Dark Reading is part of the Informa Tech Division of Informa PLC

Matt Deres

Banks and the New Abnormal

Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.

With businesses starting to reopen after the COVID-19 shutdown here in Massachusetts, I am already tired of hearing about the "new normal." We're nowhere near hitting anything approaching "normal." We're certainly never going back to where we were on March 1, but no one knows where we'll be when a vaccine is discovered and we can go to the grocery store without taking a Silkwood shower when we get home. We're in the middle of chaos, and IT departments are just trying to juggle the day-to-day issues related to remote workforces and new security risks.

But that will change sooner than we think. Companies everywhere are declaring working from "anywhere" as the new standard for their employees, and so many cybersecurity teams are already planning for the uncertain future. And that future is going to be radically different than anything we've seen before. If you've been waiting for the next great leap forward (and were around for the invention of the transistor), you may be in the right place at the right time. The planet is facing an unparalleled challenge, and the fixes will not be incremental. Strap yourself in for a hell of a ride.

Most innovations in banking are slow and linear, but right now we're seeing myriad consumer-driven changes in how people use their money, and they are disrupting the industry: the expectation of contactless payments, card-not-present payments, and instant payments. In Australia and some European countries, these real-time payment rails are taking over from long-standing, batch-oriented money-transfer systems such as ACH-style clearing, wires over the SWIFT network, and credit card batch settlement. Things have gotten faster, and they're changing dramatically.

Here's why: In the roughly 35 years since electronic communication became the primary means of sharing information, there has never been a disruption like the COVID-19 pandemic. We've had mega-disasters like 9/11 and Category 5 hurricanes that upended payment methods and banking, but they were regional in scope and not enough to change broad behaviors, so the regulators that make up the Federal Financial Institutions Examination Council could keep responding with an ever-extending checklist of "must-dos" for banking security controls. The pandemic is different: the current banking anti-fraud and security infrastructure is now being severely tested everywhere at once.

Along with the banking product changes, banks have thousands of employees working from home over home Internet connections the bank does not control, which has created unprecedented challenges. Ditto for the billions of dollars being wired or mailed to taxpayers. We need to rethink what we're doing from the ground up. After all, we don't know if we will ever be back in our offices, and if we are, whether people will come in every day. Is COVID-19 the beginning of a permanent work-from-home revolution? Will the idea of the central office even matter in two years, or will everything be decentralized? Those are the questions we need to ask ourselves every day.

So what do we do? For starters, we need to reimagine the VPN. The basic concept is sound, but most private networks were designed for a hub-and-spoke model with a handful of branch links, not thousands of independent home endpoints. And multifactor authentication (MFA) can no longer be an auxiliary or perimeter-only measure. It needs to be baked into the front line of defense, required for every remote session and every privileged action rather than just at the VPN gateway.

And that's just for remote access. What about reconciliation and fraud detection? Is daily balancing really good enough anymore, or do banks need real-time reconciliation to catch unauthorized access and transfers as they happen? Do we need a full, across-the-board, zero-trust approach?
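To make the daily-balancing question concrete, here is an added example in Python; it is not code from the article or from Rocket Software. It runs a constructed business day of core-ledger postings for one account through two checks: an end-of-day balance that compares totals, the way a daily reconciliation does, and a per-posting match against the customer authorizations recorded by the online channel. The account, payee names, amounts and timestamps are invented. The point is that the streaming check names the bad posting the moment it lands, while the batch check only reports an unexplained total at close of business and is blind to an unauthorized debit that has been offset by a fake credit.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data (not from the article): one account, one business day.
# Amounts are in cents; negative values are debits. Timestamps are seconds since midnight.

@dataclass(frozen=True)
class Authorization:
    """A transfer the customer approved through the MFA-protected online channel."""
    auth_id: str
    account: str
    amount: int
    payee: str

@dataclass(frozen=True)
class Posting:
    """A movement of money actually posted to the core ledger."""
    ts: int
    auth_id: str
    account: str
    amount: int
    payee: str

@dataclass(frozen=True)
class Alert:
    ts: int
    auth_id: str
    reason: str

AUTHORIZATIONS: Dict[str, Authorization] = {a.auth_id: a for a in [
    Authorization("A1", "ACC-100", -12_500, "ELECTRIC-CO"),
    Authorization("A2", "ACC-100", -80_000, "RENT-LLC"),
    Authorization("A3", "ACC-100", -4_200, "GROCER"),
]}

POSTINGS: List[Posting] = [
    Posting(9 * 3600 + 300, "A1", "ACC-100", -12_500, "ELECTRIC-CO"),   # legitimate
    Posting(10 * 3600, "A2", "ACC-100", -80_000, "RENT-LLC"),           # legitimate
    Posting(10 * 3600 + 1800, "X9", "ACC-100", -250_000, "MULE-ACCT"),  # no authorization on record
    Posting(11 * 3600, "X7", "ACC-100", -50_000, "MULE-ACCT"),          # unauthorized debit ...
    Posting(11 * 3600 + 60, "X8", "ACC-100", 50_000, "REVERSAL"),       # ... hidden by a fake credit
    Posting(14 * 3600, "A3", "ACC-100", -40_200, "GROCER"),             # amount changed after approval
    Posting(15 * 3600, "A1", "ACC-100", -12_500, "ELECTRIC-CO"),        # authorization A1 replayed
]

CLOSE_OF_BUSINESS = 17 * 3600  # when the daily batch would run

def daily_balance(postings: List[Posting], auths: Dict[str, Authorization]) -> int:
    """End-of-day balancing: totals only. Returns the unexplained amount in cents.
    It cannot say which posting is wrong, and offsetting entries cancel out."""
    posted = sum(p.amount for p in postings)
    authorized = sum(a.amount for a in auths.values())
    return posted - authorized

def realtime_match(postings: List[Posting], auths: Dict[str, Authorization]) -> List[Alert]:
    """Per-posting reconciliation: every ledger posting must match exactly one
    customer authorization, on account, amount and payee, and each authorization
    may be consumed once. Runs as postings arrive, in time order."""
    alerts: List[Alert] = []
    consumed = set()
    for p in sorted(postings, key=lambda p: p.ts):
        auth = auths.get(p.auth_id)
        if auth is None:
            alerts.append(Alert(p.ts, p.auth_id, "posting with no customer authorization on record"))
            continue
        if p.auth_id in consumed:
            alerts.append(Alert(p.ts, p.auth_id, "authorization already consumed (replayed posting)"))
            continue
        consumed.add(p.auth_id)
        if (p.account, p.amount, p.payee) != (auth.account, auth.amount, auth.payee):
            alerts.append(Alert(p.ts, p.auth_id,
                                f"posting differs from authorization: expected {auth.amount} to "
                                f"{auth.payee}, got {p.amount} to {p.payee}"))
    return alerts

def detection_lag_seconds(alerts: List[Alert], close_ts: int = CLOSE_OF_BUSINESS) -> int:
    """How much earlier the streaming check fires than the end-of-day batch."""
    if not alerts:
        return 0
    return close_ts - min(a.ts for a in alerts)

if __name__ == "__main__":
    print("end-of-day unexplained total (cents):", daily_balance(POSTINGS, AUTHORIZATIONS))
    found = realtime_match(POSTINGS, AUTHORIZATIONS)
    for a in found:
        print(f"{a.ts // 3600:02d}:{a.ts % 3600 // 60:02d} {a.auth_id}: {a.reason}")
    print("first alert fired", detection_lag_seconds(found), "seconds before the batch would run")
```

The offsetting pair X7/X8 contributes nothing to the end-of-day total, so a totals-only balance never sees it; the per-posting check flags both entries because neither has an authorization behind it. The same structure applies to any two feeds that should agree (card authorizations against settlement files, wire instructions against outbound SWIFT messages): match records, not sums.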

The good news is that the infrastructure to support all of this is very strong, and it exists right now. Most banks run on mainframes, which are incredibly fast and reliable, not to mention difficult to access improperly. MFA tools are already in use, but they're not universally deployed. Zero-trust tooling exists, but many institutions are wary of the end-user inconvenience it can bring.

Banks have been hesitant to adopt many of these practices, and for good reason. But now is the time to take the next bold step. Security has always been important, but now it's non-negotiable. Banks need to do whatever they can to keep their assets, and those of their customers, as safe as possible.


Matt Deres is senior vice president and chief information officer at Rocket Software, a Boston area-based software development firm specializing in application modernization and optimization, where he oversees IT strategy for the company's domestic and global operations. He ...

Shih-Chin Yang, User Rank: Apprentice
8/24/2020 | 12:24:04 AM
We all have a lot to learn for working-anytime-anywhere
For software companies, it might be easier to adopt a working-anywhere-anytime model, since their deliverables are digital in nature.

On the other hand, for incumbent industries such as banking, a lot needs to be learned to make sure of a smooth and secure transition. MFA (or 2FA) and the use of strong passwords are just the basics, but inconvenience seems to be the excuse for not using them.

There are other measures, such as:

- Not sending confidential information over email;
- Encrypting your confidential data before sending it to the cloud;
- A secure knowledge or content management system for distributed workforces, with access controls for different groups of people.

From a broader perspective, the first wave of cloud services adoption has shown that they are great for productivity. As more and more people become concerned with their data privacy, an extra layer of protection such as end-to-end encryption is needed to make sure no third party can look into customers' data.

Banks are indeed in a race to protect their core business, and not to lose to the competition, especially technology companies.
User Rank: Strategist
8/22/2020 | 12:23:31 AM
end-user banking security is universally awful

Along with the infrastructure and employee security you talk about, banks are desperately in need of upgrades to end-user security, which is universally awful.

Most banks' idea of end-user security is blocking VPNs, imposing ridiculous captchas, and using security questions any third-rate hack can find answers to on social media or the dark web.

If a bank is not offering app- or token-based MFA and forces users to turn off their VPN before accessing their site then they have no business being in the banking business.

I'm not a guy who wants federal solutions to all (or even most) problems, but insecure access to a bank seems to me a clear place for regulation. FDIC needs to require banks to offer robust end-user security options like app or token MFA (knowing that technologically challenged users won't use them) as a condition of their charter.
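The article's call to bake MFA into the front line of defense and this comment's call for app- or token-based MFA both come down to a verifier like the one below. This is an added example, not code from the article, from Rocket Software, or from either commenter: a time-based one-time password verifier (RFC 6238 TOTP over RFC 4226 HOTP, HMAC-SHA1, 30-second step) in Python that tolerates one step of clock skew between the server and the authenticator app and refuses any counter at or below the last one already accepted, so a code phished or captured in transit cannot be replayed. The key is the RFC 6238 Appendix B test key, and the timestamps and window size are test values; a real deployment provisions a random per-user secret and stores the last accepted counter alongside it.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# RFC 6238 Appendix B reference key for SHA-1 (ASCII "12345678901234567890").
# Test key only: a real deployment uses a random per-user secret shared with the app.
TEST_KEY = b"12345678901234567890"
STEP = 30     # seconds per time step
DIGITS = 6    # digits shown by the authenticator app
WINDOW = 1    # accept +/- one step of clock skew

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, now // step, digits)

def verify_totp(key: bytes, code: str, now: int, last_counter: int,
                step: int = STEP, digits: int = DIGITS, window: int = WINDOW) -> Tuple[bool, int]:
    """Check a submitted code against the server clock.

    Returns (accepted, new_last_counter). The caller persists new_last_counter
    per user. Rules:
      - try the current step and +/- window steps to tolerate clock skew;
      - never accept a counter <= last_counter, so a captured code cannot be
        replayed and an older code cannot be used after a newer one;
      - compare in constant time.
    """
    if len(code) != digits or not code.isdigit():
        return False, last_counter
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return True, counter
    return False, last_counter

if __name__ == "__main__":
    # Constructed login sequence: the server's stored last_counter starts at -1.
    last = -1
    now = 59
    code = totp(TEST_KEY, now)           # what the user's app would display
    ok, last = verify_totp(TEST_KEY, code, now, last)
    print("first login:", ok)            # True
    ok, last = verify_totp(TEST_KEY, code, now + 16, last)
    print("same code replayed 16 s later:", ok)   # False
```

The window is what keeps a phone with a slightly wrong clock usable, and the last-counter rule is what makes the window safe: without it, an attacker who captures a code has up to 90 seconds to use it, with it a code is good for one login only. Security questions and CAPTCHAs, which the comment above rightly dismisses, give none of this.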
