Setting Out a Vision for Customer Authentication

We all know that "passwords suck", as my colleague Bob Meara stated clearly and succinctly in his recent blog. But what's the alternative – is the answer biometrics or something else?

We do believe that biometrics is part of the answer. However, our vision for authentication – security measures banks take when providing customers access to their services – is broader than that. Mobile devices will play a key role, but for them to be effective tools for authentication, a strong binding between customer identity and the device is essential – unless this step is done correctly, all subsequent authentication efforts are pointless.

We also contend that authentication must be risk- and context-aware. It should take into account what the customer is trying to do, what device they are using, how they are behaving, etc. and assess the risk of fraudulent behaviour. Depending on that assessment, the customer could either gain access or be asked to further authenticate themselves. And while biometrics can and will play an important role, the banks' authentication platforms need to be flexible to support different authentication factors.
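A minimal form of the risk- and context-aware decision described above, as an added example (not Celent's code, nor any bank's): the signal names, weights and thresholds are this example's own assumptions, and the behavioural anomaly score is assumed to come from an upstream analytics component. The decision is one of allow, step up or deny, and the step-up factor is picked from whatever the platform can offer that customer, with device biometrics only counted when the device has been bound to the identity.

```python
"""Risk- and context-aware authentication decision (added example, assumptions marked)."""
from dataclasses import dataclass


@dataclass
class AuthContext:
    action: str                      # what the customer is trying to do, e.g. "view_balance", "transfer"
    amount: float = 0.0              # monetary amount for payment actions
    device_bound: bool = True        # device previously bound to this customer's identity
    usual_location: bool = True      # login geography consistent with the customer's history
    behaviour_anomaly: float = 0.0   # 0.0..1.0, assumed to come from upstream behavioural analytics
    available_factors: tuple = ("otp_sms",)  # factors the bank can offer this customer


# Constructed weights and thresholds: a real deployment tunes these from fraud-loss data.
UNBOUND_DEVICE = 40
UNUSUAL_LOCATION = 25
HIGH_VALUE_THRESHOLD = 5000.0
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 80

# Preference order for the additional factor (assumed names).
FACTOR_PREFERENCE = ("device_biometric", "push_approval", "otp_sms")


def risk_score(ctx):
    """Combine device, location, action and behaviour signals into a 0..100 score."""
    score = 0
    if not ctx.device_bound:
        score += UNBOUND_DEVICE
    if not ctx.usual_location:
        score += UNUSUAL_LOCATION
    if ctx.action == "transfer":
        score += 10
        if ctx.amount >= HIGH_VALUE_THRESHOLD:
            score += 20
    score += round(ctx.behaviour_anomaly * 30)
    return min(score, 100)


def choose_step_up_factor(ctx):
    """Pick the strongest available factor; a device biometric only counts on a bound device."""
    for factor in FACTOR_PREFERENCE:
        if factor not in ctx.available_factors:
            continue
        if factor == "device_biometric" and not ctx.device_bound:
            continue
        return factor
    return None


def decide(ctx):
    """Return ("allow" | "step_up" | "deny", chosen_factor_or_None)."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return ("deny", None)
    if score >= STEP_UP_THRESHOLD:
        factor = choose_step_up_factor(ctx)
        # No usable second factor means the platform cannot raise assurance: fail closed.
        return ("step_up", factor) if factor else ("deny", None)
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample contexts
    print(decide(AuthContext("view_balance")))
    print(decide(AuthContext("transfer", amount=10000, device_bound=False,
                             available_factors=("device_biometric", "otp_sms"))))
    print(decide(AuthContext("transfer", amount=10000, device_bound=False, usual_location=False)))
```

The point of the fail-closed branch is the one the post makes about binding: a biometric on an unbound device proves nothing about who the customer is, so the engine must fall back to a factor that is tied to the identity or refuse the action.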

We outline this vision in more detail in the report published yesterday by Celent, Security, Convenience or Both? Setting Out a Vision for Authentication. In addition, the report discusses:

  • The upcoming PSD2 requirements for strong authentication.
  • The rise of biometrics, including different modalities and device-based vs. server-based implementations.
  • An overview of various standard-setting bodies, such as FIDO alliance and W3C Web Authentication Working Group.

Also, yesterday we launched a new Celent Digital Research Panel survey, this time focused on Authentication and Identity management. The objectives of this survey are to assess, among US financial institutions:

  1. Investment drivers for customer authentication and identity management.
  2. Current state and immediate plans around authentication and identity management.
  3. Perspectives on the future for authentication and identity management.

If you already received an email invite, we do hope that you will respond before our deadline of August 8th. If you represent an FI in the US, and would like to take part, but haven't received the invite, please contact us at info@celent.com. We will publish the results in a Celent report, and all respondents will receive a copy of the report, irrespective of whether they are Celent clients or not. We look forward to hearing from you!

External Forces Affecting Global Transaction Flows: Is the Payments World Becoming Flatter?

In his 2005 book titled The World Is Flat: A Brief History of the Twenty-First Century, New York Times reporter and author Thomas Friedman famously wrote about the impact of technology on globalization, the result of which is a truly global economy with unprecedented flows of investments, goods, and ideas. This trend has continued, despite the global recession that followed a few years after his book was published. 

In contrast, corporate treasurers have seen little “flattening” of cross-border payment processing since SWIFT was introduced in the 1970s, with the exception of intra-EC euro-denominated payments. The reality is that even in 2016, most cross-border payments have several critical elements of uncertainty about them. And it's not just about moving the money more efficiently: increasingly the focus is on how to improve the transparency and speed of payment information.

But it is important to recognize that the global banking system (including SWIFT) is not the only influence on cross-border payments. As corporate treasury organizations make tactical and strategic decisions about how to effectively make and receive payments across borders, they must take into consideration a wide range of external forces.

External Forces

Economic instability and geo-political conditions are categories of external forces that corporate treasurers need to take into account when moving funds across borders, not only in the immediate term but when considering the longer term strategic impact of instability on trading corridors and growth markets. Yesterday's historic "Brexit" vote by the citizens of the United Kingdom to exit the European Union is the perfect example of how geo-political instability has both an immediate impact on cross border payments, in terms of the impact on FX rates, and a longer term impact on the prospects for trade, foreign investment and the movement of people across borders. It will be many months, perhaps years, before the impact is fully understood.

Industry initiatives leveraging technology advances to improve cross border payment processing are playing a larger role than ever before as global adoption of SEPA elements becomes a reality, new regional payment networks and real time cross border payment solutions are being developed and alternative payment providers are offering solutions to some of the longest standing corporate complaints about traditional cross border payment processing.

Finally, demographic trends such as uneven population growth, migration and the rise of the digital natives will all have long term implications for how corporate treasury moves money and information across borders.

Celent's recently published report on this topic, Following the Money: External Forces Affecting Global Transaction Flows, includes some of the key data trends related to these external forces that are critical for corporate treasurers to understand and to continue to evaluate as they develop a plan for future proofing their payment environments. The report also includes recommendations for how treasury organizations should collaborate with their transaction banking partners to ensure that cross border payment processing and the delivery of payment information is optimized as the global payments landscape changes. This report and the webinar on the same topic were produced as part of a series sponsored by HSBC on topics relevant to corporate treasury.

EBAday 2016: A Brave New World for Payments

Hosted by the European Banking Association and Finextra, EBAday attracts payments professionals from leading financial institutions and technology providers. This year’s event was held in Milan, Italy with the theme, “A Brave New World for Payments.” Sessions focused on the dilemma facing the payments industry – enhancing existing payment models while preparing for alternative payments and technology.

I had the honor of moderating day two’s strategic roundtable discussing future challenges and opportunities for banks. The panelists were Paolo Cederle, CEO, UniCredit business integrated solutions; Christophe Chazot, group head of innovation, HSBC; and Damian Pettit, RBS head of payment operations.

EBAday 2016 Day Two Panel

The panelists felt that there is a disconnect between the limitations of legacy bank infrastructure and the promise of new technologies. With the majority of bank IT budgets spent on maintenance, the challenge is for banks to keep existing systems running while investing in the future. For customers, there is too much complexity, especially in cross-border payments, and customers want an easy experience at minimal cost.

Discussing Faster Payments in the UK, the panelists said the introduction eight years ago has revolutionized payments, completely changing customer behavior and paving the way for new mobile-based services such as Paym, the UK’s mobile payments service offered by seventeen banks and building societies. For countries having implemented immediate payments, real-time is the new norm and with that comes expectation and demand from customers.

With the EU PSD2 payment services provisions looming on the horizon, the discussion turned to the prospect of disintermediation of banks by third-party providers. The panelists were optimistic about the future, and feel that the regulation is helping to steer the banks toward new initiatives and innovation in services, and is a great opportunity to better service customers and push banks up the value chain.

Regarding the question of whether emerging payment models and technology represent an escalating threat, the response was that instant payments bring security challenges. But the panelists overwhelmingly agreed that convenience and speed cannot come at the cost of security – safety and security are absolutely paramount.

The discussion then moved onto the theme of disruption — are payments in a revolutionary or evolutionary phase? The panelists felt it was a bit of both. Revolutionary technologies such as mobile and artificial intelligence are pushing payments along an evolutionary path. And banks have an advantage. The Fintech startups entering the market don't have the direct customer interaction and track record that banks have in safety and security. The banks are running hackathons and are open to working with startups while improving legacy systems and simplifying the customer proposition.

All of the panelists’ banks are members of the R3 blockchain consortium. Blockchain is bringing a new way of working together for banks and technology providers. Each of the panelists is watching the technology closely, and the areas of opportunity cited were the last mile of the payments chain and the trade finance arena.

My take-away from the roundtable was that the global payments industry is transforming. The “brave new world” is one with an imperative to be nimble, keeping your eye on all of the opportunities both for existing payment models as well as alternative technologies. Collaboration is key whether through acquisitions, consortiums, partnerships or open source projects.

Blockchain: Beware the Hype

At Celent, we just published a new research report with the same title as this blog – Blockchain: Beware the Hype. Why such a title? Isn't blockchain the coolest technology out there at the moment?

It is. At Celent, we firmly believe that blockchains and other shared ledger platforms will be a powerful catalyst for change in financial services and other industries for many years to come. There are some very promising use cases, particularly in cross-border payments, corporate banking, and capital markets, and even outside of financial services, in identity management, trade logistics, healthcare, and many other sectors. Even if “blockchain” ends up being a small component of the ultimate solutions, it facilitates new thinking that forces organisations to reimagine how they work, both internally and externally. And that can only be a good thing.

However, we do caution against succumbing to the hype, which is inevitable for any new exciting technologies. Blockchain hype is particularly acute, given the complexities of the underlying technologies. Nobody wants to be left behind when proclaiming the benefits of blockchain, but not everybody truly understands how those benefits can be achieved.

Luckily, the investment going into shared ledger technologies is resulting in a growing number of individuals and organisations lending their collective resources to explore deeply how financial services can benefit from these technologies. Their efforts are directed at exploring practical use cases (e.g. Everledger, Ripple, Shocard), developing new technology and tools (e.g. Ethereum, Intel, Multichain) and building out infrastructure for blockchain initiatives (e.g. IBM, Microsoft), with a number of firms engaged across the board. And the collaborative efforts such as the Hyperledger project or R3 are also bearing fruit – for example, R3 recently announced Corda, a new distributed ledger platform specifically designed for financial services.

We do think that is the way forward: thinking carefully about suitability of technology for the business problem at hand, and deconstructing blockchain technology to its fundamental components only to assemble the most attractive features in a way that makes sense for financial services. That is what will ultimately help us all move beyond the hype.

Celent research clients can access the full report here.

Security, fraud, and risk Model Bank profiles: Alfa Bank and USAA

Banks have worked hard to manage the different risks across their institutions. It has been and will remain costly, time consuming and a top priority. Celent profiles two award-winning banks who have modelled excellence in their use of risk management technologies across their banks.

They demonstrated:

  1. Degree of innovation
  2. Degree of difficulty
  3. Measurable, quantitative business results achieved

(Left to right, Martin Pilecky, CIO Alfa-Bank; Gary McAlum, SVP Enterprise Security Group USAA; Joan McGowan, Senior Analyst Celent)

ALFA-BANK: SETS THE STANDARDS FOR BASEL COMPLIANCE IN RUSSIA

Alfa-Bank built a centralized and robust credit risk platform to implement Basel II and III standards, simultaneously, under very tight local regulatory deadlines. The bank decided to centralize all corporate credit-risk information onto a single platform that connected to front office systems and processes. Using Misys FusionRisk, Alfa-Bank was able to implement a central default system with a risk rating and risk-weighted asset calculations engine. The initiative is seen as one of the most important initiatives in the bank’s history. The successful completion of the project has placed Alfa-Bank at the forefront for setting standards and best practice methodologies for capital management regulations for the Russian banking industry and Central Bank.

USAA: SECURITY SELFIE, NATIVE FINGERPRINT, AND VOICE SIGNATURE

The game-changer for USAA is to deliver flawless, contextual customer application services that are secured through less intrusive authentication options. The use of biometrics (fingerprint, facial and vocal) to access its mobile banking application positions USAA to be able to compete with Fintechs across the digital banking ecosystem and offer exceptional service to its military and family members.

USAA worked with Daon Inc. to provide biometric solutions paired with its “Quick Logon” dynamic security token technology, which is embedded in the USAA Mobile App for trusted mobile devices. Biometric and token validation focus on who the user is and who the verifiers are and it addresses increasing concerns around the high level of compromise of static user names, passwords, and predictable security questions from sophisticated phishing attacks, external data breaches, and off-the-shelf credential-stealing malware.

For more information on these initiatives, please see the case study abstract on our website.

The banking railroad of innovation: Follow the river

I'm a big fan of the old movie classics. The TMC channel was a loyal companion during my graduate school days at the University of Illinois, offering a comforting black and white backdrop to frequent all-day programming sessions, and today I frequently call on TMC to get me through my daily hour-long treadmill sessions.

This weekend TMC offered up Jimmy Stewart as railroad detective Grant McLaine in 1957's Night Passage. A classic Western, McLaine was fired in disgrace over a railroad robbery carried out by his estranged brother, only to be offered a second chance to prove his loyalty to the railroad by being the courier for a large cash payroll being sent to the workers at the rail head.

Night Passage Poster

Grant's companion during the critical train ride to the rail head was young Joey.  Riding with Grant on a flatbed car as the train twisted and turned through the Rocky Mountains, Joey asked Grant how the railroad builders knew the best route through the harsh terrain.  This question gives Jimmy Stewart the rare opportunity to showcase his singing and accordion-playing skills as he responds by singing a song called "Follow The River".  The song ends with the chorus:

"Follow the river,
Wherever you may be,
Follow the river back to me."

Just as the railroad builders used the river to guide the design and layout of the early railroads, bankers have used technology to guide how banking services are designed and built.  In an interesting bit of historical irony, the first use of machine-based bank processing was being rolled out by the Bank of America just as Night Passage was hitting the movie theaters.

The system was called ERMA (Electronic Recording Method of Accounting), a machine-driven approach to electronically reading checks and processing the bank's accounts.  ERMA was co-developed by Bank of America and the Stanford Research Institute, launched in 1958, and was able to process 50,000 accounts per day.  While ERMA's initial capacity was small by today's standards, in those days, it represented an outlandish number in comparison with 10,000 accounts per month that BOA estimated it could process using existing paper-based manual methods.

ERMA ushered in the era of Big Iron in banking (a term also used to describe railroad locomotives), as improvements in the speed and capacity of what we today call the mainframe computer facilitated the rapid growth of the large banks during the 1960s and 70s.  Mainframe computers running programs powered by Rear Admiral Grace Hopper's newly developed Common Business Oriented Language (COBOL) became the river that banks followed when planning and building new banking systems like Electronic Payments (EFT), Electronic Tellers (ATM), and others to meet emerging customer demands.

Mainframe computers are interesting from an operational processing perspective in that data (specifically customer accounts and daily transaction data) takes a while to load, but once loaded accounts can be processed at a lightning-fast rate. While ERMA could process only 50,000 accounts in a day, modern mainframes can process millions of accounts in a matter of a few hours. COBOL itself as a programming language was scorned nearly from Day One by the computer science cognoscenti as a crude and unstructured way to build an enterprise system.

In 1975, the respected Dutch computer scientist Edsger Dijkstra made the famous comment that "With respect to COBOL you can really do only one of two things: fight the disease or pretend that it does not exist," before concluding, "the use of COBOL cripples the mind; its teaching should therefore be regarded as a criminal offense." Despite the withering criticism from academia, mainframe vendors and banks moved forward on the basis that the systems simply worked. Throughput is the key to understanding how high-volume banking systems and today's railroad system work.

A case in point is the Canadian National railroad's purchase in 2007 of the Elgin, Joliet & Eastern Line (EJE) to facilitate its rail connection of parts east and west through Chicago. While the distance from Gary, Indiana to Waukegan, Illinois is only 70 miles by car, CN now connects these points using EJE's 198 miles of track. This makes no apparent sense until you consider that CN is now able to route cross-country trains around the busy hub of Chicago, where previously CN endured a variety of operational restrictions and traffic jams arising from the many at-grade crossings through the congested urban core. To CN, routing traffic around Chicago rather than through Chicago resulted in more throughput and fewer train delays, more than compensating for the additional mileage.

And so it has gone for the banking processing. The use of oft-criticized COBOL and the unique operating characteristics of mainframe computers was tolerated as there were no other alternatives for banks requiring reliable processing at very high scale. That is, until recently.

Just as the river in Night Passage twisted and turned through the Rockies, the path of technological progress has twisted in a way many bankers did not expect, as cloud services are now challenging the hegemony of mainframe-based banking systems. While a top-of-the-line mainframe computer can be purchased with more than 100 lightning-fast processors, a bank can "rent" thousands, even tens of thousands, of processors for 10 minutes, 10 days, or 10 years. Using software that is tuned to manage the distributed processing of bank accounts across thousands of virtual machines, banks can now meet and exceed the enormous throughput of their mainframe computers at a fraction of the cost.

The king of mainframe computing, IBM, clearly understands and has responded to the changing role of the mainframe in banking. During the 50th Anniversary celebration of the mainframe in 2014, IBM rolled out its new vision of the mainframe as an uber-sized cloud server, allowing for the hosting of several thousand virtual machines at one time. Last summer, IBM upped the ante with the announcement of IBM LinuxONE Emperor, a z13-based server allowing for up to 8,000 virtual machines to be hosted on a single machine.

While banks have experimented with cloud services to varying degrees, most of the innovation has taken place at the channel services level, with new online and (particularly) mobile banking applications getting a technology refresh through the unique benefits of cloud services. While each bank will need to build its own business case for the gradual porting of COBOL-based account processing systems to modern programming languages that are "cloud-ready", it is clear that cloud-based account processing will allow the level of agility in product development that is increasingly called for as channel and payment systems continue to evolve.

Cloud-backed innovation in back office systems has been slow to develop, with many banks citing security and the fear of regulatory issues as inhibitors to adoption.  As the recent two-part Celent report Banking in the Cloud:  Between Rogues and Regulators establishes, regulators in fact do not have any objections to banks hosting their banking services in the cloud, provided that banks follow the same standard of care (including encryption, access controls, data masking, etc.) that they manage for in their own data center.

In time, I expect that the banking railroad will continue to follow the river of innovation that is now leading us directly into the age of cloud services. The proven yet inflexible COBOL-based systems that have served the industry reliably for 50 years will be replaced with agile and cloud-ready account processing platforms that will, over time, both reduce costs and drive the service quality improvements that banks will need to compete and survive in the increasingly competitive world of financial services.

Digital banking is ready to take off in Latin America

Digital is the new reality in Latin America. In a recent Celent survey, 100% of the participants recognized that a scenario where all financial products are digitized needs to be addressed sometime in the next 7 years, and 59% of them believe it needs to be addressed immediately. There is also a general consensus that most banks are entering digital late, although some are already moving in that direction. The threat of fintechs is also a reality: over 80 fintechs in Brazil and 60 in Colombia are a good indication that the industry is already being challenged beyond the incumbents.

In other geographies, banks have responded to this threat by becoming extremely digital, and neo-banks have been launched to attract those customers seeking a friendlier, more digital relationship with their financial institution. Atom Bank in the UK, Fidor Bank in Germany, and mBank in Poland are only a few to mention. In Latin America, the major milestones in digital development we had seen were Nubank (Brazil – Market Cap $500M) and Bankaool (Mexico – ~$142M in assets), until March of 2016, when Banco Original (~$1,67Bn in assets) launched in Brazil.

While Nubank is focused entirely on offering a credit card with a customer-friendly, personalized real-time view of expenses and modern contact channels (email, call or chat), Bankaool is mainly focused on a checking account with a debit card, SME loans and investment vehicles.

Banco Original is the 3rd step in the digital-only bank strategy in the region, becoming the 1st universal digital-only bank in Latin America. As part of its strategy to position itself as different and innovative, the bank launched an advertising campaign featuring Usain Bolt. Following a strategic decision in 2013, the bank started a ~$152M investment over a period of 3 years to become a digital bank. It launched in March of this year. The bank has no branches, and all interaction is through digital channels and a call center. This move was central to its strategy of becoming a universal bank, moving away from being solely focused on agribusiness.

While most neo-banks and fintechs looking to change the customer experience in financial services have adopted in-house development to support their digital strategy, this is not the case for Banco Original, which relied on a 3rd-party Open API solution. The availability of commercial solutions that can support a digital-only bank means that, as an industry, we are ready to take off. There is no reason now why other banks should not follow, and software vendors will do their part by pushing their offerings to banks of all sizes.

I believe that we are at a tipping point where banks in Latin America will need to re-think their investments and strategies towards digital: the threat is now real.

Two upcoming reports will cover digital and a couple of disruptive scenarios in the banking industry in Latin America, so expect more information soon if you are a Celent customer. If you would like to become a Celent customer, please contact Fabio Sarrico (fsarrico@celent.com).

Top trends in corporate banking webinar

Please join me on Thursday, April 21st at noon EST for an overview of the 2016 edition of our Top Trends in Corporate Banking report, which was published in March.

Corporate banks continue to place an enormous focus on investing in digital channels to meet the ever-increasing demands of clients for enhanced tools while boosting security and fraud prevention. Despite this investment, corporate banking has lagged in terms of adoption of innovative technologies. To improve that performance, corporate banking lines of business are undertaking a broad set of initiatives to overcome the inertia that has left clients behind in terms of innovation. Among the top trends, we will examine the opportunities in trade finance and customer onboarding for improving efficiency and enhancing client satisfaction. Other top trends include fintech partnerships, distributed ledger technology and open APIs, and adapting liquidity management strategies. I look forward to having you join us on Thursday!

Click here to register

Congratulations to Celent Model Bank 2016 Winners!

Last week many of us at Celent were in New York attending our Innovation and Insight Day on April 13th. It is Celent's flagship event during which we announce Model Bank and Model Insurer winners and celebrate their achievements. In addition, the program includes keynote speeches from industry leaders and Celent analysts, plenty of opportunities to network with peers, and even to experience some of the latest technologies first hand, courtesy of our sponsors.

The theme of this year's event was "Financial Services Reborn", and the Museum of American Finance on Wall Street provided an inspiring setting to celebrate innovation in financial services. Craig Weber, Celent CEO, kicked off the proceedings drawing insightful parallels between the battle of Alamo and the future of financial services. It must have been the first time in Craig's career that he had to come up on stage to the soundtrack of hip hop music, an extract from the Broadway musical "Hamilton", but it set the tone for the rest of the day – to expect the unexpected and to be open to new ideas.

Both of our guest speakers – Nadeem Shaikh, Co-Founder and CEO of Anthemis Group, and Leanne Kemp, Founder and CEO of Everledger – thrilled the audience and opened everyone's eyes to the opportunities presented by Fintech and Blockchain respectively, while our colleague Will Trout spoke eloquently about consumer-led convergence. A big 'thank you' to all the speakers, as well as the sponsors supporting the event!

The rest of the day was all about celebrating the achievements of Model Bank and Model Insurance award winners. As many of this blog's readers know, the vision for Celent’s Model Bank research, now in its ninth year, is to spotlight effective uses of technology in banking. This year we received a record number of submissions – well over 100 – that came from all over the world; the nominations were spread equally between North America, EMEA and APAC. The award winners come from four continents and nine countries and range from credit unions and microfinance institutions to the world's largest banks.

Celent Model Bank 2016 winners, by category, are:

  1. Digital Banking Transformation: Citizens Bank, US; DenizBank, Turkey; Garanti Bank, Turkey; Santander, US
  2. Omnichannel Banking: BECU, US; Beyond Bank, Australia; Standard Chartered Bank, Korea
  3. Digital Payments and Cards: Bank of America Merrill Lynch, US; RBC, Canada
  4. Corporate Payments and Infrastructure Modernization: Bank of China, China; CBW Bank, US
  5. Cash Management and Trade Finance: CIBC, Canada; HBL (Habib Bank), Pakistan
  6. Security, Fraud, and Risk Management: Alfa-Bank, Russia; USAA, US
  7. Legacy Transformation: Sberbank, Russia; Umpqua Bank, US; Vietnam Bank For Social Policies, Vietnam

  Model Bank of the Year: Eastern Bank, US

As always, we published a series of reports with detailed case studies of all winning initiatives. Celent research subscription clients can access the Model Bank of the Year and individual category reports via our website.

This year we also introduced a new award, Model Bank Vendor. We wanted to acknowledge the vendor role in helping multiple clients achieve technology or implementation excellence, one of our judging criteria, and to extend our appreciation to the entire vendor community, which is instrumental in the ongoing success of the Model Bank program. Celent recognized two companies as Model Bank Vendors for 2016:

  • EdgeVerve Systems
  • Nucleus Software

Congratulations to all our award winners! We are grateful to have been exposed to so many extraordinary initiatives and the talented individuals responsible for their success. We look forward to continuing with the Model Bank program next year to identify and award the most impressive banking technology initiatives from around the world, and will begin accepting nominations again in September – stay tuned!

The iPhone, the FBI, and the lessons for bankers

With today’s news comes the interesting development that the FBI has apparently used a “tool” acquired from an unnamed third-party white hat security firm to gain access to the locked iPhone of one of the San Bernardino shooters without requiring Apple’s cooperation.  This issue had been the subject of a recent tug-of-war between Tim Cook and the US Department of Justice.

While FBI Director James Comey has been mum on the details, some in the IT security community have speculated that the new tool employs a so-called “brute force attack” on the iPhone by sequentially guessing the device’s passcode until the device unlocks itself. While the lock-out feature is user-configurable, an iPhone running the current version of iOS will normally give the user 10 chances to input the passcode correctly before permanently locking the user out while deleting all user data from the device.

Cloud services to the rescue.  The speculation is that the newly acquired FBI tool was able to get around this measure by simply cloning the software from the perpetrator’s iPhone — including the operating system and all of the user data files — hundreds or thousands of times and performing what is effectively a “distributed brute force attack” by repeatedly guessing passcodes from a master checklist across the clones in parallel.  When an individual clone became locked, that clone is discarded and the tool continues the guessing game with other clones on a reduced list of candidate passcodes until one of the guesses finally works.

The likely reason why the FBI has apparently succeeded is the fact that the perpetrator’s passcode was static, meaning it didn’t change during the course of the many times that the FBI tried one guess after another.  (In this context, it was important that the perpetrator was caught, as otherwise  he would have changed his passcode and/or wiped the data remotely, a capability that Apple provides to all iPhone users.)

What does this have to do with banking security? As demonstrated by the success of the FBI’s new white hat tool in breaking Apple’s device security, the simple reality of data protection is that no encryption technique is foolproof, particularly against the threat of a brute force attack.

Given the power of the cloud to solve a large computational problem like guessing a large encryption key using a cloud-based “divide and conquer” approach, bankers need to pay attention to the need to employ strong encryption keys while rotating their keys on a regular basis.

The definition of “regular basis” will depend on the sensitivity of the data to be protected, but one thing is for sure: the bank that creates an enterprise encryption key once and thinks the bank is protected forever is dangerously vulnerable to a future cyber attack based on a distributed brute force technique such as the one that was quite possibly used by the FBI’s white-hat vendor.

Given the importance of encryption to maintaining a safe and FFIEC-compliant environment for the safekeeping of NPI, and especially in light of the emergence of services like Blockchain that are dependent on encryption for success, banks ought to be paying close attention.
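The key-lifecycle discipline the post calls for, as an added example rather than anything from the post or a vendor: a key ring that keeps every version still needed for decryption, tags each stored record with the version that protects it, re-encrypts stale records after a rotation, and only then retires the old version, so a rotation never needs a flag day and an old key's exposure window ends when it is retired. It uses only the Python standard library, so HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for an AEAD cipher such as AES-GCM; the record layout, function names and sample record are this example's own assumptions.

```python
"""Versioned key ring with rotation and re-encryption (added example, stdlib only)."""
import hashlib
import hmac
import secrets
import struct

# Constructed record layout (this example's own):
#   version (4 bytes, big-endian) | nonce (16) | ciphertext | tag (32)
NONCE_LEN = 16
TAG_LEN = 32


class KeyRing:
    """Holds every key version that can still decrypt data; exactly one is current."""

    def __init__(self):
        self.keys = {}     # version -> 32-byte random key
        self.current = 0   # version used for all new encryptions

    def rotate(self):
        """Create a new random key version and make it current; old versions stay for decrypt."""
        self.current += 1
        self.keys[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version):
        """Drop a version once every record has been re-encrypted away from it."""
        if version == self.current:
            raise ValueError("cannot retire the current key version")
        del self.keys[version]


def _subkeys(key):
    # Split the version key into separate encryption and MAC keys (HKDF-style label split).
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a PRF keystream: a standard-library stand-in
    # for AES-GCM so the example runs offline. Use a vetted AEAD in production.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(ring, plaintext):
    """Encrypt under the current key version; the version travels with the record."""
    version = ring.current
    enc_key, mac_key = _subkeys(ring.keys[version])
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = struct.pack(">I", version) + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return header + ciphertext + tag


def key_version(record):
    return struct.unpack(">I", record[:4])[0]


def decrypt(ring, record):
    """Verify the tag with the version named in the record, then decrypt."""
    version = key_version(record)
    if version not in ring.keys:
        raise KeyError(f"key version {version} has been retired")
    enc_key, mac_key = _subkeys(ring.keys[version])
    header, body, tag = record[:4 + NONCE_LEN], record[4 + NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: record altered or wrong key")
    nonce = header[4:]
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def reencrypt_stale(ring, records):
    """Rotation step 2: bring every record under the current version so old ones can be retired."""
    return [r if key_version(r) == ring.current else encrypt(ring, decrypt(ring, r)) for r in records]


if __name__ == "__main__":
    ring = KeyRing()
    ring.rotate()
    vault = [encrypt(ring, b"account 12345 balance 100.00")]  # constructed sample record
    ring.rotate()                      # scheduled rotation: new data now uses version 2
    vault = reencrypt_stale(ring, vault)
    ring.retire(1)                     # version 1 no longer protects anything
    print(decrypt(ring, vault[0]))
```

In a bank the version keys would be generated and held in an HSM or KMS rather than in process memory, and the re-encryption pass would run as a batch job against the data store; the version tag on each record is what lets that pass run gradually while both old and new keys remain available.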