Cybersecurity experts share their views
The rise in cybercrime, especially in financial services, is a huge talking point today.
But is it something that was predicted to happen considering the rise of online banking services?
And is Malaysia being particularly hit hard?
Does the problem lie with the usage of less secure authentication methods such as SMS-based one-time passwords (OTPs), and what can banks do to fix the problem?
Some consultants share their views on these issues.
On the rise of online banking fraud:
Ubaid Mustafa Qadiri, head of technology risk and cyber security for KPMG in Malaysia:
Cybercrime in banking or any other sector will only continue to grow due to technological changes (including digitalisation) and organisational advancements with the introduction of new technology to improve process efficiencies.
Further, the increasing audacity of cybercriminals will also keep this threat on an upward trend.
With the accelerated rate of digitisation as a result of the pandemic, cybercrime has grown more rapidly than it would have, and criminals have evolved their techniques to target more enterprises and individuals to the point that banks have to implement more effective controls.
Ho Siew Kei, cyber risk leader of Deloitte Malaysia:
This is an expected result, not only because of financial institutions’ rapid shift to online banking but a general trend as organisations continue to move towards digital transformation.
It is estimated that 70% of commercial crime cases now can be categorised as cybercrime cases.
Clarence Chan, partner, digital trust and cybersecurity at PwC Malaysia:
There is a difference between cybercrime originating from a successful customer scam, and a cybercrime due to lapses in banking IT infrastructure.
Generally, most of the cybercrimes reported lately are due to the former, rather than the latter.
Most of these crimes, if not all, were only successful because the customers gave away their OTP or credentials via the scammer’s phishing attempt.
However, it is fair to assume that local banking customers may eventually be targeted after a similar modus operandi was used against a leading bank in Singapore, which amounted to more than S$13mil (RM42.07mil) in losses.
Is Malaysia being particularly hit hard?
Ubaid: Online banking fraud is happening everywhere in the world, and it is expected to grow as criminals keep evolving new techniques.
According to the latest statistics, online fraud accounts for 68% of commercial crime in Malaysia. As the use of financial technology (fintech) and e-wallets has rapidly increased over the last four years, online fraud cases have also risen as the rate of adoption increased.
Ho: As a whole, banking fraud is definitely a global phenomenon – various countries have reported a general upward trend in banking fraud over the recent years, and this would apply to Malaysia as well, as Malaysian banks continue down the path of digitisation.
Chan: Online banking fraud is prevalent throughout the banking industry globally where industry players are constantly faced with the challenge of combating constantly evolving fraud techniques.
Looking closer to home, Singapore faces similar challenges as the scamming scene is largely similar. Anti-scamming divisions within the Malaysian and Singapore police forces have been actively collaborating in tackling transnational scamming syndicates, participating in Project ICONS (International Cooperation On Negating Scams).
In 2019, Bank Negara also introduced the Risk Management in Technology (RMIT) Guidelines, one of the most comprehensive technology and cyber risk management guidelines in this region, with the aim of elevating the banking industry’s security measures and standards, to ensure that online banking services are kept safe and secure for customers.
Since then, plenty of efforts have been made by banking institutions to improve their cyber resilience.
Does the problem lie with the usage of less secure authentication methods such as SMS-based OTPs, and what can banks do to fix the problem?
Ubaid: Yes, but it also depends on the central bank’s guidance and the banks’ capability to develop secure mobile banking applications (which requires investment to produce) that would be able to authenticate and authorise transactions more securely.
Recently, the central bank of Malaysia announced that financial institutions should take additional measures to block suspicious transactions, and that customers should be asked to confirm whether the transactions are genuine before they are unblocked.
Some of the advanced features include:
> Secure TAC
> QR code scan
> Mobile app authentication/approvals for transactions
> Facial recognition/biometric authentication through banking application
> Device fingerprinting
Ho: OTP and SMS-type authentication is widely supported by most devices, especially older devices. Banks tend to focus on a wider user base, and rightly so, so as to not cut out different market segments, notably those without access to more modern devices.
Bank Negara’s recent push for financial institutions to migrate away from SMS OTP toward more sophisticated authentication methods is a step in the right direction. However, there will still be challenges for certain market segments that use more traditional devices at this point in time.
However, as older devices are replaced by devices that are affordable yet are more advanced and able to support the latest technology, we should see adoption of the advanced security features become commonplace.
We are seeing a shift towards soft tokens on mobile devices, where transaction authorisations are sent through push notifications. This means that transactions can only be authorised from a customer’s registered device, and only after the customer has authenticated, typically with their biometrics.
These methods will also see certain restrictions, such as customer authentication being bound to a specific registered device.
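As an added illustration of the device-bound, push-based transaction authorisation Ho describes (example code written for this page, not code from the article, any bank or any vendor): the device signs the exact transaction it displays, only after a local biometric check, and the server accepts the signature only from the registered device, only for that transaction, and only once. The device ids, payee and amount fields are constructed sample values, and an HMAC over a per-device secret stands in for the asymmetric key a real soft token would keep in the phone's secure keystore.

```python
import hashlib, hmac, json, secrets, time

# Constructed example: a per-device secret provisioned at enrolment. A real soft
# token would hold an asymmetric key in the phone's secure keystore; HMAC with a
# shared secret stands in for that here so the block runs on the stdlib alone.
REGISTERED_DEVICES = {"device-A1": secrets.token_bytes(32)}
PENDING = {}  # txn_id -> (canonical transaction bytes, expiry, bound device id)

def canonical(txn):
    """Fixed encoding so the device signs exactly what the server will execute."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()

def create_authorisation(device_id, txn, ttl=120):
    """Server side: bind a pending transaction to one registered device.
    The returned payload is what the push notification carries to that device."""
    if device_id not in REGISTERED_DEVICES:
        raise KeyError("unregistered device")
    txn_id = secrets.token_hex(8)          # per-transaction nonce, single use
    payload = dict(txn, txn_id=txn_id)
    PENDING[txn_id] = (canonical(payload), time.time() + ttl, device_id)
    return payload

def device_approve(device_id, payload, biometric_ok):
    """Device side: after a successful local biometric check, sign the payload
    as displayed to the customer. Unlike an SMS OTP, the result is useless for
    any other transaction, any other device, or a second submission."""
    if not biometric_ok:
        return None
    key = REGISTERED_DEVICES[device_id]    # stands in for the device's own key
    return hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()

def verify_authorisation(device_id, txn_id, signature):
    """Server side: device binding, content binding, expiry and single use."""
    entry = PENDING.get(txn_id)
    if entry is None:
        return False                       # unknown id, or already consumed (replay)
    data, expiry, bound_device = entry
    if device_id != bound_device or time.time() > expiry:
        return False
    expected = hmac.new(REGISTERED_DEVICES[bound_device], data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False                       # signed content differs from stored txn
    del PENDING[txn_id]                    # consume so the same approval cannot replay
    return True
```

The contrast with an SMS OTP is the point: a six-digit code handed to a scammer authorises whatever the scammer submits, whereas an approval produced here fails for a different amount or payee, a different device, or a second use.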
Chan: In general, there is a visible trend in financial institutions adopting multi-factor authentication technologies which are no longer reliant on SMS OTP.
This includes in-app, certificate-based or biometric authentication, which provides a more secure authentication mechanism and prevents potential OTP hijacking or other phishing and scamming attempts.
With Bank Negara’s directive of moving away from SMS OTPs by 30 June 2023, we can only expect the adoption of these measures to be accelerated.
Is cost holding back Malaysian banks from enhancing their level of security?
Ubaid: Any upgrades, enhancements or technology integration, be it security or others, will always have a cost component as well as skills requirements attached to it.
Typically, each organisation has its technology plans and budgets based on its business strategy, and banks will follow their approved business plans along with budgets in accordance with the guideline from the central bank.
Ho: There is certainly a cost element to enhancing security. However, it should be noted that cyber risk and customer fraud have in recent years become a top risk for banks, and doing well to combat these risks can also be seen as a competitive differentiator.
While cost is a consideration, I would think that this is an area that banks are fully prepared to spend on given the focus around regulatory expectations, consumer protection and preventing cybercrime.
Chan: We don’t believe that cost is a particular factor holding Malaysian banks back from enhancing their level of security.
If we consider the results of PwC’s 2023 Global Digital Trust Insights survey, in which banking and capital markets make up the second highest proportion of Malaysian C-suite respondents, 19% of respondents say that their organisation’s cyber budget is increasing by 6% to 10% in 2023.
Also worth noting, 49% of Malaysian respondents agree to a great extent that their cybersecurity budget is allocated well against the risks they face in the next 12 months.
However, banks can continuously explore and enhance their security posture to aid in curbing scams, focusing on educating customers to combat online banking fraud.
To build customer trust, banks should invest in continuous awareness efforts to ensure that their customers remain informed and updated on the latest scam tactics, and modus operandi observed in the industry.