Miller Solutions

TSB Computer Meltdown – Problems Nearly 2 Weeks On

Customers of TSB are reportedly still experiencing difficulties with internet and mobile banking services nearly 2 weeks after problems first began.

What Happened?

TSB, which was acquired by Spanish bank Sabadell in 2015, tried to fully migrate its computer systems from its old Lloyds Bank systems to its new core banking system, known as Proteo4UK. Proteo4UK is basically a version of Sabadell’s in-house core banking platform Proteo which has been designed for TSB.

The system had already been rolled out to staff in November 2017, and the full rollout to customers was also supposed to have happened in November, but it was put back until April to avoid potential confusion around the expected interest rate rise.

Why Migrate?

The expected benefits behind TSB’s decision to migrate were cost savings through not having to pay £160 million per year to Lloyds Bank for hosting, and the opportunity to be able to implement its own customer-facing systems offering digital banking services.

TSB had already launched a mobile app for Android and iOS devices to enable customers to use banking services via the new system in a convenient way, and was in the process of offering iPhone X users the opportunity to use their faces as identification.

Meltdown

Unfortunately for 1.9 million TSB customers, the bank staff, and TSB’s reputation, the migration did not go to plan and resulted in what some commentators have described as a ‘meltdown’ of its banking systems.

Some of the problems experienced by customers have included not being able to access their own money, no access to any mobile and online services, problems with direct debits, and amounts of money appearing and disappearing. It was even reported that one customer was mistakenly credited with £13,000. TSB has also been deluged, understandably, with complaints, with TSB staff facing hostility, and the reputation of the bank taking a battering in the media.

Response

Several apologies later, and even though TSB’s CEO Paul Pester announced in a BBC Radio 4 interview that he would take direct control of the bank’s platform, and that he had drafted in a team of global experts from IBM, and although the mobile app is now reportedly fixed, some customers are still reported to be experiencing problems. Some have appeared in TV news reports telling of their experiences and of their fears that important bills may not have been paid as a result of the system’s problems.

Treasury Committee Wants Answers

Executives from TSB and parent company Sabadell have been asked to appear before MPs to respond to questions and give evidence to the Treasury Select Committee on Wednesday 2nd May over the ongoing IT system outage.

What Does This Mean For Your Business?

It is well known that many banks run on old systems which have led to glitches in the past (e.g. customers not being able to access their money) and have been the cause of worries about security. The case of TSB illustrates how the company had good commercial intentions as a challenger bank in migrating its systems to reduce costs and meet the modern customer’s digital expectations, but ended up creating a PR disaster for itself. It is thought that the problems could cost the bank millions in lost customers, compensation, and damage to the brand.

Some commentators have criticised the bank for mismanaging the migration and for focusing too much on creating fancy apps rather than focusing on just getting the migration to happen as smoothly as possible.

It has also been suggested that, if joining or switching to a new bank, customers could do worse than to ask their proposed new bank what their plans are in terms of core banking platforms, whether they have any major IT projects planned, and how up to date the core banking system is.

The problems with TSB’s banking systems will undoubtedly have impacted many businesses as customers were unable to access funds or to spend as they normally would, or to pay existing agreements, and this all adds up to extra costs, reduced profits, and stress for business owners.

This story is also a reminder to businesses that unforeseen and potentially costly IT problems can happen, particularly with cyber-crime activity, and that having a good Business Continuity Plan and Disaster Recovery Plan is important.

Tech Tip – Checking Your Facebook Connected Apps

In the light of the Facebook and Cambridge Analytica scandal, where a quiz app was used to share personal details without the consent of users, you can take action to boost your own security by checking which connected Facebook apps you have. Here’s how:

– Log into Facebook.
– Pull down the toggle/arrow at the right top of the Facebook screen to reach the account details.
– Choose ‘Settings’ from the list.
– On the General Account Settings page, scroll down and select ‘Apps and Websites’ in the left-hand menu.
– The next page shows the Facebook applications that have been given account access, e.g. fun apps and productivity apps (e.g. Hootsuite).
– If you’re not happy about a particular connected app having access, you can remove the app entirely by checking the box to the right and selecting ‘Remove’.
– If you select one or more apps and click remove, another dialog box will be shown with an additional checkbox option referring to previous activity e.g. prior posts made using the app.
– Once removed, an app or website will no longer have access to your information, yet they may still retain previously shared information.

GDPR: Don’t Get Caught Out By Your Logfiles

With all the focus on the more visible elements of GDPR compliance ahead of the Regulation’s introduction on May 25th, one EU working group is warning businesses not to forget what is stored in the logfiles of their Internet-facing servers.

What Are Logfiles and Why Should We Care?

Logfiles record either events that occur in an operating system or other software, or messages between different users of communication software.

As well as being useful to an organisation, e.g. for providing clues about hostile activity affecting the network from within and without, and for providing information to identify and troubleshoot equipment problems, logfiles on Internet-facing computers can also potentially provide information to hackers and cyber-criminals that could compromise your system and data security.

Report Suggestions

A draft report by the Internet Engineering Task Force’s Internet Area Working Group (IETF’s INTAREA) says that changing data regulations have meant that what were established best practices have now become poor practices. The draft, therefore, offers a checklist as a set of updates to RFC6302 designed to help plug this potential GDPR compliance black spot. The “Recommendations for Internet-Facing Servers” draft suggests that sysadmins adopt a data minimisation approach to configuring their server logs, and suggestions include:

  • Full IP addresses should only be stored for as long as they are needed to provide a service.
  • Logs should only include the first two octets of IPv4 addresses, or the first three octets of IPv6 addresses.
  • Inbound IP address logs shouldn’t last longer than three days, because that lets logging cover a weekend before it’s flushed.
  • Unnecessary identifiers should not be logged, e.g. source port number, timestamps, transport protocol numbers, and destination port numbers.
  • The logs should be protected against unauthorised access.

It should be said that any legally-mandated logging, e.g. to comply with local telecommunications data retention laws, isn’t covered by the draft.
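As an added example (not code from the IETF draft or from the original article), the following Python script applies three of the checklist items above to constructed web-server log lines: it truncates client addresses to the first two octets (IPv4) or first three octets (IPv6) as stated, drops the client source port, and discards entries older than three days. The log format, the sample lines and the reference time are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an Apache "combined"-style format with the client
# port appended to the client address (as a LogFormat of "%a:%{remote}p ..."
# would produce); IPv6 addresses are bracketed so the port can be split off
# unambiguously. These lines are made up for this example, not from a real server.
SAMPLE_LOG = """\
203.0.113.45:51234 - - [28/Apr/2018:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 5120
[2001:db8:85a3::8a2e:370:7334]:40022 - - [25/Apr/2018:23:59:59 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.7:62001 - - [30/Apr/2018:11:30:00 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Settings taken from the draft summary above: keep two octets of an IPv4
# address, three octets of an IPv6 address, and keep inbound address logs for
# no more than three days.
RETENTION = timedelta(days=3)
V4_KEEP_OCTETS = 2
V6_KEEP_OCTETS = 3

# Reference "now" for the demo run (an assumption, so the sample ages are fixed).
DEMO_NOW = datetime(2018, 4, 30, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'^(?P<addr>\[[^\]]+\]|[^\s:\[]+):(?P<port>\d+)\s+'  # client addr:port
    r'(?P<ident>\S+)\s+(?P<user>\S+)\s+'
    r'\[(?P<ts>[^\]]+)\]\s+'                            # [dd/Mon/yyyy:HH:MM:SS +zzzz]
    r'(?P<rest>.*)$'                                    # request, status, size
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def truncate_ip(addr: str) -> str:
    """Zero the host part of an address, keeping only the leading octets."""
    ip = ipaddress.ip_address(addr.strip("[]"))
    keep_bits = 8 * (V4_KEEP_OCTETS if ip.version == 4 else V6_KEEP_OCTETS)
    net = ipaddress.ip_network(f"{ip}/{keep_bits}", strict=False)
    return str(net.network_address)


def minimise_line(line: str, now: datetime):
    """Return the minimised line, or None if it is past retention or unparseable."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    if now - ts > RETENTION:
        return None  # older than three days: flush rather than rewrite
    # The source port is dropped entirely; the timestamp is kept here only so
    # that the retention window can be applied (an assumption of this example).
    return (f'{truncate_ip(m.group("addr"))} {m.group("ident")} {m.group("user")} '
            f'[{m.group("ts")}] {m.group("rest")}')


def minimise_log(text: str, now: datetime) -> list:
    """Minimise every line of a log text, dropping expired or unparseable lines."""
    return [out for out in (minimise_line(ln, now) for ln in text.splitlines()) if out]


if __name__ == "__main__":
    for out in minimise_log(SAMPLE_LOG, DEMO_NOW):
        print(out)
```

On the sample input the 25 April entry is discarded as over three days old, and the two remaining lines come out with `203.0.0.0` and `198.51.0.0` in place of the full client addresses and no port.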

Cookie Consent Pop-Ups

We are all used to seeing cookie consent pop-ups when we arrive at websites, but the “implied consent” website owners have assumed existed once people clicked “I Agree” to cookies may no longer apply under GDPR. This is because GDPR is consent specific, and there is no way “implied consent” can get you water-tight compliance. What this means is that cookie consent pop-ups may soon be on legally shaky ground when it comes to GDPR compliance.

What makes this issue more complicated is the fact that the EU had intended to publish an updated ePrivacy Regulation, with the commencement of GDPR, to relax the cookie popup requirements, but didn’t do so. This means that data privacy rules on this matter will be governed by the old ePrivacy Directive and GDPR at the same time, with GDPR having the precedence.

What Does This Mean For Your Business?

This story shows that, with GDPR just around the corner, some of the finer areas of compliance are starting to come under the spotlight. Yes, data protection, data security and privacy are the responsibility of all of us, not just the ‘technical people’, but when it comes to dealing with server logs there is clearly a need for a technical focus to ensure all-round compliance. Hackers, by nature, are generally technically proficient, and can employ multi-level and sophisticated attack techniques. It makes sense, therefore, for companies to plug known technical weak spots such as those highlighted in this draft.

The cookie consent pop-up issue highlights the complicated area of consent that many companies have anticipated with the introduction of GDPR. The important point to remember is that GDPR is consent specific. Consent can’t simply be implied, and consent must also be unambiguous, informed, a statement or clear affirmative action, and freely given. Also, under GDPR, a data subject has the right to withdraw their consent at any time.

Martin Lewis Fights Facebook In Court

MoneySavingExpert’s (MSE) founder and TV consumer champion Martin Lewis (OBE) has commenced UK High Court proceedings against Facebook to sue the tech giant for defamation over a series of fake adverts bearing his name.

What Happened?

Mr Lewis alleges that 50 fake ads bearing his name appeared on the Facebook social media platform over the space of a year, and that the fact that the ads were not from him, and could (and in some cases did) direct consumers to scammer sites containing false information, may have caused serious damage to his reputation, and did cause some people to lose money.

Mr Lewis prepared for the first day of the court action against Facebook (on Monday 23rd April) by giving an interview to BBC radio explaining why he was taking the action, and offering to stop the court action altogether if Facebook ‘took responsibility’ for what he believes were its damaging actions against his reputation.

It is alleged that the adverts featured Mr Lewis’s face alongside endorsements that Mr Lewis says that he did not make. Mr Lewis has publicly stated many times that he does not appear in any adverts, therefore, any advert bearing his name must be a fake.

Long Fight

Mr Lewis has stated in a press release about the case that he has been fighting to stop the adverts from appearing on Facebook over the last year and that, even when they were reported to Facebook, many of the ads were left up for days or weeks, and when they were taken down, scammers were able to launch new, nearly identical campaigns very soon afterwards.

Mr Lewis is personally suing Facebook (not on behalf of MSE), and has published details of the legal action on the MSE website, saying “I will issue high court proceedings against Facebook, to try and stop all the disgusting repeated fake adverts from scammers it refuses to stop publishing with my picture, name and reputation.”

Mostly ‘Get-Rich-Quick Schemes’

The fake adverts are reported to have been mostly for ‘get-rich-quick schemes’ e.g. titled ‘Bitcoin code’ or ‘Cloud Trader’, which are reported to be fronts for binary trading firms based outside the EU. Martin Lewis has stated online that binary trading is a financially dangerous, near-certain money-loser, which the regulator the Financial Conduct Authority (FCA) strongly warns against.

Not For His Own Financial Benefit

Although Mr Lewis has said that he is seeking exemplary and substantial damages, he has said that this is because he wants to show Facebook that they can’t just pay damages as a kind of cost of business and then simply “carry on regardless”.

Mr Lewis has said that any money he does receive in damages from the court case will go not to him, but to anti-scam charities.

What Does This Mean For Your Business?

This case is compelling for many reasons. Firstly, it appears clear from what Mr Lewis has said publicly about his side of things that the fake adverts are bound to be damaging to a person whose public role is to fight for consumer rights, and is reported to have been damaging to other innocent victims of the scam ads e.g. the lady who reportedly had over £100,000 taken from her by the ad scammers. It’s in everyone’s interest that the activities of scammers are stopped.

Secondly, it will be interesting to see how successful Martin Lewis personally will be in taking on a rich tech giant that some commentators see as behaving almost as though it were above the law of some of the countries it operates in. Since Martin Lewis is a consumer ‘champion’ and influencer when it comes to many financial products, it is likely that he will have a great deal of public sympathy and media attention, which could give him extra bargaining power.

Thirdly, one key aspect of this case is which businesses Facebook is actually in rather than what business it thinks it’s in. For example, Mr Lewis is arguing that Facebook claims to be a platform not a publisher – and yet the problem has arisen not just from posts on a web forum, but from Facebook being paid to publish, promulgate and promote what may be fraudulent enterprises i.e. acting like a publisher. If Mr Lewis wins the case, it may be that Facebook will need to re-examine whether or not it now has to see itself as a publisher, and may be forced to change its system.

WhatsApp Raises Age To 16 For GDPR

Facebook’s WhatsApp messaging service is raising its minimum age in Europe to 16 to comply with GDPR which comes into force on May 25th.

Was 13

Up until now, the minimum age has been 13, and that minimum age will remain for the rest of the world, in line with its Facebook parent company. WhatsApp, founded in 2009, has an estimated 1.5 billion users.

Just Asking

Users will be asked to confirm their minimum age by the new WhatsApp Ireland Ltd in the next few weeks, when they will be prompted to agree to new terms of service and a privacy policy. Some critics have pointed out that even though users will be asked if they are 16 or over, it is unclear from the information that the service holds about users how their age can be accurately checked and verified and, therefore, how the new rule can be enforced.

Based on US Law Until Now

The age 13 limit up until now has been based upon the US law “Children’s Online Privacy Protection Rule” (Coppa), which bans online services from collecting personal information about younger children. This is why the usage of many other popular social media apps, e.g. Snapchat, YouTube, Instagram, Pinterest, Twitter, Musical.ly and Reddit, is restricted to persons aged 13 and over.

WhatsApp’s parent company Facebook faced criticism after announcing last December that it would be targeting younger children with its ‘Messenger Kids’ service. At the time, Facebook’s primary (stated) motive for the new junior version of its platform was to provide a safer, more age-appropriate version, but some tech and business commentators suggested that it may also be an ideal way for Facebook to recruit its next generation of users, and to capture the attention of 6 to 12-year-olds before Snapchat or a similar social network competitor.

Collecting and Sharing Information

The recent Facebook and Cambridge Analytica scandal has brought the matter of collecting and sharing of our personal data into sharp focus. WhatsApp, however, has said that the new changes do not mean that it will be asking for any new rights to collect personal information in the agreement it has created for the European Union. WhatsApp says that the goal of the change is simply to explain how they use and protect the limited information they have about users.

As well as the age restriction change, WhatsApp is also rolling out a feature with the latest version of the app that allows users to download a report detailing the data that WhatsApp holds on them, e.g. the make and model of the device they used, their contacts, their groups and any blocked numbers.

Facebook Nominate

Facebook is also updating its data policy to comply with GDPR, which involves asking 13- to 15-year-old users to nominate a parent or guardian to give permission for them to share information on the platform. If they will not or cannot do so, the young users will not be able to see a fully personalised version of the social media platform.

Also, Facebook’s Instagram is launching a data download tool to provide users with a file containing the photos, comments, archived stories, contacts and any other personal data that they’ve posted to the service in the past.

Twitter Too

Twitter Inc is also changing its privacy policy so that users can view the information they share with the micro-blogging service and see how it is being used, ahead of the introduction of GDPR. Twitter has said that the changes are to make the privacy policy visually clear and easy to use, and to clarify legalistic or technical language.

What Does This Mean For Your Business?

This story is another clear reminder that the introduction of GDPR is just around the corner, as the tech giants, who have more to lose in fines, potential lost customer numbers, and serious reputational damage, make the necessary legal moves to ensure compliance. Facebook especially has faced some very high profile bad publicity this year over its handling and sharing of personal data, so getting its GDPR compliance house in order may be a way to help avoid any further problems.

There is also a very serious ethical element to this story. It is estimated that Facebook has 20 million under-13-year-olds currently using the network, and there may also be a very large number of children using WhatsApp. Parents may understandably have serious concerns about what content children can have access to and, equally importantly, who can have access to children via social networks. Unsuitable material, commercialisation, bullying (or predatory behaviour by some adults) are just some of the issues to consider.

As well as these concerns, governments (such as the UK) are looking to stop end-to-end encryption in WhatsApp, GDPR is just around the corner, Facebook is now facing more tough questions about its Cambridge Analytica links, Martin Lewis (OBE) is taking Facebook to court for defamation and calling for Facebook to take responsibility for its actions … the pressure is now seriously on big social media platforms to make some changes, particularly where EU users are concerned.

Half of UK Manufacturers Hit By Cyber Attacks

A new report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI) shows that 48% of UK manufacturers have been subject to a cyber-security incident at some time.

Loss and Disruption

Half of those manufacturing companies who admit to being hit by cyber-criminals have said that the incident(s) caused financial loss or disruption to business.

Challenges

The report highlighted several key challenges that the manufacturing industry faces in making itself less vulnerable to cyber-criminals. These challenges include:

  • The age of equipment and the networked nature of production facilities. Many industrial systems are up to 20 years old and were developed before cyber threats became a big issue. As a result, poorly protected office systems, often the first implemented historically within manufacturing businesses, are particularly vulnerable. Also, a networked building, such as many manufacturing sites, can be hacked and exploited.
  • Many manufacturing companies hold a large amount of classified information e.g. intellectual property (IP) and trade secrets, which makes them targets for (for example) financially motivated, state-sponsored hackers.
  • Having no idea of the nature and size of the risks. 41% of manufacturing companies don’t believe they have access to enough information to assess their true cyber risk, and 12% of manufacturers admit they have no technical or managerial processes in place to even start assessing the real risk.
  • A lack of basic detection that a cyber attack is taking place / has taken place, and a lack of investment in training i.e. 34% do not offer cyber-security training.
  • Feeling that they are not equipped to tackle the risk anyway. For example, 45% are not confident they are prepared with the right tools for the job.
  • A lack of confidence. Although 91% of the 170 UK manufacturing businesses polled are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.

What Does This Mean For Your Business?

For manufacturing businesses facing the very real threat of sophisticated, multi-level attacks, now is not the time to be left with a vulnerable, outdated system. Advice from the report includes following the advice of the Government-backed ‘Cyber Essentials’ scheme. This includes the 5 security essentials:

  • using a firewall to secure your Internet connection;
  • choosing the most secure settings for your devices and software;
  • controlling who has access to your data and services;
  • protecting yourself from viruses and other malware by using antivirus software, only downloading apps from manufacturer-approved stores, or running apps and programs in an isolated environment;
  • continually ensuring that operating systems and software are up to date and running the latest security patches.

Clearly, manufacturing companies with old systems may need to bite the bullet and invest in more modern, digitised, and well-protected systems. The report also indicates that greater investment in staff training is needed to help them spot and deal with risks, and to avoid the kind of human error that many modern cyber-attacks rely on, e.g. malware / viruses sent by email, phishing, and other social engineering attacks.

Another opportunity for manufacturing companies to boost cyber-security could also come from cyber-insurance. For example, many cyber insurers offer a comprehensive package of pre-loss services to businesses to carry out a cyber health check which could help to highlight gaps in cyber risk management and help identify what security measures should be prioritised.

New Google ‘Chat’ SMS Message Replacement Rollout Begins

Google has begun the rollout of ‘Chat’, the messaging service that, it is hoped, will replace SMS text messages on Android phones, and bring it into the same ballpark as WhatsApp and Apple’s iMessage.

What’s The Problem?

The SMS messaging system for Android phones has suffered over many years from being simply a succession of poorly supported, different apps all using the same basic Short Message Service (SMS) from the 1990s to send text messages over a mobile network. The result has been that none have been particularly popular among Android users, who have been envious of the simplicity and ease of other messaging services, e.g. on the iPhone, that have better features and send messages over the internet instead of using SMS.

New System, New Features

The solution to the problem for Google has been to take many years to develop a whole new messaging system that is based on a standard called the “Universal Profile for Rich Communication Services” (RCS), instead of simply making another app, which allows Android users to send messages and image files over a data network.

The new ‘Chat’ service offers many more features such as group texts, videos, typing indicators and read receipts. Since RCS is a communications standard, it will be up to mobile operators to enable the service, but Android will still have SMS to fall back on anyway.

Carrier-Based Service

Chat is a carrier/network-based service (i.e. not a Google-based service), so one of the key ways that Google has gone about making sure that Chat will work is to try to convince as many carriers as possible to take the new standard, and make the Chat services interoperable between carriers.

If you text someone who doesn’t have Chat enabled, or who is not an Android user, your messages will revert back to SMS, in the same way that an iMessage does.

It is thought that Google has done enough work with 50+ carriers to ensure that most of them will enable the use of the Chat service this year, which is handy since the global rollout by Google is already underway.

Au Revoir ‘Allo’

Another indicator of Google’s commitment to getting Chat ‘out there’ is the pausing of its work on its ‘Allo’ messaging service.

Data Plan Instead of SMS

Since Chat messages will be sent over the data network i.e. sent with your data plan instead of your SMS plan, it is expected that charges for messages could be less, although this will be up to the networks.

Security Flaw

One flaw in the Chat service could be the fact that messages are not encrypted, and could, therefore, be a security risk if intercepted.

What Does This Mean For Your Business?

Business and individual users of Android will be pleased to hear that at last there may be a messaging service that is built-in, allows plenty of modern functionality, and is up there with competing services e.g. WhatsApp and iMessage.

Hopefully, the main networks will support the service as soon as possible, and with messages being sent over the data network the hope is also that costs for the service could be kept at a very reasonable level (depending on the network).

The one question mark for many users may, however, be the lack of encryption of the messages, especially at a time when data security is at the forefront of their mind with the introduction of GDPR next month.

Tech Tip – Send Different File Types With WhatsApp

These days, many of us use the WhatsApp messaging service as part of our business communications. Thanks to functionality introduced last year, you can now send multiple file types, e.g. APKs, Zip and RAR files, using WhatsApp. Here’s how:

– Open your WhatsApp chat thread and tap the Attachment icon.
– Tap on Document from the list of the options.
– Select your file and send it.
– This sends the file in its original size, thereby keeping the quality.
– If you select Gallery in the WhatsApp attachment option, it compresses the size of media (but this can adversely affect its quality).

Top 10 Security Risks – Are you safe?

1. Check your bank statement on a regular basis. Many indicators of cyber fraud can be found early on from a bank statement; look for small, seemingly insignificant transactions.

2. Change all your financially related passwords, including PayPal, Amazon, eBay, bank logins and ANY site that may store credit card details, and ensure they are unique.

3. Take 15 minutes and review your logins with a particular emphasis on creating effective passwords. A password should not be a word but a phrase containing capitals, symbols and numbers. Your password for each application or site needs to be unique. We recommend ideally generating a password using a password management tool such as LastPass or RoboForm.

4. Check that your operating system and applications are up to date on your devices. This includes your desktop computer, phones and tablets.

5. DO NOT TRUST your email. Even if you know the sender, please do NOT click any links or open any attachments unless you are 100% certain of their content.

6. Vet your applications: do you really need Java and Flash, and do you use them? If not, remove them; streamlining your OS reduces your attack surface.

7. ALWAYS run updates from a legitimate source. If you are unsure, go to the developer’s website and check yourself.

8. Do not trust ‘fake’ antivirus alerts such as XPAV, Windows Security or Mac Defender etc. We recommend and install ESET for our customers, therefore you should only trust these notifications. However, if you use an alternative antivirus and are in doubt, please do not hesitate to contact us.

9. Social networks are great fun, but treat them with respect. Honestly, Apple do not need to give away iPads because the cellophane is ripped!

10. If in doubt, give our Support Team a call on 01246 266 039.