Approov study finds majority of banking and financial services apps extremely susceptible to API security issues

New research from Approov has revealed that 92% of the most popular banking and financial services apps contain easy-to-extract secrets such as API keys, which could be used in scripts and bots to attack APIs and steal data, devastating consumers and the institutions they trust.

The Approov Mobile Threat Lab downloaded, decoded and scanned the top 200 financial services apps in the U.S., U.K., France and Germany from the Google Play Store, investigating a total of 650 unique apps. Ninety-two percent of the apps leaked valuable, exploitable secrets and twenty-three percent of the apps leaked extremely sensitive secrets. As well as immediately exposing secrets, scans also indicated two critical runtime attack surfaces that could be used to steal API keys at runtime. Only 5% of the apps had good defenses against runtime attacks manipulating the device environment and only 4% were well protected against Man-in-the-Middle (MitM) attacks at runtime.

Commenting, Nick Rago, field CTO at Salt Security, said: “The Approov Threat Lab findings illustrate the critical importance of proper API runtime protection and malicious API behaviour detection for an organisation’s API security strategy. In order to function, most mobile apps rely on API-based communication from the application to an application back-end in the cloud or Internet-facing servers. That communication is frequently secured using static, hard-coded, admin-level or privileged API keys and secrets. App developers often mistakenly assume that the app user or an adversary could not access these keys. The Approov report highlights the widespread lack of protections app developers put around these credentials and how easy it can be for an adversary to inspect mobile app traffic or app manifests to extract privileged application communication credentials. Once those keys or credentials find their way into the hands of a bad actor, adversaries can leverage the APIs with admin-like authority. For financial services customers, the impact could be devastating as the attacker could not only gain the power to steal sensitive data associated with customer accounts but also conduct financial transactions associated with those accounts. Once a privileged API key is in the hands of an adversary, and they have the authority to use that API, your security defences are 100% reliant on your ability to quickly detect abnormal and malicious API usage in runtime that indicates an attacker is abusing your APIs.”

Expert comments: International Women’s Day – Tackling savings inequity

“Today, there is no good reason why men should have more money than women. However, the gender savings gap remains as stark as ever – recent research has uncovered that women in the UK are still saving over a third less than men. This ultimately hinders their financial freedom, limiting their ability to save for important life goals and even fund their retirement.

“Lower disposable income is the primary reason for this, while some women may lack the confidence to invest their money, or choose to take a career break to start a family. In the current economic climate, the high cost of living is likely to be contributing to even greater wealth inequity.

“Tackling these issues at the source is imperative, but most banking services today are too generic to help level the playing field. Creating more targeted savings products – products that take women’s lived experiences into account and make their lives easier – and empowering women through financial education are the keys to championing real gender equity.”

Sam Compton, Director of Operations at SmartSave Bank

Excellion Capital appoints ex-AXA and UBS MD Anthony Shayle

Excellion Capital, the boutique investment and advisory firm focussed on real estate and asset-backed investments, has appointed ex-AXA and UBS MD Anthony Shayle as Director – Real Estate.

Shayle previously served for more than 10 years as MD & Head of Real Estate Debt for EMEA (ex Switzerland) at UBS Asset Management, where his team deployed and managed £1.5 billion in assets across UK Real Estate and UK Real Estate Debt. Prior to that, Shayle worked at AXA Real Estate Investment Managers as Head of Asset Management for the UK, Nordics and Benelux, responsible for c. €15 billion AuM and launched four new funds with c. €1.2bn equity.

Founded in London in 2007, Excellion Capital assists borrowers with their real estate finance requirements and makes its own investments. The boutique firm has now appointed Shayle to grow its debt advisory business, with a specific focus on assisting borrowers to refinance or restructure existing debts. His appointment comes as Excellion continues to see a marked increase in refinancing activity and enquiries, driven by higher interest rates in an environment in which many lenders are withdrawing lending products and tightening lending criteria.

As Director, Shayle reports to Ashley Marks, Head of Real Estate. Anthony Shayle’s appointment follows another successful year for Excellion Capital, in which the firm completed several flagship transactions across UK real estate. These include, amongst others:

  • debt financing to support the successful opening and launch of the new 141-room Hotel AMANO Covent Garden, which Excellion delivered together with its joint venture partner, AMANO Group;
  • arranging a £60 million debt financing for a nationwide social housing portfolio of c. 50 properties for an institutional investment firm;
  • arranging a £110 million debt facility for Red Oak Taverns, the operator of 200 pubs across the UK.

In 2023, Excellion has already closed multiple property debt refinancings, and several new transactions are credit approved. Earlier this year, Excellion also appointed David Horwich as VP Real Estate. The firm will continue to grow its debt advisory business and expand its proprietary investment portfolio.

Robert Stafler, Co-Founder & CEO, Excellion Capital said: “Anthony’s appointment is nothing short of a coup: he joins with a pristine institutional background and deep experience of the highest pedigree. More and more of our clients need help to refinance existing debts and seek our assistance. Anthony’s multi-decade experience as a lender in UK Real Estate will be invaluable in this regard, so I am very excited to welcome him to the top-notch team led by Ashley.”

Anthony Shayle, Director, Excellion Capital said: “I’m delighted to be joining Excellion, a unique boutique of highly skilled individuals with an outstanding track record and a strong moral compass; a firm that punches well above its weight. The market continues to pose difficult questions for borrowers, hence the need for skill and creativity in refinancing is pressing. I look forward to being part of this remarkable team, to help our clients navigate the current climate, achieve sustainable debts and create value.”

Ashley Marks, MD & Head of Real Estate, Excellion Capital said: “I first worked with Anthony in 2005 and I’m excited he joins our team today. Anthony comes to us at a critical time: existing clients already enjoy a 1st class service of value-adding property debt advisory, but the demand for our services keeps growing. Anthony’s decades of experience will help us meet this demand and grow.”

Praetura Commercial Finance comments on International Women’s Day

“I’ve played a leading role at Praetura Commercial Finance since its formation in 2016, and our achievements have been plentiful over the last several years. We’ve grown the PCF loanbook to more than £100m, and have lent to some fantastic businesses, such as innovative exercise bike manufacturer Wattbike, which is an official supplier to the New Zealand All Blacks.

“On a personal level, this year will mark my eighth year as managing director of PCF. The team has also grown considerably in that time, which I’ve been very proud to be a part of.

“International Women’s Day is incredibly important, because it’s a chance for businesses to celebrate the efforts of women within their companies. Often around this time, we get to see the calibre of female talent making up the workforce. It’s a reminder to businesses, not just male dominated ones, that you don’t need to look far for exceptional talent.

“My role models tend to be peers within the industry – talented women who have pushed the finance industry forward. I’m inspired by industry champions and people who are incredibly visible and vocal – not just in the lending space but in all other areas of finance. I think there’s a misconception that role models need to be famous or known around the world, but I think a role model can just as easily be someone you work with.”

Lisa Wood is managing director and co-founder of Praetura Commercial Finance

More case studies added on banking facilities rule

The Solicitors Regulation Authority (SRA) has added further case studies to those published online to help firms remain compliant with the rule prohibiting use of the client account as a banking facility.

The SRA Accounts Rules include Rule 3.3, which states solicitors ‘must not use a client account to provide banking facilities to clients or third parties. Payments into, and transfers or withdrawals…must be in respect of the delivery of regulated services’. This rule was introduced initially in 2004 to specifically address the problem that some law firms were providing clients with banking facilities when they did not have access to one.

The SRA published case studies to help law firms understand the types of instances when paying money into the client account is not acceptable. These have now been updated with additional scenarios to give firms more guidance.

These case studies give firms an idea of the type of issues they might be confronted with. However, the SRA has cautioned firms that any case will turn on its own individual facts.

There are a range of risks of using a client account as a banking facility – it could facilitate money laundering, help someone avoid their obligations in an insolvency situation, or improperly hide assets in a commercial or matrimonial dispute. The SRA has also warned firms about the risks of allowing firms’ client accounts to be used to add credibility to questionable investment schemes.

Paul Philip, SRA Chief Executive, said: ‘It is really important that firms don’t use the client account as a banking facility – it can open the door to money laundering or help people inappropriately hide away assets.

‘This rule generates a lot of queries and I’ve been asked about it a number of times when meeting with local law societies in the last year. We want to support firms to help them remain compliant. We hope these case studies prove useful.

‘The most important aspect for all firms is the rule itself, read that first, and then have a look at the case studies for further help. Solicitors naturally will want to help their clients, but they of course must also do the right thing. If a client wants you to act in this way, you should seek to understand why they are asking you to do this and reassure yourself that you take an approach that is compliant.’

The case studies are in the guidance section of the SRA’s website.

Firms cannot justify processing money through the client account due to having a retainer with a client. Nor should they hold funds to enable them to pay a client’s routine outgoings, for instance when based abroad. Online banking developments mean this is no longer justifiable.

New Citizens Advice findings on IVAs “deeply troubling”

The Money Advice Trust has responded to a new report from Citizens Advice that identifies serious problems with Individual Voluntary Agreements (IVAs), a form of debt solution, describing the findings as “deeply troubling” and as painting a worrying picture for people struggling with problem debt.

The findings reveal that people in financial difficulty are being misled by firms offering IVAs into a debt solution that is often unsuitable for their circumstances, leaving them in a worse position than before and unable to keep up with repayments.

The charity, which runs National Debtline and Business Debtline and has, alongside Citizens Advice and partners in the debt advice sector, continued to highlight the issue of misleading debt advice adverts, is supporting Citizens Advice’s call for stronger regulation of the IVA market.

Figures released yesterday by the Insolvency Service show that the IVA market has boomed in recent years, with the number of active agreements increasing from less than 10,000 before 2003 to almost 88,000 by 2022.

Jane Tully, director of external affairs and partnerships at the Money Advice Trust, the charity that runs National Debtline and Business Debtline, said: “Citizens Advice’s findings paint a deeply troubling picture of the IVA market and the harmful impact incorrect advice and misleading ads are having on people in debt – something regularly seen by our advisers at National Debtline.

“With the impact of rising costs pushing more households into financial difficulty, making sure people can access the free, independent debt advice they need is more important than ever.

“Urgent action is needed from Government and regulators to tackle these harmful practices, and we support Citizens Advice in their call to bring the pre-advice IVA firms deliver under FCA regulation.

“Anyone worried about their finances should seek free debt advice from a service like National Debtline as soon as possible.”

Together announces internal executive team promotions

Specialist lender Together has announced three promotions to its executive team for Sarah Nield, Ryan Etchells and Julie Twynholm.

Sarah Nield will take on the role of Group Chief Compliance Officer. Her key focus will centre on delivering the group’s strategy to become an exemplar in the specialist lending market.

Sarah joined Together three years ago and has held two roles in Risk, enabling her to support the business in navigating the ever-changing regulatory environment for Together’s customers and regulators.

Ryan Etchells has been appointed as Chief Commercial Officer. His remit will be to drive the business’ commercial plan, developing strategies to ensure Together delivers value for all of its stakeholders in a sustainable way.

Ryan started his career at Together on the Graduate scheme, which provided the foundations to develop and progress. Ryan left Together to grow his knowledge and experience in banking and during this time, he gained a Master’s degree in Banking. In 2021, he returned to the Cheadle-based lender to lead the Product team.

Julie Twynholm has been promoted to Group Chief Risk Officer. Julie’s role will centre on keeping the business safe, collaborating across the business to navigate Together safely through the challenging macroeconomic environment and our transformation and modernisation.

Julie joined Together 18 months ago, after supporting the business as a consultant. Her previous roles have taken her across the globe, spending time in Bermuda and Hong Kong. Julie brings a wealth of experience in financial services risk management.

Gerald Grimes, Group CEO Designate at Together said: “I am delighted to announce the news that Julie, Sarah and Ryan will all be promoted into executive team roles.

“I want to take this opportunity to wish them well in their new roles and welcome them to the Executive Team. It is a great demonstration that Together provides colleagues with the opportunity to progress internally and these appointments will bring greater diversity to the current team.”

Together’s loan book grows to £5.9billion

Cheadle-based specialist lender, Together, has today announced its quarterly results revealing its loan book grew to £5.9billion, despite continued uncertainty in the UK economy.

The finance group, which provides property loans to individuals and businesses, recorded average monthly lending of £212.5million in the quarter ended December 31st – up 6.3% on the same period in the previous year.

The group loan book increased to £5.9bn – up 3.6% on the previous quarter and 33.3% on the same quarter last year. Customer arrears profiles remained “benign, reflecting robust loan book quality”, a Together spokesperson said.

Gerald Grimes, Group CEO Designate at Together, said: “Our business delivered another robust performance in the period, against a backdrop of extreme macroeconomic uncertainty, growing the loan book to £5.9bn while controlling origination volumes, increasing rates and maintaining prudent loans-to-value (LTVs).”

The group remained highly profitable and cash generative. Underlying profit before tax was £25.8 million, down from £43.0 million in Q2 ’22, primarily due to higher impairment charges resulting from future macroeconomic uncertainty in forward-looking IFRS 9 modelling. Cash receipts were £559.9 million, up from £507.4 million in Q2 ’22.

Together, which has its headquarters at Cheadle Royal Business Park, further enhanced its customer experience during the quarter, by redesigning and launching a new website and improving document management, collections and call handling infrastructure, among other operational improvements.

It added further strength and diversity to its funding, supporting future growth, with the successful launch of a new £467million warehouse facility for first charge owner-occupied and buy-to-let mortgages. As of December 31st, the group had £1.3bn facility headroom, according to the latest results.

Meanwhile, Together made continued progress against its sustainability targets in the three-month period, establishing a climate working group to progress its ambitions to reduce emissions and energy consumption as the business moves towards net zero.

Continuing its focus on colleagues, the group signed the Race at Work Charter, which aims to enhance recruitment and progression for underrepresented ethnic minorities. It also joined the Business Disability Forum, was awarded a 55/Redefined age accreditation as a result of its commitment to supporting employees over the age of 55 and approved a plan to support more than £1million of charitable giving each year.

Mr Grimes said: “We continued to deliver our strategic change agenda during the quarter, making further incremental progress on delivering the right experience for our customers and creating a more agile, efficient, and scalable platform. We also rolled out new training programmes to support growth and performance for all of our colleagues and made good progress against our sustainability targets and measures.

“While inflation has started to show signs of trending lower and the pace of interest rate rises has slowed, some economists are forecasting the UK economy could enter recession during 2023, and this continued uncertainty may result in increasing numbers of people looking to specialist lenders for support. With a clear purpose, a proven and well-funded business model and a successful multi-cycle track record, we believe Together is well placed to help many more customers realise their ambitions.”

Optimising Hybrid Cloud Application Delivery

For digital businesses, success depends on application performance. Organisations must deliver the best possible experiences for employees and customers while driving innovation and ensuring security. To do this, enterprises are increasingly migrating application delivery to hybrid/multi-cloud environments to achieve increased agility and resiliency.

But are businesses achieving these benefits? A10 Networks and Gatepoint Research surveyed senior technology decision-makers around the globe, revealing key insights into their experiences delivering applications in the cloud and their priorities around application delivery controllers (ADC).

Today, the industry is at a crucial inflection point in evolving digital infrastructure. To ensure the success of their move to hybrid and multi-cloud environments and deliver the best service for customers, organisations must overcome the limitations of their current ADCs. Reducing the complexity of IT operations will be essential, especially as new technologies and evolving systems expand the skills required of IT staff.

Ultimately, the ADC will either enable digital success or impede it—depending on the choices IT leaders make now.

Cloud complexities

Businesses are now hosting their applications in a variety of environments, both public and private, and yet 74% of respondents continue to host applications in an on-premises data centre. The combination of environments reported by respondents shows the prevalence of a hybrid approach in which an on-premises data centre is leveraged in tandem with one or more types of clouds and vendors.

While this hybrid/multi-cloud approach offers great flexibility to choose the ideal environment for each application, it also increases the complexity of application delivery. Organisations need to manage application delivery and consistent policies across heterogeneous environments, including requirements such as performance optimisation, load balancing, and troubleshooting.

Application Migration initiatives show moderate success

Given the strategic importance of cloud migration, you’d expect that companies would be diligent in the planning and investment needed to achieve optimal results—but our findings tell a different story: only 26% of respondents said they had been highly successful in these efforts.

These unimpressive results show a clear need for better planning. Not all applications are suitable for all clouds, or for the cloud in general. IT organisations need to make the right choices about the right environment and provider for each application, and clearly think through the migration process. The more thought companies put into their cloud initiative, the more they’ll get out of it.

The role of an ADC is expanding

ADC functions are growing beyond the baseline uses, such as global server load balancing (GSLB), TLS/SSL Offload, and application acceleration and optimisation.

As cloud-native, microservice architectures transform the way applications are developed and delivered, 15% of respondents reported that they are using their ADC to control access to containerised applications. With security a perennial and rising concern, 12% of organisations are using their ADC for authentication and CAPTCHA access controls, a common feature in public commercial environments that is now making its way into enterprise planning. Given that digital business runs on DevOps, 10% of respondents are also using their ADC to support continuous integration/continuous delivery (CI/CD).

ADC satisfaction shows room for improvement

As a critical element of digital business infrastructure, companies have a right to expect exceptional results from their ADC. Unfortunately, most fall short.

Only a third (34%) of IT leaders are highly satisfied with their solution, likely due to the limitations of older solutions in meeting the newer challenges like observability, analytics, and feedback to DevOps.

ADC requirements have changed over the years as companies adopt new technologies to support their business and employees. Meeting today’s standards for an exceptional digital experience calls for a fully modern infrastructure.

ROI is king

As organisations evaluate their next ADC solution, one consideration stands above all others: return on investment (46%). Over time, ROI depends on the lifetime value of a solution, so it is important to avoid getting locked into a deployment model that no longer fits an organisation’s needs. Interestingly, 9% of respondents cited flexible and portable licensing as a crucial consideration, a relatively new concept.

While moving to hybrid/multi-cloud environments can help companies achieve the application performance, business agility, and IT resiliency demanded by today’s digital businesses and markets, many are struggling to realise these benefits. Outdated application delivery infrastructure can make it difficult to address security threats, ensure availability, and deliver the best possible experience for customers and employees.

IT leaders are increasingly recognising the potential of the latest application delivery capabilities to solve problems more quickly, empower staff for greater effectiveness, and put data to work to improve performance, security, and uptime throughout the infrastructure, moving digital businesses into the future.

By Adrian Taylor, VP EMEA at A10 Networks

Specialist Finance Centre appoints Recruitment Director

Specialist Finance Centre (SFC), the second charge and specialist finance packager, has announced the appointment of Joe Dillon as its Recruitment Director.

Joe has joined the Cardiff-based broker to spearhead the growth of its self-employed arm, SFC Solo, where advisers remain self-employed whilst benefiting from all the support and infrastructure the head office provides.

He has 16 years’ experience within the financial services sector, having previously worked at Y3S for 13 years and Charles Frank Finance for three years.

Joe is tasked with onboarding specialist brokers, high street brokers and equity release advisers across the country to SFC Solo.

Advisers who join SFC Solo not only get to trade independently with no monthly fees or hidden costs but benefit from the administration and compliance support that the employed side of the business has to offer. Free CRM and sourcing are all included, with free office space available to those based in South Wales.

Daniel Yeo, Founder and Managing Director at Specialist Finance Centre, commented: “I’m very pleased to welcome Joe to Specialist Finance Centre. He has the right experience to lead our growth strategy for SFC Solo; he’s very well connected and is the perfect fit for this role.

“SFC specialises in first and second charges, commercial and buy-to-let, and bridging and development finance. Joe’s remit is to recruit the best talent who work within these areas and match our core values of integrity, collaboration and determination.”

Joe Dillon, Recruitment Director at Specialist Finance Centre, commented: “I was delighted by the opportunity to spearhead the growth of SFC Solo. The proposition is very strong, providing admin and compliance support with no monthly fees or hidden costs.

“Our advisers also get to benefit from having all mortgage and finance products under one roof so if you’re a first charge broker you can concentrate in that area but can refer any specialist cases to the head office and vice versa.

“If you are a mortgage or specialist mortgage adviser and are considering a change or would just like to discuss how SFC Solo could benefit you, please get in touch.”