
A Banking View on Windows XP and the End of Support: See It, Block It

By Christopher Budd

We are a couple of days away from a proverbial red letter day: the end of security support for Windows XP on April 8, 2014.

For the past few months, we’ve been talking about this impending event. We’ve talked about what people can expect in terms of the number of vulnerabilities they may see when Microsoft stops issuing security patches. And we’ve tried to make very clear that this is a situation that can affect everyone, not just those running Windows XP.

When we talk about the dangers that people on Windows XP pose to others, there’s probably no single industry that faces a greater set of risks from users being on Windows XP than banking and finance. More than any other industry, banking and finance face significant risks of fraud and loss due to their customers’ unwise decision to stay on Windows XP. As an industry facing extraordinary, unprecedented risks around Windows XP, banking and finance should consider equally extraordinary, unprecedented steps to protect themselves: alerting customers who are on Windows XP to the risks and encouraging them to upgrade. In some cases, especially as time goes on, the banking and finance sector should consider taking steps to block customers still on Windows XP from their services entirely.

The reason that banking and finance are at so much risk from their users being on Windows XP is that unpatched vulnerabilities will be found and attacked on Windows XP. And as we’ve shown in our 2013 Threat Roundup, online banking malware is a huge problem. From 2012 to 2013, detections of online banking malware more than doubled, from 500,000 worldwide in 2012 to more than 1 million in 2013. And the United States and Brazil alone accounted for 50%, or 500,000 detections, of online banking malware. Skyrocketing online banking malware combined with a coming slew of never-to-be-patched vulnerabilities means that online banking on Windows XP is going to become incredibly dangerous soon. And while that is a risk to the users of those Windows XP systems, in aggregate and in the end, it’s those users’ banks and financial institutions that face the greatest risks.

From a technological point of view, when users go to websites, it’s a relatively simple matter to detect the browser and operating system that’s accessing the site. Using that information to create an alert that makes people aware of the risks of being on Windows XP, and of what they should do about it, is an easy way to help spread the word. A step like this will reinforce the actions Microsoft itself is taking to alert users through alert messages. The broader the net is spread to pass the word about these risks, the better.
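A server-side check of the kind described above, as an added example that is not part of the original post: it parses the `Windows NT` version token that browsers include in the User-Agent header and returns an allow/warn/block decision. The function names, the 90-day grace period, the handling of the ambiguous NT 5.2 case and the sample User-Agent strings are all assumptions made for this example.

```python
import re
from datetime import date

# Added example, not code from the original post: classify the operating system
# a browser reports in its User-Agent header and decide whether to allow, warn
# or block, in the spirit of the "see it, block it" policy described above.
# Caveat: User-Agent is client-supplied and trivially editable, so this is a
# customer-communication aid, not an access-control boundary on its own.

XP_END_OF_SUPPORT = date(2014, 4, 8)  # end of security support, from the post

# Browsers on Windows report "Windows NT <major>.<minor>" in the User-Agent.
_WINDOWS_NT = re.compile(r"Windows NT (\d+)\.(\d+)")

def windows_status(user_agent: str) -> str:
    """Return 'xp', 'possibly_xp', 'other_windows' or 'not_windows'."""
    m = _WINDOWS_NT.search(user_agent or "")
    if not m:
        return "not_windows"
    version = (int(m.group(1)), int(m.group(2)))
    if version == (5, 1):          # Windows XP
        return "xp"
    if version == (5, 2):          # XP x64, but also Server 2003: ambiguous
        return "possibly_xp"
    return "other_windows"

def policy_for(user_agent: str, today: date, grace_days: int = 90) -> str:
    """Decide 'allow', 'warn' or 'block' for one request.

    Policy (an assumption for this example): XP and possibly-XP clients are
    always warned; confirmed XP is blocked once grace_days have passed since
    end of support, while ambiguous NT 5.2 clients are only ever warned.
    """
    status = windows_status(user_agent)
    if status in ("not_windows", "other_windows"):
        return "allow"
    if status == "xp" and (today - XP_END_OF_SUPPORT).days >= grace_days:
        return "block"
    return "warn"

if __name__ == "__main__":
    # Constructed sample User-Agent strings, not captured from real traffic.
    samples = [
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
        "Mozilla/5.0 (Windows NT 5.2; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
        "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0",
    ]
    for ua in samples:
        print(windows_status(ua), policy_for(ua, date(2014, 7, 8)), ua)
```

Because the header is chosen by the client, treat the result as a prompt for customer outreach and as one signal among others, not as proof of the operating system in use.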

But warnings may not be enough. People tune warnings out and ignore them. We shouldn’t fool ourselves into thinking that warnings alone will be sufficient. And as time goes on, this situation will become worse and worse. Banks and financial institutions should also start considering the drastic measure of actively blocking users on Windows XP from using their online services entirely.

This is clearly an extreme measure as it will cause lost business. But this step may be justified, especially if the risks of financial losses from Windows XP users exceed the risks of losses from losing those customers. It’s not desirable to turn customers away, but businesses do it all the time in service of their larger concerns. The coming situation with Windows XP and the risks those users pose to their banks and financial institutions is a good example of when these larger considerations pertain.

Of course, in addition to online alerts or blocks, further education campaigns make sense. Notifying customers of the risks and what they should do, through email and online campaigns, can further reinforce the message. Banks and financial institutions (and really anyone) should feel free to disseminate our flyer that outlines these risks.

Banking and finance aren’t the only sectors that are particularly at risk starting next week. But it is the sector that may face some of the greatest impact over time as its users continue to refuse to switch. We’re getting down to the wire and time is running out. Increasingly, those still on Windows XP are those who most stubbornly refuse to take action. Increasingly, organizations that are themselves put at risk by the inaction of these recalcitrant users will have to take actions of their own to spur those users into action. In short, we have to make it more painful for these users to do nothing than to take action. And so, a viable tactic in support of this goal around Windows XP is: if you see it, block it.

Christopher Budd is a communications manager with Trend Micro. His focus is on communications around online security and privacy threats to help people understand in plain English the risks they face and what they can do about them. In addition, he focuses on managing crisis communications utilizing a framework and processes he helped put in place.

A Rebuttal to the New York Times: Why Give Crowdfunding “Investors” Trinkets When You Could Give Them Returns?

[Editor's Note: 99% of the time, I am an avid fan and reader of the New York Times. This past Sunday, I was thrown by the comments of the NYT's editorial team in an op-ed commenting on the SEC's forthcoming Title III rules on crowdfunding. Except for using Facebook's recent announcement to purchase Oculus VR, the timing for the piece seemed a bit out of left field. I reached out requesting a rebuttal to the NYT's op-ed.]

From The New York Times Editorial Board – March 29, 2014:

“Currently, only high-net-worth, high-income investors can legally invest in start-ups through crowdfunding sites. But soon, legislative and regulatory changes will open the sites to everyone.

That is where the Securities and Exchange Commission, with its explicit mission to protect investors, is supposed to come in. But the agency’s proposed crowdfunding rules, to be finalized in the months ahead, are a joke.”

By Chris Tyrrell

The recent $2 billion acquisition of Oculus by Facebook is an ideal example of why continued delay in the release of final Title III crowdfunding rules is a bad idea. If Title III had already been in place, the contributors to Oculus would be receiving a return on their investment, instead of just thank you notes and “rewards”.

As the second anniversary of the JOBS Act approaches, Title III crowdfunding is waiting for the Securities and Exchange Commission to pass the final rules empowering this new form of capital formation.

The New York Times takes issue with the draft securities crowdfunding rules, suggesting that funding portals that facilitate capital raises under the new law do not have to do enough to protect investors, and that the SEC is somehow asleep at the switch. Nothing could be further from the truth.

Funding portals are highly regulated. They have mandatory duties to educate investors on specific and general risks of crowdfund investing, and they have to verify the investors have actually learned the information provided. They have an obligation to run background checks on issuers and their principals. And they have significant disclosure requirements mandated by law and regulation.

Investors, too, have a high regulatory burden. They have to go through a formal process (much like creating a brokerage account) to receive investment information from a funding portal. There is a cap on how much an investor can invest in all crowdfund securities, across all companies, in any twelve month period. For many investors, it’s as low as $2,000.

Finally, issuers have significant regulatory and legal requirements. Besides the background checks they and all of their significant investors and officers must undergo, they can only raise $1 million per year. And they can’t advertise their raise directly – they have to send people to the portal. The regulations require that all investor communications go through the portal so that potential investors may read each other’s commentary regarding a particular investment.

The New York Times’ concerns that the SEC is abrogating its duty of investor protection are misplaced and misinformed. SEC staff and commissioners, with the input of stakeholders from all camps, have gone overboard to make sure that the regulations balance the concerns of capital raisers and investors.

The JOBS Act was a watershed moment in US securities law. Everyone, from investors to small business owners to job seekers can find something to celebrate in it. It liberates capital that will grow the economy and create jobs.

Chris Tyrrell is the founder and CEO of OfferBoard—an investment platform that leverages the technology of the Australian Small Scale Offerings Board (ASSOB)—the world’s oldest small equities funding platform—to help companies raise capital through Regulation D securities offerings. Chris is also the chairman of Crowdfunding Intermediary Regulatory Advocates (CFIRA), the leading advocacy organization for the equity crowdfunding industry, and a board member of ASSOB.