The Trusted Execution Environment is a secure area of the main processor in a smart phone (or any connected device) which ensures that sensitive data is stored, processed and protected in an isolated, trusted environment.

An introduction to the Trusted Execution Environment for mobile services security

Industry interest in the Trusted Execution Environment is gaining momentum, as it addresses the needs of most applications by offering a higher level of security than a Rich OS, without the constraints associated with the secure element (SE).

The white paper introduces the Trusted Execution Environment and its general security characteristics, before progressing through the key security concerns and perspectives of various actors and markets.

The paper illustrates particular use cases, offering an understanding of how a TEE lays to rest major concerns within those use cases. In particular, the TEE’s role in the following implementation examples is examined: mobile payments, enterprise (bring-your-own-device), content protection and government eID solutions.

“As mobile and consumer markets for connected devices mature and expand, an increasing number of security concerns demand attention,” explains Kevin Gillick, Executive Director of GlobalPlatform.

“Yet while it’s in the interest of all actors in the mobile services value chain to protect applications on many levels, a balance has to be struck to ensure that security doesn’t compromise the end-user experience or the relative ‘openness’ of the device environment which offers commercial opportunities to so many stakeholders. This need to balance security and openness is a key challenge faced by the mobile services industry today.

“The TEE offers a solution which addresses many security concerns without imposing an undue burden on applications,” concludes Gillick. “This white paper will help audiences understand why this is the case and outlines its relevance for many use cases.”

The post An introduction to the Trusted Execution Environment for mobile services security appeared first on Accourt Payments Specialists.

These are the findings of a survey published today by Mobey Forum, exploring the current attitudes to biometrics within the banking industry, the key use cases, industry drivers and obstacles standing in the way of progress.

Of the 235 respondents from across the world, it is clear that biometric services are a priority. 22% of banks already offer biometrics to their customers and 65% are planning to offer services in the near future. More than half plan to launch fingerprint biometrics for their end users, with an additional 21% focusing on voice recognition.

Do you offer biometric
authentication for mobile
financial services

Authenticating the user during the login process and during payment or transaction confirmation was cited by 70% as the most important use case for biometrics in financial services.

A number of key drivers for the use of biometrics are explored in the study, with nearly half of respondents stating that it is the convenience for their customers, together with the desire to be viewed as an innovative and advanced bank, which makes biometrics appealing. There are, however, a number of obstacles that need to be overcome. One in five highlighted dependence on technology providers as an issue. In addition, the customer concerns relating to privacy are seen as a barrier.

What kind of technology are you planning to use?

“Biometrics in financial services still face challenges,” comments Sirpa Nordlund, Executive Director of Mobey Forum. “It is clear, however, that progress is being made and there are well defined use cases and benefits to moving forward. We believe that inter-bank collaboration will expedite the development of this technology and 42% of the market agrees with us. Successful financial solutions need to be easy and convenient; a collaborative approach will ensure consumers are presented with stable and consistent services, driving adoption.

“We will continue our discussions around biometrics both within our own working group and in our collaborative discussions with the Natural Security Alliance and the Biometrics Institute. We look forward to releasing further analysis in the coming months.”

The post Biometrics has a strong future in financial services appeared first on Accourt Payments Specialists.

Cyber-crime within the financial services industry has reached unprecedented *levels and

Top 8 future cyber security threats to the financial services sector

currently costs the global economy £266 billion each year. As companies increasingly adapt to emerging technologies, such as digital wallet service Apple Pay and Near Field Communication (NFC), the likelihood of hacks and data security breaches is rising.

Neil Cross, Managing Director of Advanced 365, explains, “The financial services industry must find a balance between embracing innovation to establish a competitive advantage whilst meeting needs for greater compliance and cyber security in order to survive. At present, too many firms are preparing for yesterday’s threat instead of updating their strategies to defend against tomorrow’s.”

Cross outlines below the top eight technology threats that financial services firms will face in the future.

1. Botnet attacks – The Botnet (robots and networks) of Things is a group of computers or internet-connected devices that have been hacked to commit fraud or attack servers. Industry experts estimate that botnet attacks have contributed to the loss of millions of pounds from financial institutions. Mass adoption of the Internet of Things will only exacerbate security challenges as it introduces billions of potential new bots.
2. Self-mutating computer virus – ‘Pandoras’ are regarded as the next generation of self-mutating computer virus attacks. They are designed to destabilise, confuse and destroy critical electronic infrastructures essential to the financial services industry. From a strategic perspective, they can be used as both offensive and defensive security mechanism.
3. Near Field Communication (NFC) – NFC allows two devices within a short distance of each other to exchange data. It is increasingly being adopted by banks to introduce new products and facilitate mobile payments. Customers are susceptible to aggressive avatar-based attacks which rely on advanced digital creation assembled from stolen aspects of an individual’s identity.
4. Payments technology – Mass market adoption of new mobile payments technologies, such as Apple Pay and Google Wallet, is expected to occur by the end of 2016. Hackers are intensifying their efforts as companies and consumers increasingly adopt these new systems and related fraud cases in the United States are already totalling millions of dollars.
5. Biohacking – Biohacking applies to advanced techniques that use science and technology to affect human performance and could be a target for radical security breaches. Smart implants will be used for identification and authentication of individuals which include the ability to access buildings and activate mobile phones, in addition to making bank transactions to replace smartphone PIN codes.
6. Big data and the cloud – In ten years’ time, most of the world’s data will move through or be stored in the cloud at some stage. This is expected to result in more sophisticated data security attacks targeting cloud infrastructures, shifting from device-based to cloud-based botnets, hijacking distributed processing power.
7. Mobile – 80% of internet connections could originate from a mobile platform by 2025. Industry experts predict that mobile devices will no longer be used to crack a phone code or steal data from a device itself. Instead they will be targeted by cyber criminals as a catalyst for obtaining additional data resources that can be accessed via the cloud.
8. Bring Your Own Device (BYOD) – Heavily regulated industries are struggling with the risks introduced by allowing employees to bring their own devices. A 2014 survey of financial services respondents by PwC revealed that 44% said employees represented the highest and most likely source of security incidents. This figure is 9% higher compared with the all industries’ average.

Cross adds, “Financial services providers must adapt to the new world and the demands it places on their organisation. Businesses that fail to demonstrate a greater awareness of emerging technological challenges and transform their notion of security could fall prey to damaging breaches.”

The post Top 8 future cyber security threats to the financial services sector appeared first on Accourt Payments Specialists.

According to Telstra’s “Mobile Identity – The Fusion of Financial Services, Mobile and Identity” report, with smartphones now the primary channel used by Gen X and Gen Y to access and manage their finances, expectations around how financial institutions manage mobile identity are being transformed.

Willingness to Share Personal Information with Financial Services Institution

“For the last six months, we’ve spoken to consumers and banks all over the world, in an effort to understand how our relationship with our smartphone is affecting our relationship with our financial institutions,” said Rocky Scopelliti, Global Industry Executive for Banking, Finance & Insurance, Telstra.

“What we uncovered is that when it comes to mobile banking applications, consumers no longer believe in just the safety of passwords and usernames.

“Instead, two-thirds of UK consumers think that using biometrics – such as voice, fingerprint, iris and facial recognition – would be more secure and help reduce the risks of fraud.

Willingness to Share Personal Information with Financial Services Institution (by Net Worth $ (Total Investments & Assets – Debt))

“In fact, one in four UK consumers would even consider sharing their DNA with their financial institution, if it meant it would make authentication easier and their financial and personal information more secure,” he said.

According to the research, while factors such as interest rates and ease of accessing funds used to be the most important considerations when selecting a financial institution, today, more than half of UK consumers cite the security of their finances and personal information their top priority, together with their institutions’ reputation for security.

Despite this, the report found that only a third of UK consumers were ‘very satisfied’ with their institutions’ authentication methods, with one third willing to pay an extra £11 GBP per annum for more sophisticated mobile security measures.

Identity Theft (Global)

“Our research shows consumers are using their mobile banking applications in some really cutting edge ways, so they’re expecting much more than ever before from their financial services providers in terms of security, innovation and functionality.

“In fact, Gen X and Gen Y has become so dependent on their smartphones to access their financial services, that it’s led to a behavioral state we are calling ‘no-finapp-phobia’ – the fear of being without financial applications,” he said.

In the UK, Nationwide and NatWest customers are the most satisfied with the identity and authentication methods offered and are accordingly, the most likely to recommend them.

“With our consumption of financial services intrinsically linked with the mobile device, our mobile identity is the key to unlock trust with our service provider.

“For ‘no-finapp-phobic’ Gen X and Gen Y consumers it’s time to create mobile identity solutions that instantly recognise them for who they are,” Mr Scopelliti concluded.

For more information on Telstra’s Mobile Identity – The Fusion of Financial Services, Mobile and Identity whitepaper click here.

The post One in four UK consumers would share their DNA with their bank to secure financial information appeared first on Accourt Payments Specialists.

The report discloses how much criminals can profit from malware attacks, which data they target, how they get

Cybercrime compromises by Industry

inside, how long it takes for businesses to detect and contain data breaches, what types of businesses criminals are targeting and where the majority of victims are located. It also reveals the most commonly used exploits, most prevalent malware families and more.

Trustwave experts gathered the data from 574 breach investigations the company’s SpiderLabs team conducted in 2014 across 15 countries in addition to proprietary threat intelligence gleaned from the company’s five global Security Operations Centers, security scanning and penetration testing results, telemetry from security technologies distributed across the globe and industry-leading security research.

2015 Trustwave Global Security Report: Key Highlights

• Return on investment: Attackers receive an estimated 1,425% return on investment for exploit kit and ransomware schemes ($84,100 net revenue for each $5,900 investment)
•  Weak application security: 98% of applications tested by Trustwave in 2014 had at least one vulnerability. The maximum number of vulnerabilities Trustwave experts found in a single application was 747. The median number of vulnerabilities per application increased 43% in 2014 from the previous year.
• The password problem: “Password1″ was still the most commonly used password. 39% of passwords were eight characters long. The estimated time it took Trustwave security testers to crack an eight-character password was one day. The estimated time it takes to crack a ten-character password is 591 days.
• Where victims reside: Half of the compromises Trustwave investigated occurred in the United States (a nine percentage point decrease from 2013).
• Who criminals target: Retail was the most compromised industry making up 43% of Trustwave’s investigations followed by food and beverage (13%) and hospitality (12%).

• Top assets compromised:  42% of investigations were of e-commerce breaches. Forty were of point-of-sale (POS) breaches. POS compromises increased seven percentage points from 2013 to 2014, making up 33% of Trustwave’s investigations in 2013 and 40% in 2014. E-commerce compromises decreased 13 percentage points from 2013 to 2014.
• Data most targeted: In 31% of cases Trustwave investigators found attackers targeted payment card track data (up 12 percentage points over 2013). Track data is the information on the back of a payment card that’s needed for an in-person transaction. Twenty percent of the time attackers sought either financial credentials or proprietary information (compared to 45% in 2013) meaning attackers shifted their focus back to payment card data.
• Lack of self-detection: The majority of victims, 81%, did not detect breaches themselves. The report reveals that self-detection leads to quicker containment of a breach. In 2014, for self-detected breaches, a median of 14.5 days elapsed from intrusion to containment. For breaches detected by an external party, a median of 154 days elapsed from intrusion to containment.
• How criminals break in: Weak remote access security and weak passwords tied as the vulnerability most exploited by criminals in 2014. Weak remote access security or weak passwords contributed to 94% of POS breaches.
• Spam on the decline: Spam volume continues to decrease making up 60% of total inbound mail (compared to 69% in 2013 and more than 90% at its peak in 2008), but six percent of it included a malicious attachment or link, a slight increase from 2013.

Industry breakdown of IT environments compromised by Cybercrime

“To defend against today’s sophisticated criminals, businesses must see attacks from their front windshield instead of their rear view mirror,” said Trustwave Chairman, Chief Executive Officer and President Robert J. McCullen. “By providing a wealth of current, actionable data breach trends and threat intelligence, our 2015 Trustwave Global Security Report helps businesses identify what’s coming so that they can engage the people, processes and technologies needed to thwart cybercrime attacks that can generate close to a 1,500 return on investment.”

Download a complimentary copy of the full 2015_TrustwaveGlobalSecurityReport

The post Criminals receive 1,425% ROI from Cybercrime appeared first on Accourt Payments Specialists.

Worldpay saw over 133,000 fraudulent transactions worth £10 million reported in March alone, leaving businesses out of pocket as fraudsters purchased goods and services using stolen card details. Over 67% of all fraudulent transactions happened online, while purchases made over the phone or by mail accounted for 19% of the total.

“Technology to guard against card counterfeiting and fraud has come a long way, yet the rates of attack are truly alarming. Card details are the weakest links in consumers’ and businesses’ defences and the one area that fraudsters know to hone in on,” comments Tim Lansdale, Head of Payment Security at Worldpay.

This graph shows the number of investigations into card breaches (i.e. known breaches) amongst Worldpay customers, by business PCI DSS level during 2011-2014. There were a total of 140 investigations held during this period.

Businesses that fail to protect their payment systems are not only left out of pocket when goods are purchased using stolen card details but also face paying for the investigation into the breach and the stiff industry penalties which inevitably follows. They are also likely to face bad publicity, which can swiftly erode the years of trust customers have built up in a business and can lead to even more lost custom in future.”

Small businesses, which accounted for 85.7% of all card data breaches, last year, make easy prey for the more advanced cyber hackers. By contrast, Worldpay has seen a 179% increase in payment security compliance amongst the UK’s biggest businesses, as the boardrooms of larger, better resourced companies look to bulk up their security in line with the card payment industry standards.

Causes of card data breaches

Regardless of business size, the clean-up costs of being targeted by hackers and suffering a card data breach can run to tens of thousands of pounds. A standard small business forensic investigation into a card data breach costs £11,250 on average and typically attracts at least a £8,000 industry penalty, not including the costs of lost goods and damage to reputation. Worldpay has seen larger businesses pay up to £100,000 for the forensic investigation alone.

“Prevention is clearly better than the cure when it comes to getting hacked. The UK’s largest companies have made great strides to improve their payment security but small businesses are still falling behind and being targeted as a result. Businesses of all shapes and sizes should be taking the necessary measures to protect themselves and their customers and employees,” said Lansdale.

Industries affected by card data breaches

Download the report here

Advice to businesses: How to avoid being a victim:

Card data breaches:

1. Check you meet the card industry’s standards for keeping card data safe, and that your third party suppliers do too.
2. Install all the latest patches for servers, operating systems, applications, and frameworks (Java, .NET etc.), to protect your ecommerce website.
3. Change online system log-ins from the default, and use strong passwords that hackers cannot guess.

Fraud:

1. Ask your payment processor about online protection, such as Verified by Visa, to make ecommerce payments safer from fraud.
2. Be wary of high value or unusual orders from a customer you do not know, particularly if the product can be resold easily.
3. Use the Address Verification Service, to match the customer’s delivery address with the billing address of the card owner.

The post Card fraud increases as stolen cards used once every 20 seconds appeared first on Accourt Payments Specialists.

First, the headline successes. Fraud conducted in the face-to-face retail environment continues to show a healthy decline trend (down 14% on the previous year) with card ID theft (down 19%) and cheques (down 35% off a rapidly decreasing base) also showing notable declines.  These figures show an industry that continues to tackle some of the key fraud issues head-on, however, there are still significant challenges that need to be addressed, writes Vaughan Collie, Partner, Accourt – Payments Specialists.

On the downside, e-commerce and online banking continue to be areas of material concern.

E-commerce fraud has increased by 14%, continuing its worrying upward trend. These figures show an above average fraud-to-sales ratio (i.e. a common industry indicator of how much fraud loss is experienced for every unit of sales) in an industry where online commerce continues to grow exponentially and, with the increasing popularity of commerce through mobile devices such as smartphones and tablets, this remains an area of significant concern.

Annual fraud losses on UK-issued cards 2008 to 2014 (Source FFA UK)

Online banking fraud has also shown an eye-watering increase of 48%.  One of the key drivers of this is a criminal element adept at basic, low-tech social engineering, preying on unsuspecting, sometimes gullible and vulnerable consumers – making this type of fraud relatively difficult to defend against (especially with legacy fraud management products and techniques).  This is primarily due to the ability of the criminals to bypass the safeguards put in place by the banks and other financial institutions once they’ve stolen sensitive information and/or credentials from consumers via these social engineering techniques.

It is not difficult to see the common element between the highest impact fraud losses is the underlying online ecosystem.  This ecosystem remains popular with criminals due to its inherent detachment from face-to-face interactions (often perceived as more risky) and relatively easy attack scalability coupled with, perhaps most importantly, the relative ease of exploiting human fallibility, especially in technology-enabled channels.

Fortunately, there are a number of advanced tools and techniques that service providers in the online ecosystem can employ to detect, mitigate against and, ultimately, stop future attacks.  However, there are so many products and services available in the market place and this makes it extremely difficult to determine which products, services, tools and techniques are most appropriate and effective at addressing the prevailing threats.  Many of the products and services have been available for a long time and have failed to adapt to the rapidly changing landscape of threats.  Technology and products that used to be good not that long ago are now less effective.

Annual online, telephone banking and cheque losses 2008 to 2014 (Source FFFA UK)

Furthermore, the P&L challenge to fraud managers is (rightly) changing dramatically.  Whereas fraud management was traditionally seen as a necessary cost of doing business, with very limited ability and budget to materially and positively impact an organisation’s fortunes, modern technologies and best practices enable dynamic fraud managers to positively contribute to the bottom line, but without adversely impacting the organisation’s fraud profile.  Done right, this means that an organisation is able to, for example, enable authorisation of more good sales volume and/or decrease the friction of consumer interactions – all without adversely impacting that organisation’s risk and fraud profile.

How can Accourt help?

• As a vendor/product independent organisation, Accourt advises on and conducts many vendor and product evaluations, particularly in the payments fraud management ecosystem.
• Accourt is at the forefront of the emerging and break-through fraud detection and management technologies across all geographies.  With a bedrock understanding of payments across the entire payments value chain, Accourt is consistently able to cut through to and isolate the core value and differentiators of market products, thereby objectively distilling market-leaders from the rest.
• Accourt’s focus is always an integrated approach, most effectively combining the product and operational aspects of the undertaking to its clients’ benefit.
• Recognising that many organisations cannot decommission existing products, Accourt has significant practical and pragmatic experience in how to engineer a complementary fit of newer products and technologies alongside the existing legacy.
• The focus on omni-channel commerce and customer service has further challenged legacy products in the fraud management ecosystem.  Accourt is able to independently identify and advise on those products that have managed to overcome and address this challenge.
• Coupled with industry-leading fraud management knowledge and experience, Accourt is steeped in deep operational knowledge and experience of chargeback optimisation and implementation.  An integrated approach to fraud and chargeback management generally returns greater operational and financial benefit than a ‘silo’ approach.

The post Online fraud – an unrelenting, unforgiving battleground… appeared first on Accourt Payments Specialists.

• Cybercriminals used the names of well-known banks in 16.3% of attacks; in 2013, the level of bank phishing was 22.2%
• In the Payment Systems category, cybercriminals mostly targeted data belonging to users of Visa cards (31.02% of detections in the Payment Systems category), PayPal (30.03% of detections) and American Express (24.6%)
• The names of well-known online shopping sites were used in 7.3% of attacks (6.5% in 2013)
• In 5.1% of cases, Kaspersky Lab’s protection technologies were triggered by phishing pages mentioning payment systems, which is 2.4 percentage points more than in 2013
• The proportion of financial phishing detected on Mac systems increased by 9.6 percentage points compared to the previous year, representing 48.5% of all instances in which the anti-phishing component of Kaspersky Lab security products for Mac OS X was triggered

Distribution of instances where anti-phishing technologies were triggered in Kaspersky Lab products in 2014

Phishing is a type of Internet fraud that is used by cybercriminals to lure users into providing their data (account logins and passwords and other personal information) by creating fake web pages to imitate popular online resources.

Last year, the proportion of financial phishing to all phishing attacks fell by 2.7 percentage points compared to 2013, primarily due to a decrease in the level of banking phishing. At the same time, there was proportionally more phishing targeting other financial categories.

In the Payment Systems category, cybercriminals mostly targeted data belonging to users of Visa cards (31.02% of detections in the Payment Systems category), PayPal (30.03% of detections) and American Express (24.6%). A the same time, in 2014 detections for phishing pages mentioning PayPal saw their share fall by 14.09 percentage points compared to 2013.

Distribution of instances where anti-phishing technologies were triggered in Kaspersky Lab products in 2014 – Payment Systems

Amazon remains the most commonly-attacked brand in the Online Shopping category – 31.7% of attacks in this category used phishing pages mentioning Amazon. However, this is 29.41 percentage points less than in the previous year.

“The rise in financial phishing that we saw in the past has naturally drawn a response from the brands most frequently abused in phishing scams – they are beginning to tackle phishing distribution channels, especially email spam, more actively,” says Nadezhda Demidova, web content analyst at Kaspersky Lab.

“That leads to a reduction in the levels of phishing that targets some of the larger brands. However, cybercriminals immediately responded by targeting new ‘markets’. For example, in 2014 we saw a large number of phishing scams based on websites that sell plane tickets. These are targets that used to be seen fairly infrequently in phishing scams.”

Kaspersky Lab experts have also recorded an increase in the proportion of financial phishing attacks against Mac OS X users. Overall, about 48.5% of all phishing attacks detected on computers with Kaspersky Lab security products for Mac installed on them were designed to steal financial data. In particular banks were mentioned in 29% of attacks, payment systems in 11.21% and online shopping sites in 8.32% of attacks.

You can find information on other changes in the 2014 financial cyberthreats landscape in the full text of the report on Securelist.com

Modern phishing websites are getting more and more sophisticated, making them very hard for users to recognise. That is why we recommend using an Internet security solution with an advanced anti-phishing technology in place.

The anti-phishing module is included in key Kaspersky Lab products for home and corporate users, as well as Kaspersky Fraud Prevention – a platform created specifically to protect banks from online financial fraud. Its three components – anti-phishing databases, Kaspersky Security Network and heuristic analyser – provide robust protection against phishing. The module’s effectiveness has been confirmed by independent test labs.

The post 25% of phishing attacks in 2014 targeted financial data appeared first on Accourt Payments Specialists.