Recent attacks highlight the rising risk of cyber fraud for SE Asian banks

Editor's Note: This article originally appeared on the Access Asia Consulting blog on June 6, 2016.

A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industry-wide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part Customer Security Programme to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”

Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks. In addition, geo-political dynamics and the presence of sophisticated transnational criminal networks also play into the risk equation, all making certain areas of the world more vulnerable than others. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socio-economic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China, and the existence of strong transnational criminal networks.

Indeed, the most recent case to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (‘TP Bank’), while the money trail of an $81-million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.

North Korean involvement?

Many cyber security experts believe these SWIFT attacks have been conducted by the same group of hackers due to the similarities of the malware used and link the same group with the 2014 hacking attack on Sony Pictures Entertainment. The FBI concluded the 2014 attack was perpetrated by North Korea, which makes the rogue nation a key suspect in these SWIFT attacks. However, many security experts outside the IT realm refute direct North Korean involvement in these SWIFT attacks, questioning why a nation-state would engage in cyber theft, particularly given the relatively small amount of money involved in them (with the exception of the attack on Bangladesh Bank.) “DPRK is usually vilified given their ‘last rogue nation standing’ status, however there are some underlying changes at work that most outside do not realize due to the media’s lack of positive coverage,” noted one of Access Asia’s China-based security partners who recently co-authored a report on the internal political dynamics of North Korea. “I’m hearing that it’s more likely Russian or Chinese hackers,” the source added.

Still, Access Asia believes the possibility of North Korean involvement should not be ruled out, yet greater emphasis should be placed on enhancing security defenses to protect against future attacks.

New fraud detection models needed:

“The recent SWIFT attacks definitely point to the need for tighter cyber-security protocols, but even such tighter measures may not be enough,” explained Keith Furst, founder and financial crimes technology consultant at Data Derivatives. “There are other ways to initiate payments through social engineering or even by holding a key employee’s family hostage in an extreme example – so when the security measures fail what else can be done?”

Furst suggests developing a model in which banks could detect fraudulent activity to the SWIFT payment traffic before the messages leave the bank’s network. Using the example of detecting credit card fraud through historical profiling and blocking transactions that are deemed to be a deviation from that profile, Furst believes similar fraud detection models could potentially be applied to SWIFT traffic before the messages leave the bank’s network. Furst explained:

“Think of it kind of like an expected range of values where the currency, amount, banks and countries involved in the payment activity all contribute to the historical profile. So, in the case of Bangladesh Bank, if they had these type of models running for all SWIFT messages then they may have detected that something was off when $951 million worth of instructions were requested. The final beneficiaries of the transfers could also be a strong indication of fraud because why would the Bangladesh Bank send such high value transfers to beneficiaries they don’t normally deal with on a regular basis? In essence, it is taking what financial institutions have learned from anomaly detection and fraud models and applying it to SWIFT traffic before the transfers leave the bank’s network.”

As heightened security measures are being debated and developed, financial institutions should remain vigilant and aware that the group or groups responsible for these recent bank attacks will likely strike again. Security software company Symantec warns that these attacks are part of a “wide campaign against financial targets in the region” and that recent publicity of the attacks “may prompt other attack groups to launch similar attacks.”

Access Asia views Cambodia, Myanmar, Indonesia and the Philippines as the countries most at risk in Southeast Asia for future cyber fraud attacks targeting financial institutions due to a perception of lax IT security measures, weak governance and law enforcement, high-levels of corruption that could facilitate inside collusion, and the existence of well-established transnational criminal networks.

SWIFT officials are warning all banks to review their security controls and to take special care with PDFs.