contracts always remain transparent. Such openness makes tracing transactions less cumbersome; they can be traced right from the point of origin. Additionally, it automatically creates a fully accessible history.
6. Heightened security
KYC banking processes can go on for weeks, greatly increasing the burden of maintaining regulatory compliance as the industry struggles to dodge financial fraudsters and terrorists. Fortunately, a shared ledger will help adjust and monitor the KYC process for all those involved. This would allow all parties to view any changes or updates made to the clients’ data. Such direct access would save on the time-intensive process of identifying suspicious activity and reporting it.
Get smart with smart contracts!
As you can see, smart contracts are so much more than just an intelligent way of handling contracts. They are going to become the only way, and it’s time you get ahead of the competition by leveraging this technology. Talk to us and allow us to guide you through any questions you might have.
Cloud security threats: How to protect your data and mitigate risks?
Be it Google G-Suite, Dropbox, Adobe, Salesforce, or Microsoft Office 365, almost every business uses cloud services for its critical business requirements. Despite its rapid growth, cloud computing brings the possibility of severe security threats that can drastically affect an organization. According to Cybersecurity Ventures, cybercrime damages might hit $6 trillion by 2021. 1 in 4 businesses will experience a data breach, and on average businesses spend about $7.2 million on security breaches. These figures prove how devastating security threats can be if they are left unchecked.
While cloud systems, applications, and networks are not physically located within your control, the security responsibility and risk mitigation are definitely within your control.
Some of the latest security threats to cloud data management include:
- Phishing attacks
- Ransomware attacks
- Insider threats
- Asynchronous procedure calls
- Distributed Denial of Service Attacks (DDoS)
- Uneven security gaps
Why is cloud security important?
While cloud service providers protect your data, they can’t protect your data when it leaves the cloud to interact with other systems.
Cloud security is essential to protect your data as well as the integrity of your business. According to a survey, 60% of breaches involve vulnerabilities for which a patch was available but not applied. You will need a team to continually monitor potential security threats and ensure that your cloud infrastructure is always up to date.
Regardless of your organization’s size, it would be best to implement strong network security services to protect your organizational and customer data.
Read more: Why It’s Time to Embrace Cloud and Mobility Trends To Recession-Proof Your Business?
Six ways to protect your data and monitor your cloud environment
1. Set-up multi-factor authentication (MFA)
The easiest way for hackers to access your business data and applications is to steal your credentials. The combination of complex usernames and passwords alone is not sufficient to secure your user accounts from hackers.
So, protect your cloud users with two-factor or multi-factor authentication to ensure that only authorized people can access your cloud apps and sensitive information.
Deploying multi-factor authentication is an effective way to keep potential hackers from accessing your cloud applications. Most security experts believe that it is mandatory to implement MFA as it is also one of the cheapest security controls an organization can have.
2. Assign access controls
Not all your employees need access to every file, application, or piece of data. By setting up proper authorization levels, each employee can only view or access the applications or data required to complete their job.
Assigning access controls will ensure that your employees don’t accidentally edit information they are not authorized to access. Additionally, it will also protect you from hackers who have stolen an employee’s credentials.
3. Leverage automation to monitor, log and analyze user activities
Real-time monitoring and user activity analysis can help you identify any irregularities or abnormal moves that are not part of your regular usage patterns, for example, a login from an unknown IP address or device.
Such irregularities could indicate a breach in your system, so it is essential to identify them early on to prevent attackers from compromising your system and to resolve any security issues before they wreak havoc.
You can leverage data protection solutions to automate the process and support 24/7 monitoring and management.
Note: Every business has different needs for different levels of security services, so you may consider getting a third-party risk assessment before making significant investments. At Fingent, we identify and evaluate any loopholes in your current infrastructure and provide you with apt cloud infrastructure solutions using our unique approach.
4. Provide anti-phishing training to your employees
Small Business Trends reports that 1 in every 99 emails is a phishing attack, which amounts to 4.8 emails per employee in a five-day workweek.
Hackers can easily steal employees’ login credentials via phishing to gain access to secure information. In this kind of social engineering attack, the attacker uses fraudulent emails, texts, or websites to trick the victim into sharing access to sensitive information. Providing ongoing training to your employees to recognize a phishing attempt is the best way to prevent them from falling prey to such scams.
5. Create a comprehensive off-boarding process for departing employees
Ensure that your departing employees no longer have access to your cloud storage, data, systems, customer data, and intellectual properties.
As every employee is likely to have access to different cloud applications and platforms, you need to set up a process that will ensure all the access rights for departing employees are revoked. If you can’t manage this internally, you may consider outsourcing this task to a credible vendor.
Learn more: Take a look at how InfinCE, an infinite cloud platform, ensures secured work-collaboration within an organization, and helps enhance company efficiency & growth!
6. Cloud-to-cloud backup solutions
There is no doubt that there are legitimate risks associated with any cloud application or platform. However, the odds of losing data due to your cloud provider’s error are low compared to human error.
Say an employee deletes your data accidentally, a hacker obtains the account password and corrupts the information, or an employee clears her inbox and folders. In such cases, cloud providers can do little past a specific period, because most of them store deleted data only for a short time.
You can check with your cloud provider about the time frame and whether they charge any fees to restore the data. If your company must abide by strict regulations or is concerned about being liable for corrupted data, you can consider cloud-to-cloud backup solutions.
There’s no denying that cloud computing is one of the most cost-effective options to maintain a high level of security for your sensitive data. At Fingent, our experts can help design a comprehensive cloud computing strategy that will help achieve your business objectives and provide you with ongoing management to keep your data protected. Contact us now and get started.
How AI and Machine Learning are Driving Cyber Security in FinTech?
Being a subset of the financial services domain, FinTech is targeted by hostile cyber villains. Industries thus require secure mechanisms to keep their data safe and secure. Preventing data loss is critical for FinTechs.
The World Economic Forum states that cyber-security is the Number One risk associated with the financial services industry.
Cyber Security Risks Associated With FinTech
Cybersecurity has remained a pressing concern for FinTech. Ever since the global financial crisis of 2008 significantly challenged traditional financial institutions, technology-driven start-ups have increasingly evolved to cater to finance, risk management, digital investments, data security, and so on. Presently, we are in the FinTech 4.0 era.
The major cybersecurity risks that enterprises implementing FinTech face arise from integration issues such as data privacy, legacy systems, compatibility, etc. Hackers target FinTechs because they handle large volumes of customer data that include personal, financial, and other critical information.
FinTech offers a multitude of easily accessible services via its APIs, for instance API banking, where APIs are developed for banks to access the FinTech platforms. It becomes open API banking when open APIs enable third-party developers to build banking applications and services.
Let us walk through the major cybersecurity challenges triggered by FinTech.
Data Integrity Challenge
Mobile applications deployed for FinTech services play a predominant role in cybersecurity assurance. FinTech services require strong encryption algorithms to avoid integrity issues that can arise while transferring financial data.
Cloud Environment Security Challenge
Cloud computing services such as payment gateways, digital wallets, and other secure online payment solutions are key enablers of the FinTech ecosystem. Though it is simple to make payments via cloud computing, it is equally crucial to maintain the security of data as far as banks are concerned. Appropriate cloud security measures are thus critical while dealing with sensitive information.
Third-Party Security Challenge
Third-party security challenges include data leakage, service challenges, litigation damages, and so on. Banks should be aware of their FinTech service relationships when associating with third parties.
Digital Identity Challenges
Major FinTech applications are web apps that have mobile devices working at the front-end. Banks and other financial institutions need to learn about the security architecture of the electronic banking services offered by these applications before implementing the FinTech application.
Money Laundering Challenges
The use of cryptocurrency for financial transactions makes FinTech-driven banks prone to money laundering activities. Thus, the FinTech ecosystem needs to be formally regulated based on global standards.
Private keys can be stolen if the security of the blockchain architecture is weak. Cryptographic algorithms need to be strong, and transactions need to be confidential.
As FinTech implementations expose more interfaces, the number of cybersecurity challenges will rise as well.
How Artificial Intelligence And Machine Learning Enables Cyber Security For FinTech?
Artificial Intelligence is both reactive and proactive or preventative. AI reinvents FinTechs by bringing in behavioral biometrics solutions. These solutions monitor the customer and device interactions that take place during transactions, enhancing security and authentication. Behavioral biometrics (BB) with AI provides problem-solving capabilities for FinTechs. FinTechs utilize Artificial Intelligence as an expert system that enhances decision-making using deductive reasoning. Big Data analytics is used here to focus on quality data.
The underlying technology in Artificial Intelligence involves reasoning, learning, perception, problem solving, and linguistic intelligence to provide critical insights. It helps in understanding business operations in real time.
In this digital era of increasing cybersecurity attacks and malpractices, AI can be used effectively to prevent risks and attacks. The following are the major ways in which AI and ML protect FinTechs:
1. Fraud Detection
AI and machine learning algorithms are used to detect fraud in FinTechs by accurately identifying fraudulent transactions in real time. The traditional strategy of fraud detection involved analyzing large volumes of data against sets of defined rules using computers. This process was time-consuming and complex. Unlike this traditional method, more intelligent data analytics tools for fraud detection such as KDD (Knowledge Discovery in Databases), pattern recognition, neural networks, machine learning, statistics, and data mining have evolved.
2. Controlling Access
Access control to critical data is crucial when it comes to security. Machine learning is used to derive critical insights from previous behavioral patterns such as geolocation, login time, etc., to control access to endpoints. The risk scores are fine-tuned by combining supervised and unsupervised machine learning methods to reduce fraud and thwart breach attempts as well.
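The risk scoring described here, and the "login from an unknown IP or device" monitoring described in the cloud security article above, as an added Python example (not Fingent code): a per-user baseline of known IP addresses, devices and login hours is learned from earlier successful logins, and every later login is scored against it. It uses simple rules rather than a trained model, and the log format, the weights and all addresses are constructed for illustration.

```python
"""Rule-based login risk scoring over a constructed login log.

Added example for this page; not code from any product. The baseline is a
stand-in for the behavioral model the text describes: a practitioner would
replace the fixed weights with scores learned from historical data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP, device ID, result.
LOG_LINES = """\
2021-03-01T09:02:11Z alice 203.0.113.10 dev-A success
2021-03-02T08:55:40Z alice 203.0.113.10 dev-A success
2021-03-03T09:10:05Z alice 203.0.113.11 dev-A success
2021-03-04T03:12:44Z alice 198.51.100.77 dev-Z success
2021-03-04T03:13:02Z alice 198.51.100.77 dev-Z success
2021-03-01T14:00:00Z bob 192.0.2.5 dev-B success
2021-03-05T14:05:00Z bob 192.0.2.5 dev-B success
""".splitlines()

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(line):
    ts, user, ip, device, result = line.split()
    return {"ts": datetime.strptime(ts, TIME_FMT), "user": user,
            "ip": ip, "device": device, "result": result}


def _learn(baseline, event):
    b = baseline[event["user"]]
    b["ips"].add(event["ip"])
    b["devices"].add(event["device"])
    b["hours"].add(event["ts"].hour)


def build_baseline(events):
    """Known IPs, devices and login hours per user from successful logins."""
    baseline = defaultdict(lambda: {"ips": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            _learn(baseline, e)
    return baseline


def score_login(event, baseline):
    """Return (score, reasons); 0 means fully consistent with the baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return 100, ["no baseline for user"]
    score, reasons = 0, []
    if event["ip"] not in b["ips"]:
        score += 40
        reasons.append("unknown IP address")
    if event["device"] not in b["devices"]:
        score += 40
        reasons.append("unknown device")
    if event["ts"].hour not in b["hours"]:
        score += 20
        reasons.append("unusual login hour")
    return score, reasons


def evaluate(log_lines, cutoff, threshold=50):
    """Learn from logins before `cutoff` (ISO timestamp), score every later one.

    Logins scoring below `threshold` are treated as legitimate and folded into
    the baseline, so normal drift (a new home IP) is learned. Logins at or above
    it are reported and deliberately NOT learned, so an attacker cannot
    legitimise a foreign device simply by logging in repeatedly.
    """
    cutoff_ts = datetime.strptime(cutoff, TIME_FMT)
    events = sorted((parse(l) for l in log_lines if l.strip()), key=lambda e: e["ts"])
    baseline = build_baseline(e for e in events if e["ts"] < cutoff_ts)
    results = []
    for e in (x for x in events if x["ts"] >= cutoff_ts):
        score, reasons = score_login(e, baseline)
        results.append({"user": e["user"], "ts": e["ts"].strftime(TIME_FMT),
                        "score": score, "reasons": reasons})
        if score < threshold and e["result"] == "success":
            _learn(baseline, e)
    return results


if __name__ == "__main__":
    for r in evaluate(LOG_LINES, "2021-03-04T00:00:00Z"):
        flag = "ALERT" if r["score"] >= 50 else "ok   "
        print(flag, r["ts"], r["user"], r["score"], ", ".join(r["reasons"]))
```

Alice's two 03:12 logins from a new address and device score 100 and are reported; Bob's routine afternoon login scores 0.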
3. Smart Contracts
Smart contracts are coded in a programming language and stored on the blockchain. With blockchain, new contracts can be added to existing ones without having to change the individual contracts, in case of agreement expansion. Artificial Intelligence has become an integral part of FinTech as more traditional banks team up with FinTechs to leverage the benefits of both worlds, for instance when customers face issues with a poor credit history while applying for loans.
Artificial Intelligence is set to transform the face of FinTechs in a multitude of ways. Drop us a call right away and our strategists will guide you on how to leverage the benefits of AI and ML to secure operations and prevent breach attacks.
6 Chatbot Security Practices You Need To Implement
According to a survey by Oracle on the benefits of using chatbots for consumer-facing products, which gathered responses from 800 decision-makers (chief marketing officers, chief strategy officers, senior marketers, and senior sales executives from France, the Netherlands, South Africa, and the UK), “80 percent of companies wanted to have some type of chatbots implemented by 2020.”
It is also forecasted that 90% of bank-related interactions will be automated by 2022. Moreover, 80% of businesses will have chatbot automation implemented by 2020. Also, 47% of consumers would buy items from a chatbot, while 28% of top-performing companies are already using AI for marketing. With chatbots becoming the trend, it is vital to implement chatbot security measures.
A Back Door Open To Hackers
Chatbots are nowadays mostly used in industries such as retail, banking, financial services, and travel that handle very crucial data such as credit/debit card numbers, SSNs, bank account details, and other sensitive PII (personally identifiable information).
The aggregation of such data is crucial for the chatbot to perform. Thus, chatbots must not be vulnerable to exploitation by hackers.
A recently released report from MIT Technology Review and Genesys showed that 90% of companies are already using AI strategies to increase revenue. The research also found that on average, between 25% and 50% of all customer queries can be solved through automated techniques. This has made it easier than before to handle complex tasks.
Related Reading: Read on to know more about the top AI trends of 2019.
The HTTPS Protocol For Security Of Chatbots
The HTTPS protocol is the basic and default setting required for a good security system. Data transferred over HTTP via encrypted connections is secured by Transport Layer Security (TLS) or Secure Sockets Layer (SSL).
Related Reading: Check out how Fingent helped create an enhanced and engaging learning experience through chatbots.
Types of Security Issues
Security issues fall into two main categories:
Threats are usually defined as the different methods by which a system can be compromised. Threats include incidents such as spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privileges, and many others.
Vulnerabilities are the weaknesses through which a system is compromised when they are not identified and fixed correctly and on time. A system becomes open to attack when it has poor coding, lax security, or because of human error. The most effective way to address a possible vulnerability is to implement SDL (Security Development Lifecycle) activities in the development and deployment methods.
As per a study by the Ponemon Institute, in 2017 the average total cost of a successful cyber-attack was over $5 million, or $301 per employee!
Here are 6 chatbot security issues that you need to consider right away:
1. End-to-end Encryption
Data in transit can also be misused. Different protocols provide encryption that addresses these problems of misuse and tampering.
According to article 32 (a) of the General Data Protection Regulation (GDPR), “it is specifically required that companies take measures to de-identify and encrypt personal data. So, chatbots have access only to encrypted channels and communicate through those”.
For instance, Facebook Messenger introduced a new feature called “Secret Conversations” that enables end-to-end encryption based on the Signal Protocol.
2. Authentication and Authorization
Authentication is performed when the user needs to verify their identity. This is often used for bank chatbots.
Authentication tokens are generated to verify data requested through a chatbot. Once the user’s identity has been verified, the application produces a secure authentication token that accompanies each request.
Another security measure is an authentication timeout. The generated token is valid only for a certain amount of time, after which the application has to issue a new one.
Two-way verification is another process, where the user is asked to confirm their email address or to receive a code via SMS. This is a crucial step to verify that the person using the chatbot is the real owner of the account.
3. Self-destructing Messages
When sensitive PII (personally identifiable information) is being transferred, the message carrying this data is deleted after a definite period of time.
Personally identifiable information (PII) is any data which can be used to identify a particular person. It includes records such as a person’s medical, educational, financial and employment information. Examples of data elements that can identify and locate an individual include their name, fingerprints or other biometric (including genetic) data, email address, telephone number or even their social security number.
This kind of security measure is crucial when working with banking and other financial chatbots.
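The authentication timeout from section 2 and the self-destructing messages from section 3, as an added Python example (not code from the post or from any chatbot platform): a session token is an HMAC-signed (user, expiry) pair that the bot rejects once its lifetime has passed, and PII-bearing messages live in a store that purges them after a retention window. The signing key, lifetimes and messages are constructed for illustration.

```python
"""Short-lived chatbot session tokens and self-destructing PII messages.

Added example for this page; not code from any product. The key below is a
constructed demo value; a real bot would load it from a secrets manager.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl: int, now=None) -> str:
    """Return '<payload>.<signature>', valid for `ttl` seconds from `now`."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "exp": int(now + ttl)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, now=None):
    """Return the user id if the token is authentic and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None  # tampered or forged
    try:
        claims = json.loads(payload)
        if now >= int(claims["exp"]):
            return None  # authentication timeout: client must obtain a new token
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None


class SelfDestructingStore:
    """Keeps chatbot messages only for `retention` seconds.

    Purge runs on every read, so an expired PII message is never served even
    if no background job has run yet.
    """

    def __init__(self, retention: int):
        self.retention = retention
        self._messages = []  # (created_at, user_id, text)

    def add(self, user_id: str, text: str, now=None):
        now = time.time() if now is None else now
        self._messages.append((now, user_id, text))

    def purge(self, now=None) -> int:
        """Drop messages older than the retention window; return how many."""
        now = time.time() if now is None else now
        before = len(self._messages)
        self._messages = [m for m in self._messages if now - m[0] < self.retention]
        return before - len(self._messages)

    def messages_for(self, user_id: str, now=None):
        self.purge(now)
        return [text for _, uid, text in self._messages if uid == user_id]


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    tok = issue_token("alice", ttl=300, now=t0)
    print("after 60s :", verify_token(tok, now=t0 + 60))    # alice
    print("after 300s:", verify_token(tok, now=t0 + 300))   # None (timed out)
    store = SelfDestructingStore(retention=120)
    store.add("alice", "card ending 1234 (constructed)", now=t0)
    print("at 100s:", store.messages_for("alice", now=t0 + 100))
    print("at 130s:", store.messages_for("alice", now=t0 + 130))  # []
```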
4. Personal Scan
When working with personal data, it is necessary to take security precautions and measures.
Apple was the first company to add fingerprint authentication to its iPhones. This technology is now widely used to verify an individual’s identity. A personal scan is required when initiating a transaction or when you want to access your bank account using a chatbot.
5. Data Storage
Chatbots are effective because they retrieve and store information from users.
For instance, if you have a chatbot that performs online payments, this can mean that your clients are providing their financial information to a chatbot.
The best solution in this situation is to store such information in a secure state only for the required amount of time and to discard this data afterwards.
Some other concerns are the following:
- Biometric authentication: Iris scans and fingerprint scans are popular and robust.
- User ID: User IDs involve processing secure login credentials.
- Authentication Timeouts: A ‘ticking clock’ for correct authentication input. This prevents giving hackers an opportunity to guess more passwords.
- Other strategies could include 2FA, behavior analytics, and techniques enabled by the ever-evolving AI trends.
6. Tackling Human Causes
The one factor that cannot be engineered away is the human factor. For commercial applications in particular, chatbot security and end-user practice have to be addressed together. This keeps the chatbots from being vulnerable to threats.
Related Reading: Find how artificial intelligence can drive business value.
To know more about secure bot building, get in touch with our IT consultants today!
Wannacry? If you have been inflicted with this latest piece of deadly malware that is wreaking havoc in cyberspace, there’s little else to do but cry! However, understanding what the menace is, and taking basic precautions would save you the tears, allowing you to remain safe and be spared of the data carnage presently underway.
What is Wannacry malware?
Wannacry is ransomware that also behaves as a worm, and it has affected computer systems running the Microsoft Windows operating system on a global scale. The malware, the deadliest one in 2017 so far, started to spread last week, taking over files stored on the infected systems and demanding $300 in bitcoins to restore access. Users were also warned that the amount would double after three days, and that the ‘captured’ files would be deleted irrecoverably if the ransom was not paid within seven days.
It spreads laterally between computers on the same LAN by using a vulnerability in implementations of Server Message Block (SMB) in Windows systems. The exploit is called ETERNALBLUE. The worst affected are financial institutions, academic institutions, and other businesses. It is possible the perpetrators specifically targeted organizations and individuals with sensitive data they cannot afford to lose.
Ransomware is a type of malware that gets into a system by stealth, exploiting some latent vulnerability. Once it enters and installs itself in the system, it encrypts files on the hard drive and demands payment for the encryption key.
Where is it spreading?
Wannacry has taken the world by storm, affecting thousands of computers in over 150 countries. At last count, it has impacted over 10,000 organizations and over 200,000 individuals, spread across 150 countries. The ransomware mutates itself, spreading from one system to another in different ways.
Among the most high-profile victims have been FedEx, the US-based delivery company, Renault factories in France, the National Health Service in the UK, several telecom and gas companies in Spain, and thousands of other users, from corporate to small businesses, and from non-profits to individuals. While the most high-profile attacks have been in Europe, China and India are especially hard-hit, considering the sheer number of victims, and a large number of systems running on Windows XP and other legacy variants of the OS.
Who are the Perpetrators?
As of now, the perpetrators of the attack are not known. The ransom is to be paid in bitcoins, which are hard to trace. Microsoft, in the line of fire because Windows systems are the ones coming under attack, indicated that the tool used in these attacks was developed by the US National Security Agency (NSA) and later stolen by hackers. It is customary for the NSA to keep a war-chest of cyber-weapons ready, a controversial practice by any account, and the danger of this has now become apparent.
“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.
Nevertheless, with investigators across the world working on the case, it is only a matter of time before the perpetrators are unearthed, and hopefully, brought to book. Some of the usual suspects, such as Russia, have categorically denied their involvement.
Is the threat over?
One would have thought the malware would have subsided by now after a wave drowned thousands of unsuspecting users in the first few hours of the attack. While there are reports of the attack slowing down, the threat is far from over. There were reports of fresh attacks in Asia and Europe on Monday. At an individual level, several inboxes still have “landmines” in them, mail with attachments that if opened could trigger the attack in the system. There are also reports of a new and deadlier variant of the attack that infects users directly through a malicious link on hacked websites, without requiring users to download an attachment.
There is light at the end of the tunnel though. A UK security researcher discovered a “kill switch” in the rogue software’s code, albeit accidentally. The discovery does not undo the damage already done, but it stops the malware in its tracks, preventing its spread to new computers. However, several “copycat” variants of the attack that do not have the same “kill switch” are also a real possibility.
Precautions to Take
Trying to take remedial measures after being greeted with the red screen of “WannaCry” is like bolting the door after the horse has bolted. The best cure is prevention. Computer users would do well to be on the alert, and should especially consider the following precautions.
- Maintain backups of all critical data and important files in Google Drive, or on an offline hard disk, CD, pen drive, or any other medium. The ransomware encrypts the files on the system’s hard drive, rendering them inaccessible to the user. With a backup in hand, users can restore the data easily and need not even consider paying the demanded ransom.
- Do not open any mail from unknown senders, and avoid spam mail like the plague. This is a best practice at all times, and more so in the present troubled times, when any unsolicited mail, even from known accounts, needs to be treated with suspicion and extreme caution. The safest approach is not to open any attachment or click on any URL in an email without confirming that the sender actually sent it. WannaCry is reportedly slipping in malware through common file extensions such as pdf, ppt, doc and tiff, along with media files such as MP4 and MKV, meaning every file is a potential landmine. Executable files, ending in .exe or .js, are especially dangerous. Likewise, be especially wary of shortened URLs. The safest approach is not to download any file or click on any link unless absolutely required.
- The internet is the lifeblood of the ransomware, and of any cyber attack for that matter. If a system gets infected, the ransomware tries to spread rapidly by searching for other unpatched, vulnerable Microsoft PCs on the same local network. It also probes random hosts on the wider internet. Manually disconnecting the system from the internet at the slightest hint of infection or suspicious behavior may just save the day. Seek professional help when restarting the system.
“Wcrypt mainly penetrates through the SMB ports, so if you block the ports 135 and 445 through which the virus penetrates (in most cases they are not used by ordinary users) you can prevent its spread.” – Akhil S, Ethical Hacker, Fingent Technologies
- Establish a Sender Policy Framework (SPF) record for your domain. SPF is an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
- Access only legitimate and trusted websites. Stay well clear of dubious and unknown sites, especially torrents.
- Shun pirated software, which would invariably have a host of vulnerabilities, and no support or patch updates to effect a fix.
- Update the systems. The main reason the virus could spread the way it did is that many users fail to keep their systems up to date. This kind of attack thrives on vulnerabilities in the operating system and in the source code of software that has not been updated. Make sure all software is updated with the latest patch release, and preferably with the latest version as well. Microsoft released an update, Microsoft Security Bulletin MS17-010, as early as March to tackle the specific problem involved in the latest attack, but many users have still not downloaded it.
- If there is any incident that illustrates the need for a good antivirus or antimalware suite, this is it. Install and update a good antimalware suite, if not already in place.
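The SPF precaution above is easier to act on once you see what the receiving side does with the record. The Python below is an added example, not code from the original post: a simplified SPF evaluator that looks up the claimed sender domain's record, walks its ip4/ip6/include/all mechanisms and returns the verdict a mail gateway acts on. The DNS records, domains and IP addresses are constructed placeholders embedded inline so the example runs offline; a real evaluator would query DNS and also implement the a, mx, exists and ptr mechanisms.

```python
import ipaddress

# Constructed stand-in for DNS: domain -> TXT record (placeholder domains and
# documentation-range addresses, not real records). A real evaluator queries DNS.
SAMPLE_DNS_TXT = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:mail.example.test -all",
    "mail.example.test": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.test": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=SAMPLE_DNS_TXT):
    """Return the domain's SPF record text, or None if it publishes none."""
    record = dns.get(domain)
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(sender_ip, domain, dns=SAMPLE_DNS_TXT, depth=0):
    """Simplified SPF evaluation (ip4, ip6, include and all mechanisms only).

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror': the
    result a receiving gateway uses to decide what to do with mail whose
    envelope sender claims to be from `domain`.
    """
    if depth > 10:                      # RFC 7208 caps the include chain length
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism in ("ip4", "ip6"):
            try:
                # membership is False across IP versions, so ip4/ip6 never cross-match
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                matched = False
        elif mechanism == "include":
            matched = check_spf(sender_ip, argument, dns, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            continue                    # a, mx, exists, ptr: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term present


def gateway_action(sender_ip, mail_from_domain):
    """Map the SPF verdict to the action a mail gateway would take."""
    result = check_spf(sender_ip, mail_from_domain)
    if result == "pass":
        return "deliver"
    if result in ("fail", "permerror"):
        return "reject"
    return "quarantine"                 # softfail / neutral / none: hold for review


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.test"), ("198.51.100.10", "example.test"),
                    ("192.0.2.1", "example.test"), ("192.0.2.1", "nospf.test")]:
        print(ip, dom, check_spf(ip, dom), gateway_action(ip, dom))
```

The `-all` in the first record is what makes the check useful: with it, a message from an address the domain never listed fails outright, whereas `~all` or no `all` term only yields a softfail or neutral result that most gateways merely flag.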
As of now, the malware is limited to Windows systems, making other OSes such as Android and Ubuntu a safe bet. However, there is nothing preventing a new variant from afflicting other operating systems as well, making it expedient for all users to be on high alert.
What to do in case of becoming a victim?
At this point, there is precious little to do if an attack has already locked down the files on the computer. The only practical option is to reformat the system and start afresh. Do contact law enforcement and report the attack, though.
The UK’s National Crime Agency, and also most cyber-security experts advise users infected by the malware not to pay the required ransom. Even without any ethical considerations at play, there is no guarantee the systems will be restored even if payment is made. Worse, payment may just embolden the gang behind the operation to demand more.
Smartphone malware rose by 400% in 2016, and touched an all-time high, with an estimated 8.5 million malicious installation packages in existence!
With mobility in the middle of a golden boom, it is no secret that smartphones are in the crosshairs of cyber criminals. By October 2016, 1.35% of all mobile devices across the world had already succumbed to malware attacks, up from 1.06% in April 2016. With restricting mobile devices no longer an option, here are some tips to keep your business safe amid the rising malware threat.
1. Monitor Usage
An enterprising cyber attacker could exploit latent vulnerabilities in an app to take control of the device and use it as a bot. The ready example is the Mirai botnet and its associated DDoS attacks, the most devastating attacks of 2016. Mirai turned computer systems into remotely controlled “bots,” primarily targeting devices such as remote cameras and home routers, and in the process exposed the latent vulnerabilities of the emerging Internet of Things.
Trying to prevent such infiltration is likely a losing battle. Android platforms, being open source, are highly distributed, with different manufacturers, operating system vendors, app vendors, handset makers, carriers, and other stakeholders in the mix. Malware can be slipped in at any point. Monitoring network activity using any of the available network monitoring or anti-malware tools can detect abnormal traffic and pinpoint it to a source, offering an effective solution to the menace.
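To make the monitoring suggestion concrete, here is an added Python example (not from the original post) of the kind of detection logic a network monitoring tool applies: it replays flow records and flags any source that contacts many distinct hosts on the telnet ports (23 and 2323) within a short window, the sweep pattern Mirai used to find new victims. The flow format, addresses and thresholds are constructed for the example; a real deployment would feed NetFlow or firewall logs into the same logic and tune the thresholds to the network.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")

# Constructed flow records in the form "epoch_seconds src dst dport proto"
# (not captured traffic). Most hosts behave normally; 10.0.0.7 sweeps a
# neighbouring subnet on the telnet ports that Mirai-style worms probe.
SAMPLE_FLOWS = [
    "1700000000 10.0.0.12 93.184.216.34 443 tcp",
    "1700000001 10.0.0.12 93.184.216.34 443 tcp",
    "1700000003 10.0.0.30 10.0.0.1 53 udp",
    "1700000004 10.0.0.30 198.51.100.7 23 tcp",   # one legitimate telnet session
    "1700000006 10.0.0.12 93.184.216.34 443 tcp",
] + [
    f"{1700000010 + i} 10.0.0.7 198.51.100.{i + 1} {23 if i % 2 else 2323} tcp"
    for i in range(30)
]

TELNET_PORTS = frozenset({23, 2323})


def parse_flows(lines):
    """Parse the constructed flow format; malformed lines are skipped."""
    flows = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            flows.append(Flow(int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]))
        except ValueError:
            continue
    return sorted(flows, key=lambda f: f.ts)


def detect_telnet_sweeps(lines, window_s=60, min_targets=20, ports=TELNET_PORTS):
    """Flag sources that reach >= min_targets distinct hosts on telnet ports
    inside a sliding window of window_s seconds. Returns {src: alert_dict}."""
    recent = defaultdict(list)          # src -> [(ts, dst)] still inside the window
    alerts = {}
    for f in parse_flows(lines):
        if f.proto != "tcp" or f.dport not in ports:
            continue
        history = recent[f.src]
        history.append((f.ts, f.dst))
        while history and history[0][0] < f.ts - window_s:
            history.pop(0)              # expire events that fell out of the window
        targets = {dst for _, dst in history}
        if len(targets) >= min_targets and f.src not in alerts:
            alerts[f.src] = {
                "first_seen": history[0][0],
                "detected_at": f.ts,
                "distinct_targets": len(targets),
            }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_telnet_sweeps(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {alert['distinct_targets']} telnet targets in window, "
              f"first seen {alert['first_seen']}")
```

The single telnet session from 10.0.0.30 never trips the rule, which is the point of counting distinct destinations rather than raw connection volume: a compromised device hunting for peers looks different from a user opening one remote console.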
2. Update the OS Regularly
The focus of any respectable cyber security strategy is to prevent the smart device from getting compromised in the first place, rather than making amends after the fact. Keeping the operating system up to date is the first step in this effort. One of the reasons Android and other operating systems issue updates regularly is to offer patches for vulnerabilities that have surfaced recently and which cyber attackers may exploit. The situation is graver in Android than in any other OS, considering that Android devices accounted for 81% of malware infections in the second half of 2016.
3. Be Careful of Downloads
Download apps only from trusted sources, preferably the Google Play Store, Apple’s store, or the official store of the respective OS or enterprise. Apple has an approval process for accepting apps on iTunes. If an app has gone viral and has been around for a while, it is likely to be safe. User ratings and comments offer a good indication of the reliability of an app. Google’s “Bouncer”, for instance, scans for problem apps in the Play Store. However, none of these methods is foolproof.
As far as possible, stay away from third-party app stores, or any source outside the official app store. At times, however, downloading from such sources may become inevitable. In that eventuality, perform a background check on the app developer and seek out reviews of the app wherever possible. Always err on the side of caution.
Also, consider the permissions sought at the time of installation. In modern smartphones, each app has its own isolated environment and is unable to access other apps’ data. The extent of what an app can do depends on the permissions it is granted to access the phone’s features and data. If an app asks for a permission it is unlikely to need to perform its intended function, that is a huge red flag.
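The permission review described above can be automated against an app's manifest before the app is approved for corporate devices. This is an added Python example, not part of the original post: it parses a constructed AndroidManifest.xml for a fictional fitness app, compares the requested permissions with the set such an app plausibly needs (an assumption made for the example) and flags requests outside that set, with extra weight for Android's runtime-prompted "dangerous" permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A few of Android's real "dangerous" (runtime-prompted) permissions; illustrative, not exhaustive.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.BODY_SENSORS",
}

# Permissions a hypothetical step-counting fitness app plausibly needs (assumption for this example).
FITNESS_APP_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACTIVITY_RECOGNITION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.BODY_SENSORS",
}

# Constructed manifest for a fictional fitness app that asks for more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fitness">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACTIVITY_RECOGNITION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Collect every <uses-permission android:name=...> value from the manifest."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}


def review_permissions(manifest_xml, expected):
    """Compare requested permissions with what the app's stated function needs."""
    requested = requested_permissions(manifest_xml)
    unexpected = requested - expected
    unexpected_dangerous = unexpected & DANGEROUS
    if unexpected_dangerous:
        verdict = "red flag"       # contacts, microphone etc. with no plausible purpose
    elif unexpected:
        verdict = "review"         # extra but low-impact permissions
    else:
        verdict = "ok"
    return {
        "requested": requested,
        "unexpected": unexpected,
        "unexpected_dangerous": unexpected_dangerous,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = review_permissions(SAMPLE_MANIFEST, FITNESS_APP_EXPECTED)
    print(report["verdict"], sorted(report["unexpected_dangerous"]))
```

Running the check against an app's actual manifest (extracted from the APK) rather than the store listing matters, because the listing can lag behind what the binary really requests.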
4. Use a VPN
Determined hackers are always on the prowl, and logging on to public Wi-Fi makes one especially vulnerable. Hackers on the same network have several tools to snoop on user activity. Encrypting the connection using a virtual private network (VPN) is a safe practice when using public connections.
5. Deploy an Antivirus Suite
An antivirus suite may seem obsolete on smartphones, where each app works in isolation depending on the privileges it receives. However, a good antivirus suite still has its uses, not just in offering antivirus protection but in scanning app activity. With smartphones being used extensively for browsing, such suites scan for malicious URLs and shield the phone. Many antivirus suites offer value-added features, such as blacklisting problem numbers, the ability to PIN-protect private apps, Wi-Fi scanning options for improved security, and more.
6. Have Precautions in Place
At times, even with precautions in place, malware inevitably strikes. The hacker may not even have to slip in malware. Merely following the smartphone owner and stealing the smartphone in one careless moment may do the trick in accessing sensitive corporate data.
Deploying a lock screen, having a remote wipe feature activated for use in case the smartphone is lost or compromised, activating remote tracking, limiting remote access to internal apps or programs that involve sensitive corporate data, and more are some of the other measures that protect the data even if the smartphone itself is compromised.
Very often, the weakest link in the security chain is not the technology but the people. Often it is a failure in basic security practices or a lack of common sense on the part of employees that throws open the door for hackers to make their entry. Training and awareness, even on those things considered too obvious, should never be underestimated.
Have a solid and comprehensive mobile device management (MDM) strategy which encompasses and integrates all facets of security. Whether it is building state of the art cutting edge apps, with solid inbuilt security features, or instituting and deploying a company-wide security policy, we have the experience and expertise to do it and make an ideal partner for all your requirements.
The more advanced the technology, the greater the security risks. Instances of cyber breaches, ranging from hackers stealing from consumers’ bank accounts to hacking nuclear power plants, are all too commonplace. It comes as no surprise that many CIOs rank cyber security as their number one challenge.
Trying to keep cyber attackers at bay by fortifying perimeter security, or by adding extra layers, is like trying to fight the waves of the sea. It has been proved again and again that it is only a matter of time before cyber criminals get one up on whatever new approach security experts throw at them. Many of the hackers represent the best brains in the industry, and many of them are in it for a cause and display missionary zeal in breaching networks. Such forces are unstoppable, as even Fortune 500 firms have found out the hard way over the last decade.
In such a state of affairs, the only effective approach is to build security into the system by ensuring the code is impeccable. Cyber attackers exploit some latent vulnerability in the code to launch an attack. If there is no vulnerability, the code cannot be breached. Tight-knit code, with no vulnerabilities, shuts the door firmly on attackers and eliminates the major source of breaches.
The State of Vulnerabilities
Ensuring tight-knit security within the system by testing the code for vulnerabilities and flaws is an indispensable best practice, regardless of the nature of the software, or the size of the enterprise.
The reality on the ground is markedly different, though. A September 2016 survey by Veracode reveals that 83% of cyber experts release code before testing it, or even before resolving known bugs and other security issues. A March 2015 IBM report reveals that one in every three enterprises does not even bother to test its mobile apps for security vulnerabilities before rolling them out to the market.
The obvious reason is competitive pressure in a fast-paced business environment, where even a few days’ delay in launching an app can have an adverse impact on its adoption and success. Most enterprises that compromise on testing judge that the time taken for testing would defeat the very purpose of rolling out the app in the first place.
Another reason for short-cuts on testing is the severe skill shortage. The lack of talented hands able to conduct the process with aplomb forces many enterprises into compromises.
Such short-cuts and omissions are a mistake, but they are the practical reality. Success does not come from wishing away the reality, but from accepting it and doing something to counter it. Here are some tips in this direction.
Integrate Security into the Design
Security did not have a place in the traditional software development model and was included only as an afterthought, when breaches started to cause serious damage. Changing this model is the key to ensuring effective security.
As the adage goes, “you can’t protect what you don’t understand.” The basic requirement is understanding the system, as in how existing components and systems communicate with one another, a map of the workflow, a review of past incidents and most likely attack vectors, and more. Such information helps the development team understand the key elements and assets to protect, and devise ways to thwart potential attacks on the system.
For instance, a new e-commerce site will invariably feature a UI for end-user interaction, a set of services where the business logic resides, and a data store. When the user submits a form through the UI, the data moves from a user-controlled environment to a trusted server. Smart developers identify a trust boundary at this point and take effective precautions, such as modeling threats or codifying validations.
Develop a baseline security standard based on standards like ASVS, and use threat modeling tools to identify additional vulnerabilities unique to the system.
Cross-Check the Code
Co-opting security into the software development model requires testing for code integrity early and often, as opposed to relying on penetration testing at the end of the process to catch bugs.
The practice is catching on. A December 2016 Veracode survey reveals 40% of developers incorporating security testing at the programming stage itself, and 21% at the design stage. Identifying and eliminating bugs, glitches, and vulnerabilities at the development stage makes their removal that much easier, simpler, and less costly, and leaves no window for attackers to exploit a vulnerability before it is identified. Developers could use a combination of static application security testing tools and dynamic application security testing technologies, or even visual testing, at the development stage.
Post Production Initiatives
Despite the best of precautions, there is always a chance of some vulnerabilities slipping through the net. Some vulnerabilities may not manifest themselves until the software goes live and interacts with its ecosystem.
Static and dynamic analysis tools help identify vulnerabilities missed during development and testing. Automated checks for libraries that require updating are also fairly simple to include.
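One way to add the automated library check just mentioned, as an added Python example rather than anything from the original article: parse a pinned requirements file, compare each pin against an advisory feed, and report packages below the fixed version together with unpinned entries that cannot be audited at all. The advisory entries, package names and versions are constructed placeholders; a real pipeline would pull them from a vulnerability database and run on every commit.

```python
import re

# Constructed advisory feed with placeholder ids and fictional packages/versions,
# standing in for a real vulnerability database.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "examplelib", "fixed_in": "2.4.1"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "otherlib", "fixed_in": "1.0.5"},
]

# Constructed requirements file (fictional packages).
SAMPLE_REQUIREMENTS = """\
# pinned dependencies (constructed sample)
examplelib==2.3.0
otherlib==1.0.5
unrelated==0.9
loosely-pinned>=3.0
"""

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9.]*)\s*$")


def parse_version(text):
    """Numeric dotted versions only; enough for the constructed sample."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Yield (name, version_or_None) per requirement line; comments are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = PIN_RE.match(line)
        if match:
            yield match.group(1).lower(), match.group(2)
        else:
            # Anything that is not an exact pin: record the name, version unknown
            name = re.split(r"[<>=!~\[ ;]", line, maxsplit=1)[0].lower()
            yield name, None


def audit_requirements(text, advisories=ADVISORIES):
    """Return findings: vulnerable pins (below the fixed version) and unpinned entries."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"].lower(), []).append(adv)
    findings = []
    for name, version in parse_requirements(text):
        if version is None:
            # A range cannot be audited: the resolved version is not known until install time
            findings.append({"package": name, "issue": "unpinned"})
            continue
        for adv in by_package.get(name, []):
            if parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "package": name, "issue": "vulnerable", "installed": version,
                    "fixed_in": adv["fixed_in"], "advisory": adv["id"],
                })
    return findings


if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Failing the build on any "vulnerable" finding is the cheap part; the "unpinned" finding is the one teams tend to skip, and it is why the check is only meaningful against a fully pinned lock file.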
Deploying a group of ethical hackers, such as IBM X-Force Red, is another approach to discovering and fixing bugs proactively, before the bad guys discover them first.
The importance of software developers as the first and most effective line of defense against cyber attacks can never be overstated. For this reason, a credible partner with considerable experience in delivering highly robust and secure apps, and with the talent and expertise to combine innovation and best practice in the most optimal way, can give a big fillip to your enterprise security. With our uncompromising approach to quality, backed by a highly competent and talented team, you can rest assured that the solutions we deliver are as secure as they come. Partner with us to ensure your code is robust and secure in all aspects, and that security vulnerabilities do not wreck your business.
Do you remember the popular 1946 classic “It’s a Wonderful Life”, starring James Stewart?
According to this movie, every time a bell rings, an angel gets wings.
Applying the same theory with the modern world today, it would go something like this:
Every time a programmer makes an application security error, a customer loses his/her confidential credit card information.
I’m talking about serious application security breaches that have recently gone way up in frequency as well as severity. Let’s take a look at some recent shocking facts.
According to the 2014 IBM X-Force Threat Intelligence Quarterly, which was issued just recently, almost half a million records were jeopardized in 2013. It also shows how incidents of cyber attacks and breaches increased from 2009 till the end of 2012, and how the trend persisted throughout 2013.
Some other observations from the report are as follows:
– SQL injection was identified as one of the main breach vectors since the tracking of public breaches began.
– Apart from all the recorded data, there are a substantial number of breaches that go undisclosed too.
Another interesting fact brought to light through the report, though not explicitly mentioned in it, is that Java-based threats and vulnerabilities have increased almost threefold since 2012. This is no surprise: the cross-platform benefits that Java enables bring with them the same level of exposure to attacks across platforms. Once written, it can be deployed everywhere, but by the same token it is vulnerable to multi-platform attacks.
The ugly truth
As much as we hate to face the truth, the damage that data breaches can cause is pretty staggering. The average cost of a data breach can go up to $7.2 million for a business, due to factors such as government fines, litigation, repair costs and brand erosion. And it takes almost 80 days to detect a data breach, plus another 123 days, or more than 4 months, to resolve the issue.
The cost of remediation differs at different stages of a project; the later the stage, the higher the cost. A fix at the development stage costs about $80 per defect, while one at the production stage can cost almost $7,600 per defect.
So it is clear from all these figures that fixing application security issues in the code while still at the development stage can save all of us a load of money, not to mention effort and mental suffering.
So what can you do to avoid this mess?
Tips to enhance application security
A data breach can put you through some of the worst days of your life, for sure. But it’s not as if there is nothing you can do about it. As a matter of fact, you can save yourself from almost 80% of the consequences by taking care of a few simple things. Here is what you can do:
- Sanitizing user input – This step mainly helps prevent SQL injection attacks as well as cross-site scripting (XSS) and cross-site request forgery (XSRF) attacks. SQL injection targets web servers, while XSS/XSRF attack clients by corrupting the HTML that is sent to the browser. You need to check all apostrophes before data enters the database and remove or neutralize them; this prevents people from running their own SQL code in your database. You should also take care never to use POST and GET variables directly in SQL queries. That way, even if a user enters malicious data, the sanitizing function filters it before it is sent to the database.
– Using White listed values
– Using in-built escape functions
– Data type validation processes
– Re-validating selections
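The sanitizing advice above, and the trust-boundary point made earlier about form data crossing from the user's browser to the server, both come down to the same few habits in code. The Python below is an added example (not code from the original post) using the standard sqlite3 module: the vulnerable string-built query sits beside its parameterized replacement, a sort column is checked against a whitelist because identifiers cannot be bound as parameters, and a numeric id is type-validated before it reaches a query. Table contents are constructed sample rows.

```python
import sqlite3

ALLOWED_SORT_COLUMNS = {"username", "email"}


def build_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, is_admin) VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 1), ("bob", "bob@example.test", 0)],
    )
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE (the pattern the text warns against): request data is pasted into
    # the SQL text, so an apostrophe in the input changes the query's structure.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # HARDENED: a bound parameter is always treated as a value, never as SQL,
    # so the driver handles the escaping and no hand-written sanitizer is needed.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def sort_column_allowed(column):
    # Identifiers (column/table names) cannot be bound as parameters, so the only
    # safe option is a whitelist of known-good values.
    return column in ALLOWED_SORT_COLUMNS


def list_users_sorted(conn, column):
    if not sort_column_allowed(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT username FROM users ORDER BY {column}")]


def parse_user_id(raw_id):
    # Data-type validation: a user id must be a positive integer; anything else
    # (including "2 OR 1=1") is rejected before it gets anywhere near a query.
    try:
        user_id = int(str(raw_id).strip())
    except ValueError:
        return None
    return user_id if user_id > 0 else None


def get_user_by_id(conn, raw_id):
    user_id = parse_user_id(raw_id)
    if user_id is None:
        return None
    row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    probe = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, probe))   # returns every row
    print("safe:  ", find_user_safe(db, probe))     # returns nothing
```

Note that the whitelist and the type check are not a substitute for parameters but a complement: parameters cover values, the whitelist covers identifiers, and type validation rejects bad input early with a clear error instead of a database exception.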
- Incorporating static and dynamic application security testing processes – While SAST and DAST are not substitutes for secure coding practices, they can help find errors or mistakes that you might miss. They not only help identify latent security weaknesses but can also be part of your source control system and help train developers on how exactly a vulnerability manifests itself. Such application scanning systems can also pick out other recurring defects, and allow you to focus your training efforts.
- Disabling error reporting features – Built-in features like PHP’s error reporting often help developers resolve problems by displaying error messages on the page. While this may be helpful to developers in fixing bugs, it may allow hackers to access important information such as database login details. Hence, such features should be disabled.
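The error-reporting point applies beyond PHP. As an added Python example (not from the original post), the handler below shows the production-safe pattern: log the full traceback server-side under an incident id and return only that id to the client, while the debug branch shows what a development-mode handler would echo back. The connection string in the simulated failure is constructed and contains no real credential.

```python
import logging
import traceback
import uuid

logger = logging.getLogger("app")


def error_response(exc, debug=False):
    """Build the body returned to the client when an unhandled exception occurs.

    With debug=False the full traceback goes to the server log under an incident
    id and the client sees only that id. With debug=True (development only) the
    raw message and trace are echoed back, which is exactly how connection
    strings, file paths and stack layouts end up in an attacker's hands.
    """
    incident_id = uuid.uuid4().hex[:12]
    details = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    logger.error("incident %s\n%s", incident_id, details)
    if debug:
        return {"error": str(exc), "trace": details}
    return {"error": "An internal error occurred.", "incident_id": incident_id}


def simulate_db_failure(debug):
    """Raise and handle an error whose message carries a constructed credential."""
    try:
        # constructed connection string with a placeholder password, never a real secret
        raise ConnectionError(
            "could not connect to postgres://app:NOT-A-REAL-PASSWORD@db.internal/prod"
        )
    except ConnectionError as exc:
        return error_response(exc, debug=debug)


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(simulate_db_failure(debug=False))
```

The incident id is what makes this workable in practice: support staff can find the full trace in the log from the id the user reports, so nothing is lost by hiding it from the page.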
- Better training on secure coding practices – This is something that requires the support and help of management. They need to arrange and fund training programs specifically on secure coding practices and ethical hacking. This allows developers to channel their efforts, cultivate the attacker’s mindset, and draw on mailing lists and many other resources to combat security threats and get up to speed on countermeasures and defensive programming.
Simple steps like these can go a long way toward avoiding huge security issues. These are just some of the measures for avoiding common problems; there are many more. What do you think can be added to this list? Let’s discuss.
By now, we all know that we are living in the midst of billions of devices and machines that are connected to the internet and to each other. Need more evidence to believe it?
Well, Gartner predicts the number of internet-connected devices and things will grow to almost 21 billion by 2020. IoT is, in fact, huge and growing.
We humans are literally on the verge of being outnumbered by connected devices in the coming years. Now, I bet we didn’t see this coming when we first started using smartphones!
And get this: each of these devices, whether smart, wicked smart or not so smart, is constantly collecting data through the various sensors around it. In fact, a lot of our personal information is being accessed by our smartphones alone, for crying out loud!
Is it almost time to start fearing the appalling situation of “Technological Singularity”?
Are we all going to get phased out by the intelligent machines one day?
We will have to let time answer that question, although we do have a hold over it through security measures.
Security and privacy are two of the most questionable aspects of IoT. Now that the number of devices, as well as the amount of data, is increasing rapidly, it becomes all the more difficult to monitor its use.
Connected everything – is it a boon or a bane?
When you take consumer devices like smartphones, think of the data they collect from your applications. They take note of everything we do with our phones, wherever we go, including things like what we eat, what mode of travel we use, which route we choose, who we communicate with, what pictures we take and so on.
When it comes to fitness and health care, we have wearables and other smart devices that monitor our heart rate, our sleep time, our exercise routines and the like.
Likewise, we have sensors sending and receiving information on a number of devices we use daily. Combining all this information with analytics in the cloud, the value and amount of information that can be collected about our health and lifestyle is massive. The issue is that technology has grown so much that it outpaces the ability of the law to control and protect how this data might be used. And needless to say, the endless number of devices in use, the amount of data generated and the applications that use the data together make it worse. It is pretty hard to ensure security on such a wide scale.
Delving a little deeper into wearables, a study in 2015 showed that around 41,000 patents were granted from 2010 to 2015 for wearable technologies. This only shows the pace at which wearables are advancing. They are increasingly seen as a means to overcome some of the common problems of modern society and to encourage people to move more. They help us lead healthier lifestyles by tracking our sleep patterns and monitoring temperature, heart rate, glucose levels and the like.
For example, the Microsoft Band makes use of galvanic skin response sensors, just like the ones used in lie detectors, to track your activity levels, heart rate and more.
CES (Consumer Electronics Show) this year saw the first ever Bluetooth connected pregnancy test along with its app.
What we earlier thought to be science fiction, is a reality now.
In healthcare, though, we do have the HIPAA (Health Insurance Portability and Accountability Act of 1996) rules and regulations to monitor and control the sharing of health information, and they are pretty strict. Devices like Fitbit are being widely discussed around the world as to whether or not they violate the HIPAA rules. So we do seem to have a certain safety element around health wearables.
According to a paper published by the Federal Trade Commission (FTC) on Consumer Data Privacy and the IoT, out of many issues that could affect data privacy, there are four basic ones that need our constant attention, namely security, data minimization, choice, and notice.
Data minimization is the practice of limiting the data collected from various devices to only what is necessary for the application, and deleting old information as well, all for privacy purposes. The paper noted that such data minimization may affect innovation: even though collecting extra information may not seem useful at present, it may help future applications and functions, and restricting such possibilities reduces the chances of better, improved applications for consumers.
Notice and choice refer to the information given to consumers about the amount and kind of data they are going to share, and the option for them to opt in or opt out.
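Data minimization is easy to state and easy to skip in code. As an added Python example (not from the FTC paper or the original post), the functions below enforce it at ingestion: a record from a wearable is cut down to the fields the declared processing purpose needs, and a retention sweep deletes records older than that purpose's limit. The purposes, field lists, retention periods and the sample records are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fields each processing purpose is allowed to keep (assumption made for this example).
PURPOSE_FIELDS = {
    "step_count": {"device_id", "timestamp", "steps"},
    "heart_health": {"device_id", "timestamp", "heart_rate"},
}

# How long each purpose may retain records (assumption made for this example).
RETENTION = {
    "step_count": timedelta(days=30),
    "heart_health": timedelta(days=365),
}


def minimize(record, purpose):
    """Keep only the fields the stated purpose needs.

    Returns (kept_record, dropped_field_names). Everything not on the purpose's
    list, such as raw GPS fixes or a contacts hash, is discarded before storage,
    so it can never leak from the store later.
    """
    allowed = PURPOSE_FIELDS[purpose]
    kept = {key: value for key, value in record.items() if key in allowed}
    dropped = sorted(set(record) - allowed)
    return kept, dropped


def purge_expired(records, purpose, now):
    """Drop records older than the purpose's retention period."""
    limit = RETENTION[purpose]
    return [r for r in records if now - r["timestamp"] <= limit]


# Constructed payload from a fictional wearable: far more than step counting needs.
SAMPLE_RECORD = {
    "device_id": "band-0001",
    "timestamp": datetime(2024, 1, 10, tzinfo=timezone.utc),
    "steps": 5400,
    "heart_rate": 72,
    "gps": (51.5, -0.12),
    "contacts_hash": "constructed-value",
    "wifi_ssid": "HomeNet",
}

# A second, newer constructed record for the retention sweep.
SAMPLE_NEWER_RECORD = dict(SAMPLE_RECORD, timestamp=datetime(2024, 3, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    kept, dropped = minimize(SAMPLE_RECORD, "step_count")
    print("stored:", kept)
    print("dropped before storage:", dropped)
    now = datetime(2024, 3, 5, tzinfo=timezone.utc)
    survivors = purge_expired([minimize(SAMPLE_RECORD, "step_count")[0],
                               minimize(SAMPLE_NEWER_RECORD, "step_count")[0]], "step_count", now)
    print("records after retention sweep:", len(survivors))
```

Tying both the field list and the retention period to a declared purpose is what gives the "notice and choice" requirement something concrete to point at: the purpose shown to the user is the same key the code uses to decide what it may keep and for how long.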
How many times have you seen an application asking for access to your smart phone’s camera, contacts, location and the like?
Even an app that does not seemingly need to read your contacts, like a fitness app, prompts you for such access. Sometimes these permissions are hidden in click-through approvals of end-user agreements that are necessary for the app to function or to activate a device or an app.
And many other apps claim to use “bank grade security” and “encryption” as protection measures for your data, but people seldom know even the meaning of those terms.
Hence, the bottom line remains that security and privacy are indeed two important aspects of IoT and data collection. But a lack of standards, and of rules to ensure adherence to them, makes this an ever-growing concern in the IoT era.
What are your thoughts on security and sharing of data across devices? Let us know in the comments below.
Let’s think for a moment of the technology-driven world that we live in now, and of how much all-pervasive technology has changed the way we all live our daily lives. From our personal spaces to the biggest businesses and industries, we have come a long way from brick-sized cell phones and DVDs to sleek touchscreens and microchips, to name a few of the smallest changes. With the advent of the “Internet of Things” and “Industry 4.0”, or the Fourth Industrial Revolution, we have been introduced to, and have in fact been living with, a concept called ubiquitous computing or pervasive computing.
According to Wikipedia, ubiquitous computing, in contrast to desktop computing, involves the use of any device in any location and in any format. It basically enables a user to interact with a computer which may exist in a number of different forms, from regular laptops, desktop computers and notebooks to sensors and terminals in everyday objects like the refrigerator, a pair of glasses, the TV and the like. We have all come to embrace these concepts, getting used to the “things that think” around us and having the ability to get things at our fingertips.
Such ubiquity of software has touched almost all aspects of our lives and all industries in the business landscape as well, including the manufacturing sector and the audit and compliance sector, leaving no stone unturned.
Software in manufacturing and audits
The first ever industrial robot was used on a production line in 1954, and since then software has always played a huge role in manufacturing and production, though as a supporting function rather than a core one. But with increasing moves towards digitization and automation of processes and procedures, especially under the Industry 4.0 umbrella, software started to assume bigger, more comprehensive roles, and now we find software everywhere, from production lines to control systems. Literally every device or piece of equipment involved in the processes is connected to the others as well as to a central unit, and is also programmable, making the already thin line between physical and digital even more blurred.
Considering the industry’s general shift towards a more consumer-driven approach, it is indeed necessary to incorporate more flexibility, agility and control across all processes, as the pressure to deliver high-quality, configurable products and services is only going to increase down the line. All this increases the need for manufacturing companies to invest in technology, especially software-based technology, so as to generate more speed and flexibility, both of which are critical to profitability in this environment.
Business intelligence and performance management are two other areas in manufacturing that make use of software and data gathering on a large scale, according to Gartner. Hence, the manufacturing industry occupies one of the top three positions in the list of industries looking to hire technology and software experts.
Just like manufacturing, the concept of software everywhere also redefines the scope of audits, inspections and compliance, and there are many new challenges to face. One point of concern is that there may be a thousand risks and consequences associated with certain kinds of technologies and their deployment, but little thought is put into understanding them, and even the manufacturers, lawmakers and compliance bodies know very little about many of these risks. For example, the risk of manipulation is something most people have overlooked, and the recent scandal involving the German automobile giant Volkswagen proves this point.
The Volkswagen scandal
In September 2015, Volkswagen was issued an EPA notice after independent NGOs found that it had been cheating in emission tests. It was discovered that Volkswagen cars were emitting up to 40 times more toxic fumes than permitted, including particulates that are really harmful to the lungs, especially for those with breathing-related issues. The company has since admitted that it sold about 11 million cars over the last 4 years, which implies that this cheat has been going on for quite a while.
The British newspaper The Guardian estimates an average of 1 million tonnes of air pollution from the Volkswagen cars every year, which is roughly the same as the emissions from all of the United Kingdom, from power stations, vehicles and the like. It means that the pollution caused by this cheat is as bad as the pollution from an entire country.
Now, how did Volkswagen manage to get past all the rigorous, stringent and detailed tests conducted by the EPA, and for such a long time?
It was in the tests
All of the EPA tests, such as the cold start test, the hot start test and many others, along with a rigorous 30-minute test under the Federal procedure, are specified in great detail, as are the steps for preparing the cars for them. Unlike many other compliance tests, which may have grey areas, these EPA tests contain specifications that are thorough, detailed and extremely clear, everything you would expect from a good-quality specification.
It was this very attention to detail that enabled Volkswagen to cheat. Most mechanical parts of a car these days are managed and controlled by computers and electronic control units. These units have information about almost every part of the car, such as the speed, the steering angle and the fuel intake, and such information is generated almost every instant the car is switched on. The extremely detailed test specification, combined with the availability of such specific information about the car, enabled Volkswagen engineers to program the computers to use this information to recognize when the car was being tested. They were able to program the software to switch the car from a road mode to a calibration mode when it recognized that the car was being prepared for a test.
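The pattern described above, a controller that recognizes a published test cycle from its own sensor data, is easiest to understand with a small model, and the same model shows the auditor's counter-measure: replaying the specified cycle with small, physically plausible variations and comparing results. The following is an added, constructed illustration, not Volkswagen's software or the EPA procedure; the cycle, the emission figures and the tolerance values are all made up.

```python
"""Constructed illustration (not Volkswagen's software, not the EPA procedure):
a toy engine controller that behaves differently when the drive cycle it observes
matches a published test specification exactly, and an audit harness that exposes
the divergence by replaying the cycle with realistic perturbations."""
import random
from dataclasses import dataclass

# Hypothetical published test cycle: (speed km/h, steering angle deg) per sample.
SPEC_CYCLE = [(0, 0), (15, 0), (32, 0), (50, 0), (50, 0), (35, 0), (0, 0)]


@dataclass
class Sample:
    speed: float
    steering: float


def matches_spec(samples, spec=SPEC_CYCLE, tol=0.5):
    """True when the observed trace reproduces the specification sample for sample.
    Steering held at exactly zero is itself a strong hint of a test bench."""
    if len(samples) != len(spec):
        return False
    return all(abs(s.speed - v) <= tol and abs(s.steering - a) <= tol
               for s, (v, a) in zip(samples, spec))


def nox_emitted(samples, test_aware=True):
    """Toy controller: 'calibration mode' only when the trace looks like the test.
    Returns total grams NOx over the cycle (constructed numbers, not real data)."""
    calibration_mode = test_aware and matches_spec(samples)
    per_sample = 0.05 if calibration_mode else 0.9   # constructed values
    return sum(per_sample * (1 + s.speed / 100) for s in samples)


def perturb(spec, rng, speed_jitter=2.0, steer_jitter=3.0):
    """Replay the same cycle with small, physically plausible variation."""
    return [Sample(v + rng.uniform(-speed_jitter, speed_jitter),
                   a + rng.uniform(-steer_jitter, steer_jitter)) for v, a in spec]


def audit(controller, spec=SPEC_CYCLE, runs=5, seed=1, ratio_limit=2.0):
    """Differential test: the exact specified cycle versus perturbed replays.
    An honest controller gives similar results either way; a large ratio flags
    test-aware behaviour for the auditor to investigate further."""
    rng = random.Random(seed)
    exact = controller([Sample(v, a) for v, a in spec])
    perturbed = [controller(perturb(spec, rng)) for _ in range(runs)]
    ratio = max(perturbed) / exact
    return {"exact": exact, "perturbed_max": max(perturbed),
            "ratio": ratio, "flagged": ratio > ratio_limit}


if __name__ == "__main__":
    print("test-aware controller:", audit(nox_emitted))
    print("honest controller:", audit(lambda s: nox_emitted(s, test_aware=False)))
```

The point for inspectors is that a deterministic, fully published procedure is itself an input the software can match on, so varying the procedure within realistic bounds is part of the test, not a deviation from it.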
The one thing that is crystal clear from this whole affair is that it affects all of us in the business of quality assurance and inspections. Just like cars, almost all equipment used in manufacturing and production relies on some kind of software, and software is a very different beast from the traditional equipment we are used to in production, manufacturing, control systems and the like.
This shows that advances in technology mean more vulnerabilities and challenges for compliance auditors and inspectors, and demand more alertness on their part. So what exactly are the points that we, as auditors, need to keep in mind when it comes to compliance inspections, and what are the challenges we face? Read more on our blog, Challenges For Auditors And Inspectors In The World Of Connected Devices.
Here’s a webinar on the ubiquity of software in the compliance industry, by Deepu Prakash, Head of Process and Technology Innovation at Fingent Corp: