Credit providers to proceed with caution

Featured

man-and-women-window-shipping-at-mallCredit-granting companies are urged to continue to carry out stringent checks on prospective lenders, following a recent ruling that relaxes affordability assessment requirements.

While many local retailers have lauded a recent High Court ruling that binned a legal clause requiring lenders to demand payslips and financial statements from credit applicants, the move has been met with raised eyebrows from SA’s credit regulator – which is concerned it may lead to reckless lending.

Indeed now more than ever, in light of the historic ruling, it is worth reiterating how vital it is for credit lending – in whatever form – to be approached with caution. If you are a business owner that deals with individuals or other businesses, the importance of carrying out thorough checks when assessing customers’ credit status cannot be stressed enough.

While it is unquestionably important for businesses to have customers, financially vulnerable customers only spell trouble – both for your company’s bottom line and the customer, who you as a business should be protecting.

Court ruling

On March 16 this year, the Western Cape High Court made a ruling that binned the clause of the National Credit Regulations that, since 2015, had made it compulsory for credit lenders to acquire payslips and financial statements from prospective borrowers before granting credit.

The judgment applies to all forms of credit lending, from store credit to microloans.

Prior to the recent ruling, subsection 23 A(4) of the National Credit Regulations required credit providers to obtain three recent payslips or bank statements as proof of income from applicants who were permanently employed – and three recent documented proofs of income or bank statements from those who did not receive a salary. If the applicant could not provide proof of income, credit providers had to then get three recent bank or financial statements from them (see page 18 of the Government Gazette, 13 March 2015).

While affordability assessments have always been a requirement of the National Credit Act (NCA), prior to the more stringent requirements put in place in 2015, credit providers were allowed to decide on their own means of carrying these out.

This year’s Western Cape High Court ruling – spurred on by applications by Truworths, the Foschini Group and the Mr Price Group – essentially returns the affordability assessment subsection of the NCA back to its former, more moderate, self.

The three retailers brought the case against the Department of Trade and Industry and the National Credit Regulator (NCR) because they claimed the said affordability assessment regulation adversely affected their businesses.

Continue with caution

However, the NCR, which believes an important tool in the fight against reckless lending and borrowing has been removed, is not happy with the ruling, to the extent it is considering an appeal.

The Credit Ombud, meanwhile, has also reportedly greeted the ruling with caution.

News site iol cites NCR company secretary, Lesiba Mashapa, urging credit providers to continue to carry out thorough credit checks despite the ruling: “We appeal to credit providers to continue to apply the income verification standards set by the regulations to protect themselves and consumers from reckless lending and borrowing.”

While the credit regulations in terms of affordability assessments have been significantly relaxed, Section 81 of the NCA, which requires credit providers to take “reasonable steps” to assess consumers’ financial stability before granting credit, remains in force.

Mashapa has urged credit providers to proceed with caution, and continue to carry out stringent credit checks on prospective customers. “[Credit providers] should request consumers to produce proof of income.”

pbVerify offers a range of B2B and B2C Credit Risk Management tools for any size business in South Africa that grants credit. For more information visit our products page HERE

 

[REFERENCES]

  1. Credit Ombud – National Credit Regulations including affordability (Chapter 3: Page 17)
  2. The Department of Justice & Constitutional Development – National Credit Act (Page 114)
  3. Southern African Legal Information Institute – Truworths Limited and Others v Minister of Trade and Industry and Others (4375/2016) [2018] ZAWCHC 41
  4. iol – High Court ruling removes barriers to credit
  5. Business Day – Court ruling leaves credit providers in catch-22 situation

Data protection: SA companies need to take a global stance

Featured

how-to-comply-with-the-data-protection-act-457501399With the implementation of the EU’s data protection laws just around the corner, local entities need to study up on how it could affect them.

D-day for implementation of the European Union’s (EU) General Data Protection Regulation (GDPR) is just three months away – and South African organisations are by no means off the hook.

If you are a South African entity that handles individuals’ personal data, you will be acutely aware of our country’s data protection law – the Protection of Personal Information (POPI) Act – but have you considered how the looming GDPR affects the way you manage clients’ personal information?

The fact of the matter is, if you are a locally-based business that offers goods or services to EU customers, you also deal with personal information or data relating to EU citizens’ – and you are just as responsible for complying with the GDPR as any EU business.

Leon van der Merwe, head of digital at customer communication firm PBSA, points out that any entity controlling or processing data relating to EU citizens is affected by the GDPR. “Controlling refers to any organisation that states why and how data is processed, while a processor is any party doing the actual processing of the data, whether based in the EU, or not.”

GDPR vs POPI

Van der Merwe says it is crucially important for local companies with dealings abroad to do their homework and familiarise themselves with the GDPR’s ground rules. “Companies could be fined heavily under GDPR regulations if they fail to provide evidentiary and auditable processes, as well as adequate IT security, to protect personal data.”

The GDPR is a regulation borne out of the European Parliament, Council of the European Union and European Commission’s joint intent to strengthen and unify data protection EU citizens.

Non-compliance with the GDPR comes with a hefty fine of up to €20 million (about R290 million) – or 4% of annual sales.

Similar to SA’s POPI Act, the GDPR is all about data protection. Data includes things like a person’s name, email address and phone number, as well as information collected by website cookies like internet browsing habits.

Breaching rules laid out in the POPI Act comes with a R10 million fine and/or a jail sentence.

Van der Merwe summarises the parallels between the two data-protection directives: “POPI and GDPR are similar, in that they both aim to strengthen the protection of personal information. They differ in their approach, in that the GDPR takes a wider, more global perspective that includes anyone, anywhere either controlling or processing – or both – data relating to EU citizens.”

Auditable business processes

A big part of compliance, when it comes to both the POPI Act and the GDPR, specifically involves audit trails – something PBSA’s digital signature and workflow product, SignFlow, is heavily centred on.

For evidentiary purposes and in order for any company to assert GDPR compliance, the automated management of an audit trail is imperative.

Van der Merwe says SignFlow is can assist customers in their strategy to automate and digitise processes in a responsible and compliant manner. “Business Process Automation is at the forefront of our technology development at SignFlow, including tools like DocFlow, CaseFlow and our digital customer on-boarding tools.”

At the core of SignFlow, he says, is Public Key Infrastructure (PKI). “PKI manages users’ private keys, and signs and secures documents using Public Key Cryptography. Not only does this make documents tamper-evident after they’ve been signed, but the entire operation is conducted in a secure network over encrypted secure socket layers between the public, personal devices and private servers.”

Unlike paper files and systems managing email attachments, this portal fully controls and audits the workflow and communication channels between interacting parties. “This greatly reduces the risk of data leaks,” says van der Merwe.

“The system enhances non-repudiation, creating a digital trail of undeniable events that prove intent and identity.”

With GDPR set to come into effect on 25 May 2018, and the high stakes attached to non-compliance, South African companies simply cannot afford not to take a global view on data protection. “The protection of personal information goes far beyond just the POPI Act for local companies dealing with international customers,” says van der Merwe.

 

[REFERENCES]

  1. Digiday – For the GDPR-curious: WTF is the Article 29 Working Party?
  2. The Digiday Guide to GDPR (PDF)
  3. The Sun – What is GDPR, what does it stand for, when is the deadline in 2018 and how can you check if a business is compliant?
  4. Michalsons – What does the GDPR mean for the POPI Act?
    POPI commencement date or POPI effective date starts the clock
  5. Wikipedia – General Data Protection Regulation
  6. IOL – Protection of Personal Information Act soon to become a reality
  7. ITWeb – Unpacking the POPI Act: The ins and outs of protecting personal information

New partnership simplifies company registration process

Featured

company-registration-MalaysiaCompany and domain names can now be registered as one, making it easier for companies looking to manage credit risk to access pbVerify’s full suite of services.      

A recent partnership between three South African agencies, allowing company and domain names to be registered together, has streamlined the process of registering local companies and, in turn, of accessing pbVerify’s suite of verification products.

Earlier this month it was announced that the Companies and Intellectual Properties Commission (CIPC), the ZA Domain Name Authority (ZADNA) and the ZA Central Registry NPC (ZACR) had collaborated to make it possible for new companies to register with the commission and claim a parallel co.za domain name at the same time.

The move will not only give new companies greater control over their intellectual property, it also significantly simplifies the process of acquiring unique online credentials – a requirement for access to many professional services, including pbVerify’s credit vetting products.

Daily online news portal, SME South Africa, cites ZACR CEO Lucky Masilela as saying the three-party agreement enables new enterprises to protect their fledgling online identities. “This innovative offering seamlessly combines the offline and online worlds in a way that provides total convenience and protection for start-ups.”

Credit management services

pbVerify is South Africa’s leading data bureau, offering small-to-medium enterprises (SMEs) and corporates all the information needed in order to make informed, intelligent business decisions to the end of mitigating credit risk.

The easiest way to verify businesses, people and property in South Africa, pbVerify’s suite of credit management services includes business credit checks, CIPC business and director searches, Home Affairs ID verification, SARS advanced VAT verification and bank account verification – among others.

Minimum requirements for companies seeking full access to pbVerify’s services are: a business email address; a business landline number and valid business registration details pertaining to an active business.

Now, thanks to the CIPC, ZADNA and ZACR partnership, companies can quickly and painlessly ensure they are able to tick all the above boxes.

Masilela describes the partnership as a “a fantastic example of domain name space pioneering coupled with out-the-box thinking in the area of public-private partnerships” and says the organisation is looking to launch further services for new enterprises, start-ups and other commercial users in future.Masilela describes the partnership as a “a fantastic example of domain name space pioneering coupled with out-the-box thinking in the area of public-private partnerships” and says the organisation is looking to launch further services for new enterprises, start-ups and other commercial users in future.

For more information on pbVerify’s services call 010 300 4898 or send an email to support@pbverify.co.za.

 

REFERENCE:

SME South Africa – Attention Startups! Company and Domain Names Can Now be Registered Together

 

SignFlow engineers terminate menacing Bitcoin virus

Featured

pic for SignFlow bitcoin blogA dangerous Bitcoin-mining virus has been detected and disabled by two of our IT experts.

A potentially devastating Bitcoin-mining virus has been stopped in its tracks, thanks to the vigilance and quick actions of SignFlow (a PBSA brand) engineers William Vermaak and Morne Wilken.

Vermaak and Wilken detected malicious activity on one of their customer’s servers last week, immediately analysed the source of the virus and un-infected the server.

According to Vermaak, the virus had gone undetected by all available virus packages. “We submitted samples to ESET the next day and [the company] immediately responded from its virus lab in Denmark, confirming the virus was wild and that detection for the threat had been added to its latest definition updates.”

Founded in 1992, ESET is a Slovakia-based IT security company that offers anti-virus and firewall products such as ESET NOD32. The security company named the virus winlog.VBS – VBS/TrojanDownloader.Agent.QE trojan winlog.bat – BAT/CoinMiner.UG Trojan.

By the time of detection, the virus had already infected 0.04% of Windows computers in South Africa, while Russia was hardest hit, with 0.5% of all Windows computers infected. Windows is currently the most popular end-user operating system in the world.

Essentially a Bitcoin-mining virus, the Winlog Virus downloads a Bitcoin CPU miner on the victim’s computer, and then mines Bitcoins for the virus originator. Vermaak says this type of virus is particularly evasive. “It tries to make itself resilient and configures various system schedules to start it again if it’s stopped. The virus will also install itself on the system as a system service.

“The virus infiltrates the System Registry and changes some keys to make itself run again if it’s shut down. Shortcuts on the victims’s Desktop are modified to run the virus and these then run the original program, in an attempt to mask it’s presence. The virus also copies itself into various other files on the system – including Microsoft.exe – to try ensure resilience.”

Prevalent pest

According to Manuel Corregedor, chief operations officer at information security company Telspace Systems, Bitcoin-mining viruses have become rampant. “There has definitely, in recent times, been an increase in Bitcoin-mining viruses – in particular the diversification of the type of currencies they mine.”

Almost three months ago, Russian president Vladimir Putin’s Internet advisor, Herman Klimenko, issued a dire public warning that 20 to 30 percent of all computers in Russia were infected with computer malware designed to turn devices into Bitcoin-mining machines.

At the time Klimenko told Moscow-based news broadcaster RBC that viruses that install bitcoin-mining software are the “most common and most dangerous” type of computer malware in existence.

Corregedor says the main issue Bitcoin-mining malware creates, is that it negatively impacts the performance of the victim’s computer. “[The malware] does this by stealing/utilising the infected computer’s resources (CPU, GPU, RAM, etc). This may result, over time, in increased wear and tear, which may cause the computer to fail or cease.” On top of this destructive consequence, he adds, there are other costs associated with increased power consumption.

But this destructive malware goes even further. Apart from the said performance impact, Corregedor notes that – apart from mining Bitcoins – it  has also been seen launching web- and network-based attacks, such denial of service attacks, login brute force attacks and web application attacks.

“It should also be noted that the danger [with Bitcoin-mining malware] is further increased due to the fact that [it] has been found to be infecting Internet of Things devices i.e. web cameras, routers, Network Attached Storage devices, etc.  The infections have mainly occurred due to these devices having default credentials configured on them – for example user name admin and password admin on a router.”

Protection pointers

Corregedor says users can protect themselves against these kinds of malicious virtual attacks by ensuring their operating systems (Windows, Linux etc) are up to date with the latest security updates (patches).

He gives the following pointers:

  • Ensure you have anti-virus software installed and that it is up to date
  • Ensure your devices are not using any default login credentials and/or weak login credentials, in particular devices such as routers
  • Enable/install a Firewall
  • Install a HIPS (Host Intrusion Prevention System)
  • Be cautious/aware when it comes to receiving unexpected emails with attachments and/or installing potentially unwanted software

“Attackers are constantly scanning the internet looking for devices that are not up to date and/or are not configured securely (for example using default credentials).  Once such systems are identified, they are infected with malware,” he warns.

“Additionally, attackers are also constantly sending out spam/phishing emails that contain malicious attachments.”

Corregedor says, while South Africa is just as vulnerable as any country when it comes to infection, the country’s lack of a National Information Security Awareness campaign could render it in deeper danger.

SA experts stop bitcoin virus

Published by IT-Online on 17 October 2017

A dangerous Bitcoin-mining virus has been detected and disabled by two Johannesburg-based IT experts.

White hat ethical hacker William Vermaak, from PBSA’s digital arm pbDigital, and senior software developer Morne Wilken, detected malicious activity on one of their customer’s servers last week. The two immediately analysed the source of the virus and uninfected the server.

According to Vermaak, the virus had gone undetected by all available virus packages.

“We submitted samples to ESET the next day and [the company] immediately responded from its virus lab in Denmark, confirming the virus was wild and that detection for the threat had been added to its latest definition updates.”

By the time of detection, the virus had already infected 0,04% of Windows computers in South Africa. Russia was hardest hit, with 0,5% of all Windows computers infected.

Essentially a Bitcoin-mining virus, the Winlog Virus downloads a Bitcoin CPU miner on the victim’s computer, and then mines Bitcoins for the virus originator.

Vermaak says this type of virus is particularly evasive. “It tries to make itself resilient and configures various system schedules to start it again if it’s stopped. The virus will also install itself on the system as a system service.

“The virus infiltrates the System Registry and changes some keys to make itself run again if it’s shut down. Shortcuts on the victims’s Desktop are modified to run the virus and these then run the original program, in an attempt to mask it’s presence. The virus also copies itself into various other files on the system — including Microsoft.exe — to try ensure resilience.”

Almost three months ago, Russian president Vladimir Putin’s Internet advisor, Herman Klimenko, issued a dire public warning that 20% to 30% of all computers in Russia were infected with computer malware designed to turn devices into Bitcoin-mining machines.

At the time, Klimenko told Moscow-based news broadcaster RBC that viruses that install bitcoin-mining software are the “most common and most dangerous” type of computer malware in existence.

 

SA white hat hackers disable Bitcoin-mining virus

Published by ITWeb on 17 October 2017.

A dangerous Bitcoin-mining virus has been detected and disabled by two Johannesburg-based IT experts.

A potentially devastating Bitcoin-mining virus has been stopped in its tracks, thanks to the vigilance and quick actions of two local IT experts.

Although mining Bitcoin with regular computer hardware is no longer profitable, that isn’t keeping criminals from giving it a try. Over the past few years, there have been several types of Bitcoin-mining malware, infecting computers all over the world.

White hat ethical hacker William Vermaak, from PBSA’s digital arm pbDigital, and senior software developer, Morne Wilken, detected malicious activity on one of their customer’s servers last week.

The two immediately analysed the source of the virus and uninfected the server. “Unfortunately, the only trace left in the code by the originator is the Bitcoin wallet that the Bitcoins will be deposited into. To trace the Bitcoin wallet is extremely difficult and you will need a police warrant to get any information from the Bitcoin companies hosting the wallet,” says Vermaak.

According to Vermaak, the virus had gone undetected by all available virus packages. “We submitted samples to ESET the next day and [the company] immediately responded from its virus lab in Denmark, confirming the virus was wild and that detection for the threat had been added to its latest definition updates.”

Founded in 1992, ESET is a Slovakia-based IT security company that offers anti-virus and firewall products such as ESET NOD32. The security company named the virus winlog.VBS – VBS/TrojanDownloader.Agent.QE trojan winlog.bat – BAT/CoinMiner.UG Trojan.

By the time of detection, the virus had infected 0.04% of Windows computers in SA, while Russia was hardest hit, with 0.5% of all Windows computers infected. Windows is currently the most popular end-user operating system in the world.

Essentially, a Bitcoin-mining virus, the Winlog Virus downloads a Bitcoin CPU miner on the victim’s computer, and then mines Bitcoins for the virus originator. Vermaak says this type of virus is particularly evasive.

“It tries to make itself resilient and configures various system schedules to start it again if it’s stopped. The virus will also install itself on the system as a system service. It infiltrates the System Registry and changes some keys to make itself run again if it’s shut down,” Vermaak explains.

“Shortcuts on the victim’s desktop are modified to run the virus and these then run the original program, in an attempt to mask its presence. The virus also copies itself into various other files on the system – including Microsoft.exe – to ensure resilience.”

Bitcoin-mining machines

Almost three months ago, Russian president Vladimir Putin’s Internet advisor, Herman Klimenko, issued a dire public warning that 20% to 30% of all computers in Russia were infected with computer malware designed to turn devices into Bitcoin-mining machines.

At the time Klimenko told Moscow-based news broadcaster RBC that viruses that install bitcoin-mining software are the “most common and most dangerous” type of computer malware in existence.

With the surge in Bitcoin-mining viruses, Vermaak says: “You need to keep your anti-virus software updated, and your operating system on the latest updates.

“With the growing demand for Bitcoin, this is sure to escalate in the near future, but it is still very new so hopefully we’ve stopped this method of infection for now.

“These days there is no such thing as a bulletproof system. Everything has got some weakness whether it’s a known or unknown vulnerability. Someone will find a vector that no one will think of to gain access to a system and use it to their advantage. The only thing you can do is to minimise the risk by using a good anti-virus package and to do backups regularly,” Vermaak concludes.

Tackling security in an IoT world

Featured

eepublishersPublished by EE Publishers on 20 September 2016

The internet of things is here – and it is bigger than we could have imagined – is your business ready?

The internet of things (IoT) is undeniably one of this century’s biggest phenomena in terms of ubiquitous impact and, while the implications associated with this technological wave are varied, one of the most crucial – if not the most crucial of these – centres around security.

Type the words “IoT and…” into your Google search engine bar, and one of the first phrases that comes up in the dropdown menu is “IoT and security”, says Leon van der Merwe, head of digital at customer communications firm PBSA. Security is a huge concern for businesses when it comes to this emerging network of connected things. Even with the strides made in cultivating a secure internet, this vast entity is just not 100% secure.

By nature, he says, the internet is arguably impossible to fully secure – and is becoming considerably more complex as the human race starts connecting everyday hardware devices. “We are basically building an internet of any and everything.”

And, contrary to common belief, South Africa is not playing catch-up to such an extent that local businesses need not be concerned. The IoT may not be as mainstream in South Africa as it is in other, developed countries, but it is fast heading that way. Any business that even remotely values its security would be making a grave mistake by not heeding the red flags inherent in the IoT.

In fact, according to a recent International Data Corporation (IDC) report – The Internet of Things in Africa – the market for connected devices in the country will account for $2-billion of the global total value ($1,7-trillion) by 2020. As for the continent as a whole, the research firm says Africa is likely to house around one billion connected devices by the turn of the decade.

A 2015 survey revealed that 33% of South African enterprises are planning major and/or significant investment in IoT over the next three years.

Unprecedented power

We know the IoT is set to explode – globally and on our own doorstep – but we must also consider, when taking security measures, the immense power this thing denoting a connected future holds.

The World Economic Forum (WEF) designates the IoT part of the “Fourth Industrial Revolution” – an era of technological advancement characterised by ubiquitous, mobile supercomputing. Klaus Schwab, founder and executive chairman of the WEF, says the possibilities of billions of people connected by mobile devices, with unprecedented processing power, storage capacity, and access to knowledge, are unlimited.

These possibilities will be multiplied by emerging technology breakthroughs in fields such as artificial intelligence, robotics, the IoT, autonomous vehicles, 3D printing, nanotechnology, biotechnology, materials science, energy storage, and quantum computing.

Given the enormous impact the IoT will have on businesses’ security, Van der Merwe believes local companies need to take security far more seriously. Many of the larger, security-conscious organisations take their security very seriously, but they don’t necessarily have the right strategies in place. When it comes to the so-called midstream businesses in South Africa, these generally have very poorly managed security policies, if any.

Access management

But where does one start when it comes to tackling this giant, looming phenomenon? At ground level, at one of the very core aspects of your connected devices – accessibility.

One of the products PBSA’s software arm, pbDigital, advocates is identity and access management (IAM). IAM outsources all require security requirements to run on the latest international identity and access management on one centralised solution.

Contact Leon van der Merwe, PBSA, Tel 011 516-9459, leon@pbsa.co.za