New research from Approov has revealed that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys, which could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.

The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety two percent of the apps leaked valuable, exploitable secrets and twenty three percent of the apps leaked extremely sensitive secrets. As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of the apps had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at run-time.

Commenting, Nick Rago, field CTO at Salt Security, said: “The Approov Threat Lab findings illustrate the critical importance of proper API runtime protection and malicious API behaviour detection for an organisation’s API security strategy. In order to function, most mobile apps rely on API-based communication from the application to an application back-end in the cloud or Internet-facing servers. That communication is frequently secured using static, hard-coded, admin-level or privileged API keys and secrets. App developers often mistakenly assume that the app user or an adversary could not access these keys. The Approov report highlights the wide-spread lack of protections app developers put around these credentials and how easy it can be for an adversary to inspect mobile app traffic or app manifests to extract privileged application communication credentials. Once those keys or credentials find their way into the hands of a bad actor, adversaries can leverage the APIs with admin-like authority. For financial services customers, the impact could be devastating as the attacker could not only gain the power to steal sensitive data associated with customer accounts but also conduct financial transactions associated with those accounts. Once a privileged API key is in the hands of an adversary, and they have the authority to use that API, your security defences are 100% reliant on your ability to quickly detect for abnormal and malicious API usage in runtime that indicates an attacker is abusing your APIs.”

Excellion Capital, the boutique investment and advisory firm focussed on real estate and asset-backed investments, has appointed ex-AXA and UBS MD Anthony Shayle as Director – Real Estate.

Shayle previously served for more than 10 years as MD & Head of Real Estate Debt for EMEA (ex Switzerland) at UBS Asset Management, where his team deployed and managed £1.5 billion in assets across UK Real Estate and UK Real Estate Debt. Prior to that, Shayle worked at AXA Real Estate Investment Managers as Head of Asset Management for the UK, Nordics and Benelux, responsible for c. €15 billion AuM and launched four new funds with c. €1.2bn equity.

Founded in London in 2007, Excellion Capital assists borrowers with their real estate finance requirements and makes its own investments. The boutique firm has now appointed Shayle to grow its debt advisory business, with a specific focus on assisting borrowers to refinance or restructure existing debts. His appointment comes as Excellion continues to see a marked increase in refinancing activity and enquiries, driven by higher interest rates in an environment in which many lenders are withdrawing lending products and tightening lending criteria.

As Director, Shayle reports to Ashley Marks, Head of Real Estate. Anthony Shayle’s appointment follows another successful year for Excellion Capital, in which the firm completed several flagship transactions across UK real estate. These include, amongst others:

• debt financing to support the successful opening and launch of the new 141-room Hotel AMANO Covent Garden, which Excellion delivered together with its joint venture partner, AMANO Group;
• arranging a £60 million debt financing for a nationwide social housing portfolio of c. 50 properties for an institutional investment firm;
• arranging a £110 million debt facility for Red Oak Taverns, the operator of 200 pubs across the UK.

In 2023, Excellion already closed multiple property debt refinancings and several new transactions are credit approved. Earlier this year, Excellion also appointed David Horwich as VP Real Estate. The firm will continue to grow its debt advisory business and expand its proprietary investment portfolio.

Robert Stafler, Co-Founder & CEO, Excellion Capital said: “Anthony’s appointment is nothing short of a coup: he joins with a pristine institutional background and deep experience of the highest pedigree. More and more of our clients need help to refinance existing debts and seek our assistance. Anthony’s multi-decade experience as a lender in UK Real Estate will be invaluable in this regard, so I am very excited to welcome him to the top-notch team led by Ashley.”

Anthony Shayle, Director, Excellion Capital said: “I’m delighted to be joining Excellion, a unique boutique of highly skilled individuals with an outstanding track record and a strong moral compass; a firm that punches well above its weight. The market continues to pose difficult questions for borrowers, hence the need for skill and creativity in refinancing is pressing. I look forward to being part of this remarkable team, to help our clients navigate the current climate, achieve sustainable debts and create value.”

Ashley Marks, MD & Head of Real Estate, Excellion Capital said: “I first worked with Anthony in 2005 and I’m excited he joins our team today. Anthony comes to us at a critical time: existing clients already enjoy a 1^st class service of value-adding property debt advisory, but the demand for our services keeps growing. Anthony’s decades of experience will help us meet this demand and grow.”

The Solicitors Regulation Authority (SRA) has added further case studies to those published online to help firms remain compliant with the rule prohibiting use of the client account as a banking facility.

The SRA Accounts Rules include Rule 3.3, which states solicitors ‘must not use a client account to provide banking facilities to clients or third parties. Payments into, and transfers or withdrawals…must be in respect of the delivery of regulated services’. This rule was introduced initially in 2004 to specifically address the problem that some law firms were providing clients with banking facilities when they did not have access to one.

The SRA published case studies to help law firms understand the types of instances when paying money into the client account is not acceptable. These have now been updated with additional scenarios to give firms more guidance.

These case studies give firms an idea of the type of issues they might be confronted with. However, the SRA has cautioned firms that any case will turn on its own individual facts.

There are a range of risks of using a client account as a banking facility – it could facilitate money laundering, help someone avoid their obligations in an insolvency situation, or improperly hide assets in a commercial or matrimonial dispute. The SRA has also warned firms about the risks of allowing firms’ client accounts to be used to add credibility to questionable investment schemes.

Paul Philip, SRA Chief Executive, said: ‘It is really important that firms don’t use the client account as a banking facility – it can open the door to money laundering or help people inappropriately hide away assets.

‘This rule generates a lot of queries and I’ve been asked about it a number of times when meeting with local law societies in the last year. We want to support firms to help them remain compliant. We hope these case studies prove useful.

‘The most important aspect for all firms is the rule itself, read that first, and then have a look at the case studies for further help. Solicitors naturally will want to help their clients, but they of course must also do the right thing. If a client wants you to act in this way, you should seek to understand why they are asking you to do this and reassure yourself that you take an approach that is compliant.’

The case studies are in the guidance section of the SRA’s website.

Firms cannot justify processing money through the client account due to having a retainer with a client. Nor should they hold funds to enable them to pay a client’s routine outgoings, for instance when based abroad. Online banking developments mean this is no longer justifiable.

Specialist lender Together has announced three promotions to its executive team for Sarah Nield, Ryan Etchells and Julie Twynholm.

Sarah Nield will take on the role of Group Chief Compliance Officer. Her key focus will centre on delivering the group’s strategy to become an exemplar in the specialist lending market.

Sarah joined Together three years ago and has held two roles in Risk, enabling her to support the business in navigating the ever-changing regulatory environment for Together’s customers and regulators.

Ryan Etchells has been appointed as Chief Commercial Officer. His remit will be to drive the business’ commercial plan, developing strategies to ensure Together delivers value for all of its stakeholders in a sustainable way.

Ryan started his career at Together on the Graduate scheme, which provided the foundations to develop and progress. Ryan left Together to grow his knowledge and experience in banking and during this time, he gained a Master’s degree in Banking. In 2021, he returned to the Cheadle-based lender to lead the Product team.

Julie Twynholm has been promoted to Group Chief Risk Officer. Julie’s role will centre on keeping the business safe, collaborating across the business to navigate Together safely through the challenging macroeconomic environment and our transformation and modernisation.

Julie joined Together 18 months ago, after supporting the business as a consultant. Her previous roles have taken her across the globe, spending time in Bermuda and Hong Kong. Julie brings a wealth of experience in financial services risk management.

Gerald Grimes, Group CEO Designate at Together said: “I am delighted to announce the news that Julie, Sarah and Ryan will all be promoted into executive team roles.

“I want to take this opportunity to wish them well in their new roles and welcome them to the Executive Team. It is a great demonstration that Together provides colleagues with the opportunity to progress internally and these appointments will bring greater diversity to the current team.”

For digital businesses, success depends on application performance. Organisations must deliver the best possible experiences for employees and customers while driving innovation and ensuring security. To do this, enterprises are increasingly migrating application delivery to hybrid/multi-cloud environments to achieve increased agility and resiliency.

But are businesses achieving these benefits? A10 Networks and Gatepoint Research surveyed senior technology decision-makers around the globe, revealing key insights into their experiences delivering applications in the cloud and their priorities around application delivery controllers (ADC).

Today, the industry is at a crucial inflection point in evolving digital infrastructure. To ensure the success of their move to hybrid and multi-cloud environments and deliver the best service for customers, organisations must overcome the limitations of their current ADCs. Reducing the complexity of IT operations will be essential, especially as new technologies and evolving systems expand the skills required of IT staff.

Ultimately, the ADC will either enable digital success or impede it—depending on the choices IT leaders make now.

Cloud complexities

Businesses are now hosting their applications in a variety of environments, both public and private, and yet 74% of respondents continue to host applications in an on-premises data centre.The combination of environments reported by respondents show the prevalence of a hybrid approach in which an on-premises data centre is leveraged in tandem with one or more types of clouds and vendors.

While this hybrid/multi-cloud approach offers great flexibility to choose the ideal environment for each application, it also increases the complexity of application delivery. Organisations need to manage application delivery and consistent policies across heterogeneous environments, including requirements such as performance optimisation, load balancing, and troubleshooting.

Application Migration initiatives show moderate success

Given the strategic importance of cloud migration, you’d expect that companies would be diligent in the planning and investment needed to achieve optimal results—but our findings tell a different story: only 26% of respondents said they had been highly successful in these efforts.

These unimpressive results show a clear need for better planning. Not all applications are suitable for all clouds, or for the cloud in general. IT organisations need to make the right choices about the right environment and provider for each application, and clearly think through the migration process. The more thought companies put into their cloud initiative, the more they’ll get out of it.

The role of an ADC is expanding

ADC functions are growing beyond the baseline uses, such as global server load balancing (GSLB), TLS/SSL Offload, and application acceleration and optimisation.

As cloud-native, microservice architectures transform the way applications are developed and delivered, 15% of respondents reported that they are using their ADC to control access to containerised applications. With security a perennial and rising concern, 12% of organisations are using their ADC for authentication and CAPTCHA access controls, a common feature in public commercial environments that is now making its way into enterprise planning. Given that digital business runs on DevOps, 10% of respondents are also using their ADC to support continuous integration/continuous delivery (CI/CD).

ADC satisfaction shows room for improvement

As a critical element of digital business infrastructure, companies have a right to expect exceptional results from their ADC. Unfortunately, most fall short.

Only a third (34%) of IT leaders are highly satisfied with their solution, likely due to the limitations of older solutions in meeting the newer challenges like observability, analytics, and feedback to DevOps.

ADC requirements have changed over the years as companies adopt new technologies to support their business and employees. Meeting today’s standards for an exceptional digital experience calls for a fully modern infrastructure.

ROI is king

As organisations evaluate their next ADC solution, one consideration stands above all others: return on investment (46%). Over time, ROI depends on the lifetime value of a solution, so it is important to avoid getting locked into a deployment model that no longer fits an organisational needs. Interestingly, 9% of respondents cited flexible and portable licensing as a crucial consideration, a relatively new concept.

While moving to hybrid/multi-cloud environments can help companies achieve the application performance, business agility, and IT resiliency demanded by today’s digital businesses and markets, many are struggling to realise these benefits. Outdated application delivery infrastructure can make it difficult to address security threats, ensure availability, and deliver the best possible experience for customers and employees.

IT leaders are increasingly recognising the potential of the latest application delivery capabilities to solve problems more quickly, empower staff for greater effectiveness, and put data to work to improve performance, security, and uptime throughout the infrastructure, moving digital businesses into the future.

By Adrian Taylor, VP EMEA at A10 Networks