Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

8/20/2020
10:00 AM
Matt Deres
Matt Deres
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Banks and the New Abnormal

Banks have hesitated to adopt many strong security practices, and for understandable reasons. But now is the time to be bold.

With businesses starting to reopen after the COVID-19 shutdown here in Massachusetts, I am already tired of hearing about the "new normal." We're nowhere near hitting anything approaching "normal." We're certainly never going back to where we were on March 1, but no one knows where we'll be when a vaccine is discovered and we can go to the grocery store without taking a Silkwood shower when we get home. We're in the middle of chaos, and IT departments are just trying to juggle the day-to-day issues related to remote workforces and new security risks.

But that will change sooner than we think. Companies everywhere are declaring working from "anywhere" as the new standard for their employees, and so many cybersecurity teams are already planning for the uncertain future. And that future is going to be radically different than anything we've seen before. If you've been waiting for the next great leap forward (and were around for the invention of the transistor), you may be in the right place at the right time. The planet is facing an unparalleled challenge, and the fixes will not be incremental. Strap yourself in for a hell of a ride.

Most innovations in banking are slow and linear, but right now we're seeing myriad new consumer-driven changes affecting how people use their money and disrupting the industry. These include the expectation for contactless payments, card-not-present payments, and instant payments. In Australia and some European countries, these immediate payments are taking over for long-standing money-transfer systems like ACH, wires using SWIFT networks, and other credit card batch settlement methods. Things have gotten faster, and they're changing dramatically.

Here's why: Since the advent of electronic communication as the primary means of sharing information — roughly the past 35 years — there has never been a disruption like the COVID-19 pandemic. We've had mega-disasters like 9/11 and Category 5 hurricanes that have upturned payment methods and banking, but they've all been regional in scope and not enough to change broad behaviors. This is why regulators managed by the Federal Financial Institutions Examination Council have an ever-extending checklist of "must-dos" for banking security controls. With the challenges of the current pandemic, the current banking anti-fraud and security infrastructure is now being severely tested.

Along with the banking product changes, banks have thousands of employees working from home on nonsecure Internet connections, which has created unprecedented challenges. Ditto for billions of dollars being wired or mailed to taxpayers. We need to rethink what we're doing from the ground up. After all, we don't know if we will ever be back in our offices again, and if we do, whether people will come in every day. Is COVID-19 the beginning of a permanent work-from-home revolution? Will the idea of the central office even matter in two years or will everything be decentralized? Those are the questions we need to ask ourselves every day.

So what do we do? For starters, we need to reimagine the VPN. The basic concept is sound, but most private networks were designed for a "spoke" model rather than thousands of independent access points. And multifactor authentication (MFA) can no longer be an auxiliary or perimeter security measure. It needs to be baked into the front lines of defense.

And that's just for remote access. What about reconciliation and fraud detection? Is a daily balancing really good enough anymore, or do banks need to adopt real-time updates to prevent unauthorized access and transfers? Do we need a full, across-the-board, zero-trust approach?

The good news is that the infrastructure to supporrt all of this is very strong, and it exists right now. Most banks use mainframes, which are incredibly fast and reliable — not to mention difficult to improperly access. MFA tools are already in use, but they're not universally deployed. Zero trust exists, but many institutions are wary of the effects of end-user inconvenience.

Banks have been hesitant to adopt many of these practices — and for good reason. But now is the time to make the next bold step. Security has always been important, but now it's  non-negotiable. Banks need to do whatever they can to keep their assets, and those of their customers, as safe as possible.

 

Matt Deres is senior vice president and chief information officer at Rocket Software, a Boston area-based software development firm specializing in application modernization and optimization, where he oversees IT strategy for the company's domestic and global operations. He ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shih-Chin Yang
50%
50%
Shih-Chin Yang,
User Rank: Apprentice
8/24/2020 | 12:24:04 AM
We all have a lot to learn for working-anytime-anywhere
For software companies, it might be easier to adopt a working-anywhere-anytime model, since their deliverables are digital in nature.

On the other hand, for incumbent industries such as banking, a lot need to be learned to make sure a smooth and secure transition. MFA(or 2FA) and use of strong passwords are just basics, but inconvenience seems to be the excuse of not using it.

There are other measures such as

. Not to send confidential information over Email;

. Encrypt your confidential data before sending it to cloud;

. A secure knowledge or content management for distributed workforces with access controls for different groups of people;

From a broader perspective, the first wave of cloud services adoption is to know that they are very great for productivity. As more and more people concerned with their data privacy, an extra layer of protection such as end-to-end encryption is to make sure no third-party could look into customers' data.

Banks are indeed in a race to protect their core business, and not to lose to the competition, especially technology companies.
ScottyTheMenace
50%
50%
ScottyTheMenace,
User Rank: Strategist
8/22/2020 | 12:23:31 AM
end-user banking security is universally awful

Along with the infrastructure and employee security you talk about, banks are desperately in need of upgrades to end-user security, which is universally awful.

Most banks' idea of end-user security is blocking VPNs, imposing ridiculous captchas, and using security questions any third-rate hack can find answers to on social media or the dark web.

If a bank is not offering app- or token-based MFA and forces users to turn off their VPN before accessing their site then they have no business being in the banking business.

I'm not a guy who wants federal solutions to all (or even most) problems, but insecure access to a bank seems to me a clear place for regulation. FDIC needs to require banks to offer robust end-user security options like app or token MFA (knowing that technologically challenged users won't use them) as a condition of their charter.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.
CVE-2020-24565
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25770
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...
CVE-2020-25771
PUBLISHED: 2020-09-29
An out-of-bounds read information disclosure vulnerabilities in Trend Micro Apex One may allow a local attacker to disclose sensitive information to an unprivileged account on vulnerable installations of the product. An attacker must first obtain the ability to execute low-privileged code on the ...