Tuesday, July 25, 2017

Preparing the financial system for digital attacks

As money moves online and onto mobile phones, security could stand between banking customers and hacks and attacks – but some say the industry isn’t quite ready for security showdowns.

Financial players worldwide put up all kinds of barriers to keep attacks at bay. But in Myanmar, some of these walls can be flimsy. Education around security risks remains low and infrastructure for preventing them lacking – all this in a market rapidly moving onto the internet.

Tim Scheffmann, CEO of mobile banking software provider Frontier Technology Partners, has had a long career in banking and said he was currently experiencing déjà vu in Myanmar. “Everything is repeating itself right now, but it’s faster and on a higher level,” he continued.

Security has not always kept pace with the speed of the development in the banking sector, according to Mr Scheffmann.

“The last 40 to 50 years, no one has had to think about that,” he said. “There was no crime and there was no one hacking or with hacking capabilities here.

“Now that has changed.”

Adam Hunt of Yangon entrepreneurship school Opportunities NOW used to be a “white hat” hacker – someone who works to expose security issues for hire, or for other benevolent reasons. On the other side of the coin, “black hat” hackers do a similar job, but with more malicious intentions.

Mr Hunt, speaking at downtown innovation lab Phandeeyar on March 12, called security a holistic mindset, and listed different aspects that make up the whole: physical, procedural, technical and social components.

Physical security seems the most traditional, and can involve practices like locking doors and windows. But even elementary security measures might be absent in Myanmar.

Mr Scheffmann erected an iron cage around Frontier Technology Partners’ servers and installed CCTV cameras when he first arrived, he said. On the procedural side, the company has also made sure employees know what to do and who to tell in case of fire, and also how to wield pepper spray – the last taught using a balloon with a menacing expression.

Technical security involves the network, hardware, firewall, servers and work stations, Mr Hunt said.

Frontier Technology Partners depends on German powerhouse SAP for its software, which protects data with measures like encryption and safeguards information that other Myanmar vendors and solutions can’t with “homemade” programs, Mr Scheffmann said. “They just do not have the capacity.”

The social side to security can deal with more complex threats – ones in disguise. Mr Hunt describes his history as a white hat hacker and strategies to obtain sensitive information, including using false business cards and back stories.

“We’re using people, we’re using their lack of education or the goodness of their hearts to gain access,” Mr Hunt said.

To him, the primary threat to users’ data is a lack of education. “Millions of people in Myanmar are beginning to use computers and cell phones and the internet for the first time, and they don’t know what the risks are,” he said.

Unfortunately, what they don’t know can hurt them. Mr Scheffmann shakes his head when asked about a bank’s response to customers’ tribulations in the case of hacks. “You can call the help desk,” he said.

Mr Scheffmann said that at the regulatory level around mobile money and mobile banking, the Central Bank of Myanmar did not demand specific security standards be met. The financial institution, charged with oversight of the banking industry, has taken a cautious approach around policy.

“We are dealing with a regulator who is very, very conservative,” Mr Scheffmann said. While the regulator tends not to risk anything, this caution actually opens doors to other potential risks.

Mr Scheffmann said the maxim “slow and steady wins the race” prevails in the Myanmar market.

He mentions a story a friend told him about elephants worried about their footing on unstable ground. “When elephants tread onto muddy waters, they become totally insecure ... so they break a branch, put it on the muddy ground and then step on the branch,” he said. “If the elephant driver is pushing them too hard to move forward, the elephant will grab the driver, put it in the mud and step on the driver.

“That happens every other month here in Myanmar.”

Mr Hunt said banks must begin migrating online to stay competitive, but that by doing so they implement publicly accessible systems that could be attacked.

Moving toward a secure future in Myanmar will require people to work on the strength of even the weakest links in the security chain.

“[Banks] need to go through all of those areas of security – technical systems and training and physical and all that,” Mr Hunt said. “Because if all the areas work except one ... then that’s where you’re going to get hit. All the rest doesn’t matter.”