Saturday, October 27, 2018

Ransomware Attacks: Pre and Post Attack Protection

I was contacted by a company that had been infected with ransomware that encrypted their servers' files and demanded money to provide decryption. The company's entire infrastructure was infected, including the backup server which backed files onto internal disks, so the backup was encrypted and inaccessible as well.

Below is a screenshot of the display shown on every server, informing the victim of the situation and how to reach the attacker for decryption "services." I've masked the code so the victim can't be identified and exposed to a repeat attack.



The company that was attacked did have an antivirus in place, a firewall and some security measures, but that didn't prevent the attack. The attack occurred after the attackers spear-phished one of the admins; when the admin opened the attachment, the infection spread like wildfire.

An encrypted file sample was submitted to the free ID Ransomware service, but unfortunately it wasn't identified. When submitting your sample, include screenshots, emails and other related info. Even if the strain isn't identified, it helps block such attacks in the future. The victim in this case ended up paying to decrypt one server (the backup) and didn't decrypt the others; they wiped all systems and started restoring.

Mistakes

  1. Servers ran unpatched Windows OSs. They were vulnerable to an old flaw in the SMBv1 network sharing protocol that Microsoft had patched earlier this year, and which many malware families have used to spread across networks.
  2. The backup software stores backups as files (which is fine), but those files were stored on the internal disks only.

Positive Actions

  1. The owner contacted friends who were techies, who knew techies or who had been victims of similar incidents in the past.
  2. Did not touch any of the systems and left them as is. This is important, as some infections can be reversed if the server isn't rebooted (encryption key stays in memory sometimes).
  3. Contacted a local ISP that provided on-site security consultation. The person who attended knew what to look for, which greatly helped identify the infection method.
    It's important to contact an external entity to look at your systems. Sometimes your admins will hide info to protect themselves, and this does more damage than good for everyone: the company and the admins themselves.
  4. Contacted the attackers and acted desperate (even if you aren't) to buy some time; sometimes you can win sympathy from your case handler (the attacker replying to your email) and negotiate a reduced price for decryption instead of paying the full amount.

Protections and Precautions

  1. If you do pay to decrypt your data, fully understand that you're still infected, but now have access to your files. This does not mean you're safe, as the ransomware is still on your systems. You need to disinfect or completely wipe everything after getting your data out, and take out only the data, not the OS files.
  2. Always keep your systems up to date. Always. Force the business units or management to allocate suitable downtime for regularly patching all systems. Have procedures for critical patches that need to be applied ASAP and cannot wait for the usual schedule.
  3. Avoid running old operating systems. If you have software that must run on an archaic OS, find an alternative. Investing in migrating from old software that keeps you crippled is a lot cheaper than falling victim due to attacks on legacy systems, and running maintenance costs of legacy systems.
  4. When discovering an infection in the infrastructure, alert management immediately. Also, collect as many logs from as many systems as possible:
    1. Firewall logs
    2. VPN logs
    3. Server hardware logs
    4. Operating System events and logs
    5. Antivirus logs
  5. If the servers are running in your own datacenter in your building, disconnect everything from network, but keep the servers running. At least this prevents further spread or reinfection.
  6. Use the latest version of an antivirus, not only updated signatures. You must always have the latest version of the application itself to make use of better self-defense mechanisms and detection methods.
  7. Use an antivirus on servers and PCs that has Application Control and Trusted Application Mode modules. I know Kaspersky and Bitdefender offer these, and others surely do too.
    Trusted Application Mode is the most important: it only allows verified and known applications to run, while blocking everything else. This way, should malware reach a server, it won't be able to run there.
  8. Have an offline/off-site backup, either on some backup service, such as Veeam Cloud Backup, or on tape cartridges.
    If you decide to ship your tape cartridges abroad or take them outside of your building, make sure you place them in an anti-magnetic compartment to prevent metal detectors or Explosive Detection Systems (EDS) from damaging the tape. X-ray is completely safe and does not emit any magnetic field, so it's safe to carry cartridges in your carry-on, but not in your checked-in luggage, which is subject to EDS, and not in your pockets as you go through metal detectors.
  9. Linux is also susceptible to ransomware, not only Windows. Keep your *nix systems patched.
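As an added example (not from the original post), the following PowerShell audits a Windows server for the two mistakes listed above: SMBv1 still enabled and patching that has gone stale. It assumes Windows Server 2012 R2 or later, an elevated session, and a 45-day patch threshold that is my own assumption.

```powershell
# Added example, not from the original post: audit a Windows server for the two
# mistakes listed above (SMBv1 still enabled, patching that has gone stale).
# Assumes Windows Server 2012 R2 or later and an elevated PowerShell session;
# the 45-day threshold is an arbitrary assumption, tune it to your patch cycle.

function Get-RansomwareExposureReport {
    [CmdletBinding()]
    param(
        [int]$MaxDaysSincePatch = 45
    )

    # The SMBv1 listener switch on the Server service.
    $smb = Get-SmbServerConfiguration

    # SMBv1 binaries are a removable feature (FS-SMB1) on Server 2012 R2+.
    $smb1Installed = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue
        if ($f) { $smb1Installed = [bool]$f.Installed }
    }

    # Most recent update that has a recorded install date.
    $lastPatch = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    $daysSince = $null
    $lastId    = $null
    $lastDate  = $null
    if ($lastPatch) {
        $lastId    = $lastPatch.HotFixID
        $lastDate  = $lastPatch.InstalledOn
        $daysSince = [int]((Get-Date) - $lastPatch.InstalledOn).TotalDays
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Smb1ProtocolEnabled  = [bool]$smb.EnableSMB1Protocol
        Smb1FeatureInstalled = $smb1Installed   # $null when ServerManager is absent
        LastHotFixID         = $lastId
        LastHotFixDate       = $lastDate
        DaysSincePatch       = $daysSince
        PatchingStale        = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSincePatch)
    }
}

function Disable-Smb1Server {
    # Turns the SMBv1 listener off. Legacy devices (old NAS boxes, scanners,
    # XP-era clients) stop connecting, so confirm nothing depends on it first;
    # -WhatIf shows the action without applying it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 on the Server service')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

$report = Get-RansomwareExposureReport
$report | Format-List

if ($report.Smb1ProtocolEnabled) {
    Write-Warning 'SMBv1 is enabled on this server; review dependencies, then run Disable-Smb1Server.'
}
if ($report.PatchingStale) {
    Write-Warning "Patching looks stale (last recorded update: $($report.LastHotFixDate))."
}
```

Run it on each server before a patch window; a host that reports SMBv1 enabled and a stale patch date is exactly the profile described in the Mistakes list.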

It's important that one plans for worst case scenarios. Don't protect only the perimeter from the outside and leave the inside vulnerable. Live under the assumption that your internal systems can, and will, be infected one day, so plan accordingly.

Feel free to leave a comment to share your story, or an insight to help others, if you've been in a similar situation before.

Be paranoid. Be safe.

Tuesday, October 9, 2018

Unlock The Hidden Data: Enterprise Microservices Seminar

IBM is organizing a technical event to show use cases of containers, API consumption and micro-services in enterprise environments.

The event will have live demos and the speaking/presenting panel consists of technical engineers. Though the agenda is brief, the audience is free to ask for specific demos of use cases or features.

The event will take place at Sirdab Lab on Sunday Oct 14th, 5 PM to 8 PM. Attendance is free, but registration is required to provide sufficient seating and catering.

Event Information & Registration Link: https://www.eventbrite.com/e/unlock-the-hidden-data-enterprise-microservices-tickets-51119341326

Friday, September 7, 2018

Migrating Windows Fileservers: Preserving NTFS and Domain Controller Permissions

A client was running a Windows 2008 fileserver. Share folders had been created and used for years, and permissions were set per group or per user over the many folders, linked to the Active Directory domain controller.

For this particular case, the shares were on a dedicated drive that is a mapped storage volume. Reassigning the volume from the old server to a new one is quite easy, but the tricky part was preserving the share settings and the NTFS permissions along with the Active Directory domain security permissions.

After much digging around, the solution was a built-in command-line tool that can back up the permissions, plus exporting a registry key to back up the configuration of the shares and their paths. Make sure you test this on a test machine first before applying it to production! This will save both local user and domain security permissions.

Pay attention to backslashes (\) as they make a difference to the tool.

Step 0: Backup and Restore Shares and their Permissions

  • Run regedit with administrator permission: search for regedit, then right click and choose "Run as Administrator"
  • Go to this location: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
    Note: HKLM = HKey_Local_Machine
  • Right click the Shares registry key and export. The key is the item that looks like a folder in the left pane, not the content inside on the right pane.
To restore the shares and their permissions, double click the saved exported file.

Step 1: Backup and Restore NTFS and Active Directory Security Permissions

  • Open the command prompt (cmd.exe) with administrator permission.
  • To backup: icacls "path to folder" /save ntfsperms.txt /t /c 2> errors.txt
    Example: icacls d:\data /save ntfsperms.txt /t /c 2> errors.txt
    /t for recursion to include subfolders of the main one.
    /c to continue even when errors occur; they'll still be printed and written to the errors text file.

    Note: If you put multiple folders directly on the root of the drive, the command should look like this: icacls d:\* /save ntfsperms.txt /t /c 2> errors.txt
To restore: icacls d:\ /restore ntfsperms.txt

Yes, there's a difference in the way you restore the permissions and the path. Even if you had backed up d:\data, you restore to the root directory/folder d:\. That's how the tool works.

Keep in mind that the text file you save the permissions to will be created in the command prompt's current directory. If you run cmd as Admin, you'll be in C:\Windows\System32 by default.
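As an added example (not from the original post), the Step 0 and Step 1 procedure wrapped into two PowerShell functions so the backup files land in a known folder. D:\data, D:\ and C:\ShareMigration are placeholder paths; one caveat the procedure does not mention is that local (non-domain) accounts have machine-specific SIDs, so their entries show up as unresolved SIDs on a different server, while domain entries carry over intact.

```powershell
# Added example, not from the original post: the Step 0 / Step 1 procedure as
# functions. Paths are placeholders; run in an elevated PowerShell session.

$BackupDir = 'C:\ShareMigration'   # assumption: where the exported files go

function Backup-ShareConfig {
    param(
        [string]$DataRoot = 'D:\data',   # folder whose NTFS ACLs are saved
        [string]$OutDir   = $BackupDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    # Step 0: export the Shares key (share names, paths and share-level ACLs).
    $key = 'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    reg.exe export $key (Join-Path $OutDir 'shares.reg') /y
    if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

    # Step 1: save NTFS ACLs recursively (/t), continuing past errors (/c).
    # Explicit output paths avoid the "file lands in System32" surprise.
    $acl = Join-Path $OutDir 'ntfsperms.txt'
    $err = Join-Path $OutDir 'errors.txt'
    icacls.exe $DataRoot /save $acl /t /c 2> $err
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls reported errors; see $err" }

    # Sanity check: icacls writes one path line followed by one SDDL line per
    # object, so anything under two lines means nothing was captured.
    $saved = Get-Content $acl
    if (-not $saved -or $saved.Count -lt 2) { throw 'icacls produced an empty ACL file' }

    # Local accounts appear here as S-1-5-21-... SIDs that will not resolve on
    # another machine; domain SIDs are the same on every domain member.
    Write-Host "Saved $($saved.Count / 2) ACL entries to $acl"
}

function Restore-ShareConfig {
    param(
        [string]$DriveRoot = 'D:\',      # the ROOT, not the folder that was saved
        [string]$InDir     = $BackupDir
    )
    # Shares: import the .reg file (same as double-clicking it), then restart
    # the Server service so it re-reads the key; the post relies on a reboot
    # for this, a service restart is the quicker equivalent.
    reg.exe import (Join-Path $InDir 'shares.reg')
    if ($LASTEXITCODE -ne 0) { throw "reg import failed with exit code $LASTEXITCODE" }
    Restart-Service -Name LanmanServer -Force

    # NTFS ACLs: entries in ntfsperms.txt are relative to the directory given
    # here, which is why a save of D:\data is restored against D:\.
    icacls.exe $DriveRoot /restore (Join-Path $InDir 'ntfsperms.txt') /c
    if ($LASTEXITCODE -ne 0) { Write-Warning 'icacls restore reported errors' }

    # Confirm the shares came back.
    Get-SmbShare | Where-Object { $_.Path -like "$DriveRoot*" } |
        Select-Object Name, Path | Format-Table -AutoSize
}
```

Run Backup-ShareConfig on the old server, move the volume and the C:\ShareMigration folder, then run Restore-ShareConfig on the new one.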

Thursday, August 30, 2018

Kuwait Game Jam 2018

Once again, Q8Geek is organizing Kuwait Game Jam, where people gather to create games over a weekend based on a theme decided on the first day.

Date: September 6 - September 8
Location: Niu - Business District One
Details: https://bit.ly/kgj_18


Kuwait Game Jam 2018 - Poster 1
https://www.instagram.com/p/Bm-u0QzBtnm/?taken-by=q8geek

Kuwait Game Jam 2018 - Poster 2
https://www.instagram.com/p/BnD2cpCncmT/?taken-by=q8geek

Saturday, August 25, 2018

High CPU Utilization on Live Streams

While watching a live stream of Dota2, I noticed my CPU utilization on Firefox (Fx) climbs to 50%-60% after a minute of watching the stream. I did some comparison against Chrome and Brave and both were using less than 3%.

The live stream website of Steam TV uses Akamai's HTTP Live Streaming, which according to Akamai, uses H264 video codec and AAC audio codec. Specifically:
Video: H.264 Baseline Profile Level 3.0, Main Profile Level 3.1, High Profile Level 4.1, and MPEG-4 Simple Profile
Audio: HE-AAC or AAC-LC up to 48 kHz
In all cases below, there's only one private/incognito tab open, each browser was launched without the other loading the same site, and left to stream for 2 minutes minimum.

I did the same comparison against YouTube & Vimeo, and all browsers had very low CPU utilization.

Computer Specs

CPU: i7-6700k
GPU: nVidia GTX 1080
OS: Windows 10 Pro - Build 17134

Firefox Browser

firefox cpu and gpu utilization
CPU utilization: 60.9%
GPU utilization: 5.4%
Memory utilization: 788 MB
Browser version: 61.0.2

Note: There's only one tab open, but you see 6 processes launched. Firefox is probably using multiple processes for video or other content the site has loaded.

I have disabled Ghostery addon intentionally to make sure the spike in CPU wasn't caused due to blocked scripts, ads or anything else.

Firefox GPU options: I checked the "Performance" under General options and when unchecking the Optimum check mark, it does show that it uses hardware acceleration when available.

GPU Options


H264 Options


Brave Browser

brave cpu and gpu utilization
CPU utilization: 1.9%
GPU utilization: 12.3%
Memory utilization: 634 MB
Browser version: 0.23.79

Browser left to its default settings.

Chrome Browser

chrome cpu and gpu utilization
CPU utilization: 1.4%
GPU utilization: 3.7%
Memory utilization: 271 MB
Browser version: 68.0.3440.106

Browser left to its default settings.

Oddly enough, it's using the least GPU, but still manages to keep CPU utilization low.

Summary

I still don't know what the cause is. Be mindful of what you use and your resources, as more CPU utilization can quickly eat your device's battery (laptop).

Update 1: Aug 26th, 2018 - 19:17. Added system info and browsers' version.

Tuesday, August 21, 2018

Banking App Comparison: Boubyan Bank vs NBK

Introduction

The purpose of this post is to compare functionality and usability of banking applications from Boubyan Bank (BB) and National Bank of Kuwait (NBK).

I will ignore any banking service not provided in the app, and provided in the branch or on the web portal, as that will drag the post much longer than I'd like (with one exception: login process).

Image Quality

Some banking apps have enabled an Android security flag in their apps that prevents taking screenshots (which is dumb). NBK has enabled that, but BB didn't. I was able to take clean screenshots of BB, but for NBK, I had to take pics with another phone, so the output isn't clean.

Background

The reason I'm writing this comparison is because I'm fed up with NBK. This is not a vindictive post, but a series of issues have happened throughout years that have pushed me into looking elsewhere, after being with NBK for 23 years.

Whenever I wanted to do transactions, I had to go to the branch, because the phone support couldn't touch my account. Getting out of office and driving to the bank is not something I want to do, as I hate driving, and it's a huge waste of time to get the simplest of things done by forcing me to go to the branch.

I've had friends try BB and show me their banking app, and I was quite shocked at how much can be accomplished from the app itself, without the need to ever go to the branch. This is what drove me to finally move all my funds and my salary to BB: ease of use of services, and applications that are made for humans, not a clump of features thrown together and left to the consumer to figure out, as you'll see with the NBK app.

For the sake of completeness: My account type in NBK is "Thahabi" (Gold) and its equivalent in BB is "Platinum" which is the one I have now. So, both accounts have almost similar privileges, mainly that you get a dedicated account manager that you can contact directly (if needed), in addition to account perks.

On-Boarding Process

This is the first time you enroll into the banking app.
BB: You can enroll from the app directly.

NBK: You cannot enroll from the app directly. You have to login to their web portal and grab some validation code to do the enrolling process. Their web portal is not mobile friendly.

Here's the BB process:
onboarding - unlink existing device
Removing my existing phone data to do a fresh setup

onboarding - creating a new account
Creating new account. Notice you need both username and a few civil ID digits.

onboarding - answering a secret question
Answering the secret question. This is only done once to enroll this device/phone.

onboarding - finally typing the password
Typing the password while also showing an image and some text that you've previously selected to guarantee the site isn't fake

As you can see here, you can do everything from the app itself, whether it's creating a new user or enrolling/adding a new device to access your account(s). No need for a web portal, like NBK requires.

Score

BB: 1
NBK: 0

Login Process

Recently NBK moved away from logging into the account using the debit card number on their web portal, and instead did as BB: use a username.

This introduced one very important element: to login to BB, you need to know some digits of the civil ID, else you cannot proceed.

In NBK, to login, it only asks for the username, which allows for Denial of Service (DoS) attacks, either by malicious intent or by unknowing users who forgot their actual user and entered yours by mistake a few times, which leads to locking YOUR account.

BB

BB login drag to right side for normal login or left for Musaed chat bot

BB login enter password

In the first picture, you can see 2 options to login: drag to the right for the normal app login, or drag to the left for "Msa3ed" (pronounced Musaed) which is a chat bot to do your typical tasks faster by telling the bot what you want.

Your full name shows under the avatar icon. Drag to any side, and then you're prompted to enter your password. After that, you're inside your account.

NBK

NBK login press button to start login process

NBK login answer secret question

NBK login enter password or fingerprint

Here you see the main login page of NBK showing your username which you chose during the initial sign up process. You click a button to start the login process, which asks you a random question that you have to answer based on your signup process, then enter the password or your fingerprint.

It's inconvenient to have to answer a secret question every time. I have already enrolled my device, so you know it's me, why ask me every time?

The fingerprint use case is nice, but I don't personally use it. Also, I don't know if the app ditches the secret question if you enroll a fingerprint, but it shouldn't ask for one anyway after enrolling your device.

Assuming you added your fingerprint, you still have to remember answers to all 3+ questions, as you'll be asked every time, so the convenience of the fingerprint is overridden.

Score

BB: 1
NBK: 0

App Main Page and Info Access

Here we'll explore what info or functions are available from the screen.

BB

BB contacts and social media accounts

BB notifications

BB apps

BB branches

Social media icons, and contact info. They provide WhatsApp in addition to live chat. Both are very useful for when you're abroad and don't want to incur international calls for generic questions that don't require your personal info. If you do need to call to access your account, you can call the local hotline number or the international number (the hotline number cannot be dialed from outside of Kuwait).

Push Notifications are visible from the main app page without needing to login. This might be a privacy issue for some people, but then that's why you should pin-lock your phone. The notifications show the transactions and remaining amounts in the debit or credit account/card.

Boubyan Apps offer some quick tools: Demonstration (demo) mode, Branch and ATM Locator, Currency Exchange, Prayer Times, Qibla Location/Direction, Discounts, Tutorials and Brochures. The Discounts part shows a list of shops/companies that BB has offers with and provide discounts to their clients. Conveniently, it has a search function to easily find a shop you're looking for.

Finally, the branch/ATM locator shows both a map of ATMs and Branches and a list based function. When clicking on the phone icon, you get to call that branch, or click on the location icon and you open your maps app to navigate there. It also shows the working hours of the branch.

Sadly, the branch list doesn't have a search function and it doesn't show which branches have Boubyan Direct ATMs.

NBK 

NBK main page tell friend

NBK main page side menu

NBK contact us info

NBK contact us info continued

NBK branch map

NBK branch list

On the top right, a "Tell a Friend" button to send an SMS to a friend to download the NBK app. Useless feature. The other button shows the version of the app (might be useful for debugging/helping a customer on the phone but using an old version).

Side menu offers Demo mode, NBK Rewards, Travel Tips, Products and Services, Common Questions, Map of Branches, and Contact Us info.

Rewards, Map and Contact are already available as buttons on the main page without accessing the side menu, so why add them there again?

Contact info lists social media accounts, one on each line, then the phone numbers for Kuwait and outside of Kuwait as it has operations internationally. NBK offers contact via WhatsApp for generic questions, but no dedicated live chat, so those without WhatsApp (like myself) cannot chat and will have to call.

The Rewards list is organized by category, but has no search function. Horrible usability.

The maps show the map view, but for some reason the list is empty for me.

The map view offers a filter option that shows Branches, ITMs and ATMs. ITMs are equivalent to Boubyan Direct. However, the search feature is "Google wide" so if you type "Abdullah" hoping it'd show Abdullah Al-Salem area, you'd be mistaken, and instead it jumps to some location 3000 km away on Google Maps.
When you do find the branch/ATM you want manually, you get its name and the area. No extra info, such as branch phone number, nor working hours. Semi-useless.

So much wasted space here in the main page and redundant items, in addition to putting the contact list as a long side list, instead of a clear big page. Also, why put each social media link in a separate line, rather than just put icons and keep it simple and consume smaller area?

No notifications quick access or view.

Score

BB: 6
NBK: 2

WhatsApp, Live chat, usable map list, branch info, searchable branch names, contacts, searchable discounts/rewards/offers

Account Summary

First thing you see after you login. Accessing your account info, history and some other stuff.

BB

BB account summary

BB account history

BB account info and IBAN copy

BB credit card info

You can put nicknames for your accounts and credit cards, to know which one is for what/whom. I have 2 accounts: my salary account and a savings account where I dump extra money to get some profit off of it at the end of the month. I have 2 credit cards: one is mine and the other is for a family member. VISA Signature allows for 2 free for life complimentary cards for a card holder (VISA feature, not the bank).

If you click on the account itself, you'll see the transaction history, which is searchable. Search options are: Date range, period (last month-12 months), amount, description or cash back. Clicking on "Last 3 months" in period, it auto fills the date range. I tried the description search to find name of a cafe I bought some stuff from, but it didn't show. Only amount worked. Usability not properly tested here.

Back to the summary page, if you click on the very obvious red 3 dots, you get some settings for that account/card: edit account/card name, copy IBAN number, print statement, transfer money, make a payment, or view transaction history, along with some other info.
For the credit card, it's nice to see the expiration date there, and how many days are remaining for the expiration.
Adding the transaction history button there is redundant since you already get that when you click on the account/card.

NBK 

NBK account summary

NBK account history

NBK account details/info

NBK account extra functions menu

NBK account extra functions

No account nicknames. Clicking on the account number shows the history. On the top there is a filter and a search function. The filter shows: Transaction Type (Debit, Credit, All), and Date Range list. The search field allows you to search in existing history and works well. I searched for a place I visited and paid there, and it showed it in the list.

There's a Details pane that you can click and it shows your account type and its number, below it you get the account number (again), IBAN and balance.

Back at the summary page, there's a tiny obscure arrow that if you manage to click, you get an extended menu for the account: History, Details and Operations. History and Details take you to the respective pages discussed above, and clicking Operations gives you the menu to Transfer, print statement, copy account number and copy IBAN.

Consider the fact that History and Details are very obvious and easy to access by clicking on the account, why waste more space in this hidden menu, and why make it difficult to notice and click in the first place!?

Also, isn't it easier to simply put a copy button (or make the IBAN/account numbers clickable to copy) in the Details page/pane?!

Score

BB: 4
NBK: 3

account and card nicknames, easy access to copy IBAN, access to history, searching for description, and statement access.

Notifications

BB

BB push notifications

BB notifications settings

BB offers multiple options on how to receive notifications, either SMS or Push or both (in some cases). One thing not shown here, is when you enter the notifications list, you can delete all notifications or one by one. Delete function is not available when accessing the notifications from the main app page before logging in, which is excellent in terms of privacy (to prevent someone close to you from buying with your card and deleting notifications).

NBK

NBK notifications options

NBK doesn't offer options to choose from SMS or Push, but provides what to receive in Push notifications. If you've subscribed to their SMS service, you'll receive SMS for debit and credit transactions.

As of this writing, Kuwait's Central Bank has mandated that all banks in Kuwait, local or foreign, enable SMS notifications for all transactions for free for all their clients, starting from September 1st, 2018.

From NBK's list above, it's not clear whether account/card transactions would be considered "events" or not, so if you're traveling and have removed your SIM card, you may not receive a notification via Push. If it's otherwise, please let me know.

Points off for the lack of granularity on SMS, while milking the Push option for promotions and campaigns. I.e., NBK put its own needs over the client's needs.

Score

BB: 1
NBK: 0

Travel Notice

Banks request their clients to notify them when traveling so that they input into their fraud detection systems the countries the client will travel to, to avoid false positives.

Previously with NBK, I used to call the support line to notify them. Now both banks offer this in their apps, but at varying degrees.

BB

BB travel notice options

BB travel notice return

Everything in one page. Simple and intuitive, and after selecting one, or more debit and credit cards, along with multiple destinations and the duration of the trip, you get another screen where you can end the trip after you come back, in case you decided to extend your stay.

No more calling and waiting for support.

NBK

NBK travel notice card selection

NBK travel notice country selection

NBK travel notice date selection

NBK travel notice summary

Something so simple needlessly turned into an essay. What's worse, after the final submission, you get a prompt stating "your requested has been submitted" but there's no way to validate or show that they received it or how to cancel it upon your return.

Score

BB: 3
NBK: 0

Simplicity, visual confirmation of canceling or ending trip, and end trip option.

Money Transfer

This section is a bit lengthy, as it involves multiple categories: Self transfer (between accounts), same bank transfers (other people using same bank), local transfers (others using other banks), international transfers, collecting payments from others, and finally, remittance.

BB 

BB adding same bank beneficiary

BB listing local bank beneficiary

BB adding local bank beneficiary

BB adding international bank beneficiary

BB payment collection via knet

BB western union money remittance

BB western union money remittance continued

Comparing western union remittance to a local remittance company

BB cardless cash withdrawal with civil id

BB cardless cash withdrawal with temp code

Same bank transfers: BB offers 2 options, either add a beneficiary by account number, or by their mobile number, if they had allowed being added by it in their privacy settings. This is a great convenient function!

Local bank transfers: You can add a local beneficiary in a different bank by their IBAN as it's required by all banks, but notice the excellent touch of adding the local bank's logo to easily identify the account. Those could be your own accounts in different banks, so this is far easier to find the right account instead of reading text.

International transfers: First you choose where the bank is located, then the currency, then you fill in the rest of the information. When I added a company in the EU using the web portal (it was easier to copy/paste stuff from email and notes), it automatically filled in the SWIFT code information, bank name and address! I checked the same function in the app and it worked! Super convenient!

Payment Collection: BB was the first to introduce this feature, as far as I know, and it basically creates a link to KNet for you to send to someone to pay you, or you can do it in-app and have someone fill in the information on your phone directly (no need to send a link).
This makes group gatherings easy as we won't need to collect money from everyone and waste time dividing the remainder, for example.
There are daily and monthly limits, however, they're not shown in the app. Definitely loses points for the missing crucial info.

Remittance: I can't state how happy I am to finally find something that works properly and free me from driving to remittance companies and waiting in queues!
Our housekeeper is from the Philippines and I had made a transfer for her the other day, then decided to add the same person as a Western Union (WU) beneficiary in the app and check the fees.
It turns out WU dropped their fees to match Cebuana (another remittance company) = 1 KD per transfer, and WU's/BB's currency exchange fees are even better than the remittance company.

The transaction above and the WU quote in the app were done on the same day with only 40 minutes of time difference between them.

Added bonus: in a later menu you'll see a clock icon near certain items, including WU. This means you can set this transaction to be recurring automatically.

Cardless Cash Withdrawal: This feature is available from Boubyan Direct ATMs only, but allows one to have others withdraw cash from one's account without handing over the card or its pin code.
Example: you want your driver to take some money and buy groceries, then you have him use his civil ID and withdraw the allocated amount from the app.
Notice the "cash for me" option? This is useful in case you had lost your debit card or forgot it. Still requires using your civil ID.

NBK

NBK transfers page

NBK KNet payment collection option

NBK KNet payment collection option - details

NBK KNet payment collection option - details2

All payments are lumped into one page. What's worse? You cannot add beneficiaries using the app. You have to use the web portal, which is not mobile friendly at all, to add them the first time.

As you can see from the list, the names are listed alphabetically and no image/icon to differentiate banks from each other, be it your accounts or someone else's. A salad.

The payment collection option is there and does what it needs to do, but also shows daily and monthly limits. A bonus point for NBK.

Score

BB: 7
NBK: 2

Categorization of beneficiaries, simplicity of adding same bank beneficiaries, simplicity of adding and differentiating local beneficiaries, simplicity of adding international beneficiaries, payment collection option, remittance option, clarity of payment collection limits, and cardless cash withdrawal.

App Service Menus

Menus to access other app functions.

BB 

BB service menu - transfers

BB service menu - payments

BB service menu - eServices

At the top of the menu, you can see the account type "Platinum" and then next to it is the full name of my account manager (I redacted his last name), and a phone icon to call the account manager. This shows careful understanding and catering to clients with the smallest details.

There are 3 main menus: Transfers, Payments and eServices.

The human icon takes you to the beneficiaries list directly. The clock icon takes you to the recurring transaction menu of that function directly.

I've already described most of these functions, so I'll skip to one that I didn't: opening accounts. You can open a savings account, a premium savings account, or a fixed deposit (many types are available). Additionally, it calculates the profits of your money for the fixed deposit option you choose right there in the same place you're opening the account. Instant, and less time wasted interacting with a human who might give wrong info.

Above the 3 categories, you can see 4 icons: inbox/messages, promotions, notifications/alerts, rate an employee, and settings.

NBK

NBK service menu

NBK service menu - continued

Most of the menu is wasted on NBK's promotional stuff, brochures and campaigns. Everything is lumped into one long menu. There are no quick-access icons to specific functions.

You can open an account with NBK from the app, but it is limited to either a Current Account or a foreign currency account. There are no fixed deposit options. A term deposit calculator is provided under a different menu, NBK Tools, but there is no option to open a deposit account.

Score

BB: 7
NBK: 0

Name of account manager and contact, proper use of screen space, categorization of functions, account opening options, quick access icons, recurring transaction option, and messaging within the app.

Card Management

Managing your existing debit and credit cards.

BB

BB card management

You can request a new card, renew an expiring one, block and replace a card, and change the PIN code of a current debit or credit card. The PIN code change is instant.

When issuing a new card, you can receive/print the card instantly from any Boubyan Direct ATM. These machines are accessible 24/7 (when inside the bank's building).

When I opened my account, I received my debit card on the spot, and my credit card was also issued on the spot; the account manager then called me the same day, once he got the approval, to activate it. This means you get the card first and deal with approvals afterwards, so you don't have to go to the branch twice.

NBK

NBK card management

You can only restrict a card and report it as either lost or stolen.

Score

BB: 4
NBK: 1

Issue card, renew, block and replace, and change PIN code.

Life-Style Integration

See how the bank understands its audience and stays up to date with new tech and gadgets.

BB

BB enable UTap and Android watch integration

BB Msa3ed - 1

BB Msa3ed - 2

BB Msa3ed - 3

First, UTap. New cards have wireless/NFC support, so you can tap the card on a Point of Sale (PoS) machine rather than insert it. That convenience also adds risk, as someone could scan your card while it's in your wallet. The UTap feature lets you use your Android phone, which supports NFC, to tap on a PoS as if it were a card you've previously chosen in the app.

This is also useful in case you forgot your wallet, or prefer not to hand your card to a waiter who's going to wander off with it and could take a picture of it to scam you later. Obviously, this only works when the PoS supports NFC/cardless/wireless cards as well.

Second, Android Wear, which basically means support for payment by tapping/scanning smart watches. This is similar to Apple Pay with the Apple Watch, but since that requires the company to pay Apple a foot and a kidney, choosing Android is the free option. Who knows, maybe they'll add Apple support if there's sufficient demand to subsidize the fees.

Last but not least is Msa3ed, the chat bot. You type what you want and it executes commands for you, as seen above where I list my credit card history. If you can't be bothered to remember where a function is located, you can simply type it and the bot will show/execute what you need. It can save time, and it can waste it, depending on your usage, I guess.

NBK

Apart from providing discounts at more shops, there's nothing in the "banking experience" to show for it.

Score

BB: 3
NBK: 0

Use phone for payment, use watch for payment, and chat bot.

Summary

Boubyan Bank's consumer services team understands what the people want and delivers on that. Cardless withdrawals, pin code change, issuing cards on the spot, ease of adding beneficiaries, ease of transfers, and many other functions.

The team behind deciding the user interface elements and usage is also worthy of praise, as they know how to make use of a phone's limited space in a very practical and effective way.

NBK on the other hand is unfortunately still dealing with banking and services' consumers as it was in 1995. I've been with NBK for 23 years and have used their "online" services when they first launched it by dialing in via modems in the late '90s. I have seen their web portals, and believe me, the improvement is minuscule, especially for a bank the size of NBK (one of the largest in the Middle East).

Also, from observing the multiple portals and services that NBK has delivered over the years, it seems that management is completely disconnected from its consumers. Whatever banking services are delivered, they are delivered out of necessity only. I presume this happens because management doesn't use the application (or the portal) itself, and instead relies on personal account managers to do everything for them.

As for the team(s) behind the application, it feels as if a bunch of engineers and coders were forced to deliver a feature, but no User Experience (UX) or User Interface (UI) person was involved to properly do a layout design to make things accessible and easy to use.

NBK needs to shift its mindset to treat banking as an instant service, rather than a service that revolves around a branch (a building), tellers and account managers. Consumers don't care about these things; they simply want the fastest way to consume a service, and the fastest way to reach answers, should they have any questions.

I know this post seems harsh towards NBK, but I wanted to highlight the feature differences, hoping NBK would finally put enough effort into catching up to and exceeding its clients' expectations, assuming it cares about clients such as myself and my friends, the so-called millennials, rather than focusing on private banking and multi-million KWD clients *only*.

Score

BB total score: 37
NBK total score: 8

What does this score mean? It means Boubyan Bank has 37 advantages over NBK, and NBK has only 8 advantages against Boubyan.