Month: October 2024

Scattered Spider Attacks: Tips for SaaS Security

As cloud adoption soars, threat groups like LUCR-3 (Scattered Spider) and Oktapus are mastering new ways to exploit identity and access management (IAM) systems, making these attacks more frequent and harder to detect. By targeting cloud environments and exploiting human weaknesses, LUCR-3 compromises identity providers (IDPs) and uses sophisticated techniques to breach organizations.

Before we begin, I want to present a random sampling of the successful attacks carried out by LUCR-3, aka Scattered Spider.

| Company/Product | Date Attacked | Compromised System | Projected Loss | Mitigation Time | Source |
|---|---|---|---|---|---|
| Telecom Company (Unnamed) | December 2022 | Mobile Carrier Network, IDP Systems | Estimated millions in damages | Several weeks (ongoing) | CrowdStrike |
| Okta (Roasted Oktapus) | March 2022 | Identity Provider (Okta) and SaaS | Potential damage to ~366 companies | 4-5 weeks | Hero, Wikipedia |
| British Telecommunications | June 2022 | Mobile Carrier Systems, BPO Networks | Millions in lost revenue | 3-4 weeks | CrowdStrike, Hero |
| Gaming Company (Unnamed) | September 2022 | Cloud Infrastructure (SaaS and IaaS) | Losses in IP theft (unconfirmed) | ~2 weeks | ISPM ITDR |
| Cloud Hosting Provider | November 2022 | AWS, Azure Environments, IAM Systems | IP theft and reputational damage | 3 weeks | CrowdStrike |
| MGM Resorts | September 2023 | Corporate systems, Help Desk, and IDP | Millions in lost revenue | Systems offline for weeks | Wikipedia |
| Caesars Entertainment | September 2023 | Identity Providers (IDP) and SaaS | ~$30 million ransom paid | ~1 month recovery | Wikipedia, Cyber Defense Magazine |
| Charter Communications | April 2024 | Cloud-based systems (Okta phishing) | Potentially millions in damages | Several weeks | Resilience |
| NHS Hospitals (UK) | June 2024 | VMware ESXi servers, critical healthcare systems | Disruption of hundreds of operations | Ongoing | BleepingComputer |
| Synnovis Pathology Services | June 2024 | Ransomware on pathology services systems | Estimated millions in healthcare disruptions | Ongoing investigation | BleepingComputer |

This table provides a detailed overview of Scattered Spider’s recent attacks across industries, demonstrating their evolving tactics and widespread impact.

This article outlines the technical steps LUCR-3 typically follows, from initial access to persistence and lateral movement within cloud environments, mostly targeting SaaS platforms.

Step 1: Initial Access Through Identity Compromise

LUCR-3 starts with a core weakness in modern security—identity management. Their main attack vectors include:

  1. SIM Swapping: LUCR-3 hijacks a user’s phone number by tricking the telecom provider into assigning the number to a new SIM card. Once they have control over the phone number, they can intercept One-Time Passwords (OTP) sent via SMS.
  2. MFA Fatigue: The attackers flood the target with repeated MFA prompts, often overwhelming them into approving a malicious login request.
  3. Phishing and Social Engineering: They set up fake login pages for SaaS applications (e.g., SharePoint or OneDrive), capturing legitimate credentials and OTP codes.

These techniques allow LUCR-3 to bypass standard Multi-Factor Authentication (MFA) protections and gain access to cloud environments (ISPM ITDR, Hero).

Step 2: Bypassing MFA and Establishing a Foothold

Once inside, LUCR-3 focuses on maintaining access to the compromised identity. This is done by modifying the victim’s MFA settings. Their tactics include:

  • Registering New Devices: LUCR-3 will register their own devices (phones or emails) under the victim’s account, which ensures they can log in without triggering alerts. For example, they might register an iPhone if the victim previously used Android, raising minimal suspicion.
  • Adding Alternate MFA Methods: They add backup MFA methods, such as an external email address, making it even harder to lock them out if the breach is discovered (ISPM ITDR).

Step 3: Reconnaissance and Data Collection in SaaS Environments

After gaining access to cloud platforms, LUCR-3 conducts extensive reconnaissance to identify critical assets, credentials, and sensitive information. Here’s how they do it:

  1. SaaS Platforms: They use native tools within platforms like SharePoint, OneDrive, and Salesforce to search for documents containing passwords, intellectual property, or financial data. They operate like legitimate users to avoid detection.
  2. AWS Cloud: In AWS environments, LUCR-3 navigates the AWS Management Console, targeting services like EC2 (Elastic Compute Cloud) and S3 (Simple Storage Service). They leverage the AWS-GatherSoftwareInventory job through Systems Manager (SSM) to list running software across EC2 instances (ISPM ITDR).
  3. Privilege Escalation: LUCR-3 may modify IAM roles or escalate privileges by updating LoginProfiles or creating new access keys, ensuring they have continued administrative access (Hero).

Step 4: Lateral Movement and Persistence

LUCR-3 ensures they have multiple ways to re-enter a compromised environment, even if one of their entry points is discovered. Here’s how they achieve persistence:

  1. Create New IAM Users: LUCR-3 creates new user accounts that align with the naming conventions of the compromised environment to avoid suspicion. These accounts often have high-level access, allowing them to continue accessing the environment even after the initial breach is patched.
  2. Secrets Harvesting: Using tools like S3 Browser, LUCR-3 harvests credentials stored in AWS Secrets Manager and similar services, allowing them to steal sensitive data and further penetrate systems (Hero).
  3. MFA Manipulation: They alter MFA settings to ensure continued access, often registering additional email addresses or devices that align with the compromised identity.

Step 5: Data Exfiltration and Extortion

Once LUCR-3 has gained the necessary access and gathered sensitive data, they execute the final stage of the attack, which often involves extortion. The data collected during reconnaissance, such as customer information or proprietary code, is used as leverage to demand payment from the compromised organization (The Hacker News, ISPM ITDR).

How to Detect and Prevent LUCR-3 Attacks

Given LUCR-3’s sophisticated techniques, organizations must adopt advanced security measures to detect and mitigate such attacks:

  • Monitor MFA Changes: Keep a close watch for unusual changes in MFA settings, such as new device registrations or changes from app-based authentication to SMS-based methods.
  • Audit Cloud Logs: Regularly audit cloud environments, especially IAM policy changes, new access key creation, and suspicious activity in management consoles.
  • Behavioral Anomaly Detection: Implement advanced behavioral monitoring to detect when legitimate accounts are being used in unusual ways, such as accessing unfamiliar services or using unfamiliar devices.
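The audit described above can be scripted. The following is an added example (not code from the original post or from any of the cited vendors) that scans CloudTrail-shaped events for the persistence actions the article attributes to LUCR-3: new IAM users, new access keys, login-profile and MFA changes, and SSM AWS-GatherSoftwareInventory runs. The watched event list, the user names and the sample events are all constructed for illustration.

```python
"""Flag CloudTrail-style events that match the identity-persistence actions
described above, and group them per actor so a chain of such actions by one
principal stands out. Example code added for illustration; the sample events
below are constructed, not real logs."""
from collections import defaultdict

# IAM / SSM event names to watch. Assumed mapping for this example, not an
# official or exhaustive list.
WATCHED = {
    "CreateUser": "new IAM user created",
    "CreateLoginProfile": "console login enabled",
    "UpdateLoginProfile": "console password changed",
    "CreateAccessKey": "new access key created",
    "AttachUserPolicy": "managed policy attached to user",
    "PutUserPolicy": "inline policy added to user",
    "CreateVirtualMFADevice": "virtual MFA device created",
    "EnableMFADevice": "MFA device enabled",
    "DeactivateMFADevice": "MFA device removed",
    "SendCommand": "SSM command sent",
}
INVENTORY_DOC = "AWS-GatherSoftwareInventory"

# Constructed sample: a compromised admin ("jdoe") creates a look-alike
# service user, gives it keys and admin rights, then inventories EC2 software
# through SSM. A second user ("asmith") only changes their own password.
SAMPLE_EVENTS = [
    {"eventTime": "2024-10-03T09:12:04Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com",
     "userIdentity": {"userName": "jdoe"}, "requestParameters": None},
    {"eventTime": "2024-10-03T09:14:31Z", "eventName": "CreateUser",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "jdoe"},
     "requestParameters": {"userName": "svc-backup-02"}},
    {"eventTime": "2024-10-03T09:14:40Z", "eventName": "CreateAccessKey",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "jdoe"},
     "requestParameters": {"userName": "svc-backup-02"}},
    {"eventTime": "2024-10-03T09:15:02Z", "eventName": "AttachUserPolicy",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "jdoe"},
     "requestParameters": {"userName": "svc-backup-02",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-10-03T09:20:17Z", "eventName": "SendCommand",
     "eventSource": "ssm.amazonaws.com",
     "userIdentity": {"userName": "jdoe"},
     "requestParameters": {"documentName": INVENTORY_DOC}},
    {"eventTime": "2024-10-03T11:02:55Z", "eventName": "UpdateLoginProfile",
     "eventSource": "iam.amazonaws.com",
     "userIdentity": {"userName": "asmith"},
     "requestParameters": {"userName": "asmith"}},
]


def flag_event(event):
    """Return (severity, reason) if the event is a watched action, else None."""
    name = event.get("eventName")
    if name not in WATCHED:
        return None
    params = event.get("requestParameters") or {}
    if name == "SendCommand":
        # Only the software-inventory document named in the article is in scope.
        if params.get("documentName") != INVENTORY_DOC:
            return None
        return "medium", f"SSM {INVENTORY_DOC} run (EC2 software reconnaissance)"
    actor = (event.get("userIdentity") or {}).get("userName")
    target = params.get("userName")
    reason = WATCHED[name]
    if target and target != actor:
        # Changing another principal's credentials, policies or MFA is how a
        # second way back in gets planted; rate it higher than self-service.
        return "high", f"{reason} for another principal ({target})"
    return "medium", reason


def scan(events, chain_min=3):
    """Return (findings, chains): every flagged event, plus actors with at
    least chain_min flagged actions, i.e. a likely persistence sequence."""
    findings = []
    per_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        hit = flag_event(ev)
        if not hit:
            continue
        actor = (ev.get("userIdentity") or {}).get("userName", "<unknown>")
        severity, reason = hit
        findings.append({"time": ev["eventTime"], "actor": actor,
                         "event": ev["eventName"], "severity": severity,
                         "reason": reason})
        per_actor[actor].append(ev["eventName"])
    chains = {a: n for a, n in per_actor.items() if len(n) >= chain_min}
    return findings, chains


if __name__ == "__main__":
    found, chains = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']} [{f['severity']:6}] {f['actor']}: {f['reason']}")
    for actor, names in chains.items():
        print(f"chain by {actor}: {' -> '.join(names)}")
```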

Conclusion

LUCR-3 (Scattered Spider) represents a new breed of cyber threat actors that rely on identity compromise rather than malware or brute force. By targeting the very foundation of security—identity—they can infiltrate cloud environments, move laterally, and exfiltrate data with relative ease. As organizations increasingly rely on cloud services, strengthening identity management, closely monitoring for anomalies, and responding quickly to suspicious behavior are critical defenses against such attacks.

References and Further Reading

  1. The Hacker News: Provides a detailed breakdown of LUCR-3’s identity-based attacks across cloud environments, lateral movement techniques, and persistence strategies.
  2. Permiso.io: Discusses how LUCR-3 targets identity infrastructure, modifies MFA settings, and maintains persistence in cloud environments like AWS and Azure.
  3. CrowdStrike: Offers insights into Scattered Spider’s use of the Bring-Your-Own-Vulnerable-Driver (BYOVD) technique and their focus on telecom and BPO sectors.
  4. Resilience Cyber Research: Highlights recent phishing campaigns by LUCR-3 in 2024, targeting industries such as telecom, food services, and tech, using Okta-based phishing tactics.
  5. EclecticIQ: Discusses LUCR-3’s involvement in ransomware attacks targeting cloud infrastructures within the insurance and financial sectors, leveraging smishing and phishing techniques.
  6. Wikipedia (Scattered Spider): Overview of the MGM Resorts hack in 2023, detailing how Scattered Spider gained access to internal systems through social engineering and caused significant disruptions.
  7. Cyber Defense Magazine: Discusses how LUCR-3 has highlighted vulnerabilities in MFA and cloud security, predicting more targeted attacks on SaaS and cloud service providers.
  8. BleepingComputer: Provides an overview of LUCR-3’s collaboration with ransomware groups like Qilin, targeting high-profile companies such as MGM Resorts and healthcare services.
  9. Caesars and MGM Hacking Incident: Outlines how Caesars Entertainment suffered a breach in September 2023, paying a ~$30 million ransom, while MGM Resorts experienced extensive downtime following a similar attack.
  10. Microsoft and Qilin Ransomware: Microsoft linked Scattered Spider to ransomware attacks using the Qilin variant, affecting companies like Synnovis Pathology and NHS hospitals in 2024 (BleepingComputer, Wikipedia).

These resources offer in-depth insights into the attack strategies and defence mechanisms relevant to LUCR-3 (Scattered Spider), perfect for anyone looking to deepen their understanding of identity-based attacks and cloud security.

How Will China’s Quantum Advances Change Internet Security?

Image Generated with Dalle 3

Introduction:

Chinese scientists have recently announced that they have successfully cracked military-grade encryption using a quantum computer with 372 qubits, a significant achievement that underscores the rapid evolution of quantum technology. This breakthrough has sparked concerns across global cybersecurity communities as RSA-2048 encryption—a widely regarded standard—was reportedly compromised. However, while this development signifies an important leap forward in quantum capabilities, its immediate implications are nuanced, particularly for everyday encryption protocols.

Drawing on technical insights from recent papers and analyses, this article delves deeper into the technological aspects of the breakthrough and explores why, despite this milestone, quantum computing still has limitations that prevent it from immediately threatening personal and business-level encryption.

The Quantum Breakthrough: Factoring RSA-2048

As reported by The Quantum Insider and South China Morning Post, the Chinese research team employed a 372-qubit quantum computer to crack RSA-2048 encryption, a cryptographic standard widely used to protect sensitive military information. RSA encryption relies on the difficulty of factoring large numbers, a task that classical computers would take thousands of years to solve. However, using quantum algorithms—specifically an enhanced version of Shor’s algorithm—the team demonstrated that quantum computers could break RSA-2048 in a much shorter time frame.

The breakthrough optimised Shor’s algorithm to function efficiently within the constraints of a 372-qubit machine. This marks a critical turning point in quantum computing, as it demonstrates the potential for quantum systems to tackle problems previously considered infeasible for classical systems. However, the paper from the Chinese Journal of Computers (2024) offers deeper insights into the quantum architecture and algorithmic refinements that made this breakthrough possible, highlighting both the computational power and limitations of the system.

Quantum Hardware and Algorithmic Optimisation

The technical aspects of the Chinese breakthrough, as detailed in the 2024 paper published in the Chinese Journal of Computers (CJC), emphasise the improvements in quantum hardware and algorithmic approaches that were key to this success. The paper outlines how the researchers enhanced Shor’s algorithm to mitigate the high error rates commonly associated with quantum computing, allowing for more stable computations over longer periods. This required optimising quantum gate operations, reducing quantum noise, and employing error-correction codes to preserve the integrity of qubit states.

Despite these improvements, the paper makes it clear that current quantum computers, including the 372-qubit machine used in this experiment, still suffer from several limitations. The system required an extremely controlled environment to maintain qubit coherence, and any deviation from ideal conditions would have introduced significant errors. Furthermore, the researchers faced challenges related to the scalability of the system, as error rates increase exponentially with the number of qubits involved. These limitations are consistent with the broader consensus in the field, as noted by Bill Buchanan and other experts, that practical quantum decryption on a global scale is not yet feasible.

The CJC paper also points out that while the breakthrough is impressive, it does not represent a complete realisation of quantum supremacy—the point at which quantum computers outperform classical computers across a wide range of tasks. The paper discusses the need for further advancements in quantum gate fidelity, qubit interconnectivity, and error correction to make quantum decryption scalable and applicable to broader, real-world encryption protocols.

Technical Analysis based on Li et al. (2024):

The paper explores two approaches for attacking RSA public key cryptography using quantum annealing:

1. Quantum Annealing for Combinatorial Optimization:

  • Method: This approach translates the mathematical attack method into a combinatorial optimization problem suited for the Ising model or QUBO model [1]. The Ising model represents a system of interacting spins, which can be mapped to the problem of factoring large integers used in RSA encryption.
  • Key Contribution: The paper proposes a high-level optimization model for multiplication tables and establishes a new dimensionality reduction formula. This formula reduces the number of qubits needed, thus saving resources and improving the stability of the Ising model [1]. The authors demonstrate this by successfully decomposing a two-million-level integer using a D-Wave Advantage system.
  • Comparison: This approach outperforms previous methods by universities and corporations like Purdue, Lockheed Martin, and Fujitsu [1]. This is achieved by significantly reducing the range of coefficients required in the Ising model, leading to a higher success rate in decomposition.
  • Focus: This technique represents a class of attack algorithms specifically designed for D-Wave quantum computers, known for their use of quantum annealing [1].

2. Quantum Annealing with Classical Methods:

  • Method: This approach combines the quantum annealing algorithm with established mathematical methods for cryptographic attacks, aiming to optimize attacks on specific cryptographic components [1]. It integrates the classical lattice reduction algorithm with the Schnorr algorithm.
  • Key Contribution: The authors leverage the quantum tunneling effect to adjust the rounding direction within the Babai algorithm, allowing for precise vector determination, a crucial step in the attack [1]. Quantum computing’s exponential acceleration capabilities address the challenge of calculating numerous rounded directions, essential for solving lattice problems [1]. Additionally, the paper proposes methods to improve search efficiency for close vectors, considering both qubit resources and time costs [1]. Notably, it demonstrates the first 50-bit integer decomposition on a D-Wave Advantage system, showcasing the algorithm’s versatility [1].
  • Comparison: The paper argues that D-Wave quantum annealing offers a more practical approach for smaller-scale attacks compared to Variational Quantum Algorithms (VQAs) on NISQ (Noisy Intermediate-Scale Quantum) computers. VQAs suffer from the “barren plateaus” problem, which can hinder algorithm convergence and limit effectiveness [1]. Quantum annealing is less susceptible to this limitation and offers an advantage when dealing with smaller-scale attacks.
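To make the first approach concrete, here is an added example (not code from Li et al. or from D-Wave) that builds the QUBO behind "factoring as combinatorial optimization": the factors are written in binary, every bit product is replaced by an auxiliary qubit held consistent by a penalty, and the quadratic objective (n - p*q)^2 is then minimised. It finds the ground state by exhaustive search instead of an annealer, and uses the plain multiplication-table encoding rather than the paper's dimensionality-reduction formula, so the qubit count it reports is the unoptimised baseline; the variable names and penalty weight are choices of this example.

```python
"""Integer factoring as a QUBO (the Ising-model form used by quantum
annealers). Example code added for illustration, not from the paper; the
QUBO is built classically and solved by exhaustive search."""
from itertools import product


def build_qubo(n, p_bits, q_bits, penalty=None):
    """Return (qubo, names, offset) for factoring the odd integer n.

    p = 1 + sum_i 2^i p_i (i = 1..p_bits) and q likewise, so both factors
    are odd. Each product p_i*q_j is replaced by an auxiliary qubit z_ij kept
    consistent by the Rosenberg penalty P*(p_i q_j - 2 p_i z - 2 q_j z + 3 z),
    which is 0 iff z == p_i*q_j, so (n - p*q)^2 stays quadratic. qubo maps
    (a, b) with a <= b to a coefficient; (v, v) entries are linear terms.
    """
    if penalty is None:
        penalty = n  # any P > 0 keeps the zero-energy ground state consistent;
                     # a larger P also pushes inconsistent states well above it
    weights = {}                                  # a_k in  p*q = 1 + sum a_k x_k
    for i in range(1, p_bits + 1):
        weights[f"p{i}"] = 2 ** i
    for j in range(1, q_bits + 1):
        weights[f"q{j}"] = 2 ** j
    aux = []
    for i in range(1, p_bits + 1):
        for j in range(1, q_bits + 1):
            aux.append((f"p{i}", f"q{j}", f"z{i}{j}"))
            weights[f"z{i}{j}"] = 2 ** (i + j)
    qubo = {}

    def add(a, b, c):
        key = tuple(sorted((a, b)))
        qubo[key] = qubo.get(key, 0) + c

    # (n - 1 - S)^2 with S = sum a_k x_k and x_k^2 = x_k:
    #   (n-1)^2 - 2(n-1) sum a_k x_k + sum a_k^2 x_k + 2 sum_{k<l} a_k a_l x_k x_l
    names = list(weights)
    for k, a in enumerate(names):
        add(a, a, weights[a] ** 2 - 2 * (n - 1) * weights[a])
        for b in names[k + 1:]:
            add(a, b, 2 * weights[a] * weights[b])
    for pv, qv, zv in aux:                        # consistency penalties
        add(pv, qv, penalty)
        add(pv, zv, -2 * penalty)
        add(qv, zv, -2 * penalty)
        add(zv, zv, 3 * penalty)
    return qubo, names, (n - 1) ** 2


def energy(qubo, offset, assignment):
    """Evaluate the QUBO for a dict of 0/1 values."""
    return offset + sum(c * assignment[a] * assignment[b]
                        for (a, b), c in qubo.items())


def decode(assignment, p_bits, q_bits):
    p = 1 + sum(2 ** i * assignment[f"p{i}"] for i in range(1, p_bits + 1))
    q = 1 + sum(2 ** j * assignment[f"q{j}"] for j in range(1, q_bits + 1))
    return p, q


def factor_by_exhaustive_search(n, p_bits, q_bits):
    """Stand-in for the annealer: enumerate all 2^k assignments and return
    (minimum energy, sorted distinct (p, q) at that energy, qubit count).
    Energy 0 means p*q == n with all auxiliaries consistent."""
    qubo, names, offset = build_qubo(n, p_bits, q_bits)
    best, found = None, []
    for bits in product((0, 1), repeat=len(names)):
        a = dict(zip(names, bits))
        e = energy(qubo, offset, a)
        if best is None or e < best:
            best, found = e, [decode(a, p_bits, q_bits)]
        elif e == best:
            found.append(decode(a, p_bits, q_bits))
    return best, sorted(set(found)), len(names)


if __name__ == "__main__":
    for n, pb, qb in ((15, 1, 2), (35, 2, 2), (143, 3, 3)):
        e, factors, qubits = factor_by_exhaustive_search(n, pb, qb)
        print(f"n={n}: energy={e} factors={factors} qubits={qubits}")
```

The qubit count grows as p_bits*q_bits for the auxiliaries alone, which is exactly the resource the paper's dimensionality-reduction formula targets.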

Citations:

  1. Li, Gao, et al. “A Novel Quantum Annealing Attack on RSA Public Key Cryptosystems.” WC 2024 (2024).

Implications for Civilian Encryption: Limited Immediate Impact

While the Chinese breakthrough is undeniably significant, it is essential to recognise that the decryption of military-grade encryption does not immediately translate to vulnerabilities in civilian encryption protocols. Most personal and business communications rely on RSA-1024, elliptic-curve cryptography (ECC), or other lower-bit encryption systems. These systems remain secure against the capabilities of today’s quantum computers.

Moreover, as highlighted in the paper by Buchanan and echoed in the CJC analysis, many organisations are already transitioning towards post-quantum cryptography (PQC). PQC algorithms are specifically designed to withstand quantum attacks, ensuring that even as quantum computers advance, encryption systems will evolve to meet new threats.

Another key point raised by the CJC paper is that quantum decryption requires an immense amount of resources and computational power. The system used to break RSA-2048 involved highly specialised hardware and extensive computational time. Scaling such an operation to break everyday encryption protocols, such as those used in internet banking or personal communications, would require quantum computers with far more qubits and error-correction capabilities than are currently available.

Preparing for a Quantum Future: Post-Quantum Cryptography

As quantum computing technology evolves, it is imperative that governments, companies, and cybersecurity professionals continue preparing for the eventual reality of quantum decryption. This preparation includes developing and implementing post-quantum cryptographic solutions that are immune to quantum attacks. The National Institute of Standards and Technology (NIST) has already initiated efforts to standardise post-quantum cryptographic algorithms, which are designed to be secure against both classical and quantum attacks. The CJC paper underlines the importance of this transition and suggests that PQC will likely become the new standard in encryption over the next decade.

In addition to PQC, the CJC paper highlights the need for ongoing research into hybrid encryption systems, which combine classical cryptographic techniques with quantum-resistant methods. These hybrid systems could provide a transitional solution, allowing existing infrastructure to remain secure while fully quantum-resistant algorithms are developed and implemented.

Conclusion: A Scientific Milestone with Limited Immediate Consequences

The Chinese research team’s quantum decryption of military-grade encryption is a groundbreaking scientific achievement, signalling that quantum computing is rapidly advancing towards practical applications. However, as emphasised in the technical analyses from the Chinese Journal of Computers and other sources, this breakthrough is not yet a direct threat to civilian encryption systems. Current quantum computers remain limited by their error rates, scalability challenges, and the need for controlled environments, preventing widespread decryption capabilities.

As organisations and governments prepare for a post-quantum future, the adoption of post-quantum cryptography and hybrid systems will be crucial in ensuring that encryption protocols remain robust against both classical and quantum threats. While the breakthrough highlights the potential power of quantum computing, its impact on everyday encryption is still years, if not decades, away.

References and Further Reading

  1. Bill Buchanan, “A Major Advancement on Quantum Cracking,” Medium, 2024.
  2. The Quantum Insider, “Chinese Scientists Report Using Quantum Computer to Hack Military-Grade Encryption,” October 11, 2024.
  3. South China Morning Post, “Chinese Scientists Hack Military-Grade Encryption Using Quantum Computer,” October 2024.
  4. Interesting Engineering, “China’s Scientists Successfully Hack Military-Grade Encryption with Quantum Computer,” October 2024.
  5. Shor, P.W., “Algorithms for Quantum Computation: Discrete Logarithms and Factoring,” Proceedings of the 35th Annual Symposium on Foundations of Computer Science, 1994.
  6. National Institute of Standards and Technology (NIST), “Post-Quantum Cryptography: Current Status,” 2024.
  7. Chinese Journal of Computers, “Quantum Algorithmic Enhancements in Breaking RSA-2048 Encryption,” 2024.

Starling Bank’s Penalty: How to Strengthen Your Compliance Efforts

Introduction

The rapid growth of the fintech industry has brought with it immense opportunities for innovation, but also significant risks in terms of regulatory compliance and real security. Starling Bank, one of the UK’s prominent digital banks, was fined £29 million in October 2024 by the Financial Conduct Authority (FCA) for serious lapses in its anti-money laundering (AML) and sanctions screening processes. This fine is part of a broader trend of fintechs grappling with regulatory pressures as they scale quickly. Failures in compliance lead not only to financial penalties but also to damage to reputation and customer trust. In most cases, they also lead to revenue loss and/or significant business impact.

In this article, we explore what went wrong at Starling Bank, examine similar compliance issues faced by other major financial institutions like Paytm, Monzo, HDFC, Axis Bank and Robinhood, and propose practical solutions to help fintech companies strengthen their compliance frameworks. This also establishes that these cybersecurity and compliance control lapses are not restricted to one geography but are prevalent in the US, UK, India and many other regions. Additionally, we look at how vulnerabilities manifest in growing fintechs and at the increasing importance of adopting zero-trust architectures and AI-powered AML systems to safeguard against financial crime.

Background

In October 2024, Starling Bank was fined £29 million by the Financial Conduct Authority (FCA) for significant lapses in its anti-money laundering (AML) controls and sanctions screening. The penalty highlights the increasing pressure on fintech firms to build robust compliance frameworks that evolve with their rapid growth. Starling’s case, although high-profile, is just one in a series of incidents where compliance failures have attracted regulatory action. This article will explore what went wrong at Starling, examine similar compliance failures across the global fintech landscape, and provide recommendations on how fintechs can enhance their security and compliance controls.

What Went Wrong and How the Vulnerability Manifested

The FCA investigation into Starling Bank uncovered two major compliance gaps between 2019 and 2023, which exposed the bank to financial crime risks:

  1. Failure to Onboard and Monitor High-Risk Clients: Starling’s systems for onboarding new clients, particularly high-risk individuals, were not sufficiently rigorous. The bank’s AML mechanisms did not scale in line with the rapid increase in customers, leaving gaps where sanctioned or suspicious individuals could go undetected. Despite the bank’s growth, the compliance framework remained stagnant, resulting in breaches of Principle 3 of the FCA’s regulations for businesses (Crowdfund Insider, FinTech Futures).
  2. Inadequate Sanctions Screening: Starling’s sanctions screening systems failed to adequately identify transactions from sanctioned entities, a critical vulnerability that persisted for several years. With insufficient real-time monitoring capabilities, the bank did not screen many transactions against the latest sanctions lists, leaving it exposed to potentially illegal activity (FinTech Futures). This is especially concerning in a financial ecosystem where transactions are frequent and high in volume, requiring robust systems to ensure compliance at all times.

These vulnerabilities manifested in Starling’s inability to effectively prevent financial crime, culminating in the FCA’s action in October 2024.

Learning from Similar Failures in the Fintech Industry

  1. Paytm’s Cybersecurity Breach Reporting Delays (October 2024): In India, Paytm was fined for failing to report cybersecurity breaches in a timely manner to the Reserve Bank of India (RBI). This non-compliance exposed vulnerabilities in Paytm’s internal governance structures, particularly its failure to adapt to rapid business expansion and manage cybersecurity threats (Reuters).
  2. HDFC and Axis Banks’ Regulatory Breaches (September 2024): The RBI fined HDFC Bank and Axis Bank in September 2024 for failing to comply with regulatory guidelines, emphasizing how traditional banks, like fintechs, can face compliance challenges as they scale. The fines were related to lapses in governance and risk management frameworks (Economic Times).
  3. Monzo’s PIN Security Breach (2023): In 2023, UK-based challenger bank Monzo experienced a breach where customer PINs were accidentally exposed due to an internal vulnerability. Although Monzo responded swiftly to mitigate the damage, the breach illustrated the need for fintechs to prioritize backend security and implement zero-trust security architectures that can prevent such incidents (Wired).
  4. LockBit Ransomware Attack (2024): The LockBit ransomware attack on a major financial institution in 2024 demonstrated the growing cyber threats that fintechs face. This attack exposed the weaknesses in traditional cybersecurity models, underscoring the necessity of adopting zero-trust architectures for fintech companies to protect sensitive data and transactions from malicious actors (NCSC).
  5. Robinhood’s Regulatory Scrutiny (2021-2022): In June 2021, Robinhood was fined $70 million by FINRA for misleading customers, causing harm through platform outages, and failing to manage operational risks during the GameStop trading frenzy. Robinhood’s systems were not equipped to handle the surge in trading volumes, leading to severe service disruptions and a failure to communicate risks to customers.
  6. Robinhood Crypto’s Cybersecurity Failure (2022): In August 2022, Robinhood was fined $30 million by the New York State Department of Financial Services (NYDFS) for failing to comply with anti-money laundering (AML) regulations and cybersecurity obligations related to its cryptocurrency trading operations. The fine was issued due to inadequate staffing, compliance failures, and improper handling of regulatory oversight within its crypto business. Much like Starling, Robinhood’s compliance systems lagged behind its rapid business growth (Compliance Week).

Key Statistics in the Fintech Compliance Landscape

  • 65% of organizations in the financial sector had more than 500 sensitive files open to every employee in 2023, making them highly vulnerable to insider threats.
  • The average cost of a data breach in financial services was $5.85 million in 2023, a significant figure that shows the financial impact of security vulnerabilities.
  • 27% of ransomware attacks targeted financial institutions in 2022, with the number of attacks continuing to rise in 2024, further highlighting the importance of robust cybersecurity frameworks.
  • 81% of financial institutions reported a rise in phishing and social engineering attacks in 2023, emphasizing the need for employee awareness and strong access controls.
  • By 2025, the global cost of cybercrime is projected to exceed $10.5 trillion annually, a figure that will disproportionately impact fintech companies that fail to implement strong security protocols.

Recommendations for Strengthening Compliance and Security Controls

To prevent future compliance breaches, fintech firms should prioritise scalable, technology-enabled compliance solutions. This requires empowering Compliance Heads, Information Security Teams, CISOs, and CTOs with the necessary budgets and authority to develop secure-by-design environments, teams, infrastructure, and products.

  1. AI-Powered AML Systems: Leverage artificial intelligence (AI) and machine learning to enhance AML systems. These technologies can dynamically adjust to new threats and process high volumes of transactions to detect suspicious patterns in real time. This approach will ensure that fintechs can comply with evolving regulatory requirements while scaling.
  2. Zero-Trust Security Models: As the LockBit ransomware attack showed in 2024, fintechs must adopt zero-trust architectures, where every user and device interacting with the system is continuously authenticated and verified. This reduces the risk of internal breaches and external attacks (Cloudflare).
  3. Real-Time Auditing and Blockchain for Transparency: Real-time auditing, combined with blockchain technology, provides an immutable and transparent record of all financial transactions. This would help fintechs like Starling avoid the pitfalls of delayed sanctions screening, as blockchain ensures immediate and traceable compliance checks (EY).
  4. Multi-Layered Sanctions Screening: Implement a multi-layered sanctions screening system that combines automated transaction monitoring with manual oversight for high-risk accounts. This dual approach ensures that fintechs can monitor suspicious activities while maintaining compliance with global regulatory frameworks (Exiger, FinTech Futures).
  5. Continuous Employee Training and Governance: Strong governance structures and regular compliance training for employees will ensure that fintechs remain agile and responsive to regulatory changes. This prepares the organization to adapt as new regulations emerge and customer bases expand.

Conclusion

The £29 million fine imposed on Starling Bank in October 2024 serves as a crucial reminder for fintech companies to integrate robust compliance and security frameworks as they grow. In an industry where regulatory scrutiny is intensifying, the fintech players that prioritize compliance will not only avoid costly fines but also position themselves as trusted institutions in the financial services world.

Further Reading and References

  1. RBI Fines HDFC, Axis Bank for Non-Compliance with Regulations (September 2024)
  2. RBI Fines Paytm for Not Reporting Cybersecurity Breaches on Time (October 2024)
  3. LockBit’s Latest Attack Shows Why Fintech Needs More Zero Trust (2024)
  4. Monzo PIN Security Breach Explained (2023)
  5. Varonis Cybersecurity Statistics (2023)

Scholarly Papers & References

  1. Barr, M.S.; Jackson, H.E.; Tahyar, M. Financial Regulation: Law and Policy. SSRN Scholarly Paper No. 3576506, 2020. Available online: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3576506
  2. Suryono, R.R.; Budi, I.; Purwandari, B. Challenges and Trends of Financial Technology (Fintech): A Systematic Literature Review. Information 2020, 11, 590. https://doi.org/10.3390/info11120590
  3. AlBenJasim, S., Dargahi, T., Takruri, H., & Al-Zaidi, R. (2023). FinTech Cybersecurity Challenges and Regulations: Bahrain Case Study. Journal of Computer Information Systems, 1–17. https://doi.org/10.1080/08874417.2023.2251455

By learning from past failures and adopting stronger controls, fintechs can mitigate the risks of financial crime, protect customer data, and ensure compliance in an increasingly regulated industry.

Why Did Elastic Decide to Go Open Source Again?

Elastic’s Return to Open Source: The Knight is back to the Pavilion

Elastic, the company behind Elasticsearch, recently decided to revert to an open-source licensing model after four years of operating under a proprietary license. This decision reflects a shift in strategy that emphasizes community-driven innovation and collaboration. In 2019, Elastic initially adopted a proprietary model to protect its intellectual property from cloud providers like Amazon Web Services (AWS), which were benefiting from Elasticsearch without contributing to its development. However, the move away from open-source posed its own challenges, including alienating the developer community that had helped build Elasticsearch into a widely-used tool.

In 2024, Elastic CEO Shay Banon announced the company’s return to an open-source framework. He explained that this decision stems from the belief that open collaboration fosters innovation and better serves the long-term interests of both the company and its user base. “We believe that the best products are built together,” Banon stated, emphasizing the value of community engagement in product development.

Recent Changes in Open-Source Licensing Models

Elastic’s decision is not an isolated incident. Over the past few years, several other technology companies have reconsidered their licensing models in response to the changing dynamics of software development and cloud service providers. These companies have struggled with how to balance open-source principles with the need to protect their commercial interests.

  1. Redis Labs
    Redis Labs initially licensed Redis under a permissive open-source license, but in 2018, the company adopted the Commons Clause to prevent cloud providers from offering Redis as a service without contributing to its development. However, after facing backlash from the developer community, Redis Labs adjusted its approach by introducing Redis Stack under more community-friendly terms, highlighting the difficulty of maintaining open-source integrity while ensuring business protection.
  2. HashiCorp
    In 2023, HashiCorp, known for popular tools like Terraform, adopted a Business Source License (BSL), which restricts the usage of its software in certain commercial contexts. HashiCorp’s move was driven by concerns over cloud providers monetizing its tools without contributing back to the open-source community. While BSL is not a traditional open-source license, HashiCorp continues to maintain a balance between openness and protecting its intellectual property, showing how companies are navigating complex market dynamics.
  3. MongoDB
    MongoDB’s shift to the Server Side Public License (SSPL) in 2018 was another major development in the open-source licensing debate. The SSPL aims to prevent cloud service providers from exploiting MongoDB’s open-source code without contributing back. While the SSPL is more restrictive than traditional open-source licenses, MongoDB’s goal was to retain the open-source ethos while ensuring that cloud vendors could not commercialize the software without contributing to its development.
  4. Chef Software
    Chef, an automation tool provider, switched all of its products to open-source in 2019 after years of operating under a mixed licensing model. This shift was largely a response to the growing demand for transparency and community collaboration. Chef’s decision allowed it to rebuild trust within its user base and align its business strategy with the broader trends in software development.

Impact on the Average Software Developer

For the average software developer, these licensing model changes can profoundly impact their work, career growth, and day-to-day development practices.

  1. Access to Cutting-Edge Tools
    When companies like Elastic and MongoDB return to open-source models, developers gain unrestricted access to powerful tools and frameworks. This democratizes the technology, allowing developers from small companies, startups, and even personal projects to leverage the same tools that major enterprises use, without the barrier of expensive proprietary licenses. For many developers, open-source provides not just tools, but an entire ecosystem for experimentation, learning, and rapid prototyping.
  2. Contributing to Open-Source Communities
    Open-source contributions are an essential career-building tool for many developers. By contributing to open-source projects, developers can gain real-world experience, build portfolios, and even influence the direction of widely-used technologies. When companies like HashiCorp and Redis Labs shift their focus back to open-source, it increases opportunities for developers to become part of a larger, global development community.
  3. Career and Learning Opportunities
    Exposure to open-source projects allows developers to work with cutting-edge technology and methodologies. This can accelerate learning, as open-source projects are often evolving quickly with input from diverse and global teams. Additionally, contributing to popular open-source projects like Elastic or Kubernetes can greatly enhance a developer’s resume and open doors to career opportunities, including job offers and consulting roles.
  4. Navigating Licensing Restrictions
    Developers must also become more adept at navigating the complexities of new licenses like SSPL and BSL. These licenses place restrictions on how open-source software can be used, especially in cloud environments. Understanding the fine print is crucial for developers working in enterprise environments or launching their own SaaS products, as improper use of open-source software can lead to legal complications. This makes legal and compliance knowledge increasingly important in modern software development roles.

Open Source vs. Open Governance: A Crucial Distinction

Elastic’s journey highlights a key debate in the software development world: the difference between open source and open governance. While many companies have embraced open-source models, few have transitioned to open governance frameworks, which involve community-driven decision-making for the project’s future direction.

As highlighted in my previous article, “Open Source vs. Open Governance: The State and Future of the Movement,” the distinction lies in control. In open-source projects, the code is freely available, but decisions regarding the project’s roadmap and key developments may still be controlled by a single entity, such as a company. In contrast, open governance ensures that decision-making is decentralized, often involving multiple stakeholders, including developers, users, and companies that contribute to the project.

For Elastic and others, returning to open-source doesn’t necessarily mean embracing open governance. Although Elastic’s code will be open for contributions, the strategic direction will still be managed by the company. This is a common approach in many high-profile open-source projects. For example, Google’s Kubernetes operates under the open-source model but is governed by a diverse group of stakeholders, ensuring the project’s direction isn’t controlled by a single entity. On the other hand, projects like OpenStack follow a more open governance approach, with broader community involvement in decision-making.

Understanding the difference between open-source and open governance is critical as the software industry evolves. Companies are beginning to realize that open-source alone doesn’t always translate into the collaborative, community-driven development they seek. Open governance provides a framework for more inclusive decision-making, but it also presents challenges in terms of efficiency and control.

Looking Ahead: Open Source as a Business Strategy

The return of Elastic and other companies to more open models indicates a growing recognition of the importance of open-source in the software industry. For Elastic, this decision is about more than just licensing; it’s about reconnecting with a developer community that thrives on transparency and collaboration. By embracing open-source again, Elastic hopes to accelerate product development and foster stronger relationships with users.

This broader trend shows that while companies are still cautious about cloud providers exploiting their software, they are increasingly finding ways to leverage open-source models as a business strategy. These recent changes to licensing frameworks highlight the evolving nature of software development and the role open-source plays in it.

For organizations navigating the complex decision between proprietary and open-source models, the key lesson from Elastic’s experience is that the long-term benefits of community-driven development and innovation can outweigh the short-term protection of proprietary models. As more companies follow suit, it’s clear that open-source is not just a technical choice—it’s a business strategy.

Further Reading:

  1. Why Open Source Matters for Innovation – Alan Turing Institute
  2. The Future of Open Source: What to Expect in 2024 and Beyond – MIT Technology Review
  3. Why Every Company Should be Open-Source Aligned – Forbes

Bitnami