- About the risks that abound, in the world of technology when everything is connected and snooped upon, one way or another. Are you safe?

Follow by Email

Wednesday, December 28, 2016

Digital Banking

What is 'Digital Banking'?

For simple understanding, call it 'Uber-Banking' - that of customers having a myriad of choices of cheap financial services at their fingertips, literally a call away. It is safe to assume that banks in their current form, will be not be able to compete with the disruptive and innovative financial products (Fintech) popping up ubiquitously. 

These disruptive technologies cover a wide range of services like crowdsourcing (donations, investments, or loans), new payment gateways, tailored healthcare insurance, wealth management...etc.

Here are two examples:

1. Microbanking - A smart card value storage application system that operates among small corner convenience stores, that accepts the low income groups as customers - a category that conventional  banks would consider as 'unbankable'. That means the lower income have values stored in their smart cards where they can either purchase goods or withdraw/deposit cash at convenient stores. 

2.Small Farmer Trading - A Over-The-Counter Small Farmer trading system that is authenticated and verified using BlockChain Technology. For more about blockchain, click here. This means that small farmers can work as a cooperative to sell their produce directly to their customers, by passing the middle man.

Note that both examples above do not necessarily need to transact through conventional banks.

Banks vs Fintech

At the moment, Fintech is mostly unregulated, while in contrast, banks are heavily regulated. This is akin to freewheeling Uber cabs versus regulated taxi companies. Some central banks are planning to regulate Fintech,  albeit lightly, so as not to strangle them to an early death.

It is inevitable that banks must change, or die. That said, many Fintech startups are not immune to the tough world of commerce either, eventually, many will die too, like most startups do. Besides, their scalability, extensibility and resilience against regulatory compliance, are yet to be truly tested.

I liken Fintech to be experimental films, where most are wild and imaginative, with only a few managing to find their symbiotic positions in the ecosystem.

Technologies: There are three areas that banks may like to dip their toes in the waters to get a feel of the Fintech revolution, namely:

1. BlockChain Technology. For simple understanding, a Block Chain is a chain of hash values. Each hash value correlates to a transaction. Hash values are non-repudiatable , so it is possible to mathematically demonstrate that the chain of transactions did indeed happen. For more about one-way hash, click here.

2. Internet of Things (IOT). Soon billions of devices will be intelligently interconnected, generating tetrabytes of data and meta data.  Vending machines, for instance, may be connected to suppliers' inventory systems, that are in turn connected to outsourced fulfillment vans plying the roads every hour; that in turn have navigation systems connected to GPS....etc.  And it goes on....

In time, Artificial Intelligence will be required to monitor the tetrabytes of data generated and passing through every few hours into perpetuity.

3. Common APIs. These will emerge among major players so that any bank or Fintech developer can use them to connect to the financial services eco-system.

What does this mean for Information Security?

The weakest links have to be identified. Where is the weakest link in the Block Chain Transaction? It is unlikely to be in the one-way hash algorithm, but more likely in the processes, perhaps processes that are vulnerable because of their need to interoperate with legacy systems, or the need to fulfill customer experience requirements.

How are we going to make sure that IOT is doing what it is supposed to be doing and not used as part of a Distributed Denial Of Service (DDOS) attack? With such volumes of data, it is not humanly possible to monitor manually. Inevitably, Artificial Intelligence (AI) will have to come in. Then the task will be to check the AI to make sure that they do not run tangent to the original plan. An AI rebellion or mutiny will be scary.

With Common APIs, we have to ensure that they are programmed to Secure Programming Standards and changes in control infrastructures will be necessary, since these APIs are now exposed to the outer and wider Cyberspace.

There are a lot more details we can go into, but the above is a good start.


The term 'digital banking' is superfluous. Banks have gone digital since the early 1980s. The real revolution in banking is in the decentralisation and democratisation of information. 

The prolific author and futurist Alvin Toffler had predicted the above trends, plus the odd problems of overchoice and mass customisation in the economy. These are mentioned  in his books "Future Shock" and "The Third Wave" back in the 1970s.

These trends are turning conventional economies on its head, disrupting the finance, transportation, travel, education, news and information, software development and film production industries; with many more others to follow. 

Automation in many industries will soon render many jobless, causing unemployment in big cities and workers returning to subsistence living in the countryside, this time aided by technology. So, more neo-hippie communes will sprout in the next fifteen years with their own system of barter, digital currencies, energy generation,...etc.

We are indeed living in exciting times.

For more about the changing trend of the: 

TV and Film industry, click here.

Future of information security, click here.

Management of one such disruptive startup, click here.

For more about the future of cryptography

click here.

Wednesday, June 15, 2016

Augmented Security

The following are notes I have taken from the book launch of "Augmented - Living Life in the Fast Lane", by Brett King on the 8th June 2016 in Singapore. I have taken efforts to make sure that the information here is as close to what he had said during the launch as possible. If there are any misrepresentation of facts, they are probably mine.  Please accept my apologies in advance.

Fundamentally Moore's Law has been proven right since it was coined - that computer processing power will double every two years. What we have in our pocket mobile phone is many times the processing power of the early computers that occupied an entire basement of a large building.

Four points that the book is based on:

1. Artificial Intelligence (AI) - that it will take over many aspects of our life. It executes many tasks better than humans. For instance, automatically driven cars are safer. It has a lower accident rate than cars driven by humans; AI diagnoses cancer with a 90% certainty, whereelse a  human oncologist can achieve only a 50% certainty. This is because AI is fed a lot more information to execute the tasks than a human being can handle. Besides, AI remembers the data and a human-being may forget some data during his analysis or diagnosis.

2. Internet Of Things (IOT) - Everything will be connected via the internet by the year 2030. There will be more robots than humans by then, though the former comes in different forms. That is, not all robots will look like humans, nor should they be. It depends on the tasks the specialise in.

3. HealthTech and Genome - The progress of HealthTech and Genome, thanks to the computer processing power will result in more early detection of diseases and fixing the problem via genetic engineering. This may cause a upheaval with Big Pharmacies, who now face a challenger that can fix health problems better and faster.

4. Smart Infrastructure - Solar power will be half the price of the nearest cheapest fuel by the year 2030. Coal mines will not be economical. Eg. Recently, China has laid off 1.5m mine workers. They know that it will not be economically feasible to mine coal.

The cheapness of solar energy and other alternative free energies, will disrupt the commodity markets and decimate it.


Every leading company will be a technology company by 2030. If you are not, than you are not making profits. Profitability in large technology companies like Apple, has a profit per employee of around $0.5m, compared to $30k for walmart or $50k for banks.

The service industry will be disrupted dramatically in employment patterns. People will not live their life "working for a living". Governments may be compelled to give a universal basic income (covering lodging, food, electricity...) to everyone for free. Humans will adjust to this new state.  There will be new jobs like geo-engineering, that aims at reversing the climate change, while many traditional jobs or jobs that are here now, will be gone. Perhaps some of us will be re-invented as robot psychiatrists to counsel misunderstood and mishandled robots!

Global population growth will flatten by the year 2050 at around 9.5 billion people. People will be living longer and longevity itself will be a challenge. For instance, if we are all going to live till 200 years old, then all of us here in this hall are mere 'teenagers' within our lifespan. Major culture shifts will be needed.

If you do not have a digital persona, you may be treated with suspicion, pay a lot more for things,...etc. It will  be impractical. In ten years time, 60% of our online purchases will be handled by an AI agent.

Banking will be required in the future, but not banks. Banks that base their business on the conventional business streams of credit cards, POS,... etc will be gone. There will be contextual credits evaluated when you walk into a store that will handle your transaction.

Not all entities that hold a bank account will be humans. For instance, autonomous driving cars will have bank accounts to get on with their 'life', like to pay for their Electronic Road Pricing (ERP) fees, electricity top ups, for receiving payments for ferrying people around like an Uber cab,...etc.

AI, robotics...etc will become so much part of the system that we will not even think about it, like electricity - we just switch it on and use it and hardly (if at all) think of it as 'technology'.

Governments will be the last industry to be disrupted and replaced by technology.

Do you agree with Brett King's projection of the future?

But let's just say we take it just as an exercise for now. That should the projections come true, how will we protect our information?

Some of the security issues that I predicted 15 years ago are now a reality.

  • For instance, wearable computers are now easily available and affordable by the man-in-the-street, so it won't be practical to check them at the gates. 
  • About collaborating for collective intelligence among big companies, especially banks. This is now happening via cloud-based Web Application Firewall providers.

Pervasive Security

With IOT, the hacker playground has enlarged. Whoever hacks in will have connectivity to hack the next adjoining device, affecting another community which will be likely dispersed worldwide. Surely this sounds much more fun to the hacker than it is now.

With device getting very small and many of them embedded, it will be impossible to rely on perimeter security. Security controls will have to be pervasive. Already in the present day, every business process will trigger six or seven other security processes. 

For instance, just to transfer money in an ebank, the following non-business processes are triggered:

  1. Identification - the user is a bot or human.
  2. Authentication - if the user is the user he claims to be.
  3. Double authentication - to make sure that the user device is not hijacked. This possibly using technologies like cognitive biometrics. 
  4. Authorisation  - to check the extent of the privileges the user is entitled to access.
  5. Central data logging - to log all transaction data such that if need be the transactions can be easily reconstructed.
  6. Prediction - with the large amount of data logged, it becomes possible to predict if the transaction is a fraud. If suspected, then transaction logging will be stepped up.
  7. Notification - notifying the user by an alternative channel of his transaction. 
Many more processes will be added over time to make the transaction even more secure. And even item 1, will have to be re-assessed when non-human entities legitimately have bank accounts, eg. autonomous cars. 

How will we be able to safely identify one robot from another? Do they have unique characteristics and behaviour, like humans, beyond their (encrypted) id tag? Will accumulated machine learning in the robot develop habits and character in them?

Data Ownership

Also, in an IOT world, who owns the data? When there is a hack, who is the custodian that has not kept the data well and had resulted in some people (or robots) violated? With so much data generated, it will be impossible to manage data ownership. To compound the problem, some legitimate data owners may not want to own the data, as ownership comes with responsibilities.

Quantum Computing
When Quantum Computers come into the market, many computers will be hacked in the interim period, before information systems had time to convert to quantum cryptography to protect their systems.

What are your thoughts?

I am sure you can come up with many other scenarios from now to the next ten years and how we can pre-empt security breaches.


Brett's view of the future seems to be solely based on the advance of Moore's Law. That computers will get more powerful and progress is mostly enabled by more number crunching and processing. 

There are other visionaries that embraces, in my opinion,  a wider scope of how progress may come about, like Buckminster Fuller, Alvin Toffler and Peter Schwaltz. They dwell into the future with scientific fundamentals and a scope beyond computers. Not surprisingly, many of their projections have even come true.

Here are other technologies that we may see in the future:

Saturday, April 16, 2016

Pre-empting Cyber-Fraud in Investment Banks

An investment bank is a hive of activities helping businesses or banks to raise capital by issuing stocks or bonds; and finally underwriting and distributing the issue. They also sell securities, manage assets/personal wealth of high networth individuals and help in corporate mergers and acquisitions. These activities expose them to a myriad of operational risks, legal risks, market risks, credit risks and reputational risks.

A common thread among all these risks is CyberFraud, amid today's highly computerised and networked world.

CyberFraud is multi-dimensional and it is targeting citizens, businesses, and governments at an alarming rate. They can also be conduits for organised crime and terrorism, and pose a threat to national security.

Stolen financial data is now an illicit commodity. With the required data, money can be siphoned through fraudulent credit card transactions, bank transfers, or other instruments. Given the impersonal nature of the crime and that the fraudsters can be seated at a physically remote location, an underground industry for Cybercrimes have rapidly grown. To compound matters, fraud can also originate both from outside and inside the bank.

The broader aspects to contain the growth of CyberFraud have to be worked together with the police, central banks and cloud-based security services like web-application firewalls, online biometric services,...etc. Sharing of such information among banks via central authorities is key.

Within the bank, besides having a secure IT infrastructure, it is  essential to have a centalised log server, where if need be, is capable of reconstructing any transaction to provide sufficient forensic data to bring the fraudsters to court. (This is a regulatory requirement stipulated by many central banks, like the Monetary Authority of Singapore). With the wealth of data in the log server, it is possible through data analytics to predict where the fraud will come from, and pre-empt them from occurring. It would be useful to use software like Splunk to facilitate the indexing, searching and monitoring of the logs, some of which may not even be structured.

For more details on a secure banking architecture, click here.

The common patterns of suspicious activities usually exhibit abnormal transaction volumes, trading volumes, fluctuating data feeds,... etc. A rules engine will have to be agreed between the businesses, fraud management department and cybersecurity department of the bank. 

For more details on applying data analytics, click here.

There are also cognitive patterns of user behaviour that can be captured and analysed. Several cognitive biometric systems, like BioCatch, are now capable of differentiating an online bot from a human user; and for the case of a human user, the capability to authenticate his identity.

These new implementation will require more sophisticated technical and awareness training. In a world where the criminals are connected with shared expertise, banks will need to have all their staff educated in an effective manner.

Many banks have resorted to quick online multiple-choice quizzes to measure the awareness level of their staff.  But truly, how many cases in our lives work the same way as such multiple-choice tests? Hardly, to say the least. Therefore, realistic scenarios must be written and rehearsed to leverage on the participants' other cognitive senses. To be effective, the training methods must be experiential and immerse the participants in role play, to truly understand the scope of managing CyberFraud and applying the knowledge in their daily work.

For more details of how to apply role play in cybersecurity training, click here.

Naturally, the above activities will take time to implement. Senior management will have to be convinced that they are worthy to commit the necessary resources.  The savings from CyberFraud management will have to be enumerated and quantified. But it is no longer just the case of preventing or managing financial losses to Cybercrime, banks now also have the moral duty to prevent funds from reaching terrorists and organised crime, for national security.

Conversely, if you are in the Senior Management of the bank, you may like to read about the 5 types of technology salesmen out there waiting to pull the wool over your eyes. :) 
Cick here.

Last but not least, while it is crucial to have the technical infrastructure and controls, predictive analytics and  technical and awareness training; no fraud cases can be effectively closed without the good old fashion offline work of committing troops to the ground. Common detective work of recognising clues, hints and motivation of crime are equally important. So are cultural understanding and language skills. The latter being particularly useful for high tech big data keyword searches and interpretation. Ultimately, the investigator will need to be able to hear a conversation in a noisy room, has a concern for detail and a sense of urgency.