CLICK TO ENLARGE
As losses to scammers mount, users and service providers such as banks need to drastically raise security levels.
There is a need for heightened awareness and education about scams among the public
ONLINE banking fraud is a hot topic of the day. Not only are the case numbers rising, the amount of money being scammed is reaching eye popping levels.
Many Malaysians with online banking facilities are increasingly worried about cybercrime.
In the first seven months of 2022, Malaysians have lost about Rm415mil to scammers.
The problem had become so bad that Bank Negara stepped in this week to issue a strict directive to all Malaysian banks to migrate away from the use of Sms-based authentication in online banking services.
The police are getting more vocal about the problem, providing updates on arrests being made and constantly dishing out advice to the
public on ways to avoid getting scammed.
The banks, in the past few days, have also issued statements, talking about how they are raising their defences against cybercrime.
But, what went wrong in the first place for the situation to reach this level?
And, will the new steps that banks are taking help stem the problem?
Datuk Khairussaleh Ramli, the group president and chief executive officer of Malaysia’s biggest bank, Malayan Banking Bhd (Maybank) tells Starbizweek this: “With the rise in ecommerce activity spurred by the Covid-19 pandemic, and as more consumers prefer to transact online, fraudsters are taking the opportunity to find new ways to scam unsuspecting users.
“The increasing risk of cyber attacks and the potential impact on banks and their customers is a top concern. This has been elevated with the rise in more sophisticated scams such as ‘smishing’ (phishing via SMS) and malicious software (malware) scams impersonating banks recently.”
Ho Siew Kei, cyber risk leader of Deloitte Malaysia, reckons that 70% of commercial crime cases now can be categorised as cybercrime cases.
It appears that the problem lies with the usage of SMS in online banking transactions.
Many Malaysian banks have been using SMS one-time passwords or dubbed OTPS for online financial services.
Users need to key-in authentication OTP codes, obtained through SMS, to a browser or a mobile application to carry out their online banking transactions.
However, fraudsters have been able to get control of these codes from the devices of some customers.
It all starts when a user unknowingly downloads malicious applications or clicks on links that eventually leads to the installation of malware.
Such users are enticed to follow such links sometimes due to a promise of receiving a reward or other benefits.
Fraudsters, through the malware, will then be able to intercept sensitive information, including banking credentials and credit card numbers.
It also allows fraudsters to intercept messages being sent to the device such as the OTPS received for online transactions.
Upon obtaining the OTPS, fraudsters may also delete the SMS from the device, which often leaves victims believing they did not receive any SMS.
With this method, fraudsters are able to get control over users’ bank accounts. This can lead to financial scams that often occur without the knowledge of the victims.
Sea: The better technology is widely available ranging from the use of QR codes to the use of external dongles
According to Sea Chong Seak, chief technology officer of cyber security firm Securemetric Bhd, t
he problem seems to lie not so much with attacks against banks’ systems or networks but rather due to the weaknesses that exist in the security of end users’ devices.
Users that download suspicious apps or go into questionable links through their mobile devices create an entry point for the fraudsters, owing to the low security control, he says.
“This is why banks need to move away from the usage of SMS OTPS in the authentication processes. The better technology is widely available ranging from the use of QR codes to the use of external dongles,” says Sea.
Sea cites the case of Citibank Malaysia that uses QR codes and biometrics in it authentication processes as an example.
Meanwhile, Maybank points out that it has introduced the usage of Secure2u since April 2017 for an alternative secure authentication method.
“It is a safer and more convenient way for Maybank customers to authorise transactions relating to account opening, fund transfers and payments on its online banking services mobile applications, using onetap approval and a six-digit transaction authorisation code (TAC) number generated on its applications,” says Khairussaleh.
For better protection against cybercrimes, Khairussaleh says: “Currently, we only allow one Secure2u device per account holder to prevent fraudsters completing financial transactions without authorisation from the registered device.”
However, it should be noted that while more secure authentication technologies have been available to banks, the usage of SMS OTP has been largely used because of the ease of use for customers. This also helped banks migrate its customers into online banking. The usage of dongles or other technologies would have also meant higher costs to the banks.
Ho Siew Kei, cyber risk leader at Deloitte Malaysia, says that while Bank Negara’s decision to nudge financial institutions towards more sophisticated authentication methods is a step in the right direction, there will be challenges due to the widespread use of more traditional devices at this point in time.
“However, as older devices are replaced by devices that are affordable yet are more advanced and able to support the latest technology, we should see adoption of the advanced security features become commonplace,” he says.
In replies to questions from Starbizweek with regard to the usage of SMS OTP in online financial transactions, Mohd Rashid Mohamad, group managing director and CEO of RHB Bank Bhd, says: “It takes into account the needs of various segments of customer demographics, including those who do not own smartphones or do not have access to data and Internet connections.”
Rashid says RHB Bank views fraudulent activities and financial scams very seriously, and is consistently enhancing its security measures.
However, he believes there is a need for heightened awareness and education about scams and frauds among customers.
“It is equally important that customers are kept informed on the latest scam and fraud trends so that they are aware of potential threats and therefore able to avoid becoming victims,” he says.
RHB Bank uses Secure Plus for its customers’ transaction authorisation process, which uses QR codes and biometrics for authentication.
Rashid notes that RHB Bank plans to fully migrate all transactions into Secure Plus by next year.
Technology firm Marco Kiosk Bhd, which provides Sms-based OTP services to banks, shares a different view. CEO Datuk Kenny Goh, says: “Cyber criminals target individual consumers or financial institutions irrespective of the authentication method or the underlying technology deployed.”
Despite welcoming the central bank’s decision to get financial institutions to move out of the SMS OTPS, Goh says: “There is nothing insecure about using SMS OTPS as experience has shown that often the gaps were in either compromised devices, scammers tricking consumers to download apps or getting unsuspecting users to forward SMS OTPS.”
Goh says that knowledge on scam prevention for the public is more crucial.
“Educating and instilling knowledge of how to prevent cyber-based scams is key rather than discarding a long-standing tool that has been proven effective,” he says.
Goh adds that Bank Negara’s decision to nudge banks to migrate away from SMS OTPS will not have any significant impact on Macro Kiosk’s earnings because of its wide product base and the fact that Sms-based services are only a small portion of its earnings.
Notably, Bank Negara has also directed financial institutions to implement other measures.
These include further strengthening of fraud detection rules and triggers for blocking suspected scam transactions and a cooling-off period to be observed for the first-time enrollment of online banking services or secure devices.
Additionally, the central bank said customers should be restricted to one mobile device or secure device for the authentication of online banking transactions and banks will be required to set up dedicated scam hotlines.
Meanwhile, Securemetric’s Sea refers to Fast Identity Online (FIDO) Authentication, which is a security standard that is increasingly recognised internationally for its capability to replace password-only logins with a more secure and fast login, owing to its multi-factor authentication.
According to Sea, FIDO Authentication is simpler for consumers to use, easier for service providers to deploy and is more secure than passwords and SMS OTPS.
Its multi-factor authentication includes the use of biometrics, QR codes as well as unique PINS.
FIDO Authentication is not new in Malaysia, as the National Cyber Coordination and Command Centre (NC4) was the first to adopt it, Sea points out.
Clarence Chan, partner, digital trust and cybersecurity at PWC Malaysia, adds that FIDO’S passwordless authentication stemmed from the goal of minimising phishing attacks, as passwords are the root cause of most data breaches based on various studies.
Ubaid Mustafa Qadiri, head of technology risk and cyber security for KPMG in Malaysia, says: “FIDO is a more secure approach compared to Sms-based OTPS.”
“With FIDO, customers can be restricted to using only one registered device for authentication and online transactions and as a result, will help in reducing financial frauds and scams while performing online transactions,” he adds.
Deloitte’s Chan adds that FIDO standards are seeing greater adoption in recent years, including Malaysia.
Nevertheless, even something like FIDO will not be able to totally eradicate cybercrime.
“Overall security for online transactions is still heavily dependent on the security of the user’s device. So, no authentication method can guarantee 100% safety,” Chan adds.
Meanwhile, Malaysia’s InspectorGeneral of Police Tan Sri Acryl Sani Abdullah Sani has been providing constant updates of the online fraud situation.
He said this week that the Rm415mil losses from January to July this year is the result of 12,092 online fraud cases.
For the whole of last year, losses accumulated to about Rm560.8mil coming from 20,701 cybercrime cases.
For 2019 and 2020, there were a total of 13,703 and 17,227 cybercrime cases with losses of Rm539mil and Rm511.2mil respectively, according to the IGP.
“From 2019 to July 2022, a total of 33,147 suspects in cyber fraud cases were arrested, with 22,196 cases charged in court,” he said.
It should be noted that online banking fraud is not limited to Malaysia.
Globally, cybercrime is the common type of fraud in most industries, based on a survey by PWC titled “Global Economic Crime and Fraud Survey 2022”. (see table)
PWC also notes that cybercrime poses the biggest threats across organisations of all sizes, followed by customer fraud and asset misappropriation.
Additionally, a recent report by S&P Global, titled “Asia-pacific Banks’ Digital Opening Raises Cyber Risks”, notes that threats of cyberattacks are soaring in the Asia-pacific region and globally too.
The report says that for banks, data breaches not only create a direct monetary loss but also damages the reputation of a bank and can hit a bank’s credit profile.
“To prevent attacks, Asia-pacific regulators will need a dogged determination to understand and manage risks. This points to the need for collaboration, and cross-border information sharing to build cyber resilience across entities to prevent systemic risk,” the report notes.
In a separate report, the global rating agency says data breach appears to be the biggest cyber risk for banks, with association to high losses, for both emerging and developed markets. (see table).
Hence, in all likelihood, cybercrime is likely to remain part of the risks that will always exist, more so as online transactions keep growing.
KPMG’S Ubaid points out that the increasing audacity of cybercriminals will keep this threat on an upward trend.
It is left to be seen if the rising tide of cybercrime in the Malaysian financial landscape will reduce following the wide publicity it is getting and the actions being taken by all concerned.
- StarBiz
Stories by kirennesh Nai
Cybersecurity experts share their views
THE rise in cybercrime especially in financial services is a huge talking point today.
But is it something that was predicted to happen considering the rise of online banking services?
And is Malaysia being particularly hit hard?
Does the problem lie with the usage of less secure authentication methods such as Sms-based onetime passwords (OTPS) and what can banks do to fix the problem?
Some consultants share their views on these issues.
On the rise of online banking fraud. Ubaid Mustafa Qadiri, head of technology risk and cyber security for KPMG in Malaysia:
Cybercrime in banking or any other sectors will only continue to grow due to technological changes (including digitalisation) and organisational advancements with the introduction of new technology to improve process efficiencies.
Further, the increasing audacity of cybercriminals will also keep this threat on an upward trend.
With the accelerated rate of digitisation as a result of the pandemic, cybercrime has grown more rapidly than it would have, and criminals have evolved their techniques to target more enterprises and individuals to the point that banks have to implement more effective controls.
Ho Siew Kei, cyber risk leader of Deloitte Malaysia:
This is an expected result, not only because of financial institutions’ rapid shift to online banking but a general trend as organisations continue to move towards digital transformation.
It is estimated that 70% of commercial crime cases now can be categorised as cybercrime cases.
Clarence Chan, partner, digital trust and cybersecurity at PWC Malaysia:
There is a difference between cybercrime originating from a successful customer scam, and a cybercrime due to lapses in banking IT infrastructure.
Generally, most of the cybercrimes reported lately are due to the former, rather than the latter.
Most of these crimes, if not all, were only successful because the customers gave away their OTP or credentials via the scammer’s phishing attempt.
However, it is fair to assume that local banking customers may eventually be targeted after a similar modus operandi was used against a leading bank in Singapore, which amounted to more than S$13mil (Rm42.07mil) in losses.
Is Malaysia being particularly hit hard?
Ubaid: Online banking fraud is happening everywhere in the world, and it is expected to grow as criminals keep evolving new techniques.
According to the latest statistics, online fraud accounts for 68% of commercial crime in Malaysia. As the use of financial technology (fintech) and e-wallets have rapidly increased over the last four years, online fraud cases have also risen as the rate of adoption increased.
Ho: As a whole, banking fraud is definitely a global phenomenon – various countries have reported a general upward trend in banking fraud over the recent years, and this would apply to Malaysia as well, as Malaysian banks continue down the path of digitisation.
Chan: Online banking fraud is prevalent throughout the banking industry globally where industry players are constantly faced with the challenge of combating constantly evolving fraud techniques.
Looking closer to home, Singapore faces similar challenges as the scamming scene is largely similar. Anti-scamming divisions within the Malaysia and Singapore police force have been actively collaborating in tackling transnational scamming syndicates, participating in Project Icons (International Cooperation On Negating Scams).
In 2019, Bank Negara also introduced the Risk Management in Technology (RMIT) Guidelines, one of the most comprehensive technology and cyber risk management guidelines in this region, with the aim of elevating the banking industry’s security measures and standards, to ensure that online banking services are kept safe and secure for customers.
Since then, plenty of efforts have been made by banking institutions to improve their cyber resilience.
Does the problem lie with the usage of less secure authentication methods such as Sms-based OTPS and what can banks do to fix the problem?
Ubaid: Yes, but it also depends on the central bank’s guidance and the banks’ capability to develop secure mobile banking applications (which requires investment to produce) that would be able to authenticate and authorise transactions more securely.
Recently, the central bank of Malaysia announced that financial institutions should take additional measures to block suspicious transactions, and customers to be asked to confirm if the transactions are genuine before they are unblocked.
Some of the advanced features include:
> Secure TAC
> QR code scan
> Mobile app authentication/ approvals for transactions
> Facial recognition/biometric authentication through banking application
> Device fingerprinting
Ho: OTP and Sms-type authentication is widely supported by most devices, especially older devices. Banks tend to focus on a wider userbase, and rightly so, so as to not cut out different market segments, notably those without access to more modern devices.
Bank Negara’s recent push for financial Institutions to migrate away from SMS OTP toward more sophisticated authentication methods is a step in the right direction. However, there will still be challenges for certain market segments who use the more traditional device at this point in time.
However, as older devices are replaced by devices that are affordable yet are more advanced and able to support the latest technology, we should see adoption of the advanced security features become commonplace.
We are seeing a shift towards soft tokens on mobile devices, where transaction authorisations are sent through push notifications. This means that transactions can only be authorised from a customer’s registered device, and only after the customer has authenticated, typically with their biometrics.
These methods will also see certain restrictions such as customers authentication being bound to a specific registered device.
Chan: In general, there is a visible trend in financial institutions adopting multi-factor authentication technologies which are no longer reliant on SMS OTP.
This includes in-app, certificate-based or biometric authentication, which provides a more secure authentication mechanism and prevents potential OTP hijacking or other phishing and scamming attempts.
With Bank Negara’s directive of moving away from SMS OTPS by 30 June 2023, we can only expect the adoption of these measures to be accelerated.
Is cost holding back Malaysian banks from enhancing their level of security?
Ubaid: Any upgrades, enhancements or technology integration, be it security or others, will always have a cost component as well as skills requirements attached to it.
Typically, each organisation has its technology plans and budgets based on its business strategy, and banks will follow their approved business plans along with budgets in accordance with the guideline from the central bank.
Ho: There is certainly a cost element to enhancing security. However it should be noted that cyber risk and customer fraud have in recent years become a top risk for banks and doing well to combat these risks can also be seen as a competitive differentiator.
While cost is a consideration, I would think that this is an area that banks are fully prepared to spend on given the focus around regulatory expectations, consumer protection and preventing cybercrime.
Chan: We don’t believe that cost is a particular factor holding Malaysian banks back from enhancing their level of security.
If we consider the results of Pwc’s 2023 Global Digital Trust Insights survey, in which banking and capital markets make up the second highest proportion of Malaysian C-suite respondents, 19% of respondents say that their organisation’s cyber budget is increasing by 6% to 10% in 2023.
Also worth noting, 49% of Malaysian respondents agree to a great extent that their cybersecurity budget is allocated well against the risks they face in the next 12 months.
However, banks can continuously explore and enhance their security posture to aid in curbing scams, focusing on educating customers to combat online banking fraud.
To build customer trust, banks should invest in continuous awareness efforts to ensure that their customers remain informed and updated on the latest scam tactics, and modus operandi observed in the industry. - StarBiz
Related posts:
