Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/20/2020
10:00 AM
Matt Deres
Matt Deres
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Banks and the New Abnormal

Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.

With businesses starting to reopen after the COVID-19 shutdown here in Massachusetts, I am already tired of hearing about the "new normal." We're nowhere near hitting anything approaching "normal." We're certainly never going back to where we were on March 1, but no one knows where we'll be when a vaccine is discovered and we can go to the grocery store without taking a Silkwood shower when we get home. We're in the middle of chaos, and IT departments are just trying to juggle the day-to-day issues related to remote workforces and new security risks.

But that will change sooner than we think. Companies everywhere are declaring working from "anywhere" as the new standard for their employees, and so many cybersecurity teams are already planning for the uncertain future. And that future is going to be radically different than anything we've seen before. If you've been waiting for the next great leap forward (and were around for the invention of the transistor), you may be in the right place at the right time. The planet is facing an unparalleled challenge, and the fixes will not be incremental. Strap yourself in for a hell of a ride.

Most innovations in banking are slow and linear, but right now we're seeing myriad new consumer-driven changes affecting how people use their money and disrupting the industry. These include the expectation for contactless payments, card-not-present payments, and instant payments. In Australia and some European countries, these immediate payments are taking over for long-standing money-transfer systems like ACH, wires using SWIFT networks, and other credit card batch settlement methods. Things have gotten faster, and they're changing dramatically.

Here's why: Since the advent of electronic communication as the primary means of sharing information — roughly the past 35 years — there has never been a disruption like the COVID-19 pandemic. We've had mega-disasters like 9/11 and Category 5 hurricanes that have upturned payment methods and banking, but they've all been regional in scope and not enough to change broad behaviors. This is why regulators managed by the Federal Financial Institutions Examination Council have an ever-extending checklist of "must-dos" for banking security controls. With the challenges of the current pandemic, the current banking anti-fraud and security infrastructure is now being severely tested.

Along with the banking product changes, banks have thousands of employees working from home on nonsecure Internet connections, which has created unprecedented challenges. Ditto for billions of dollars being wired or mailed to taxpayers. We need to rethink what we're doing from the ground up. After all, we don't know if we will ever be back in our offices again, and if we do, whether people will come in every day. Is COVID-19 the beginning of a permanent work-from-home revolution? Will the idea of the central office even matter in two years or will everything be decentralized? Those are the questions we need to ask ourselves every day.

So what do we do? For starters, we need to reimagine the VPN. The basic concept is sound, but most private networks were designed for a "spoke" model rather than thousands of independent access points. And multifactor authentication (MFA) can no longer be an auxiliary or perimeter security measure. It needs to be baked into the front lines of defense.

And that's just for remote access. What about reconciliation and fraud detection? Is a daily balancing really good enough anymore, or do banks need to adopt real-time updates to prevent unauthorized access and transfers? Do we need a full, across-the-board, zero-trust approach?

The good news is that the infrastructure to supporrt all of this is very strong, and it exists right now. Most banks use mainframes, which are incredibly fast and reliable — not to mention difficult to improperly access. MFA tools are already in use, but they're not universally deployed. Zero trust exists, but many institutions are wary of the effects of end-user inconvenience.

Banks have been hesitant to adopt many of these practices — and for good reason. But now is the time to make the next bold step. Security has always been important, but now it's  non-negotiable. Banks need to do whatever they can to keep their assets, and those of their customers, as safe as possible.

 

Matt Deres is senior vice president and chief information officer at Rocket Software, a Boston area-based software development firm specializing in application modernization and optimization, where he oversees IT strategy for the company's domestic and global operations. He ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shih-Chin Yang
50%
50%
Shih-Chin Yang,
User Rank: Apprentice
8/24/2020 | 12:24:04 AM
We all have a lot to learn for working-anytime-anywhere
For software companies, it might be easier to adopt a working-anywhere-anytime model, since their deliverables are digital in nature.

On the other hand, for incumbent industries such as banking, a lot need to be learned to make sure a smooth and secure transition. MFA(or 2FA) and use of strong passwords are just basics, but inconvenience seems to be the excuse of not using it.

There are other measures such as

. Not to send confidential information over Email;

. Encrypt your confidential data before sending it to cloud;

. A secure knowledge or content management for distributed workforces with access controls for different groups of people;

From a broader perspective, the first wave of cloud services adoption is to know that they are very great for productivity. As more and more people concerned with their data privacy, an extra layer of protection such as end-to-end encryption is to make sure no third-party could look into customers' data.

Banks are indeed in a race to protect their core business, and not to lose to the competition, especially technology companies.
ScottyTheMenace
50%
50%
ScottyTheMenace,
User Rank: Strategist
8/22/2020 | 12:23:31 AM
end-user banking security is universally awful

Along with the infrastructure and employee security you talk about, banks are desperately in need of upgrades to end-user security, which is universally awful.

Most banks' idea of end-user security is blocking VPNs, imposing ridiculous captchas, and using security questions any third-rate hack can find answers to on social media or the dark web.

If a bank is not offering app- or token-based MFA and forces users to turn off their VPN before accessing their site then they have no business being in the banking business.

I'm not a guy who wants federal solutions to all (or even most) problems, but insecure access to a bank seems to me a clear place for regulation. FDIC needs to require banks to offer robust end-user security options like app or token MFA (knowing that technologically challenged users won't use them) as a condition of their charter.

News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27941
PUBLISHED: 2021-05-06
Unconstrained Web access to the device's private encryption key in the QR code pairing mode in the eWeLink mobile application (through 4.9.2 on Android and through 4.9.1 on iOS) allows a physically proximate attacker to eavesdrop on Wi-Fi credentials and other sensitive information by monitoring the...
CVE-2021-29203
PUBLISHED: 2021-05-06
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software, prior to version 1.22. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gai...
CVE-2021-31737
PUBLISHED: 2021-05-06
emlog v5.3.1 and emlog v6.0.0 have a Remote Code Execution vulnerability due to upload of database backup file in admin/data.php.
CVE-2020-28198
PUBLISHED: 2021-05-06
** UNSUPPORTED WHEN ASSIGNED ** The 'id' parameter of IBM Tivoli Storage Manager Version 5 Release 2 (Command Line Administrative Interface, dsmadmc.exe) is vulnerable to an exploitable stack buffer overflow. Note: the vulnerability can be exploited when it is used in "interactive" mode wh...
CVE-2021-28665
PUBLISHED: 2021-05-06
Stormshield SNS with versions before 3.7.18, 3.11.6 and 4.1.6 has a memory-management defect in the SNMP plugin that can lead to excessive consumption of memory and CPU resources, and possibly a denial of service.