From Wikipedia – “Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival, used primarily in the Internet-based video game culture to taunt an opponent who has just been soundly defeated. "You just got pwned!"” Well, I did anyway, and here’s the proof:
A Quick Check
Thankfully it is easy to check: just go to the URL below.
Now I have your attention, let me talk about Passwords.
“Open sesame” was the famous passcode that Ali Baba used to gain access to the legendary treasure. In Hebrew, the word “sesame” has connotations of being the name of heaven. For hackers this is indeed “heaven”, and gaining access to a password provides more than a simple way to feed the family. Passwords are the bane of our everyday existence, and most of us struggle with the different requirements of expiration and format.
It might surprise you that the average person has 17-19 different passwords and uses around 8-12 per day. In our working day we cope with around 6-7 just at our place of employment. Then, when we want to relax and use the internet, we have to use a further 4-5. So much for chilling out!
It is not the daily websites that are an issue but the more infrequent ones, where we have little hope of remembering the passwords.
Data Breaches
With so many passwords, each with different rules and expiry dates, the situation only gets worse. Not surprisingly, with so many passwords to manage, users, or should I say the average person, will tend to choose weaker passwords and are also likely to reuse them.
Recent evidence is that more than 60% of all data breaches came from weak credentials and user authentication. We have a problem and the current approaches don’t work.
Authentication Sucks
The fact is that around 70% of users forget their passwords every month. It was embarrassing as a CIO to be calling the helpdesk to reset my password, but like many others I fell victim to multitasking.
Authentication as it stands does suck. We need a more intuitive approach, and the hypothesis is that we need a pattern to help us remember our passwords. The usual good advice is to use a poem or rhyme as the cue for this mental recall, e.g.
Mary Had a Little Lamb = MHALL
Biometric sensors
We are all now using smartphones with gestures or biometric sensors. It is a great improvement over typing on that little virtual keyboard. I recall reviewing the patent for biometric touch for the iPhone, which came a number of years ahead of it being launched.
It is however fascinating to look at Apple’s more recent patents. They hold full-finger (multiple finger) patents. Of course, let’s remember that the importance of using one’s finger is that it provides that third authentication factor. This is critical for payments, and Apple Pay will be using a biometric approach to approve the transaction.
They are taking this one step further with the concept of user ID using plethysmography, which to my understanding is a combination of motion, gestures and light movement. Thus in the future we could use a gesture, not unlike the movements used at the gambling table to make a bet.
Apple is doing some R&D on using biometrics on a TV remote; just imagine your remote knowing David’s preferences and what alternatives you like. It is an exciting development, but based on Apple’s normal innovation process this is going to be a few years away.
But back to security…..
Continuous Monitoring is the answer?
Where I would place my bet is on using a number of sensors to validate myself. The theory is that machine learning monitors a combination of sensors. How fast and how you type, and such keystroke patterns, would establish your normal tempo. But what happens on the day that you are not feeling 100%, or are perhaps jetlagged? Your device is therefore your monitor, and will also be listening to how you speak and what you say?
Thus this is not a binary yes-or-no password, but continuous monitoring that develops an ongoing trust score, authenticating you in real time on your device. Our friends at Google are working on this approach.
Will this mean the end of being pwned? I’m not sure, but clearly I could be using “Open Sesame” as my password and with continuous monitoring this may be enough to validate who I am.
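To make the "ongoing trust score" idea concrete, here is an added toy example (not Google's or any vendor's code, and not from the original post). It enrols a typing tempo from constructed inter-key timings, scores each later window against that baseline, and folds the scores into a slowly moving trust value that drives an allow / step-up / lock decision. All names, thresholds and the scoring formula are assumptions chosen for readability; the jetlag case below shows the main design tension: a genuinely slow day and an impostor look the same to a tempo-only signal, so the score degrades gradually to a step-up rather than an instant lock.

```python
"""Toy continuous-authentication trust score from keystroke timing.
Added illustration only; every value and threshold here is constructed."""
import statistics
from dataclasses import dataclass


@dataclass
class TypingProfile:
    mean_ms: float   # mean inter-key interval observed at enrolment
    stdev_ms: float  # spread of that interval at enrolment


def enrol(samples_ms):
    """Build the 'normal tempo' baseline from enrolment inter-key intervals."""
    if len(samples_ms) < 2:
        raise ValueError("need at least two samples to estimate spread")
    # Floor the spread at 1 ms so a perfectly regular enrolment cannot
    # divide by zero (and cannot make every later window look anomalous).
    spread = max(statistics.stdev(samples_ms), 1.0)
    return TypingProfile(statistics.mean(samples_ms), spread)


def sample_score(profile, intervals_ms):
    """Score one observation window in [0, 1]; 1.0 means 'matches the baseline'."""
    z = abs(statistics.mean(intervals_ms) - profile.mean_ms) / profile.stdev_ms
    return max(0.0, 1.0 - z / 3.0)  # three standard deviations away earns no credit


def update_trust(trust, score, alpha=0.3):
    """Exponential moving average: one odd window nudges trust, it does not zero it."""
    return (1 - alpha) * trust + alpha * score


def decision(trust, step_up=0.5, lock=0.25):
    """Map the running trust value onto an access decision (assumed thresholds)."""
    if trust >= step_up:
        return "allow"
    if trust >= lock:
        return "step-up"   # ask for a second factor rather than locking outright
    return "lock"


def run_session(profile, windows, trust=1.0):
    """Feed successive timing windows through the model; return the decisions."""
    decisions = []
    for window in windows:
        trust = update_trust(trust, sample_score(profile, window))
        decisions.append(decision(trust))
    return decisions


# Constructed enrolment data: mean 180 ms, standard deviation exactly 20 ms.
ENROLMENT_MS = [160, 200, 180]
# Constructed later windows: one normal, then four from a slow, jetlagged day.
NORMAL_WINDOW = [175, 185, 190, 170]
JETLAG_WINDOW = [240, 260, 250, 250]

if __name__ == "__main__":
    profile = enrol(ENROLMENT_MS)
    session = [NORMAL_WINDOW] + [JETLAG_WINDOW] * 4
    for window, verdict in zip(session, run_session(profile, session)):
        print(f"mean {statistics.mean(window):.0f} ms -> {verdict}")
```

Because trust is averaged over time, the user is asked to step up (a second factor) after a couple of slow windows instead of being locked out on the first one; a production system would add more sensors, such as touch pressure or gait, precisely so that a single off-tempo signal is not decisive.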
Fancy a game with that banking transaction? Most people don’t expect banking to be fun and pretty much want to get ‘in and out.’ But Sydney-based startup, Moroku, is changing that with gamification technology that is getting some attention from the largest banks in the world.
CIO sat down with Moroku’s CEO, Colin Weir to discuss what motivated him to start the company and its core objectives.
CIO: Gamification provides a distinctly different customer experience. Can you outline the strategic drivers behind Moroku?
Weir: The unfortunate truth is that after spending billions of dollars creating banking systems, banks are well off but the customers are less so. In the developed world, we are hooked on debt, spending billions of dollars on interest and fees at exorbitant rates.
In Australia, the average savings at retirement is $130,000, in America it’s the same and in Europe, 20 per cent of the population risk spending their lives in poverty once they retire. In my opinion, that just isn’t good enough for some of the wealthiest countries in the world.
CIO: So with that in mind, what are your core objectives?
Weir: We want ordinary people to save more than they spend and retire well – not in poverty. We want people to be able to look at the holistic journey of 30 years work, with house paid off and no debt. In essence, shifting from share of wallet, to making the wallet bigger for each customer.
CIO: How do you make banking fun but still business-like?
Weir: Like with many things, it just starts with awareness: Awareness that a focus on product, interest and fees is perhaps not the most sustainable of models.
There are an increasing number of banks and regulators around the world who are turning their attention to a new model, one based on liquidity and growing the overall size of the revenue pool based on customer success.
As we do this, we find turning to game design a very useful approach.
Game play in all sorts of its variations is very good at thinking about
the core set of skills and capabilities the customer needs to acquire
in order to get to the next level and win.
This serves us very well when we think about the skills and capabilities customers need to win, and how banks support their customers’ financial journey through a digital experience.
From all the research we have done, our dopamine-based reward system actually hard wires us for fun. We firmly believe that for banks to win, their customers need to win. If customers are going to win we must find a way to lead with fun.
CIO: Can you explain how and why customer engagement is improved by this novel approach?
Weir: Engagement is improved by applying ‘fun to use’ as a design paradigm and coupling it with social connection to drive engagement and care factor. When we do things that are fun dopamine is released in the brain and triggers our reward centre.
The return on investment is very measurable; Bain research shows that customers who engage with companies over social media spend 30 per cent more than those who don’t and demonstrate a deeper emotional commitment. Engaged customers buy more. Our pilots will prove this out and get data to support this.
CIO: What’s the user experience philosophy behind Moroku?
Weir: The first thing we do is think about customers as players and their journeys. Whilst user journeys are employed in ‘human-centered design’, these are often conceived as a journey within an app.
Rather than thinking about what winning looks like for the bank, we first ask what winning looks like for a customer. We ask questions around the skills and challenges for people to get good at managing cash and progress to being great.
From there, we employ a combination of design principles and mechanics from gaming, coupled with behavioural economics and insights from Maslow and Pavlov.
Games are very good at on-boarding new players; we then look at a range of feedback loops that can be implemented to corral the user and nudge them along. Our belief is that ‘ease of use’ has run its course as a design principle. If we don’t move to ‘fun to use’, we will be left behind.
CIO: What’s the basic architecture behind your technology?
Weir: The Moroku GameSystem has 4 components. We build customer apps from a baseline set of mobile libraries. The platform’s designed with a rules engine at its centre. This allows us to tweak some of the experience on the fly without releasing new versions.
Non-banking interactions are all delivered through a cloud-based GameServer. No personally identifiable information is held within the GameSystem, enabling us to support most banking regulations with regard to the use of cloud infrastructure.
An anonymisation service connected at the bank side manages the relationship between the GameSystem player and actual accounts at the bank.
Customisable standard reports are provided to measure performance and behaviours such as payments made, click-through rates and customer acquisition.
Plus the API is provided to integrate GameSystem with the bank’s payment and internet systems. This enables the registration process to be presented via the bank’s internet banking platforms.
We’ve built everything from scratch. One rarely gets to start with a white canvas but this has really helped us build and own something which gives us flexibility and agility around our core challenge.
CIO: Who’s using your technology right now?
Weir: We have a customer already live in Europe. Their target market is young savers, as they seek to appeal to millennials and the next generation of banking customer. We have a number of prototype and pilot engagements on the boil too.
Our target market for this year is Asia and we are seeing a broad range of interest from unbanked, under-served, retail banking, wealth management, high net worth, and insurance-based customers.
CIO: Any talks with Australia’s big 4 banks or other global banking organisations?
Weir: Our participation in the Accenture FinTech Lab has given us great engagement with a dozen global and regional banks, including CBA. The 12 week program finishes up on November 4. I’m confident that we will come away with 3 to 4 new customers from the Asia Pacific region.
CIO: How hard was it to integrate your ‘games’ front end onto existing mobile or online banking functionality?
Weir: This integration is relatively easy and we plug into existing online and mobile channels.
It’s not a silver bullet. If we’re planning on getting customers to save more, or pay off their debt earlier, we need everyone in. This message then needs to be supported through a broad range of customer communications to ensure it has integrity.
Lastly we need to drive the analytics hard. It’s a science and as with the best science it involves a series of experiments that get us moving closer and closer to the truth with each iteration.
CIO: How quickly can a new bank deploy Moroku?
Weir: Our typical project commences with a 2 week scoping engagement to understand the strategic customer objectives and how that may play out as a digital experience. Then we identify opportunities for integration, cloud, security etc.
We then run an 8 – 12 week build and learn cycle that sees these concepts become real and deployed into the hands of customers to validate and test assumptions.
CIO: What are the key attributes of your team?
Weir: We have 3 values that we look for – courage, curiosity and creativity. These are our tickets to the game and you don’t get to a skills interview without them.
The first is a combination of confidence, awareness and openness; to know who you are. Our engineering teams possess a blend of mobile and cloud skills coupled with solid software engineering principles.
Every business is addressing Digital as the approach to drive a better customer experience and to reduce costs through the introduction of self-serve channels.
In the Digital world, everything is open 24 hours per day and that is the basic expectation. Recently Skype had an unexpected outage and all customers received an apology with an offer of a week’s free calls.
We expect systems to work 24x7 and that there be no downtime. I’ve seen access closed on weekends for basic maintenance myself and had to do a double take. Oh yeah, that’s right.
Digital is clearly the Glue for Business; even in Australian Government we are seeing the focus on ‘e’ across all portfolios, and a series of Digital Disruption Government Conferences has emerged.
Moving into the Digital era often means that you require capabilities that are not in-house and therefore have to be acquired. This starts to open the Enterprise Fortress and, while openness is not a bad thing, it has significant implications for security.
These partners also become targets for cyber security hackers, which is sobering, and we all have existing vendors that may or may not meet the security requirements that we enforce in the Enterprise. If they don’t, then it is clear that you are accepting that risk whether you realise it or not.
Accenture have noted in a recent Strategy document that: “Downtime is not just costly but untenable. Failures and hostile cyber actions have profound impacts on enterprise performance—even enterprise viability”.
In every organisation there are usually two CXO parties that are responsible for Cyber Security. This might be the CISO and CIO \ CMO \ CRO, or in many organisations this also includes the CEO.
Cyber Security is all about protecting one’s reputation, and in a Digital world this is not a domain that can be delegated. It is becoming too important, and every breach that has occurred and is going to occur is going to reinforce this position.
The CEO has to take this onto his or her personal agenda; if he or she doesn’t then it will result in scenarios like we saw in Target USA and many other organisations.
It is a reality that cyber security is no longer a back-office concern, and the expectation is Digital Resilience. Our thought leaders at McKinsey have noted that this shift from cyber security as a control function is in the past.
There is a greater integration of Digital IT with Business Processes (the Glue), and with these raised stakes Cyber Security becomes critical.
Extending the Perimeter
This means that our staff, their families and the partners that we work with all become part of the security ecosystem. With this scope it is not really possible to simply extend the security perimeter; we have to find mechanisms to educate and provide safeguards for these players.
It won’t be acceptable for staff or partners not to take cyber security policies seriously, and it becomes a dismissible offence.
The CEO will also have to provide the input around risk-resource tradeoffs. To actually assume more risk has a real cost, and that’s not just Cyber Security Insurance premiums but largely reputational risk.
For any Digital business ‘trust’ is a critical element of the transaction. It is assumed that you can trust this organisation with your sensitive and valuable data. Any breach of that trust has a cost that is impossible to fully recover from. Just ask any of the Executive teams from organisations that have had major cyber security incidents.
A growing challenge for CMO
Enterprises will progressively embrace greater sources of data and, even in the absence of Big Data, this will include data from objects such as sensors, drones and devices.
Some of this is cool data, but some of this information will be sensitive and private. It will require the CXO, perhaps the CMO, to be working with the CISO on understanding cyber security, which becomes part of the brand.
You may not have noticed, but there is a startling new feature in iOS9 that is marketed as improving your mobile web experience…
This new version of software allows for the first time for ad blocking, and a number of blockers have appeared in the App Store in recent weeks, including –
Ad Block Mobile
Freedom Ad Blocker
Crystal
Lionz Blocker
Ad Locker
Clear Ad Blocker
Stops Ad Blocker
EZ Block Ad
Distilled
ibBlock
Ad Stop
Ad Kill
Unity Ad Blocker
Super Ad Blocker
Green Duck
Block Ads
Blockr
I will stop there as the list has grown from a standing start to be both extensive and prolific. Theoretically this is all about speed and stopping those annoying adverts that pop up and take bandwidth.
For most of us, we take advantage of reading free content, and the model we understand is that we surrender some degree of privacy over our browsing so that a 3rd party gets to understand our preferences etc.
As we click through to sites from these referrals, there is a monetization of cents or partial cents that is paid. That all happens without our explicit consent or approval, but that is the basic economics of a free internet.
Who is behind this tracking varies from site to site, but we all know that our friends at Google are big on tracking cyber activity and making specific offers to us.
In essence, Apple is forcing our hand and we have to view news content via an App that is approved by them and that they get monetized for.
However the war is just starting, and we have witnessed Google reacting to this situation by punishing Ad Block users with un-skippable YouTube adverts.
In the last day we have seen the promotion of Accelerated Mobile Pages (AMP), with the intention that this will address speed issues. A number of companies including BBC, Washington Post, Fairfax Media, NineMSN, Twitter, Linkedin and Pinterest are using or about to use AMP.
This works on the basis of simplifying the web pages and stripping out heavy javascript, so pages are smaller and hence load much faster.
Plus, in order that this runs faster, the content is also loaded onto servers and cached in memory. While this has been released, it still has to be rolled out, and we would expect new pages to be rendered that are AMP optimized.
Facebook in an Instant
Our friends at Facebook are also in the picture, but note that in the main their content sits within the Facebook environment – thus Ad Blockers don’t affect them.
Facebook launched what they named Instant Articles earlier this year in May with a claim that content would load 10 x faster than the standard mobile web, and this has been proven for nearly 50 major online newspapers.
As users we are stuck in this battle for the eyeballs and there is not a clear path. You could lash out and buy an Ad Blocker for $1.29, but it may not be necessary should Google (AMP) and Facebook (Instant Articles) all work as expected.
It does however create a new market opportunity for micro payments and being able to pay to not be annoyed by adverts. I’ve spoken confidentially to a contact who is working on such a deal.
There is a sinister side to iOS9 allowing ad blocking. There are much bigger stakes at play than how fast your mobile web experience turns out to be. We watch while 3 large titans of Silicon Valley all fight for their longer term profitability and positioning.
On the Internet the current approach of using public and private key codes has worked effectively with silicon technology. This is not perfect, but we are assured that the RSA approach provides security for our environments.
However what has worked is now under threat with the emergence of quantum computing. Quantum computers are more powerful than any platform that is available now and therefore have the ability to crack most public-key algorithms.
Today’s encryption methods that protect sensitive data will be easily broken by the sheer processing grunt of this new technology.
I say “will” as this is still early days.
Breaking Moore’s Law
Since the early days of computing we have been living within the anticipated constraints of Moore’s Law, which states that “processors will double in power every 18 months”; Moore predicted that this trend would continue.
The architecture of modern computers works by manipulating bits that exist in one of two states: a 0 or a 1. Quantum computers, however, use the properties of atoms to perform memory and processing tasks, which means that they are not restricted to being either 0 or 1.
Quantum computers are expected to calculate faster than the current architecture.
A Threat to Banking
All banks use public key cryptography to perform secure money transfers, and their online banking is conducted on the Internet using this encryption to secure website access.
The security of public key cryptography has meant that hackers have to find other ways to get information. Once data is encrypted we are assured that it is extremely difficult to crack and hence it is “secured”.
RSA works on the principle that it is difficult to break a large number up into its prime factors, which serve as its key.
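The sentence above is the whole story of RSA's security, so here is an added worked example (my illustration, not code from the original page or from any crypto library) with a deliberately tiny key. It builds a key pair from two small constructed primes, encrypts and decrypts a number, and then shows that anyone who can factor the public modulus can recompute the private exponent. Trial division does this instantly for a 20-bit modulus; for a real 2048-bit modulus it is infeasible on classical hardware, and the quantum threat discussed on this page is precisely that Shor's algorithm makes the factoring step fast. The prime values, message and function names are assumptions for the demonstration.

```python
"""Toy RSA: key generation, encryption, and recovery of the private key by
factoring the modulus. Added illustration; constructed values only, never
use keys this small."""
from math import gcd, isqrt

# Constructed toy primes; a real key uses primes of about 1024 bits each.
P_DEMO, Q_DEMO = 1009, 1013


def make_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)           # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(pub, m):
    """Textbook RSA: c = m^e mod n (no padding, for illustration only)."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def decrypt(priv, c):
    """Textbook RSA: m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def factor_trial(n):
    """Trial division up to sqrt(n). Returns (p, q) or None if n is prime.
    Hopeless for a real modulus; instant for the toy one."""
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return f, n // f
    return None


def recover_private_key(pub):
    """Show that knowing the factors of n is the same as knowing d."""
    n, e = pub
    factors = factor_trial(n)
    if factors is None:
        return None
    p, q = factors
    return n, pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    pub, priv = make_keypair(P_DEMO, Q_DEMO)
    msg = 424242                              # constructed sample message
    c = encrypt(pub, msg)
    print(f"n has {pub[0].bit_length()} bits; ciphertext {c}")
    print("round trip ok:", decrypt(priv, c) == msg)
    print("private key recovered from public key:", recover_private_key(pub) == priv)
```

The recovered key is identical to the generated one because d is determined uniquely by e and phi(n); that is why key length, not secrecy of the algorithm, is what stands between an attacker and the plaintext.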
Post quantum algorithms
Quantum computers are expected to come into vogue in the next few decades. However a recent article by the AFR has speculated that there could be such a quantum computer within 5 years here in Australia.
The threat then is how to secure ourselves against such devices, which could decrypt what we consider to be “secure” data, from bank records to email passwords. This would be tantamount to “wiki-leaks on steroids”.
We would then be entering what will be called the post-quantum algorithm stage. By then we hope that there will be a new approach using public-key algorithms that will be secure against a quantum computer attack.
Just imagine the potential huge payout for the country or enterprise that is able to figure this out. Let’s hope that the good guys are the people that are the ‘first to walk’ on the post-quantum (moon).
Apparently the emerging schemes are based on the mathematics of lattices, which are multidimensional, repeating grids of points. This sounds to me like a more complex Rubik’s cube or a multidimensional maze.
Give me the Rubik’s Cube
Frankly, I struggled with the old Rubik’s cube (while my brother-in-law was annoyingly able to solve it within seconds). But in this case the stakes are exceedingly high, and vast amounts of secret data and money are awaiting the puzzle being solved.
The sweet spot for quantum computing is high-powered applications. This includes biotech molecule simulation and data mining, which can be used for ‘good’. Unfortunately quantum computing can also be used to crack codes.
I’m a person who has had a keen interest in trying to stay across developments in Cyber Security, but a recent Symposium at Sydney’s Luna Park has been an eye opener on many fronts.
Personally I’ve always struggled with the concept of White and Black Hat hackers. What makes a person decide to take which path? As I scanned the audience of 350+ I wondered which of these participants were here ‘scouting’, actually playing for the other side.
You know that you can’t really tell – unfortunately the bad guys don’t wear a ‘hat’ that gives them away. So who watches the watchmen?
How to get into the Black Hat Mindset
The nagging question for me has been: is this about fundamental integrity and honesty? Or is this just a lack of career options that then leads to this choice? Another, more cynical side wonders if it is just the fact that Black Hat hackers are much more skilled at hacking.
For answers, I was privileged to hear Brian Krebs, past writer for the Washington Post, who engaged with Black Hat hackers to write his book entitled Spam Nation, a New York Times Best Seller. Brian is a fascinating storyteller who was able to connect with ‘friendly’ Black Hats and also some others who were not so friendly.
This is especially the case in Russia and the Ukraine, where there are also no legal deterrents to this activity. (Perhaps I was correct about lack of career options being a factor!)
Brian noted that the average 20 year old Russian will get into this profession gradually, and on a part-time basis. They are selling what is essentially software as a service – albeit a bot service or a DDoS capability.
Australia’s Cyber capability weakness
Here in Australia, we don’t have a great standard of Maths and Science compared to global leaders. Hence I do worry that our local White Hat hackers are less skilled and indeed outgunned by others who speak a different native language but use the same TCP/IP protocol.
Let’s remember though that one of the most famous hackers in the world comes from Australia. Julian Assange also studied Maths, Science and programming and started off as an ethical ‘White’ Hat hacker, then went rogue and later pleaded guilty to 25 charges. Assange was also a good guy as an Advisor to the Government, generally providing advice on computer security. Then he founded WikiLeaks, and it is debatable what colour hat he wore there.
The wake-up call is that it’s just a ‘hat’, and perhaps it is more ‘Gray’ than either Black or White. To me the bigger issue is that the so-called White Hat guys are given access to test your systems for vulnerabilities – so how do you know if you can really trust someone? Yes, we have to trust our guards, but who then guards them?
Cookie Crumbs
From what I see, it is not fair to say that the Black Hat guys are smarter and hence gravitate to this field. They are also human and fall prey to the same mistakes that you and I make.
Brian Krebs discussed how he followed crumbs to gather evidence, and this required extreme patience. In many ways it emulates the same technique that Black Hat operatives use: monitor and look for those vulnerabilities, sometimes waiting 9 to 12 months before acting.
In the same fashion, Brian explained how he pursued comprehensive analysis and followed trails. The same weaknesses that hackers exploit, being the ‘human’ element, are also what he looks for.
Some examples were reusing a personal email address for business, then having the same password on chat rooms as on email, or even reusing a pseudonym. These are all behaviours that in the corporate world lead to vulnerabilities, and it just proves that it is ‘people’, not the technology, that is the most critical factor.
Brian shared that he has waited for those moments when hackers hacked each other, leading to them bringing down the hacker forums. At that moment he would grab all the unprotected details of those databases. This provided access to their personal photos, which are brazenly shared. It is interesting to note that Black Hat guys also use tools that you and I utilize, such as Skype, and not some secret encrypted service.
Hackers Hack each other
I’ve never thought that hackers hack each other for fun. My belief was this was just for money and ransom. I was not aware of the degree of ego involved in this ecosystem, and hackers, when they are not targeting enterprises, are taking pot shots at each other. There is real competition between these parties, and getting an advantage over someone else clearly has monetary reward as well. At the end of the day, most hackers are also ‘gamers’ and this is part of their psyche.
That was another huge wake-up call moment for me, and I start to worry about the background of the White Hat guys that I might engage. Then consider: are they really low profile and have no enemies?
Social Engineering Attacks
My hair also stood up with another discussion, and that was how hackers use Linkedin to scout and gather further information on you. As an avid user of that channel, it makes you more wary of those unsolicited requests that we receive.
In the case study, once a hacker knows more about you, they can provide what looks like an innocent connection for an app. However what is lurking is a malware-injected app that is able to essentially take over your smartphone – to read your calendar, email and even record your conversations.
Yes, we do carry that phone device everywhere, don’t we…
This takes social engineering beyond what I imagined to be just the help desk and customer service as points of concern. In this regard, yes, the bad guys are much smarter than we are and can take advantage of our people, process and technology weaknesses.
Smelling salts
Now that I realise that I know much less than I thought, it is a poignant moment to reflect on how very advanced the hackers are. This is their living, and it is only when you take on their persona and approach, much as pros like Brian Krebs have adopted, that you have a fighting chance.
Alternatively you have to hire a CISO and security staff who perhaps are much closer to that edge than you thought. But then how do you know that they are really White and not like our friend Julian Assange, who has been all the various shades?
Then we have to watch these watchmen as they hack each other through various tactics and work out: are they still White Hat?
Apple recently applied for a patent in the United States for what could be called an iRing. This initially sounds like a goofy idea, but hold that thought!
Apple has designed a ring that will incorporate a motion-sensing accelerometer and gyroscope. This essentially means it will understand 360-degree movement, allowing hands-free gesture control. A great feature for gamers, it would seem.
The iRing is worn on the index finger with a provision for control by your thumb.
Apple has also separately announced what it calls the iPad Pro, a 12.9 inch tablet with an A4 screen, making it perfect for reading documents without the need to navigate back and forth on the page. The iPad Pro has been built with the idea that you would perhaps use a companion keyboard or the first ever Apple Stylus. It is therefore a natural progression that you could use the iRing as a companion device.
A use case that I can clearly see is where an iRing can be used to help with scrolling between pages, or perhaps even used to ‘cut and paste’ an article online.
These gestures could also be a great breakthrough for disabled users, making it easier to use such tablet devices without having to grip the actual hardware. Much like the Apple Watch, which allows you to receive alerts and messages, features that I believe aren’t that attractive.
But having an Apple iRing on my index finger does allow me to use the microphone and have ‘hands free’ conferences while driving, for instance.
Perhaps controlling my Apple TV to select and change channels is also going to be a really handy (pardon the pun) feature.
But the most attractive use case will be in payments and the iRing’s
use with Apple Pay, the mobile payments and digital wallet service.
For a glimpse at the future, take a look at London-based startup, Kerv. This startup has created a ring that uses near field communication (NFC) technology, the kind that is often built into smartphones. When a user travels on the London tube or buys a morning coffee, they simply wave the Kerv ring at an existing contactless terminal.
The iRing – if it is released – will be used for many things, but for me the key reason I would wear this is that I don’t have to get out my phone or wallet to make a payment.
Theoretically, with the use of a biometric thumb print, you can also control the valid usage of this wearable device.
I’m sure there are digital teams at the 'big four banks' that are potentially adding this to their future mobile roadmap. While I’ve never been keen on an Apple iWatch, an Apple iRing makes sense and I want one.
Banjo is a new Australian startup created by three former National Australia Bank executives, Andrew Colliver, Julian Hedt and Stephen Murphy.
David Gee sat down with CEO Andrew Colliver to discuss how the online lender of secured and unsecured loans to small businesses – which raised $7.5 million last month – intends to take on Australia’s big four banks.
CIO: Where did you get the inspiration to start Banjo and how are you different from the banks?
Colliver: We leverage the power of data to obtain a more holistic view of a business’s position so we can approve more loans.
Our logo is a folded $10 note, and Banjo Paterson inspired the name. The concept for establishing a marketplace lender such as Banjo [popped into my head] during a ‘make over’ of my front and back yard.
Over a coffee with my two co-founders [Stephen Murphy and Julian Hedt], I remember both of them saying that I needed to understand that: firstly, we were building a technology company with a financial services offering; and secondly, a symbiotic relationship between the business and technology was fundamental for success.
All of our people irrespective of job role are co-located to solve common problems. From inception, we have built an organisation totally focused on seven principles.
Leveraging data to remove friction between the customer and the institution
Prototyping and constantly evolving every aspect of the customer interaction. Not just optimising the experience but looking to revolutionise it
Mobile as a core competency
Originating clients without concerns of the costs of a large branch network
Being channel agnostic. Simply, use the channel the customer uses
Establishing a symbiotic relationship between software developers, executives, business development people and marketing
Risk management and compliance monitoring solutions implemented at a level equal to or greater than any mainstream bank, and available in real time with minimal or no human intervention.
CIO: Based on your own research, what is the customer experience like for businesses and what benchmarks are you trying to beat?
Colliver: Post-GFC, there has been a global trend of a growing disparity between banks and small businesses whereby demand for small business loans has exceeded supply. More onerous restrictions have been imposed on borrowing arrangements; the application takes too long and processes are too difficult.
It is also evident there has been a growing
spread differential between home loans and small business loans, with
small business loans being charged 200 basis points over the average
cost of a home loan.
A survey from an established market place lender in the US revealed
that for every 10 customers, 6 considered borrowing from banks and 4 of
those 6 did not end up applying due to the perception the process is too
difficult and will take too long.
In Australia, a business credit card can take 7 – 10 days, and a typical business loan could take 30 – 60 days.
Marketplace lending can provide a better solution to the borrower. If you review the daily life cycle of a small business client, they have a series of tasks that need to be done efficiently. And 40 per cent of SMEs apply for banking services after 6pm.
However in Australia, our experience shows peak usage at 10am and 4pm with applications also flowing in at these times. We also receive a number of applications and queries on weekends, presumably when small business clients catch up on their paperwork and process matters for their business.
So when you have ‘financial technology’ platforms such as Banjo being totally designed to take banking services to customers when and where they need it, regardless of device (mobile, tablet or PC) and remove the frustrations of paperwork…this becomes a powerful value proposition.
Customers’ expectations for anything, anytime, anywhere banking were our foremost design parameters from inception.
CIO: What process did you follow to build the offering?
Colliver: To become an online marketplace lender, we focused on 4 major pillars all executed in parallel:
1. Building a modular technology platform incorporating the best of breed off the shelf systems melded with our own proprietary systems using technology to enable scale and operating leverage.
2. Unlocking value and creating liquidity for buyers and sellers through the establishment of the Banjo Small Business Fund, offering a targeted fixed income coupon of 8 to 10 per cent per annum for corporate and wholesale investors.
3. Build a value proposition across product type and user experience that is consistent with helping the customer complete their daily tasks efficiently…where and when they want to.
4. Built our company from inception around the brand. For instance, the brand was not retrofitted to the company once it was built. We commenced with a brand platform, followed by a brand narrative and brand identification process, followed by the creation of brand assets and so on. It was a total build.
Of these steps, 1 and 2 were the most difficult, closely followed by raising seed funding for the business.
CIO: You have engineered your solution to provide both simplicity and speed. Was it harder to break established norms and achieve simplicity?
Colliver: Post-GFC, large banks globally focused on the strategic imperatives of risk management, and adapting to a new regulatory compliance and capital regime. Cost reduction initiatives tackled flat line revenues in a low consumer and business growth environment.
In every other financial shock, the banks could rely on long tested means and methods to respond to a conventional value chain. And they did again.
Yet at the same time, the building blocks of the internet of things (IoT) were gaining traction improving information connectedness, scalability, speed and driving the costs of technology stacks down to levels unheard of ten years ago.
It was only natural that new entrants leveraging technology to focus on taking banking services to clients in a relevant and convenient manner would fill the gap.
Even today, most of the technology investment by banks is going into compliance and retooling of core legacy systems rather than the user experience and servicing the needs of the client.
For Banjo, we did not need to deal with retooling core legacy systems or transitioning existing systems to a new modular technology platform. We could review what the customer was seeking, and build a customised solution.
CIO: Without giving away too many secrets, could you talk about your cost to income ratio and roughly how this compares to the big banks?
Colliver: Our cost structure would be approximately 350 basis points lower than a mainstream bank. The cost savings are predominantly in the absence of a large branch network, and lower people costs across administration, collection and processing role types.
CIO: Given that you are a startup and trying to build a brand, how do you plan to compete with the bigger players? Is there a social media strategy that you are adopting or is this relying more on expert referrals?
Colliver: We have a very detailed digital marketing campaign, and a ‘business to business’ channel management strategy involving strategic partnerships with accountants, and other 3rd parties interested in assisting SMEs achieve their goals. We are currently in discussions with a number of 3rd parties.
There are 2 million SMEs in Australia and 51 per cent do not have a business lending product at all. The SME market is estimated at $250 billion in Australia, with compound annual growth rates of 4 to 5 per cent.
But there are a large number of SMEs in Australia that either do not have a home to offer as collateral for a small business loan or they would prefer to not provide their home as collateral.
In some ways, we are trying to expand the $250 billion small business lending market by offering access to finance to those SMEs that are using credit cards or cash reserves or family loans, and our marketing may not compete head to head with the bigger players.
CIO: Have you made much investment into analytics to understand your loan portfolio and gain greater insights into credit risk management?
Colliver: We have incurred significant investment in analytics to understand our customer interactions through our customer contact management system; to understand our clients through website usage; and to understand our clients holistically in the operation of their businesses.
As mentioned above, we have Banjo Score, which is a good example of our investment in this space. We have a sophisticated call centre and Salesforce contact management system, combined with data gathered from Google Analytics and our own database.
CIO: What’s the idea behind the selfie? Other startups such as WeChat use such approaches to validate a transaction.
Colliver: We wish to remove friction between Banjo and the client. That means the elimination of paper, and we wished to avoid a person seeking validation of their identity in a branch or Australia Post office. Our aim was real time verification online. We have witnessed Airbnb and others successfully use this approach over many years.
CIO: But as you already have a photo of the driver’s license, what purpose does this serve?
Colliver: Security is paramount, and we wish to mitigate against identity theft. The person applying needs to be the owner of the licence. In a 3 director company, the other 2 directors need to consent to the borrowing and we need evidence of their identity and consent. (This is the same where this is a partnership entity or a complicated trust vehicle.)
Big data is one of the more glamorous terms in
today’s IT vernacular, but in reality making it work is about small
dirty jobs that take up a lot of resources for little immediate return.
As businesses adopt an obsessive focus on ‘the customer’, there is a
clear divide opening up between companies such as Amazon and Uber that
run their businesses on analytics, and the silent majority simply trying
to do things a little bit better.
The secret to staying on the right side of this gap is investing
early into the little things, like metadata governance, standardisation
and data glossaries.
Here are a few simple tips to guide the formative days of your business’s big data future.
Cleaning up the metadata
The big data holy grail for enterprises is a single customer view.
But the reality is that most organisations probably have around eight
to 10 different customer databases that all exist to support different
transactional systems. Each customer probably has a different ID in each
of these accounts.
This is only going to become more daunting as the internet of things
becomes a day-to-day reality and sensors are used to detect a customer
in-store, track their browsing behaviour and make them offers via their
devices.
We have to remember that big data usually hasn’t been cleaned up and
integrated into a single source of truth – indeed the opposite is the
case.
To understand what is in the data lake, we need high quality metadata
to track the various data stores and to distil some meaning from them.
Metadata Tsars
This is where good quality governance becomes critical.
Most enterprises have some form of data governance, but its focus is
usually restricted to higher level priorities than metadata.
But you really can’t make any sense of the vast amounts of data unless you have a comprehensive metadata management approach.
This means taking on historical and headache-inducing problems like
data types and data names that are not always consistent, like dates
being stored as variable character fields.
Correcting these is a significant exercise with often little to show
for it until a sizable investment has been already made. Unfortunately
these are jobs that can’t be avoided.
Data lakes not data dumps
There is no point in building a data lake if this information can’t be accessed. That is a data dump.
Enterprises have traditionally struggled to implement data warehouses.
At best they have been a reasonable place for basic reporting
systems. At worst, the shortfalls have resulted in a proliferation of
these environments and the truth is that most enterprises now have a
number of data warehouses.
The current architecture landscape would appear to be splintered into a number of separate data stacks.
We have learnt this lesson so let’s not repeat the same mistakes when it comes to big data.
Think like a librarian
The right approach is to do what librarians do and ensure you
establish a data glossary to catalogue the enterprise data sources.
This does not need to be all-encompassing and you do not need to boil
the ocean. Instead you can build a common data set of critical business
data elements. What you will be focused on will be enriching the
catalogue so sources are noted and applications that use this data are
tracked.
Like a library, this enables sharing. Thus anyone in the business can
now use their own BI tool of choice to access a shared and validated
database.
For financial services, it is also critical to maintain data lineage,
and in essence that means that regulated data is never deleted.
Therefore if we find an issue and want to correct this, we need to
maintain a history of these changes by appending rather than
overwriting.
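The three points above (inconsistent data types such as dates held as variable character fields, a catalogue of critical data elements, and lineage maintained by appending rather than overwriting) can be shown in one small piece of code. This is an added example written for this page, not code from the column or from any product it mentions; the record keys, field names, the day-first date formats and the sample customer record are all constructed assumptions.

```python
"""Append-only record history with date normalisation.

Added example (not from the original column). A correction never replaces
an earlier version; it appends a new one, so the full history of a
regulated record can always be reconstructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List


def normalise_date(value: str) -> str:
    """Convert the varchar date formats seen in legacy feeds to ISO-8601 (YYYY-MM-DD).

    Assumption: day-first (Australian) ordering for the slash and dash forms.
    """
    for fmt in ("%Y-%m-%d", "%d/%m/%Y", "%d-%m-%y", "%d %b %Y"):
        try:
            return datetime.strptime(value.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {value!r}")


@dataclass(frozen=True)
class Version:
    """One immutable version of a record; older versions are never modified."""
    seq: int                  # position in the record's history, starting at 1
    data: Dict[str, Any]
    changed_by: str
    reason: str
    recorded_at: str          # ISO-8601 UTC timestamp of when the version was appended


class LineageStore:
    """Maps a record key to its ordered list of versions (append-only)."""

    def __init__(self) -> None:
        self._history: Dict[str, List[Version]] = {}

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat()

    def put(self, key: str, data: Dict[str, Any], changed_by: str, reason: str) -> Version:
        """Append a new full version of the record (first call creates it)."""
        versions = self._history.setdefault(key, [])
        v = Version(len(versions) + 1, dict(data), changed_by, reason, self._now())
        versions.append(v)
        return v

    def correct(self, key: str, changes: Dict[str, Any], changed_by: str, reason: str) -> Version:
        """Apply a correction by appending a merged copy; unknown keys are an error."""
        if key not in self._history:
            raise KeyError(key)
        merged = {**self.current(key).data, **changes}
        return self.put(key, merged, changed_by, reason)

    def current(self, key: str) -> Version:
        return self._history[key][-1]

    def as_of(self, key: str, seq: int) -> Version:
        """Return the record exactly as it stood at version `seq`."""
        return self._history[key][seq - 1]

    def history(self, key: str) -> List[Version]:
        return list(self._history[key])


def demo() -> LineageStore:
    """Load a constructed customer record, then correct its varchar date."""
    store = LineageStore()
    # Constructed sample: opened_date arrived as free text from a legacy CRM.
    store.put("cust-0001", {"name": "Acme Pty Ltd", "opened_date": "03-12-15"},
              changed_by="etl-loader", reason="initial load from legacy CRM")
    fixed = normalise_date(store.current("cust-0001").data["opened_date"])
    store.correct("cust-0001", {"opened_date": fixed},
                  changed_by="data-steward", reason="normalise varchar date to ISO-8601")
    return store


if __name__ == "__main__":
    for v in demo().history("cust-0001"):
        print(v.seq, v.data, v.changed_by, v.reason)
```

Because every change is a new `Version`, an auditor can ask `as_of("cust-0001", 1)` and see the record exactly as it was loaded, including the unnormalised date, while `current()` gives the corrected value that reporting should use.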
Elephants are afraid of mice
Doug Cutting’s daughter had a toy elephant that was named Hadoop -
and that inspired the name of his influential big data product. But most
of us would think of elephants as giant marauding beasts in Saharan
Africa.
I’ve often heard that elephants are afraid of mice and in the data world at least this seems to hold true.
A giant Hadoop database cluster looks all powerful and strong, but
without the small things like high quality metadata being implemented,
the elephant is much weaker than one would expect.
When it comes to big data the small things really matter.
You have been asked to present next month to the board about the
enterprise readiness for Advanced Persistent Threats. From what you
understand it appears that either the Chief Risk Officer, the External
Auditor or an ex-colleague of the Board has made this suggestion.
Unfortunately you really don’t know what level of awareness the board members have about Advanced Persistent Threats. With trepidation you start to prepare for this, and the first question is how honest should you be?
Then you wonder about opening Pandora’s box and making this a moment that you will regret.
Honesty is the only policy
While you don’t want to incite any panic, it is all about getting the
balance right around being confident in the approach that is being
adopted, but also realistic to not provide any suggestion that your
approach is bulletproof.
Yes, be honest. The worst situation
would be to leave the board with the perception that everything is under
total control. In the same vein you also never want them to think it
is out of control.
For most of us, we aren’t good at lying and this will show in our expression. I’d hate to be in that situation. Honesty is the only policy.
Start at the Beginning
It is critical that the board understands that an Advanced Persistent Threat is not a single virus that can be simply addressed. Instead it can take many forms, and the best ones morph to use different attack vectors.
It could start with a simple virus infection, malware that arrives by email, or even code carried in on a USB thumb drive. The board members themselves are perhaps also part of the group that attackers target.
That email from a board member’s personal PC at home to the CFO could indeed be the mechanism used to reach a senior executive. Once the board understands how wide the scope is, the need for education becomes a point well worth sharing.
The APT Lifecycle
What is going to help is to use ‘plain English’ as much as possible and explain that these APT threats, while using various approaches to get into an organisation, have an objective to remain undetected as long as possible.
That means admitting that it is possible these may indeed already be in the enterprise, collecting sensitive information and assessing when to take action. In your defence you can explain the measures that are in place to address this:
We have a ‘state of the art’ firewall to restrict access to your corporate network.
Endpoint software is deployed on all devices to prevent and detect malware
Strong passwords with two factor authentication are in place
The enterprise has strong Privacy and or PCI measures in place to protect sensitive information
An Acceptable Use Policy is in place for all staff, and they understand that Cyber Security starts with them not clicking on the wrong links
Wearing the Black Hat
Moreover it will be critical to demonstrate that we have internal
staff and partners that we ask to wear the black hat. That means we are
doing our own monitoring for vulnerabilities – reconnaissance if you
like.
The resource will use all the dirty tactics of phishing,
social media engineering attacks and perhaps even dumpster diving. We
could also use a tactic to try mock attacks. This could involve a mock
spear phishing attack and seeing what happens when random staff are sent
a false message with an attachment etc.
It also means understanding the network and the perimeter and which ports are vulnerable. To this end I’ve met with security companies that are pitching to work with me that have conducted such an exercise, and they can highlight potential risk areas, even without breaking the law.
A random audit of SIEM logs can also provide some interesting insight. If your team is not closely monitoring these, then it is likely that any clues are being missed. Taking a sample and checking that any items that should be deemed suspicious were noted would be a great exercise. This is all about ‘trust but verify’.
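The SIEM spot-check described above can be scripted so it is repeatable. The following is an added example written for this page, not code from the column or from any SIEM product: it draws a random sample of events from a constructed, normalised log export, applies a few simple rules for what an analyst would expect to have been flagged, and reports every suspicious event in the sample for which no alert was actually raised. The log format, the rule thresholds, the sample lines and the list of raised alerts are all constructed assumptions.

```python
"""Spot-audit of SIEM events against the alerts the team actually raised.

Added example (not from the original column). Implements 'trust but verify':
sample the log, decide which sampled events should have been noticed, and
list the ones with no matching alert.
"""
import random
import re
from collections import Counter

# Constructed line format: ISO timestamp, then key=value attributes.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+)(?: (?P<rest>.*))?$"
)

# Constructed SIEM export for one day (sample data, not real logs).
SAMPLE_LOGS = """\
2016-02-01T09:12:03Z host=ws-101 user=alice event=logon_success
2016-02-01T09:15:40Z host=ws-101 user=alice event=file_open path=/shared/q1.xlsx
2016-02-01T02:03:11Z host=ws-204 user=svc_backup event=logon_success type=interactive
2016-02-01T10:01:00Z host=ws-117 user=bob event=logon_failure
2016-02-01T10:01:05Z host=ws-117 user=bob event=logon_failure
2016-02-01T10:01:09Z host=ws-117 user=bob event=logon_failure
2016-02-01T10:01:14Z host=ws-117 user=bob event=logon_failure
2016-02-01T10:01:20Z host=ws-117 user=bob event=logon_failure
2016-02-01T10:02:00Z host=ws-117 user=bob event=logon_success
2016-02-01T11:30:22Z host=srv-db1 user=carol event=service_installed name=updsvc
2016-02-01T11:45:00Z host=ws-101 user=alice event=usb_device_attached
2016-02-01T14:20:17Z host=ws-150 user=dave event=outbound_dns bytes=98304
""".splitlines()

# Constructed record of what the SOC alerted on that day, keyed by (host, user, event).
RAISED_ALERTS = {
    ("ws-117", "bob", "logon_failure"),
    ("srv-db1", "carol", "service_installed"),
}

FAILURE_THRESHOLD = 5        # repeated failures per account that should be noticed
DNS_BYTES_THRESHOLD = 65536  # outbound DNS volume per event that should be noticed


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["attrs"] = dict(kv.split("=", 1) for kv in (d.pop("rest") or "").split())
    return d


def suspicious_reasons(event, failure_counts):
    """Rules (constructed) for what an analyst would expect to have been flagged."""
    reasons = []
    if (event["event"] == "logon_success" and event["user"].startswith("svc_")
            and event["attrs"].get("type") == "interactive"):
        reasons.append("interactive logon by service account")
    if event["event"] == "logon_failure" and failure_counts[event["user"]] >= FAILURE_THRESHOLD:
        reasons.append("repeated logon failures")
    if event["event"] == "service_installed":
        reasons.append("new service installed")
    if event["event"] == "usb_device_attached":
        reasons.append("removable media attached")
    if event["event"] == "outbound_dns" and int(event["attrs"].get("bytes", 0)) > DNS_BYTES_THRESHOLD:
        reasons.append("unusually large DNS volume")
    return reasons


def audit_sample(lines, raised_alerts, sample_size, seed=0):
    """Sample events and split the suspicious ones into covered vs. missed."""
    events = [e for e in map(parse_line, lines) if e]
    failure_counts = Counter(e["user"] for e in events if e["event"] == "logon_failure")
    rng = random.Random(seed)  # seeded so the audit can be reproduced
    sample = rng.sample(events, min(sample_size, len(events)))
    covered, missed = [], []
    for e in sample:
        reasons = suspicious_reasons(e, failure_counts)
        if not reasons:
            continue
        key = (e["host"], e["user"], e["event"])
        (covered if key in raised_alerts else missed).append((key, reasons))
    return {"sampled": len(sample), "covered": covered, "missed": missed}


if __name__ == "__main__":
    report = audit_sample(SAMPLE_LOGS, RAISED_ALERTS, sample_size=8)
    print(f"sampled {report['sampled']} events, "
          f"{len(report['covered'])} suspicious ones alerted, {len(report['missed'])} missed")
    for key, reasons in report["missed"]:
        print("MISSED", key, "; ".join(reasons))
```

Run against the constructed data with a sample covering every event, the audit reports the service-account interactive logon, the USB device and the large DNS transfer as suspicious events that nobody alerted on, which is exactly the gap the board conversation needs to surface.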
Be confident but not smug
The board will appreciate your humility and that you are taking all measures to stay on top of any threat from Advanced Persistent Threats.
Being confident about the approach and having the board now fully informed, they are now in a position to re-evaluate the Enterprise Risk Appetite.
(Phew) you can keep your job – for now at least.