Category Archives: Cloud Computing

Devops is essential to the cloud, and to its payoff

The notion of devops means that you’re streamlining the movement of applications from the point of need to production. It matters not if you’re changing or improving applications or building new ones.

Of course, devops arose around the rise of cloud computing, and that’s no mystery. Cloud computing provides a point of central deployment using a shared consumption model. So, devops, fits well into that model considering that you’re consistently developing and deploying applications around the notion of continuous improvement.

However, what’s more interesting is not the fact that devops is a nice way to leverage the value of cloud computing; it’s the fact that devops should be systemic to all that is cloud for most, if not all, enterprises. Indeed, I’m rarely working on a cloud migration project that does not have a devops component. Either the company is building a new devops organization and processes at the same time, or it is improving existing ones. Enterprises are getting it—or have already got it.

Devops is to cloud computing as are security, governance, and managemen—meaning it’s no longer optional. It’s needed to gain the true value of cloud computing.

Of course, there are still many enterprises that are doing cloud first and devops second. That’s a huge mistake considering that you’re leaving as much as 30 percent of the value of cloud computing on the table. Fortunately, enterprises are understanding more and more than one can’t be decoupled from the other and so are biting the bullet around the extra costs associated with building a devops organization and related tools.

The downside of all this is that it makes cloud computing costlier to implement. Considering that you also need to add security and the other subcomponents that make cloud computing work, devops is often something new on the budget line.

However, the ROI is just one year in most cases, and then returns are as much as 30 percent after that. That being the case, cloud computing and devops are clearly now functionally tightly coupled.  

Space Photos of the Week: 410 Lights Years Away, a Proto-Saturn Comes to Life

Water, water, everywhere! This is our moon, pockmarked with craters and scratches that show its rich history of run-ins with other objects in our solar system. But this time it’s something below the surface that has scientists excited. We knew there was water on the moon—and a decent amount, too—but new data reveals that instead of the water being hidden in specific regions, it might instead be spread out everywhere.

The Juno spacecraft snapped this series of images on February 7 while flying over the south pole of the planet Jupiter. While these images might look like they’re the same, they’re not. Look closely from left to right and you’ll see how the spacecraft’s trajectory changed as it sped away from the planet.

This is Jupiter like you’ve never seen it before. This close-up image of the south pole was captured by the Juno spacecraft during its eleventh orbit on February 7. This image shows the terminator of the south pole where the planet is no longer illuminated by the sun. The glowing section is over-exposed, but after image processing by citizen scientist Gerald Eichstädt, some of the features suddenly come to life.

The Chandra X-Ray observatory captured this stunning photo of the Whirlpool galaxy, illuminated by billions of stars. But there is one especially bright object to the left side of the image: an ultra luminous X-ray source, or ULX. Astronomers believe most of these ULX signatures were supermassive black holes, but this new object turns out to be a neutron star. Neutron stars are some of the densest objects in the universe—just a teaspoon weighs more than a billion tons—so their gravity pull in lots of material around them from nearby stars. As this material speeds into the neutron star, it glows in the X-ray light seen here.

This blurry orange photo is actually a young star system called AS 209, surrounded by a disc of gas and baby planets. The gaps surrounding the star, captured by the ALMA telescope array in Chile, are actively being carved out by new planets as they form. This system appears to be growing a Saturn-sized planet—likely responsible for that largest gap in the outer part of the system.

This lumpy rock is actually Mars’ largest moon, Phobos—though it’s still pretty tiny, coming in at only seven miles wide. Enjoy it now, because someday Phobos will cease to exist. Mars is slowly pulling its moon closer, and eventually Phobos will break apart or slam into the planet, leaving only a crater as a reminder.

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be“well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

Equifax on Thursday reported fourth-quarter profit that topped Wall Street forecasts and disclosed that it uncovered an additional 2.4 million people whose data was stolen in the attack.

Its shares rose nearly 4 percent to $115.82 on Friday on the higher-than-expected earnings. They have lost about a quarter of their value since Equifax disclosed the incident in early September.

Equifax said in September that hackers had stolen personally identifiable information of U.S., UK and Canadian consumers, including names, Social Security numbers, birth dates, addresses driver’s license and credit card numbers.

That disclosure prompted outrage from politicians and consumer advocates around the world, a string of government probes into company and the departure of top executives.

Equifax warned in regulatory filing on Thursday that further analysis could identify more consumers or additional types of data stolen in the hack.

This year’s costs include technology and security upgrades, legal fees and free identity theft services to consumers whose data was stolen, the company said in a conference call.

Reporting by John McCrank in New York and Jim Finkle in Toronto; Editing by Chizu Nomiyama and Meredith Mazzilli

Chrome's WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack

There’s no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as “unphishable,” a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico’s last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google’s Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim’s Yubikey, using the response it provides to unlock that person’s account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn’t demonstrate a flaw in Yubico’s products so much as a very unintended byproduct of Chrome’s WebUSB feature, which the browser added just last year. “U2F is technically not broken, but it’s still phishable, which many people thought was impossible,” says Vervier. “It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable.”

When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers’ attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. “We are always appreciative of researchers’ work to help protect our users,” Brand wrote in a statement. “We will have a short term mitigation in place in the upcoming version of Chrome, and we’re working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited.”

Beware WebUSB

Let’s be clear: Vervier and Orrù’s findings don’t change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it’s your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.

But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it’s designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.

That could enable, the researchers warn, a “man-in-the-middle” attack. If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google’s request for the user’s U2F token and collects the Yubikey’s unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim’s account.

“The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer,” says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù’s findings. “And then they put in another feature that subverts all the security they’d put in place.”

A Sophisticated Phish

The attack Vervier and Orrù imagine isn’t exactly easy to pull off, and would likely only be used by sophisticated hackers targeting high-value accounts. Aside from first requiring that a phishing site trick a victim into typing in their username and password as usual, the phishing site would also have to ask the user’s permission to enable WebUSB access to their Yubikey, and then tap the physical button on the key. But all of that could be achieved by phishers who trick users with a prompt requiring them to “update” their U2F token, or some other scam. After all, the only change from the usual login process would be that one added permissions prompt. “You could come up with a pretty plausible pretext,” says Orrù. “The user only has to click once.”

Vervier and Orrù note that their technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn’t vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers, offering another avenue of exploitation, but the Yubikey Nano, 4 Series, and the original, cheaper Yubikey aren’t vulnerable, they say—nor, based on their testing, were the Feitian keys recommended by Google for its locked-down Advanced Protection setting.

“This sounds like an assumption was made by Chrome that all U2F is HID, which doesn’t hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly,” explains Jonathan Rudenberg, an independent security researcher who has focused on U2F implementations in the past. The combination of those two assumptions adds up to a significant security vulnerability.

A Larger Problem

A long-term fix could take the form of tweaks to Chrome to block WebUSB connections to certain devices like the Yubikey Neo. But the problem could go much further than Yubikeys alone, potentially exposing a whole new class of devices to unexpected interactions with websites. Vervier and Orrù say they believe smartcard authentication systems could also be vulnerable, for instance, though they haven’t yet tested them.

“Google should have never shipped WebUSB in its current form,” says Rudenberg. “Users cannot be expected to understand the security implications of exposing their USB devices to potentially malicious code…I don’t think this is the last time that we’ll see WebUSB used to break things.” Rudenberg went so far as to quickly code a Chrome extension that disables WebUSB, which he recommends everyone install and use until they have a reason to enable the feature. Rudenberg says there’s no other easy way to disable the feature.

When WIRED reached out to Yubico for comment, spokesperson Ronnie Manning essentially placed the blame on Google’s browser. “Per the U2F protocol, the security key is not responsible for doing that verification” of the origin of authentication requests, Manning said in a statement. “In fact, they cannot do so effectively as they would have to rely on data passed by the browser, and if the browser is not trustworthy, neither is the data.”

Manning also noted that Chrome could give users the option to turn off WebUSB, or blacklist vulnerable devices like the Yubikey Neo. But he adds that “unless such a blacklist is complete and perfect, issues like this are possible with the current WebUSB implementation.”

As for Vervier and Orrù themselves, they say concerned Yubikey users should disable WebUSB, and that IT administrators should even consider setting a policy blocking it for all their employees. And they suggest a simpler solution, too: That users remain wary online, and think twice about where they enter their passwords. Despite Yubico’s “unphishable” marketing, it’s no substitute for some healthy skepticism.

Phishing License

A 1.3Tbs DDoS Hit GitHub, the Largest Yet Recorded

On Wednesday, at about 12:15pm ET, 1.35 terabits per second of traffic hit the developer platform GitHub all at once. It was the most powerful distributed denial of service attack recorded to date—and it used an increasingly popular DDoS method, no botnet required.

GitHub briefly struggled with intermittent outages as a digital system assessed the situation. Within 10 minutes it had automatically called for help from its DDoS mitigation service, Akamai Prolexic. Prolexic took over as an intermediary, routing all the traffic coming into and out of GitHub, and sent the data through its scrubbing centers to weed out and block malicious packets. After eight minutes, attackers relented and the assault dropped off.

The scale of the attack has few parallels, but a massive DDoS that struck the internet infrastructure company Dyn in late 2016 comes close. That barrage peaked at 1.2 Tbps and caused connectivity issues across the US as Dyn fought to get the situation under control.

“We modeled our capacity based on fives times the biggest attack that the internet has ever seen,” Josh Shaul, vice president of web security at Akamai told WIRED hours after the GitHub attack ended. “So I would have been certain that we could handle 1.3 Tbps, but at the same time we never had a terabit and a half come in all at once. It’s one thing to have the confidence, it’s another thing to see it actually play out how you’d hope.”

Real-time traffic from the DDoS attack.

Akamai

Akamai defended against the attack in a number of ways. In addition to Prolexic’s general DDoS defense infrastructure, the firm had also recently implemented specific mitigations for a type of DDoS attack stemming from so-called memcached servers. These database caching systems work to speed networks and websites, but they aren’t meant to be exposed on the public internet; anyone can query them, and they’ll likewise respond to anyone. About 100,000 memcached servers, mostly owned by businesses and other institutions, currently sit exposed online with no authentication protection, meaning an attacker can access them, and send them a special command packet that the server will respond to with a much larger reply.

Unlike the formal botnet attacks used in large DDoS efforts, like against Dyn and the French telecom OVH, memcached DDoS attacks don’t require a malware-driven botnet. Attackers simply spoof the IP address of their victim, send small queries to multiple memcached servers—about 10 per second per server—that are designed to elicit a much larger response. The memcached systems then return 50 times the data of the requests back to the victim.

Known as an amplification attack, this type of DDoS has shown up before. But as internet service and infrastructure providers have seen memcached DDoS attacks ramp up over the last week or so, they’ve moved swiftly to implement defenses to block traffic coming from memcached servers.

“Large DDoS attacks such as those made possible by abusing memcached are of concern to network operators,” says Roland Dobbins, a principal engineer at the DDoS and network-security firm Arbor Networks who has been tracking the memcached attack trend. “Their sheer volume can have a negative impact on the ability of networks to handle customer internet traffic.”

The infrastructure community has also started attempting to address the underlying problem, by asking the owners of exposed memcached servers to take them off the internet, keeping them safely behind firewalls on internal networks. Groups like Prolexic that defend against active DDoS attacks have already added or are scrambling to add filters that immediately start blocking memcached traffic if they detect a suspicious amount of it. And if internet backbone companies can ascertain the attack command used in a memcached DDoS, they can get ahead of malicious traffic by blocking any memcached packets of that length.

“We are going to filter that actual command out so no one can even launch the attack,” says Dale Drew, chief security strategist at the internet service provider CenturyLink. And companies need to work quickly to establish these defenses. “We’ve seen about 300 individual scanners that are searching for memcached boxes, so there are at least 300 bad guys looking for exposed servers,” Drew adds.

Most of the memcached DDoS attacks CenturyLink has seen top out at about 40 to 50 gigabits per second, but the industry had been increasingly noticing bigger attacks up to 500 gbps and beyond. On Monday, Prolexic defended against a 200 gbps memcached DDoS attack launched against a target in Munich.

Wednesday’s onslaught wasn’t the first time a major DDoS attack targeted GitHub. The platform faced a six-day barrage in March, 2015, possibly perpetrated by Chinese state-sponsored hackers. The attack was impressive for 2015, but DDoS techniques and platforms—particularly Internet of Things-powered botnets—have evolved and grown increasingly powerful when they’re at their peak. To attackers, though, the beauty of memcached DDoS attacks is there’s no malware to distribute, and no botnet to maintain.

The web monitoring and threat intelligence firm ThousandEyes observed the GitHub attack on Wednesday. “This was a successful mitigation. Everything transpired in 15 to 20 minutes,” says Alex Henthorne-Iwane, vice president of product marketing at ThousandEyes. “If you look at the stats you’ll find that globally speaking DDoS attack detection alone generally takes about an hour plus, which usually means there’s a human involved looking and kind of scratching their head. When it all happens within 20 minutes you know that this is driven primarily by software. It’s nice to see a picture of success.”

GitHub continued routing its traffic through Prolexic for a few hours to ensure that the situation was resolved. Akamai’s Shaul says he suspects that attackers targeted GitHub simply because it is a high-profile service that would be impressive to take down. The attackers also may have been hoping to extract a ransom. “The duration of this attack was fairly short,” he says. “I think it didn’t have any impact so they just said that’s not worth our time anymore.”

Until memcached servers get off the public internet, though, it seems likely that attackers will give a DDoS of this scale another shot.

DDoS R Us

Amazon Picks a Fight With Cable Companies Over Plans to Sell UFC Pay-Per-Views

Amazon’s not pulling any punches as it steps into the octagon.

The online retailer and (increasingly) video company has reportedly signed a deal with UFC to sell pay-per-view packages for upcoming fights, starting with this weekend’s UFC 222. And while that’s likely to be music to the ears of cord cutters, it’s a solid jab to cable and satellite companies, as well as other streaming services.

Rather than some other online services, which still require people to have a cable or satellite subscription to order a pay-per-view event, Amazon will offer the option to anyone willing to spend $64.99 for one night’s series of fights. This price is the same as what cable providers charge.

It’s the first time Amazon has offered a live sports pay-per-view event, but the company has increasingly been looking to lure sports fans to its platform. Last year, the company streamed Thursday Night Football games (paying a reported $50 million for the rights). Nearly 2 million people logged onto the site to watch the first game.

Other services, like Hulu, are also expanding into live sports. Hulu streamed the 2017 World Series, but ran into service issues when the stream crashed in the middle of game four.

Amazon has long competed with Netflix as a cable alternative, but by bringing pay-per-view options to its service, it could be targeting companies like Comcast and Time Warner Cable as well.

Why Etsy’s Stock Jumped 24% Amid Some Complaints From Sellers and Buyers

Artisan craft marketplace Etsy has had its ups and downs since going public almost three years ago, but new CEO Josh Silverman appears to have convinced investors that sales are on track for solid growth in 2018.

Etsy’s stock price jumped as much as 24% in midday trading on Wednesday, and has now more than doubled from a year ago, thanks to Silverman’s turnaround strategy that got the company out of Amazon’s long shadow. Silverman, a veteran of eBay’s (ebay) Shopping.com site, has emphasized simple improvements like adding “best seller” badges and site-wide sales for Labor Day and Cyber Monday last year, as well as deeper changes that improved customer searches using artificial intelligence and machine learning with a program Etsy calls “Context Specific Search ranking.”

The results pleased Wall Street. Etsy reported solid fourth quarter results on Tuesday evening, including sales on the site increasing 15% to $1 billion—the company’s first billion dollar quarter ever—while Etsy’s own revenue, which includes its cut of the sales plus other services it sells, increased 21% to $136 million. Earnings per share of 36 cents reversed a loss of 19 cents per share last year and beat Wall Street’s expectations of just 13 cents (though the latest quarter included a one-time benefit from the new tax law).

Analysts also cheered Etsy’s forecast for 2018, including overall sales on the site increasing 14% to 16% to as much as $3.8 billion and its own revenue growing 21% to 23% to as much as $543 million. Analysts had forecast Etsy’s 2018 revenue would hit only $519 million.

Get Data Sheet, Fortune’s technology newsletter.

Silverman explained the improvements that led to last year’s growing sales, while also offering more ideas that will boost growth this year. “There’s still much work to do to improve the shipping experience on Etsy and this will be an area of strong focus in 2018,” he told analysts on a call on Tuesday.

Still, there were complaints from some sellers and buyers last year that Etsy was losing its identity as a craft marketplace focused on individual artisans amid all the changes. Silverman said the latest results were proof that, on the whole, his strategy was working for most.

“You know as a platform our job is to make the experience better for all of our buyers and sellers,” he said. “On any given day, there will be individual winners and losers because that’s the nature of the marketplace–you know, is the product that a particular seller is selling, is it in fashion or not, how is it resonating with the marketplace, that’s up to each of our sellers.”

Under prior CEO Chad Dickerson, Etsy stumbled in the face of growing pressure from Amazon (amzn), which introduced its own handmade craft-oriented platform just a few months after Etsy went public. Dickerson was pushed out last May after a disastrous first quarter that led to layoffs

Further improvements at Etsy this year will come from giving sellers better data analytics tools, making it easier for buyers to have items shipped quickly, and further optimizing search results, among other initiatives, Silverman said. The company will also look at hosting more site-wide events with discounting, though Etsy (etsy) doesn’t want to become known as a discount site, he said.

In many cases, “these are things that are perhaps best practices already used in other parts of the web that we haven’t yet adopted,” Silverman said. “We also want to make sure that we’re stretching ourselves and we’re thinking about bolder bigger events.”

Google not obligated to vet websites, German court rules

FRANKFURT (Reuters) – Google (GOOGL.O) is not obligated to ensure websites are free from defamatory content before displaying links to them in search results, Germany’s highest court ruled on Tuesday.

The case, which comes in the context of debate about the so-called “right to be forgotten”, had been brought by two individuals seeking Google to prevent its search engine from displaying links to websites on which they were verbally attacked by other internet users.

They wanted Google, a unit of Alphabet Inc, to set up search filters to keep those websites from appearing in future search results, information about the users who had posted the offending comments and payment of damages, saying Google was partly responsible for the violation of their rights.

The German Federal Court of Justice said, however, that a search engine operator need only take action if it is notified of a clearly recognizable violation of individuals’ rights, rather than checking ahead of time whether the content complies with the rules.

“Instituting a general duty to inspect the content would seriously call into question the business model of search engines, which is approved by lawmakers and wanted by society,” the court said in a statement.

“Without the help of such search engines it would be impossible for individuals to get meaningful use out of the internet due to the unmanageable flood of data it contains,” it added.

In May 2014, the Court of Justice of the European Union (ECJ) ruled that people could ask search engines, such as Google and Microsoft’s Bing (MSFT.O), to remove inadequate or irrelevant information from web results appearing under searches for people’s names – dubbed the “right to be forgotten”.

Google has since received requests for the removal of more than 2.4 million website links and accepted about 43 percent of them, according to its transparency report.

Reporting by Maria Sheahan; Editing by Mark Potter

Britain's big banks play catch up with fintech with new apps

LONDON (Reuters) – British retail banks are poised to introduce money management apps to compete with those already launched by financial technology start-ups, betting their trusted brands, broad client base and deep pockets will help them make up lost ground.

HSBC (HSBA.L), Lloyds Banking Group (LLOY.L) and the Royal Bank of Scotland (RBS.L) are at various stages of producing cutting-edge apps that will allow customers to pull data from different accounts, even those at rival lenders, on their mobile devices and home computers.

They are playing a serious game of catch-up. Numerous fintech firms and digital banks like Monzo and Money Dashboard already offer the kinds of apps the banks are building, winning fans among the young and tech-savvy.

The user base for Monzo’s app, which analyses and categorizes spending habits, sends budgeting nudges and allows users to freeze and unfreeze cards at the click of a button, soared by 300 percent to 450,000 in nine months last year.

After years spent rebuilding balance sheets and managing regulatory change after the 2008 financial crisis, technology is now at the top of the banks’ agenda, said Edward Firth, managing director for UK banks at brokerage Keefe, Bruyette & Woods.

“This is all they’re talking about,” he said.

The drive has been turbo-charged by new “open banking” regulations requiring Britain’s nine biggest banks to share data so that customers can access their financial information across providers in an aggregated format and make it easier to compare services as well as change banks.

The rules were supposed to be implemented on Jan. 13 but six of the banks, including Barclays (BARC.L) and HSBC, have asked for more time to ensure the data is secure.

The changes will now start for the majority of customers in March, although some banks have been allowed to delay until next year for certain segments of their customer bases.

Jeremy Light, managing director of Accenture Payment Services for Europe, Africa and Latin America, said the changes will spark a competitive technology race in which aggregator apps will be the “bare minimum”.

“You will have to have them, because if you don’t you’re out of the game,” Light said. “It’s really all of the other services that you then start offering.”

Monzo, Starling Bank and Revolut have already opened a “marketplace” within their apps where users can shop around for and sign up to other products and services from fintech firms, banks or even energy and insurance companies.

HSBC is the only major lender to show an interest in this kind of service so far, teaming up with fintech firm Bud to trial a money management and marketplace app with users on its First Direct brand.

MONEY, BRAND AND LOYAL CLIENTS

FILE PHOTO: The HSBC headquarters is seen in the Canary Wharf financial district in east London, Britain February 15, 2016. REUTERS/Hannah McKay /File Photo

Big banks have the advantages of scale, name recognition and funding power, Accenture’s Light said.

Lloyds, which had 13.5 million users of its online and mobile offerings in 2017, plans to unveil a new app with “full open banking capability”, Chief Executive Antonio Horta-Osorio said at the bank’s annual results announcement on Feb. 21.

He did not give a date for the launch, but a source familiar with the matter had previously told Reuters it was expected sometime this year.

Horta-Osorio also unveiled a 3 billion pound investment program focused mainly on digitization and staff over three years.

HSBC’s app, dubbed HSBC Beta in the pilot stage, aggregates data from users’ current accounts, loans and savings, calculating their disposable income each month and sending nudges like Monzo’s app.

The app will launch to existing clients “imminently”, said Raman Bhatia, head of digital at the lender for the UK and Europe, and will eventually be available to other banks’ customers too.

HSBC has earmarked $2 billion for investments in and 3,000 people working on digital technology globally, with Britain taking a large share of the funding and around a third of the workforce, he said.

Tom Moore, a 30-year-old graphic designer, is taking part in a trial of the HSBC app and told Reuters via Facebook that although there are some features he would like to change, he would trust such products from HSBC above others.

“The benefit of this being done by HSBC, rather than some mysterious company nobody has ever heard of, is definitely in their (the bank‘s) favor,” he said.

RBS will launch its account aggregator app some time in 2018 but tests with customers have already started, Jane Howard, managing director of personal banking at RBS, told Reuters.

Barclays said it was too soon to talk about its plans.

Light said smaller firms tended to be able to deliver slick technology faster and more effectively than big rivals who have to contend with vast user bases and complex legacy technology.

Nikolay Storonsky, founder & CEO at Revolut, which claims more than one million customers across Europe, says he isn’t worried, “no matter how much funding the big banks have”.

“They may copy some of our savings products 12 months after we’ve launched them, but by that time we have three or four other features in this area and we’re moving onto the next big thing,” he said in an email.

“To keep younger customers excited and loyal, they will need to focus on reducing red tape, attracting top developers and begin innovating, not copying.”

(GRAPHIC – Digital banks rise: tmsnrt.rs/2BdERcZ)

Editing by Sonya Hepinstall

Huawei in early 5G trials with 30 telcos; CEO rejects U.S. security fears

BARCELONA (Reuters) – The chief executive of Huawei [HWT.UL] said on Monday the pace of commercialization for next-generation 5G wireless network is picking up pace as the Chinese telecom equipment giant has begun pre-commercial development with more than 30 telecom operators.

Speaking to reporters at the annual Mobile World Congress in Barcelona, CEO Ken Hu also said he welcomed “factual debate” about any security concerns governments or network operators may have about security threats from its products.

Hu dismissed U.S. government concerns that its products pose security threats as “groundless suspicions”.

Reporting by Eric Auchard; editing by Jason Neely