Internet dependence is increasing, and so is the amount of money that is moved around online. Criminals are constantly developing strategies to fraudulently access that money, making banks the biggest target of online financial crime.
With more than four million active Internet users in Cambodia, financial institutions are investing heavily in the development of online platforms and network infrastructure in the race for new technologies to attract and retain customers. Internet banking, mobile banking, fast and secure payment transfers (FAST), and online payment gateways are among the innovations that are quickly being integrated into daily life, as businesses and individuals streamline their operations and lifestyles.
While the vast online world has made it easier to do business, it has also created a space where nameless, faceless threats lurk, waiting to steal credit card numbers, in infiltrate bank accounts and shut down online infrastructure. As a result, financial institutions have stepped up and developed their own prevention measures–token devices, SMS verification and two-step authentication– to secure online information and transactions from cyber criminals. But in a world that is always changing, the threat remains.
Cyber attackers use different techniques to exploit their targets, including infiltrating applications and network infrastructures to gather information, and also by playing on human vulnerability. Most financial institutions have already implemented basic security controls, yet, there are many more levels of security that can be explored and implemented, as there are many methods of attack, including:
1. DDOS, or digital denial of service
This is a popular method of cyber intrusion where a group of IP addresses, often thousands, is used to target an organisation’s online function by simultaneously crowding the virtual entry to the business, disrupting normal operations. When a website is flooded with this level of activity, it can become disabled for hours or even days, potentially at great cost to the target. To affect the greatest damage, these types of attacks are often launched at a time when the target can least afford a disruption.
2. Financial Malware
These are malicious programs designed to in infiltrate databases and systems, bypassing the security technology that has been developed specifically to protect the monetary assets of financial institutions and their customers. These programs (there are many different types, some known as Trojans) intercept information from the web browser–credit card details, account information, file sharing directories–and can even allow the criminal access to webcams and microphones. The most common way for a system (PC, smartphone, POS) to be- come infected is via “drive-by downloads”, where the program has been implanted in an insecure website and is downloaded without the victim knowing. Several multinational banks are known to have been infected by financial malware.
Recently, automated teller machines (ATM) have become a focal point for cybercriminals. They attach “skimming” devices at the point where the bank card enters the machine. The devices then gather all the information that pass through, giving the attacker full access to the target’s bank accounts.
4. Spear Phishing
Lastly, “spear phishing” is perhaps the most devious type of attack. It begins with the target receiving a seemingly harmless email from an individual or business that they are familiar with. The email, however, is from an attacker who has gathered all the publicly available information of a financial institution in order to pose as someone from inside the institution or a business partner, for example. After establishing the trust of the target, the attacker gathers information from them in order to profit.
In a race to adopt the newest technologies, banks and other financial institutions have undoubtedly increased their exposure to cyber attacks. Given the focus on the Internet and its increasing necessity in daily life, this is a neverending race, not only for the banks, but for other businesses and individuals as well. In that case, as they take on new technologies, banks must also take a proactive approach in securing their monetary assets and data from online threats.
Deloitte Cambodia subscribes to four key elements for mitigating the risk:
1) “Governance” – In today’s business environment where cyber threats are a real and present danger, banks need a team dedicated to cyber security management.
2) “Secure” – A bank’s infrastructure must be protected, as must the applications and information on all devices, with the best possible security systems.
3) “Vigilant” – Threats should be managed proactively and there should be ongoing analysis of online systems and security to allow this.
4) “Resilient” – The response to security breaches must be fast and comprehensive, and the point of intrusion should be found.
Contribution by Vandy Ly, Risk Advisory Senior Consultant at Deloitte Cambodia