Share This

Showing posts with label online banking. Show all posts
Showing posts with label online banking. Show all posts

Wednesday 5 October 2022

THE FIGHT AGAINST CYBERCRIME IN FINANCIAL SERVICES

CLICK TO ENLARGECLICK TO ENLARGE


As losses to scammers mount, users and service providers such as banks need to drastically raise security levels.  

There is a need for heightened awareness and education about scams among the public

ONLINE banking fraud is a hot topic of the day. Not only are the case numbers rising, the amount of money being scammed is reaching eye popping levels.

Many Malaysians with online banking facilities are increasingly worried about cybercrime.

In the first seven months of 2022, Malaysians have lost about Rm415mil to scammers. 

The problem had become so bad that Bank Negara stepped in this week to issue a strict directive to all Malaysian banks to migrate away from the use of Sms-based authentication in online banking services.

The police are getting more vocal about the problem, providing updates on arrests being made and constantly dishing out advice to the public on ways to avoid getting scammed.

The banks, in the past few days, have also issued statements, talking about how they are raising their defences against cybercrime.

But, what went wrong in the first place for the situation to reach this level?

And, will the new steps that banks are taking help stem the problem?

Datuk Khairussaleh Ramli, the group president and chief executive officer of Malaysia’s biggest bank, Malayan Banking Bhd (Maybank) tells Starbizweek this: “With the rise in ecommerce activity spurred by the Covid-19 pandemic, and as more consumers prefer to transact online, fraudsters are taking the opportunity to find new ways to scam unsuspecting users.

“The increasing risk of cyber attacks and the potential impact on banks and their customers is a top concern. This has been elevated with the rise in more sophisticated scams such as ‘smishing’ (phishing via SMS) and malicious software (malware) scams impersonating banks recently.”

Ho Siew Kei, cyber risk leader of Deloitte Malaysia, reckons that 70% of commercial crime cases now can be categorised as cybercrime cases.

It appears that the problem lies with the usage of SMS in online banking transactions.

Many Malaysian banks have been using SMS one-time passwords or dubbed OTPS for online financial services.

Users need to key-in authentication OTP codes, obtained through SMS, to a browser or a mobile application to carry out their online banking transactions.

However, fraudsters have been able to get control of these codes from the devices of some customers.

It all starts when a user unknowingly downloads malicious applications or clicks on links that eventually leads to the installation of malware.

Such users are enticed to follow such links sometimes due to a promise of receiving a reward or other benefits.

Fraudsters, through the malware, will then be able to intercept sensitive information, including banking credentials and credit card numbers.

It also allows fraudsters to intercept messages being sent to the device such as the OTPS received for online transactions.

Upon obtaining the OTPS, fraudsters may also delete the SMS from the device, which often leaves victims believing they did not receive any SMS.

With this method, fraudsters are able to get control over users’ bank accounts. This can lead to financial scams that often occur without the knowledge of the victims

Sea: The better technology is widely available ranging from the use of QR codes to the use of external dongles

According to Sea Chong Seak, chief technology officer of cyber security firm Securemetric Bhd, the problem seems to lie not so much with attacks against banks’ systems or networks but rather due to the weaknesses that exist in the security of end users’ devices.

Users that download suspicious apps or go into questionable links through their mobile devices create an entry point for the fraudsters, owing to the low security control, he says.

“This is why banks need to move away from the usage of SMS OTPS in the authentication processes. The better technology is widely available ranging from the use of QR codes to the use of external dongles,” says Sea.

Sea cites the case of Citibank Malaysia that uses QR codes and biometrics in it authentication processes as an example.

Meanwhile, Maybank points out that it has introduced the usage of Secure2u since April 2017 for an alternative secure authentication method.

“It is a safer and more convenient way for Maybank customers to authorise transactions relating to account opening, fund transfers and payments on its online banking services mobile applications, using onetap approval and a six-digit transaction authorisation code (TAC) number generated on its applications,” says Khairussaleh.

For better protection against cybercrimes, Khairussaleh says: “Currently, we only allow one Secure2u device per account holder to prevent fraudsters completing financial transactions without authorisation from the registered device.”

However, it should be noted that while more secure authentication technologies have been available to banks, the usage of SMS OTP has been largely used because of the ease of use for customers. This also helped banks migrate its customers into online banking. The usage of dongles or other technologies would have also meant higher costs to the banks.

Ho Siew Kei, cyber risk leader at Deloitte Malaysia, says that while Bank Negara’s decision to nudge financial institutions towards more sophisticated authentication methods is a step in the right direction, there will be challenges due to the widespread use of more traditional devices at this point in time.

“However, as older devices are replaced by devices that are affordable yet are more advanced and able to support the latest technology, we should see adoption of the advanced security features become commonplace,” he says.

In replies to questions from Starbizweek with regard to the usage of SMS OTP in online financial transactions, Mohd Rashid Mohamad, group managing director and CEO of RHB Bank Bhd, says: “It takes into account the needs of various segments of customer demographics, including those who do not own smartphones or do not have access to data and Internet connections.”

Rashid says RHB Bank views fraudulent activities and financial scams very seriously, and is consistently enhancing its security measures.

However, he believes there is a need for heightened awareness and education about scams and frauds among customers.

“It is equally important that customers are kept informed on the latest scam and fraud trends so that they are aware of potential threats and therefore able to avoid becoming victims,” he says.

RHB Bank uses Secure Plus for its customers’ transaction authorisation process, which uses QR codes and biometrics for authentication.

Rashid notes that RHB Bank plans to fully migrate all transactions into Secure Plus by next year.

Technology firm Marco Kiosk Bhd, which provides Sms-based OTP services to banks, shares a different view. CEO Datuk Kenny Goh, says: “Cyber criminals target individual consumers or financial institutions irrespective of the authentication method or the underlying technology deployed.”

Despite welcoming the central bank’s decision to get financial institutions to move out of the SMS OTPS, Goh says: “There is nothing insecure about using SMS OTPS as experience has shown that often the gaps were in either compromised devices, scammers tricking consumers to download apps or getting unsuspecting users to forward SMS OTPS.”

Goh says that knowledge on scam prevention for the public is more crucial.

“Educating and instilling knowledge of how to prevent cyber-based scams is key rather than discarding a long-standing tool that has been proven effective,” he says.

Goh adds that Bank Negara’s decision to nudge banks to migrate away from SMS OTPS will not have any significant impact on Macro Kiosk’s earnings because of its wide product base and the fact that Sms-based services are only a small portion of its earnings.

Notably, Bank Negara has also directed financial institutions to implement other measures.

These include further strengthening of fraud detection rules and triggers for blocking suspected scam transactions and a cooling-off period to be observed for the first-time enrollment of online banking services or secure devices.

Additionally, the central bank said customers should be restricted to one mobile device or secure device for the authentication of online banking transactions and banks will be required to set up dedicated scam hotlines.

Meanwhile, Securemetric’s Sea refers to Fast Identity Online (FIDO) Authentication, which is a security standard that is increasingly recognised internationally for its capability to replace password-only logins with a more secure and fast login, owing to its multi-factor authentication.

According to Sea, FIDO Authentication is simpler for consumers to use, easier for service providers to deploy and is more secure than passwords and SMS OTPS.

Its multi-factor authentication includes the use of biometrics, QR codes as well as unique PINS.

FIDO Authentication is not new in Malaysia, as the National Cyber Coordination and Command Centre (NC4) was the first to adopt it, Sea points out.

Clarence Chan, partner, digital trust and cybersecurity at PWC Malaysia, adds that FIDO’S passwordless authentication stemmed from the goal of minimising phishing attacks, as passwords are the root cause of most data breaches based on various studies.

Ubaid Mustafa Qadiri, head of technology risk and cyber security for KPMG in Malaysia, says: “FIDO is a more secure approach compared to Sms-based OTPS.”

“With FIDO, customers can be restricted to using only one registered device for authentication and online transactions and as a result, will help in reducing financial frauds and scams while performing online transactions,” he adds.

Deloitte’s Chan adds that FIDO standards are seeing greater adoption in recent years, including Malaysia.

Nevertheless, even something like FIDO will not be able to totally eradicate cybercrime.

“Overall security for online transactions is still heavily dependent on the security of the user’s device. So, no authentication method can guarantee 100% safety,” Chan adds.

Meanwhile, Malaysia’s InspectorGeneral of Police Tan Sri Acryl Sani Abdullah Sani has been providing constant updates of the online fraud situation.

He said this week that the Rm415mil losses from January to July this year is the result of 12,092 online fraud cases.

For the whole of last year, losses accumulated to about Rm560.8mil coming from 20,701 cybercrime cases.

For 2019 and 2020, there were a total of 13,703 and 17,227 cybercrime cases with losses of Rm539mil and Rm511.2mil respectively, according to the IGP.

“From 2019 to July 2022, a total of 33,147 suspects in cyber fraud cases were arrested, with 22,196 cases charged in court,” he said.

It should be noted that online banking fraud is not limited to Malaysia.

Globally, cybercrime is the common type of fraud in most industries, based on a survey by PWC titled “Global Economic Crime and Fraud Survey 2022”. (see table)

PWC also notes that cybercrime poses the biggest threats across organisations of all sizes, followed by customer fraud and asset misappropriation.

Additionally, a recent report by S&P Global, titled “Asia-pacific Banks’ Digital Opening Raises Cyber Risks”, notes that threats of cyberattacks are soaring in the Asia-pacific region and globally too.

The report says that for banks, data breaches not only create a direct monetary loss but also damages the reputation of a bank and can hit a bank’s credit profile.

“To prevent attacks, Asia-pacific regulators will need a dogged determination to understand and manage risks. This points to the need for collaboration, and cross-border information sharing to build cyber resilience across entities to prevent systemic risk,” the report notes.

In a separate report, the global rating agency says data breach appears to be the biggest cyber risk for banks, with association to high losses, for both emerging and developed markets. (see table).

Hence, in all likelihood, cybercrime is likely to remain part of the risks that will always exist, more so as online transactions keep growing.

KPMG’S Ubaid points out that the increasing audacity of cybercriminals will keep this threat on an upward trend.

It is left to be seen if the rising tide of cybercrime in the Malaysian financial landscape will reduce following the wide publicity it is getting and the actions being taken by all concerned. 

-  StarBiz Stories by kirennesh Nai

 

Cybersecurity experts share their views

 

THE rise in cybercrime especially in financial services is a huge talking point today.

But is it something that was predicted to happen considering the rise of online banking services?

And is Malaysia being particularly hit hard?

Does the problem lie with the usage of less secure authentication methods such as Sms-based onetime passwords (OTPS) and what can banks do to fix the problem?

Some consultants share their views on these issues.

On the rise of online banking fraud. Ubaid Mustafa Qadiri, head of technology risk and cyber security for KPMG in Malaysia:

Cybercrime in banking or any other sectors will only continue to grow due to technological changes (including digitalisation) and organisational advancements with the introduction of new technology to improve process efficiencies.

Further, the increasing audacity of cybercriminals will also keep this threat on an upward trend.

With the accelerated rate of digitisation as a result of the pandemic, cybercrime has grown more rapidly than it would have, and criminals have evolved their techniques to target more enterprises and individuals to the point that banks have to implement more effective controls.

  Ho Siew Kei, cyber risk leader of Deloitte Malaysia:

 

This is an expected result, not only because of financial institutions’ rapid shift to online banking but a general trend as organisations continue to move towards digital transformation.

It is estimated that 70% of commercial crime cases now can be categorised as cybercrime cases.

Clarence Chan, partner, digital trust and cybersecurity at PWC Malaysia:

 

There is a difference between cybercrime originating from a successful customer scam, and a cybercrime due to lapses in banking IT infrastructure.

Generally, most of the cybercrimes reported lately are due to the former, rather than the latter.

Most of these crimes, if not all, were only successful because the customers gave away their OTP or credentials via the scammer’s phishing attempt.

However, it is fair to assume that local banking customers may eventually be targeted after a similar modus operandi was used against a leading bank in Singapore, which amounted to more than S$13mil (Rm42.07mil) in losses.

Is Malaysia being particularly hit hard?

Ubaid: Online banking fraud is happening everywhere in the world, and it is expected to grow as criminals keep evolving new techniques.

According to the latest statistics, online fraud accounts for 68% of commercial crime in Malaysia. As the use of financial technology (fintech) and e-wallets have rapidly increased over the last four years, online fraud cases have also risen as the rate of adoption increased.

Ho: As a whole, banking fraud is definitely a global phenomenon – various countries have reported a general upward trend in banking fraud over the recent years, and this would apply to Malaysia as well, as Malaysian banks continue down the path of digitisation.

Chan: Online banking fraud is prevalent throughout the banking industry globally where industry players are constantly faced with the challenge of combating constantly evolving fraud techniques.

Looking closer to home, Singapore faces similar challenges as the scamming scene is largely similar. Anti-scamming divisions within the Malaysia and Singapore police force have been actively collaborating in tackling transnational scamming syndicates, participating in Project Icons (International Cooperation On Negating Scams).

In 2019, Bank Negara also introduced the Risk Management in Technology (RMIT) Guidelines, one of the most comprehensive technology and cyber risk management guidelines in this region, with the aim of elevating the banking industry’s security measures and standards, to ensure that online banking services are kept safe and secure for customers.

Since then, plenty of efforts have been made by banking institutions to improve their cyber resilience.

Does the problem lie with the usage of less secure authentication methods such as Sms-based OTPS and what can banks do to fix the problem?

Ubaid: Yes, but it also depends on the central bank’s guidance and the banks’ capability to develop secure mobile banking applications (which requires investment to produce) that would be able to authenticate and authorise transactions more securely.

Recently, the central bank of Malaysia announced that financial institutions should take additional measures to block suspicious transactions, and customers to be asked to confirm if the transactions are genuine before they are unblocked.

Some of the advanced features include:

> Secure TAC

> QR code scan

> Mobile app authentication/ approvals for transactions

> Facial recognition/biometric authentication through banking application

> Device fingerprinting

Ho: OTP and Sms-type authentication is widely supported by most devices, especially older devices. Banks tend to focus on a wider userbase, and rightly so, so as to not cut out different market segments, notably those without access to more modern devices.

Bank Negara’s recent push for financial Institutions to migrate away from SMS OTP toward more sophisticated authentication methods is a step in the right direction. However, there will still be challenges for certain market segments who use the more traditional device at this point in time.

However, as older devices are replaced by devices that are affordable yet are more advanced and able to support the latest technology, we should see adoption of the advanced security features become commonplace.

We are seeing a shift towards soft tokens on mobile devices, where transaction authorisations are sent through push notifications. This means that transactions can only be authorised from a customer’s registered device, and only after the customer has authenticated, typically with their biometrics.

These methods will also see certain restrictions such as customers authentication being bound to a specific registered device.

Chan: In general, there is a visible trend in financial institutions adopting multi-factor authentication technologies which are no longer reliant on SMS OTP.

This includes in-app, certificate-based or biometric authentication, which provides a more secure authentication mechanism and prevents potential OTP hijacking or other phishing and scamming attempts.

With Bank Negara’s directive of moving away from SMS OTPS by 30 June 2023, we can only expect the adoption of these measures to be accelerated.

Is cost holding back Malaysian banks from enhancing their level of security?

Ubaid: Any upgrades, enhancements or technology integration, be it security or others, will always have a cost component as well as skills requirements attached to it.

Typically, each organisation has its technology plans and budgets based on its business strategy, and banks will follow their approved business plans along with budgets in accordance with the guideline from the central bank.

Ho: There is certainly a cost element to enhancing security. However it should be noted that cyber risk and customer fraud have in recent years become a top risk for banks and doing well to combat these risks can also be seen as a competitive differentiator.

While cost is a consideration, I would think that this is an area that banks are fully prepared to spend on given the focus around regulatory expectations, consumer protection and preventing cybercrime.

Chan: We don’t believe that cost is a particular factor holding Malaysian banks back from enhancing their level of security.

If we consider the results of Pwc’s 2023 Global Digital Trust Insights survey, in which banking and capital markets make up the second highest proportion of Malaysian C-suite respondents, 19% of respondents say that their organisation’s cyber budget is increasing by 6% to 10% in 2023.

Also worth noting, 49% of Malaysian respondents agree to a great extent that their cybersecurity budget is allocated well against the risks they face in the next 12 months.

However, banks can continuously explore and enhance their security posture to aid in curbing scams, focusing on educating customers to combat online banking fraud.

To build customer trust, banks should invest in continuous awareness efforts to ensure that their customers remain informed and updated on the latest scam tactics, and modus operandi observed in the industry. - StarBiz 

 

Related posts:

 

Cybercriminals beware: public must be aware of how scams work, Putting the brakes on cybercrime

Friday 30 September 2022

Cybercriminals beware: public must be aware of how scams work, Putting the brakes on cybercrime

 A day after The Star’s page one story on the increasing number of online financial crimes, Bank Negara announces it is joining forces with the police to stem the rising tide. The central bank is instituting tighter security controls while the cops are intensifying efforts to make the public more aware of cybercrimes. 

https://www.thestar.com.my/news/nation/2022/09/27/putting-the-brakes-on-cybercrime?dmplayersource=share-link

  Public must be more aware of how scams work

KUALA LUMPUR: Cybercriminals are very good at quickly adopting and exploiting new technological changes to stay ahead of law enforcement while they scam millions from the public.

This is why the number of online financial crimes is rising around the world and in Malaysia, according to Inspector-general of Police Tan Sri Acryl Sani Abdullah Sani.

Such crimes can have terrible consequences, he pointed out in his speech before he and Bank Negara governor Tan Sri Nor Shamsiah Mohd Yunus launched a virtual Financial Crime exhibition yesterday.

“Financial crimes can devastate the victim and lead to more mule accounts being created for the purpose of scams. It can also have a negative impact on the nation’s economy in the long term,” said Acryl Sani.

Loan scammers and Ah Long (loan sharks) use social media sites and chat applications to advertise their loan offers with fast approvals.

“The syndicates will deal with the victims online and demand various documents and fees before duping them,” he explained.

Bukit Aman expects the syndicates will still employ similar tactics, but they will focus on a younger victim pool – students and youths – to pull off illegal money lending and mule account scams now.

“We are cooperating with banking institutions to ensure investigations, especially those involving mule accounts, can be completed faster,” Acryl Sani said.

Fraud in online purchases, loan and investment scams, the Macau and African scam

In 2019, there were 13,703 cases recorded with Rm539mil in losses; followed by 17,227 cases in 2020 and Rm511.2mil in losses; and 20,701 cases last year with Rm560.8mil lost. As at July this year, 12,092 cases had been recorded, resulting in Rm414.8mil in losses, he said.

Bukit Aman has rounded up 33,147 suspects between 2019 and July this year, while 22,196 cases have been prosecuted.

While there is some awareness among members of the public of such crimes nowadays, it is still not strong enough to prevent increasing numbers.

The Royal Malaysia Police has various programmes and campaigns to raise awareness about cybercrimes among the public, such as the “Let’s Fight Scammers Together” campaign.

“We will step up such activities this year,” Acryl Sani added.

The IGP advised the public to safeguard their personal information and avoid downloading files or applications from unverified sources onto mobile devices.

Account holders who encounter suspicious transactions involving their bank accounts should immediately notify their banks, contact the CCID infoline via Whatsapp at 013211 1222, or the CCID Scam Response Centre at 03-2610 1559/1599 or BNMTELELINK at 1-300-88-5465.

“They should also lodge a police report to facilitate the investigation,” said Acryl Sani.

The virtual Financial Crime exhibition by Bank Negara Malaysia Museum and Art Gallery, which can be accessed at bit.ly/bnm_ crime, lays out various types of financial crimes and how they have evolved over time.

It features interactive exhibits that allow the public to simulate financial scam scenarios. Through the various exhibits, the public will be able to learn strategies – such as Spot, Stop and Share, aka 3S – to protect themselves and others from becoming victims. 

 

Putting the brakes on cybercrime

 Banks to further tighten security control to stay one step ahead of scammers

KUALA LUMPUR: If you notice your online banking transactions taking a little longer in the future, don’t complain. It’s a sign that your bank is trying to protect you from cybercriminals.

Concerned by the rising number of scams and online financial crimes globally and in Malaysia, Bank Negara is directing the banking industry to undertake tighter security controls, its governor Tan Sri Nor Shamsiah Mohd Yunus said.

ALSO READ:  Public must be more aware of how scams work

The level of concern is great enough to bring about a rare high-level meeting between Nor Shamsiah and Inspector-General of Police Tan Sri Acryl Sani Abdullah Sani yesterday, when they also launched a virtual Financial Crime Exhibition.

“Bank Negara requires banks in Malaysia to adopt high standards of security, especially for Internet and mobile banking services,” Nor Shamsiah said in her speech at the event.

ALSO READ:Watch out! There are many ways in which we get duped

This will include measures such as migration of SMS one-time-passwords (OTPs) to a more secure form of authentication; further tightening of detection rules and triggers for blocking scam-related transactions; and subjecting first-time enrolment of online banking services and secure devices to a cooling-off period.

Customers will also be restricted to one mobile device or secure device for authenticating online banking transactions, and banks will also be required to set up dedicated scam hotlines.

ALSO READ: Consumers must become more aware of scams

While the control measures may entail some inconvenience, they are important to protect customers.

“These controls may lead to some friction or inconvenience in the online banking experience of customers.

“For example, online banking transactions might take a little longer to process. Financial institutions will also conduct more checks when customers request to change or register a new phone number,” Nor Shamsiah said.

Fighting crime: Bank Negara Governor Tan Sri Nor Shamsiah Mohd Yunus and Inspector General of Police Tan Sri Acryl Sani Abdullah Sani at the virtual launch of Bank Negara Malaysia Museum and Art Gallery’s ‘Financial Crime: Scan Before You’re Scammed’. — Bank Negara

Fighting crime: Bank Negara Governor Tan Sri Nor Shamsiah Mohd Yunus and Inspector General of Police Tan Sri Acryl Sani Abdullah Sani at the virtual launch of Bank Negara Malaysia Museum and Art Gallery’s ‘Financial Crime: Scan Before You’re Scammed’. — Bank Negara

However, she said, when implementing these measures, Bank Negara and the financial industry will continue to carefully balance between security considerations and customer convenience.

She also said that financial institutions have been directed to be more responsive to scam reports lodged by customers and to facilitate efforts to recover and protect stolen funds, including working with relevant agencies to prevent further losses.

CLICK TO ENLARGE

“Bank Negara will also continue to monitor and take appropriate action with financial institutions to ensure that the highest levels of controls and security standards are observed.

CLICK TO ENLARGECLICK TO ENLARGE 

 https://cdn.thestar.com.my/Content/Images/cybercrime.jpg

“We will also continue to take effective preventive measures against ever-evolving financial scams.”

Together with the financial industry, Bank Negara will continue to ensure that banking and payment channels remain secure and equipped with the latest security controls, she said.

Acknowledging that criminal tactics change all the time, she said that Bank Negara continuously intensifies deterrent efforts and introduces additional controls as well as safeguards and collaborates with other stakeholders to keep ahead of scammers.

These include rolling out preventive measures, pursuing more effective and coordinated enforcement actions, and raising public awareness.

“The effort to eradicate financial scams requires cooperation and concerted action from all parties – not just from Bank Negara and the financial industry, but also from law enforcement agencies and relevant ministries and agencies, as well as the public,” she added.

Bank Negara, together with the police, Malaysian Communications and Multimedia Commission and National Anti-Financial Crime Centre, will work together to further elevate the Commercial Crime Investigation Department’s Scam Response Centre into a more systematic information-sharing platform that will enable quicker action to prevent further losses.

Nor Shamsiah said the cooperation of law enforcement agencies is key, especially in sharing information and intelligence.

The public also has a role to play in protecting themselves by making sure to be aware of scams.

“An important aspect of dealing with financial scams is raising public awareness about tactics used by criminals and the steps that the public can take to avoid becoming victims.

“In this regard, Bank Negara, the financial industry and law enforcement agencies will continue efforts to enhance the effectiveness of awareness programmes and improve on the dissemination of information to the public,” she said.

The virtual Financial Crime Exhibition launched yesterday is an example of such efforts as it seeks to educate the public about financial scams. It can be viewed at bit.ly/bnm_crime. 

By FARIK ZOLKEPLIRAGANANTHINI VETHASALAM    

Source link

PUTTING THE BRAKES ON CYBERCRIME - PDRM

United States: Putting Brakes On Cybersecurity Threats

Related stories:

Public must be more aware of how scams work

Watch out! There are many ways in which we get duped

Consumers must become more aware of scams

 

Related posts:

 

ONGOING CYBER THREATS

 

Hackers in your heads, Cybercriminals preying on gullible

 

Sunday 19 May 2013

Online banking Trojans going after your money!


Online banking users in Malaysia need to be wary of sophisticated Trojans. 

IMAGINE a burglar hiding in your house and slowly cleaning out your valuables, bit by bit, without you even realising it.

According to security firm Symantec, that is the common modus operandi of banking Trojans today, which have grown so sophisticated that they are almost impossible to detect and very difficult to get rid of.

As its latest white paper the World of Financial Trojans reveals recently, malware (short for malicious software) attacked over 600 financial institutions worldwide last year.

With this growth, bank hold-ups or ATM robberies, the bank heist of choice in Malaysia these days will soon be a thing of the past.

The phenomenon is no doubt partly due to the growing trend of online banking. As banks move online to make their transactions fast, easy and convenient for customers, cyber criminals are also finding the digital route the faster, easier and more convenient mode for looting.

A big threat, the report highlights, is the rate at which banking Trojans are now developed: with state-of-the-art mechanisms to circumvent the more complex security systems and exploit their weaknesses.

“Trojans have indeed evolved and the attackers have become more specialised and sophisticated,” Symantec Corporation (Malaysia) Sdn Bhd director (systems engineering) Nigel Tan concurs.

Most worrying, is that while the United States and Japan remain top of their target list, the banking Trojans are increasingly targeting emerging economies with high Gross Domestic Products (GDP) in Asia and the Middle East like Malaysia.

Tan notes, “Malaysia is on the radar of these cyber criminals and our financial institutions experienced attacks out of the 600 reported globally last year. We are not in the top 10 of countries attacked but the threat for Malaysia is no less dangerous.”

Internet banking has grown steadily in Malaysia since it was first launched in June 2000, and is now offered by 29 banks in Malaysia. As of September last year, there were 12.8 million registered users, rising from 3.2 million in 2006 and eight million in 2009.

Predictably, cyber crimes in Malaysia have also increased, with some RM2.75bil losses recorded over five years, from 2005 to 2010, especially in the financial sector.

The fact that cyber criminals are starting to eye Malaysian banks means we need to be more vigilant and tighten up our cyber security, says Tan.

End-users need to keep abreast with what security measures there are. - Nigel Tan End-users need to keep abreast with what security measures there are. - Nigel Tan
“They need to look at the malware threats they are risked to and look for measures to mitigate them because any organisation will face these threats.”

However, one problem is that many of these institutions cannot keep up with the constantly evolving sophisticated attacks. Another is the gap in the ability of certain organisations to detect threats on customers systems, according to the report.

Tan concedes that the security of our financial institutions can be improved.

Another challenge is that the Trojans are beginning to work out which banks have less security, and going after them, he warns.

“There is a difference in quality between the different banks in terms of how much of the protection and fraud detection methods they put in place.

“And if you are a robber trying to decide between two houses one big house with full security or one smaller house with minimal security; it is secured with only a padlock and chain which one will you target?” Tan quizzes.

As the report sums it, banking Trojans now “enter through the backdoor, strike with clinical precision, and have evolved to a degree of sophistication that allows attackers to conduct high-value transactions while evading traditional fraud-detection measures.”

It is not that banks have been unaware of this growing threat. Since online banking was first introduced in 1994, cyber criminals have looked for various ways to attack them. By 2003, around 20 distinct banking Trojans have existed including simple keylogging Trojans and phishing, said the report.

In response, the banks bolstered their security and fraud detection capabilities.

The problem is, the cyber criminals started adapting, until most security systems and measures were neutralised.

Tan calls these cyber criminals a specialised hacking community that is no longer searching for notoriety and fame, but is in it for the money.

“Hackers now are less noisy than five years ago, but just because there is less noise right now, it does not mean that they are not there. Trojans now stay in your computer as quiet and as long as possible to steal as much money as possible,” Tan cautions.

As mentioned, an attack technique increasingly used is called “man-in-the-browser” which basically involves an application hooking into the browser and manipulating data before it is displayed.

Sophisticated thievery

The report explains, the users will not be able to detect any malicious activity but the Trojan will intercept their transactions and inject a form in the browser requesting sensitive information. Once the user submits the requested personal information, it steals the data for future thievery.

The more sophisticated Trojans can automatically execute transactions in the background, the report highlighted.

What makes it difficult to notice with the naked eye, says Tan, is that “the domain is legitimate and the security page is accurate. It is your computer that is affected, so it can steal your personal data or attack your bank.”

One thing that makes it difficult to clamp down on the attackers behind these Trojans is that it is not easy to pin the crime on them.

“Just writing malware is not an offence. It is hard to pin it as a crime, as long as the writer does not go out and sell it,” Tan points out.


It also does not help that they are reportedly organised underground groups who are not only experts at scripting and automating attacks, but are also knowledgeable about the sophisticated global financial industry and supported by a service industry of widely available malware.

It is akin to organised crime, he opines.

As the report puts it, “The financial fraud marketplace is also increasingly organised. It is a service industry where a wide variety of financial Trojans, webinjects, and distribution channels are bought and sold. Services being offered are dedicated to each aspect of a financial fraud campaign. These offerings will improve effectiveness of established techniques.”

The Top Three of the “Most Wanted” malware list in 2012 were the Zeus Trojan, also known as Zbot (+ Gameover), having compromised more than 400,000 computers worldwide; followed by Cridex at more than 250,000 computers compromised and Spyeye at more than 50,000.

Symantec also points to third-party remote webinjects which can circumvent security countermeasures, targeting a large number of financial companies “concurrently and intelligently” as posing a threat to financial companies.

According to the report, it is not only the main financial organisations like commercial banks that are high on the list of targets, but also organisations that perform online financial transactions such as automated clearing house payments systems and payroll systems.

It is thus crucial for the “good guys” to be alert all the time. They can't slip up and must put in place adequate security mechanisms and take strong measures to deter attackers from targeting these institutions, Tan urges.

Ultimately, users cannot leave the responsibility for security solely to the institutions, he warns.

“End-users need to raise their awareness of the threats out there as at the end of the day, the criminal will go through the end-user to attack the financial institutions.”

The best measure, he stresses, is not to get infected in the first place, so installing a good anti-malware programme on your personal devices is crucial.

As he puts it, anti-malware solutions can stop the malware, even if you were already infected, shares Tan.

“The scanning will pick it up and delete it off your system.”

Tan also emphasises ongoing education in security, as the threats are constantly evolving.

“There will not be a point where you can say this is it. This is what everyone should do. End-users need to keep abreast with what security measures there are.”

Good practice needs to be adopted such as reading the message box or running an anti-virus before downloading anything from a website.

“Most of the time when people get a pop-up to say that you have a malware, they just cancel it or click it close, or when it says your computer is infected, they just ignore it.”

Significantly, Tan says this is not a call to say that Internet banking is bad.

“Quite the contrary. Internet banking has a lot of benefits.

“But as we embrace any new technology or media, we just have to be aware of what the threats are on the Internet. As long as we take adequate protection, we will be safe.”

By HARIATI AZIZAN sunday@thestar.com.my

Rightways