Please go to my new blog at Transforming Finance

Big boost for alternative lenders

The government is planning £100m in funding for alternative lenders, including new internet finance firms.

It is part of £500m being made available to small and medium sized firms through the government’s Business Finance Partnership.

So-called peer-to-peer lenders are expected to be big beneficiaries. They use the internet to match businesses with investors who have money to lend.

http://www.bbc.co.uk/news/business-18273739

Business travel: Keeping mobile roaming headaches at bay

With summer holidays coming up and international roaming data at £1 for 1MB – that’s one email with an attachment – it’s time for drastic action.

http://www.bbc.co.uk/news/business-14129868

Gagging for IT

I can’t comment on what someone who can’t be said to be a banker was up to when the Crunch hit. The buzz when Twitter user @injunctionsuper spilled the beans was mainly around the celebrities named.

@Ruskin147 – Rather weird that Twitter has been alive with super-injunction details for weeks – but one new account with inaccurate reports is news

@DorothyKing – If we’re not “allowed” to know who has a #superinjunction how do we know who not to discuss? Goldsmith? Ryan Giggs? Fred Goodwin? Branson?

@TheSpacePope – Anyone think @injunctionsuper got one wrong deliberately to allow trad media to be able to report the story? #superinjunction

However, less was said about the conduct of those at the helm of an industry whose collapse cost the UK taxpayer £1 trillion – perhaps because they have deeper pockets. But even a “contra mundum” super-injunction cannot redact the internet rumours altogether.

But I can’t say anything.

Except to point out that sometimes even recent history repeats itself:

http://www.telegraph.co.uk/news/uknews/1573557/Northern-Rock-chief-had-affair-before-collapse.html

Adobe’s name is mud

More is coming out about the loss of the “keys to the Kingdom” at RSA.

For a great discussion of this and other security topics, follow the Security Now! podcast and its archive at GRC.com.

In short, a user just opened a spreadsheet.

A small group of RSA employees received a targeted spear-phishing email, which was intercepted and moved into their spam folders.

Steve Gibson continues:

But one of the employees in one of these small groups looked in her junk mail folder, and the email was titled “2011 Recruitment Plan.” And she opened the email, and there was an attachment, 2011 Recruitment Plan.XLS, making it a Microsoft Excel spreadsheet. That she opened, and that allowed a Flash movie, an Adobe Flash file that was embedded in the spreadsheet with an at-that-time unknown exploit, a zero-day flaw which Adobe has since patched, that allowed it to run. And that installed a well-known trojan which is freely available on the Internet called “Poison Ivy.” It’s a so-called RAT, an R-A-T, a Remote Administration/Access Tool/Toolkit trojan, which then phoned home, that is, it called outwards from her machine to a remote server that gave bad guys essentially the ability to do anything that she could do from her machine, they could do. And that’s all it took. That was their foothold in RSA. And the rest, as they say, is history…
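The chain Gibson describes – an Excel attachment carrying an embedded Flash object that exploits the player – is something a mail gateway or an analyst can look for without knowing the particular zero-day, because a SWF stream has a recognisable header wherever it is embedded. The scanner below is an added example written for this page, not RSA’s, Adobe’s or GRC’s code. The carrier blob it scans is constructed (the real attachment is not available here), and the upper bound it puts on the SWF version byte is an assumption.

```python
"""Added example: scan an Office/OLE blob for an embedded Flash (SWF) object.

Illustration code written for this page. The sample document is constructed;
the version bound in _header_plausible is an assumption.
"""
import re
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian length
# of the *uncompressed* file.  FWS = plain, CWS = zlib-compressed body
# (SWF 6+), ZWS = LZMA-compressed body (SWF 13+, later than this page).
SWF_MAGIC = re.compile(rb"FWS|CWS|ZWS")
HEADER_LEN = 8


def _header_plausible(sig, version, length, available):
    """Cheap checks that weed out the three letters appearing in ordinary text."""
    if not 1 <= version <= 50:          # assumed bound; SWF versions are small integers
        return False
    if length < HEADER_LEN + 2:         # room for at least a RECT and an End tag
        return False
    if sig == b"FWS" and length > available:
        return False                    # uncompressed file claims bytes that are not there
    return True


def _zlib_body_matches(body, expected_len):
    """For CWS the body must inflate cleanly to exactly (length - 8) bytes.
    Trailing bytes after the zlib stream are ignored (they land in unused_data)."""
    try:
        inflated = zlib.decompressobj().decompress(body)
    except zlib.error:
        return False
    return len(inflated) == expected_len


def find_embedded_swf(data):
    """Return a dict per plausible SWF header found anywhere in data."""
    hits = []
    for match in SWF_MAGIC.finditer(data):
        off = match.start()
        if off + HEADER_LEN > len(data):
            continue
        sig = data[off:off + 3]
        version = data[off + 3]
        (length,) = struct.unpack_from("<I", data, off + 4)
        if not _header_plausible(sig, version, length, len(data) - off):
            continue
        if sig == b"CWS" and not _zlib_body_matches(data[off + HEADER_LEN:], length - HEADER_LEN):
            continue
        hits.append({"offset": off, "signature": sig.decode("ascii"),
                     "version": version, "length": length})
    return hits


def build_swf(version=10, compressed=True):
    """Build a minimal, structurally valid SWF for the constructed sample.

    Body: RECT for a 100x100-twip stage (5 bytes), frame rate 12.0 as 8.8
    fixed point, frame count 1, a ShowFrame tag (code 1, length 0), End tag.
    """
    body = (bytes.fromhex("4003200320") + b"\x00\x0c" + b"\x01\x00"
            + b"\x40\x00" + b"\x00\x00")
    length = HEADER_LEN + len(body)
    sig = b"CWS" if compressed else b"FWS"
    payload = zlib.compress(body) if compressed else body
    return sig + bytes([version]) + struct.pack("<I", length) + payload


# Constructed stand-in for a booby-trapped .xls: the OLE2 magic, padding,
# a decoy "CWS" inside ordinary cell text, then a real compressed SWF.
SAMPLE_DOC = (
    bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 64
    + b"The CWS is a word in this sheet. " + b"\x00" * 16
    + build_swf() + b"\x00" * 32
)

if __name__ == "__main__":
    for hit in find_embedded_swf(SAMPLE_DOC):
        print("SWF %(signature)s v%(version)d, %(length)d bytes at offset %(offset)d" % hit)
```

Real OLE files store streams in 512-byte sectors, so an embedded object may be split; a production scanner would walk the OLE directory and scan each reassembled stream rather than the raw file. Requiring that a CWS body inflates to the declared length is what keeps the letters “CWS” in ordinary text from being reported.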

The incident highlights two major security issues.

Firstly, however much you warn people not to open attachments from sources they don’t know, the hackers will always come up with something so tempting – such as the promise of video of a tennis star – that someone, somewhere, will just have to open it. In RSA’s case the lure was good enough to be fished back out of the junk folder. And it only takes one. That’s social engineering!

The second is equally challenging to solve.

Adobe have rightly earned their place on every desktop, laptop, tablet and smartphone (except for Flash on Apple iOS!) by providing software for rich media.

A PDF document will always display as it would appear on the printed page, but it can extend well beyond that to include video, links and forms. When filing my company return earlier in the year, I downloaded a PDF from Companies House and filled it in. The PDF itself validated my return and then transmitted it with the click of a button. Most useful when you have four hours left before the filing deadline; but note what that means: a “document” running code and talking to the network.

No multimedia or social networking site would survive now without Adobe Flash video. Celebrating the Royal Wedding, I am sitting with the live YouTube stream courtesy of Flash, and even the programme with animated page turns.

However, to provide this rich media the Adobe software has system powers far beyond what you would expect of “reader” or “player” software. And the Adobe software is cross-platform, common across browsers (Internet Explorer, Firefox, Chrome, Safari, Opera) and operating systems (all versions of Windows, Mac OS, Unix), so one exploit reaches almost everyone and the products are a big target.

My Adobe Reader has 21 plug-ins from a vanilla installation, allowing internet access, sending mail, reading out loud, updating, and the Adobe EScript plug-in “that allows PDF documents to take advantage of JavaScript”.

Right-click on any Flash content and look at the settings. Flash can access your hardware, including the microphone and the webcam, and it can write a file anywhere the user can, which is all the installation of malicious software requires.

Adobe are belatedly patching vulnerabilities, and seem to be giving up on their lethargic quarterly update cycle. Adobe Reader X (I’m not sure if that’s an “ex” or a “ten”) is starting to introduce a sandbox to isolate the reader from the rest of the operating system.

So what can be done to avoid these vulnerabilities?

  • You can remove add-ins and features you don’t need or intend to use (for Adobe Reader: Edit menu, Preferences), but this is a long-winded “expert-level” exercise.
  • You can handle this at a corporate level, with security settings pushed out from a central location. The slight downside is that a locked-down configuration tends to slow the distribution of the very updates that patch vulnerabilities.
  • Braver IT management might even try to eliminate Adobe software. Other PDF readers are available, and Google’s Chrome browser now has a built-in PDF reader. Many larger web video sites are moving away from Flash video toward the emerging HTML5 standard, which has the additional advantage of reducing the client resources needed.

However, it would be a brave IT manager who tried to take Adobe Reader and Flash away from users, and finding substitutes is a complex exercise. Few would have enough clout to impose the “iPhone approach” and simply say No.

Compliance testing

I was chased today to complete my overdue mandatory compliance training.

So I spent a few hours completing the training and the test. The result?

“Test Passed

The exam contained 14 questions, of which you answered 13 correctly, or 93%.

These are the questions you answered incorrectly:

  • What are the consequences of failing to complete / attend mandatory Compliance training?”

Phisherman’s Friend

I get an email from McKinsey. “Someone you have never heard of has lost your data.”

I was not alone. Epsilon, a marketing services company that sends 40 billion e-mails a year, has been hacked. An estimated 2% of its customer data has been “exposed”. As with the recent major leak at RSA, Epsilon has not disclosed any details of the breach. The full impact of the breach is well explained in the Economist.

The emails being sent by major companies including JPMorgan Chase, Target, McKinsey and Marks & Spencer are all in the same format:

“We have been assured by Epsilon that the only information that was obtained was your first name, last name and e-mail address and that the files that were accessed did not include any other information…We want to urge you to be cautious when opening links or attachments from unknown third parties.”

Well the files stolen DID contain some other valuable information – the trusted relationship between me and the company. The phishing emails won’t appear to come from ‘unknown third parties’ – they will look as if they have come from the company which I know, and have trusted until now.

Until now, phishing emails have been easy to spot:

  • They contain basic spelling errors.
  • They never address you personally.
  • They come from a company where you don’t have an account.

With the Epsilon data (and a spell checker), spear-phishers can remove all three tells at once: a correctly spelled email, addressed to you by name, apparently from a company you really do deal with. That gives the crime a quantum leap.

Here are the questions to ask any company that has been using Epsilon to email you:

I am sorry that your email of n April provided so little information about the data breach. The wording, which appears to be the same boilerplate sent by other customers of Epsilon, contains some significant omissions:
  • “the only information that was obtained was your first name, last name and e-mail address” – did it not contain more: the trusted relationship with you? My home address? My email preferences?
  • “We want to urge you to be cautious when opening links or attachments from unknown third parties.” Any spear-phishing emails using this lost information will not appear to come from an unknown third party.
  • “We take your privacy very seriously, and we will continue to work diligently to protect your personal information.” What diligent work had been undertaken before the breach to audit the security at Epsilon?

Postscript

To McKinsey’s credit they responded within hours:
Dear Nic

Below is another boilerplate for you as I’ve had to answer this a lot. Incidentally, I looked up your account under nic@nicevans.eu, and you are just a free member so we only have your email, name, company and title – not your address. Epsilon assures us that ONLY name and email were taken. Please read on for further info.

McKinsey Quarterly deeply regrets this unfortunate circumstance.  We take your privacy concerns very seriously, and we felt it was important to inform our users as soon as the facts became available to us.

As you may have seen since McKinsey Quarterly’s message to its users, McKinsey Quarterly was one of many Epsilon clients whose data was compromised.  Many of our users have noted that they subsequently received breach notifications from credit card companies, reward programs, online services, retailers, etc.  Epsilon is one of the largest email service providers, and, unfortunately, many have been affected.
For all affected companies and end users, Epsilon has publicly stated that the breach was “limited to email addresses and/or customer names only.”  Following our message to users, Epsilon has provided further assurances to McKinsey Quarterly, specifically: “All data extracted from the platform is logged and the only data extracted/downloaded to a file was email, first name and last name.”  Additionally, “the attacker was only logged into the system for a short period of time based on application logs… which would not have allowed the user to manually review (rather than download) a single record at a time.”

McKinsey Quarterly does not store sensitive personal information (such as account passwords, financial information, or other personal identity details) with Epsilon.  We urge our users never to respond to emails requesting sensitive information and to be cautious when opening links or attachments from unknown third parties.

Epsilon has detailed for McKinsey Quarterly security measures put into place since the breach, and they are working with appropriate legal authorities in an ongoing investigation.  McKinsey Quarterly is separately undertaking its own review of Epsilon and email service providers, in general, and we can assure our readers that we will endeavor to ensure the highest security of our users’ information.

Again, McKinsey Quarterly deeply regrets the inconvenience to our valued readers. Thank you for your continued patience, understanding and readership.

Sincerely Yours,

Rik Kirkland
Senior Managing Editor,
McKinsey & Company

Break in at the locksmith

The IT security world was rocked by the publication of an open letter from Art Coviello, head of security vendor RSA, on 18 March.

In the letter he said the company had ‘identified an extremely sophisticated cyber-attack in progress’. ‘An investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat’. In layman’s terms that means that a burglar broke in, the alarms didn’t go off, and they were there for quite a time.

‘The attack resulted in certain information being extracted from RSA’s systems. Some of that information is specifically related to RSA’s SecurID two-factor authentication products.’ Just about anyone who has used a corporate Virtual Private Network in the last ten years will be familiar with these tokens, which display an apparently random six-digit number that changes every minute or so. That number is used together with something the user knows, a PIN or password (the second factor), to log in.

I am sure this letter will become a case study in damage limitation – see my earlier blog “Sorry seems to be the hardest word”. It was a clear example of the minimum-necessary-disclosure approach. There was much speculation at the Financial Sector Technology Expo in London today about what might have been stolen. “If I knew, I couldn’t tell you,” said one Chief Security Officer. “They are only speaking to a very few of their major customers at banks, and then under tight Non-Disclosure Agreements.”

In the absence of hard facts, most informed opinion suggests the breach included the data that links the secret seed used to generate the number to the serial number engraved on the back of each token. With seed and serial, anyone can compute the same digits as the token without ever touching it, which is why advice is going around to remove the engraved number, and why RSA’s fix is to issue replacement tokens.

So the news headlines again:

  • There has been a break in at the locksmiths.
  • Some of the customers’ master keys have been stolen.
  • Why did they need to keep a copy?
  • Could you trust that locksmith again?
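To see why a copy of the seed records is the “master key”, here is an added example written for this page. It is not RSA’s code, and SecurID’s own algorithm is proprietary; it uses the published HOTP/TOTP construction (RFC 4226 and RFC 6238), which shares the property that matters here: the digits on the display are a function of the seed and the time only. The serial numbers, seeds, user record and PIN are made up, and the 60-second step is chosen to match the once-a-minute change described above.

```python
"""Added example: why the seed file behind a time-based token is the master key.

Illustration code for this page, not RSA's. The token algorithm is the public
RFC 4226/6238 one, standing in for SecurID's proprietary one; all records are
constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 60  # seconds per code; matches the once-a-minute change described above


def hotp(seed, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced modulo 10**digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed, unix_time, step=STEP, digits=6):
    """RFC 6238: HOTP with counter = floor(time / step). (The RFC's published
    test vectors use a 30-second step.)"""
    return hotp(seed, int(unix_time) // step, digits)


# Constructed seed records: the file that links each token's engraved serial
# number to the secret inside it. The manufacturer needs it to deliver seeds
# to customers; it is the file whose theft the page is worried about.
SEED_RECORDS = {
    "000123456789": bytes.fromhex("3132333435363738393031323334353637383930"),
    "000987654321": bytes.fromhex("deadbeef" * 5),
}

# Constructed VPN user directory: who holds which token, and the second
# factor (a PIN) typed in front of the token code.
USER_DIRECTORY = {
    "alice": {"serial": "000123456789", "pin": "4829"},
}


def vpn_login(user, passcode, now, window=1):
    """Server-side check. The VPN legitimately holds the seeds as well; the
    passcode is PIN + current token code, accepted within +/-window steps
    to allow for clock drift."""
    rec = USER_DIRECTORY.get(user)
    if rec is None or not passcode.startswith(rec["pin"]):
        return False
    seed = SEED_RECORDS[rec["serial"]]
    code = passcode[len(rec["pin"]):]
    return any(hmac.compare_digest(code, totp(seed, now + skew * STEP))
               for skew in range(-window, window + 1))


def attacker_passcode(stolen_records, serial, phished_pin, now):
    """With the stolen seed file, the serial read off the back of the token and
    a PIN obtained by phishing, an attacker builds a valid passcode without
    ever touching the token."""
    return phished_pin + totp(stolen_records[serial], now)


if __name__ == "__main__":
    now = time.time()
    forged = attacker_passcode(SEED_RECORDS, "000123456789", "4829", now)
    print("attacker's passcode:", forged, "accepted:", vpn_login("alice", forged, now))
```

The PIN still stands between the thief and the account, which is why the advice after the breach was to watch for PIN-phishing and to hide the serial number; replacing the tokens is the only way to make the stolen file worthless.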

Social Security Payments

Madison Kay spent $1,400 on bushels of Smurfberries. Aside from illustrating the need for Stephanie Kay to keep one-click ordering away from her eight-year-old daughter, it also illustrates the bushels of money to be made from virtual worlds: if $99 buys a barrow load of Smurfberries in a game ostensibly for children, what money could be made from more adult products?

There have been many red faces on social networks with the appearance of Firesheep – a simple add-on to the Firefox browser that allows anyone on the same open wireless network to hijack other users’ social networking sessions. The security hole was basic. The login to Facebook was performed over a secure https connection, but the subsequent exchanges went over plain http. These could be eavesdropped and then hijacked: the session cookie that proves the user is logged in travels in the clear with every request, so an eavesdropper can copy it and present it to the site as their own.
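The hole Firesheep exposed, and the fix, can be shown mechanically. The following is an added example written for this page, not Firesheep’s or Facebook’s code; the host name, cookie names and values are constructed. It models the one browser rule that mattered: a cookie set without the Secure attribute is attached to plain http:// requests as well, where anyone on the open wireless network can read it and replay it.

```python
"""Added example: what a Firesheep-style eavesdropper sees, before and after
the session cookie is marked Secure.

Illustration code for this page; host, cookie names and values are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class BrowserCookieJar:
    """Just enough of a browser's cookie store for the rule at issue: a cookie
    without the Secure attribute is sent on plain http:// requests too."""

    def __init__(self):
        self._cookies = {}

    def store(self, set_cookie_value):
        parsed = SimpleCookie()
        parsed.load(set_cookie_value)
        for name, morsel in parsed.items():
            self._cookies[name] = {
                "value": morsel.value,
                "secure": bool(morsel["secure"]),
                # HttpOnly only hides the cookie from scripts; it does nothing
                # against a network eavesdropper, which is the point here.
                "httponly": bool(morsel["httponly"]),
            }

    def cookies_for(self, url):
        """Cookies the browser would attach to a request for `url`."""
        https = urlsplit(url).scheme == "https"
        return {n: c["value"] for n, c in self._cookies.items()
                if https or not c["secure"]}


def cookie_header_from_request(raw_request):
    """Eavesdropper side: pull the Cookie header out of a sniffed plaintext request."""
    for line in raw_request.split(b"\r\n"):
        if line.lower().startswith(b"cookie:"):
            parsed = SimpleCookie()
            parsed.load(line.split(b":", 1)[1].strip().decode("ascii"))
            return {n: m.value for n, m in parsed.items()}
    return {}


def build_request(host, path, cookies):
    """Client side, and attacker side: a GET carrying the given cookies.
    Firesheep's 'hijack' is exactly this, replaying someone else's cookies."""
    cookie_line = "; ".join(f"{n}={v}" for n, v in cookies.items())
    req = f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
    if cookie_line:
        req += f"Cookie: {cookie_line}\r\n"
    return (req + "\r\n").encode("ascii")


def leaked_on_open_wifi(set_cookie_headers, http_url):
    """Simulate: the server sets cookies at (HTTPS) login, the browser then
    fetches a plain-http page; return what a sniffer on the same network learns."""
    jar = BrowserCookieJar()
    for header in set_cookie_headers:
        jar.store(header)
    parts = urlsplit(http_url)
    sniffed = build_request(parts.netloc, parts.path or "/", jar.cookies_for(http_url))
    return cookie_header_from_request(sniffed)


# Constructed: the 2011 situation. Login over HTTPS, but the session cookie is
# set without Secure, so the browser also sends it over plain HTTP.
BEFORE = [
    "sessionid=a1b2c3d4e5f6; Path=/; HttpOnly",
    "locale=en_GB; Path=/",
]
# Constructed: after the move to all-HTTPS, with the session cookie marked Secure.
AFTER = [
    "sessionid=a1b2c3d4e5f6; Path=/; HttpOnly; Secure",
    "locale=en_GB; Path=/",
]

if __name__ == "__main__":
    url = "http://www.example-social.invalid/home"
    print("before:", leaked_on_open_wifi(BEFORE, url))
    print("after: ", leaked_on_open_wifi(AFTER, url))
```

Marking the cookie Secure only helps if the whole site is served over https, otherwise the browser simply stops sending the cookie on the http pages and the user appears logged out; that is why the fix was a move to site-wide encryption rather than a one-line change.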

So was Facebook’s hasty move to implement secure connections, which had previously been deemed too expensive, out of concern for the privacy of their users’ data? There is a bigger and more direct motive for Facebook.

Many addicts of Facebook apps such as FarmVille and Bejeweled Blitz will have been tempted to get extra credits for a small credit card payment. Until now each of these virtual worlds has had its own virtual currency. Facebook is now making app providers use Facebook Credits. The spin is that it’s simpler for the single market and for travellers between these virtual worlds. It is also most lucrative for Facebook, which takes a 30% commission on the exchange between real currency and Facebook Credits.

Apple makes a similar 30% on payments through its App Store, and is similarly forcing app providers to take payment for the use of their apps through the App Store. That is easy money for virtual products like Smurfs’ Village, even with the hasty patch that now forces users to enter a password for purchases, but it is tough on real service providers like Spotify. Even Rupert Murdoch, whose iPad-only The Daily launched last month in the US, pays the 30%.

These may be small amounts individually but they are enormous in total. The market capitalisation of Zynga, owner of FarmVille, is over $5.5 billion, comparable to the merged British Airways and Iberia (IAG) at $6.7 billion, so a 30% cut of their revenues is…a lot.

Keeping Tags On Your Assets

Some old-fashioned truths were brought to the fore at LeasingWorld Expo, which led Nic Evans on to a high-tech solution for a very current industry challenge.


Mark your card

“Mark your card,” said the magician. I wrote my initials and a smiley on the four of clubs before holding it firmly down on the bar in the Tattershall Castle. With hindsight it was inevitable that my card should have gone from under my hand. The mystery remains of how it got to be folded and gripped by a paper clip in the magician’s hand, which had remained in clear view of both myself and the esteemed editor of LeasingWorld.

This incident took me back to the FLA Seminar earlier that day at LeasingWorld Expo on Responding To Higher Credit Risk. I expected a discussion on the finer points of credit analysis or risk weighted pricing. However Robert Munn of Total Asset Recovery took us back to a much more fundamental truth. “In this challenging economic climate, as credits are more difficult to underwrite, the Asset is your key collateral. This needs a proactive approach to asset management”

The key questions that Rob posed at the seminar are:

  • Does the asset exist? – Speak to dealers and suppliers. Physically inspect some of them.
  • Is it correctly priced? – Check asset prices – from manufacturers’ price lists and by physical inspection.
  • What’s the asset worth now and over time? – Get a market valuation prediction.
  • Are you buying what you think?
  • What’s your audit policy? – Audits counter fraud
  • Will the asset be there if the dreaded day comes? – asset marking is an important often neglected activity in fraud mitigation

We have all been there:

  • The Credit Director wanders into the IT department asking “Could you just look down this list of kit and see if the prices are reasonable?” “Well that must be a great laptop at that price!”
  • The unseemly rush of funders trying to get ahead of the receivers as they make sure that their assets are clearly marked.
  • Dawn raids on dodgy Essex motor dealers with suspiciously empty forecourts.

Return to ‘Old Fashioned’ lending

There is no money in being wise after the event. “Return to ‘Old Fashioned’ lending – get to know the customer and treat your asset as core collateral” says Rob. He went on to show some of the practical inspection services and asset marking services that Total Asset Recovery offer. A DNA datadot, less than 1 mm across, can be invisible to the untrained eye, but contain more information to identify an asset than an easily removable serial number sticker.

Clearly the power behind such identification is the central asset register. The Vehicle Finance Industry is familiar with the HPI database – and that is clearly a major protection against asset fraud.

“Why haven’t registers been adopted for other sectors?” came the question at LeasingWorld Expo. In technology serial numbers are widely used – although the Service Tag seems tightly managed by the manufacturers. Could they have a vested interest in controlling this connection to their customers rather than sharing a central register? Technology funders such as 3Step IT also offer services for asset tracking and management, giving lessees online access to maintain additional information on their equipment, such as cost centre and location.

Chips with everything

In the last decade the use of technology for the identification of assets has become well established. The principal technology in this area is Radio Frequency Identification, or RFID.

The basic version, passive RFID, has chips that respond with their identification when scanned. Chips can be embedded in an asset, which makes them hard to remove. This technology has already gained acceptance in financial services for micropayments, with toll road payments, touch-and-go payment cards and Transport for London’s Oyster card. While such “electronic purses” usually don’t hold balances on the chip, the storage on these chips can be large, as is seen with their use in biometric passports. The security of such sensitive information is an issue, with reports of data being read off the passport from several yards away, even though shielding is now built into the covers of US passports.

Another limitation of this passive technology is clearly demonstrated by my dog Clover: despite being ‘chipped’ – which gives her buttock more intelligence than her head – this is no help in finding her when she escapes. Active RFID overcomes this limitation with a powered chip that can transmit up to 50 feet using Wi-Fi technology. The range can be increased to several miles by using mobile phone technology, which allows tracking across the coverage of mobile phone networks, with the location found by measuring the distance from several mobile phone masts.

Location, Location, Location

“The primary benefit of this technology to the funder is the security of the asset,” says Adrian McMullan of L&A Consultants, who specialise in integrated resource management for fleet and logistics operations. “If you are concerned over the location of vehicles, alarms can be set that will notify you if the vehicle passes way points such as approaches to ports. It can be covertly equipped in the dashboard or under the engine – there are so many black boxes in a modern vehicle it is hard to remove.”

At his desk or on the golf course?

Such pervasive tracking does resurrect the old tachograph “spy in the cab” arguments, with a very modern twist of internet privacy. Indeed it has even been controversially suggested that companies should use this to measure the effective use of some of their more expensive human assets, keeping track of their sales force by the location of their mobile phones.

Once you have this connection to track your assets almost wherever they might be, then clearly they can communicate more than their identity: usage and service data too. This starts to open up new opportunities for leasing and equipment rental:

  • Copiers that send in their own meter readings.
  • Cars that not only say how far they have driven, but how fast and even how well.

“You can get real-time mileage capture for vehicles, which both warns of excess usage and prevents clocking,” says McMullan. “Both funders and insurers ask us to provide Incident Data Recorders – IDR – that are triggered by extreme deceleration. They will record speed and other measurements every tenth of a second for thirty seconds before the deceleration and fifteen seconds after. Insurers use this to find who was at fault for an accident. Funders can check that repairs have been carried out to protect the value of their asset. Hitting a kerb may not visibly damage bodywork, but the funder can see that the impact could have damaged the chassis.”
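The recorder McMullan describes is, in software terms, a rolling buffer that a trigger freezes. The following is an added example written for this page, not L&A Consultants’ product, following his numbers: ten samples a second, the last thirty seconds kept, and fifteen seconds more recorded after the trigger. The trigger level of 0.5 g and the synthetic drive it is run over are assumptions.

```python
"""Added example: an incident data recorder with a pre-trigger ring buffer.

Illustration code for this page. Sampling rate and the 30 s / 15 s windows are
the figures quoted above; the 0.5 g trigger level and the drive are assumed.
"""
from collections import deque

SAMPLE_HZ = 10           # "every tenth of a second"
PRE_SECONDS = 30         # "thirty seconds before"
POST_SECONDS = 15        # "fifteen seconds after"
G = 9.81
TRIGGER_DECEL = 0.5 * G  # m/s^2; assumed, the page gives no figure


class IncidentDataRecorder:
    """Keeps a rolling PRE_SECONDS window of samples. When the deceleration
    derived from successive speed samples reaches TRIGGER_DECEL, the window is
    frozen and the next POST_SECONDS of samples are appended to it."""

    def __init__(self):
        self._window = deque(maxlen=PRE_SECONDS * SAMPLE_HZ)
        self._last_speed = None
        self._capture = None
        self._post_left = 0
        self.incidents = []

    def feed(self, t, speed):
        """Push one sample (t in seconds, speed in m/s). Returns the finished
        incident record when a capture completes, otherwise None."""
        decel = 0.0 if self._last_speed is None else (self._last_speed - speed) * SAMPLE_HZ
        self._last_speed = speed
        sample = {"t": round(t, 1), "speed": round(speed, 3), "decel": round(decel, 3)}

        if self._capture is not None:               # post-trigger phase
            self._capture["samples"].append(sample)
            self._capture["peak_decel_g"] = max(self._capture["peak_decel_g"],
                                                round(decel / G, 2))
            self._post_left -= 1
            if self._post_left == 0:
                finished, self._capture = self._capture, None
                self.incidents.append(finished)
                return finished
            return None

        self._window.append(sample)                  # rolling pre-trigger window
        if decel >= TRIGGER_DECEL:
            self._capture = {
                "trigger_t": sample["t"],
                "peak_decel_g": round(decel / G, 2),
                "samples": list(self._window),      # freeze the last 30 s, trigger included
            }
            self._post_left = POST_SECONDS * SAMPLE_HZ
        return None


def record_drive(samples):
    """Run a whole (t, speed) trace through a recorder; return its incidents."""
    rec = IncidentDataRecorder()
    for t, speed in samples:
        rec.feed(t, speed)
    return rec.incidents


def synthetic_drive():
    """Constructed trace: 60 s at 50 km/h, braking to a stop in 1 s (about
    1.4 g, a kerb strike rather than normal braking), then 30 s stationary."""
    v = 50 / 3.6
    speeds = [v] * (60 * SAMPLE_HZ)
    speeds += [v * (1 - i / SAMPLE_HZ) for i in range(1, SAMPLE_HZ + 1)]
    speeds += [0.0] * (30 * SAMPLE_HZ)
    return [(i / SAMPLE_HZ, s) for i, s in enumerate(speeds)]


if __name__ == "__main__":
    for inc in record_drive(synthetic_drive()):
        print(f"trigger at t={inc['trigger_t']}s, peak {inc['peak_decel_g']} g, "
              f"{len(inc['samples'])} samples from t={inc['samples'][0]['t']} "
              f"to t={inc['samples'][-1]['t']}")
```

A real unit would take deceleration from an accelerometer rather than differencing speed, and would write the frozen record to non-volatile storage before anything else, since the power may not survive the impact that triggered it.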

Getting Connected

Such “smart” telemetry can fundamentally change the whole economic relationship between the asset and the user. “Once devices are connected and their use can be metered, there is no longer any need to buy them,” says the Economist’s technology correspondent Ludwig Siegele in his recent report on Smart Systems.

Which car shall we use today?

In London, and several US cities, members of Zipcar simply log on to find the nearest vehicle (which reports its own position by GPS), unlock the car with another RFID chip in their membership card, use it by the hour and then return it to any of the allocated parking bays across the city. You can look for the nearest estate car if you have a load to move, or make a ‘lifestyle choice’ of a coupé with a sunroof and an adapter for your iPod.

Rolls-Royce offer in-flight monitoring for their jet engines, which not only lets them charge airlines a fixed cost per flight hour, but also allows them to predict when maintenance will be needed, which increases aircraft availability. (It is not known whether this showed any problems with the Rolls-Royce Trent engine that disintegrated on the Qantas A380 over Singapore in November.)

Paying for service

Now the IASB’s Exposure Draft on leases places new requirements for lessee capitalisation and complex accounting calculations. It is widely expected that this will drive a large move toward service contracts in order to keep assets, particularly non-core assets, off the balance sheet. This will mean many finance industry changes:

  • from copier rental to managed print services,
  • providing the use of a car, rather than lease of a specific vehicle
  • even paying for thrust rather than financing a jet engine.

Use of such smart systems to remotely monitor usage clearly allows charging for a service rather than the right to use an asset.

Could we even see city car sharing schemes like Zipcar coming to the company car park?

A message behind the Boris Bike?

Perhaps the sponsor’s message on the back of the “Boris Bikes” now being rented around London is a sign that one bank has already spotted this opportunity in technology-enabled short-term service contracts?

This Article appeared in January 2011 Edition of LeasingWorld.

(c) Nic Evans 2011. This Article may not be reproduced, in full or in part, without the prior permission of the author.

Nic Evans is an independent consultant and interim manager for commercial finance technology and business agility. He is an affiliate at Invigors LLP. If you want to discuss any points raised by this article or broader issues he can be contacted by email nic@nicevans.eu or through LinkedIn http://uk.linkedin.com/in/nicevans