A series of cyber fraud attacks targeting financial institutions through the SWIFT global messaging system has prompted an industrywide review of IT security measures and has highlighted the rising risk of cyber fraud against financial institutions in Southeast Asia and beyond. SWIFT has responded with a five-part customer security program to reinforce the security of the global banking platform, yet its CEO has warned “there will be more attacks.”
Cyber fraud risk is heightened in developing countries that often lack the technological resources to detect and thwart such attacks, while geopolitical dynamics also play into the risk equation. In light of these factors, Access Asia views Southeast Asia as a region of heightened risk for cyber fraud targeting financial institutions due to socioeconomic conditions, proximity to suspected centers of cyber fraud operations in North Korea and China and the existence of strong transnational criminal networks.
Indeed, one of the most recent cases to come to light involves an attempted attack on Vietnam’s Tien Phong Bank (TP Bank), while the money trail of an $81 million cyber heist from the State Bank of Bangladesh’s account at the New York Federal Reserve in February has been traced to the Philippines. Hong Kong (which lies on the periphery of Southeast Asia) is the reported end of the money trail for a US$2 million cyber theft on an Ecuadorian bank in early 2015, while the Philippines was also the target of an earlier attack in October 2015.
Access Asia views Cambodia, Myanmar, Indonesia and the Philippines as the countries most at risk in Southeast Asia for future cyber fraud attacks targeting financial institutions due to a perception of lax IT security measures, weak governance and law enforcement, high levels of corruption that could facilitate inside collusion and the existence of well-established transnational criminal networks.
North Korean involvement?
Many cybersecurity experts believe these SWIFT attacks have been conducted by the same group of hackers due to the similarities of the malware used and link the same group with the 2014 hacking attack on Sony Pictures Entertainment. The FBI concluded the 2014 attack was perpetrated by North Korea, which makes the rogue nation a key suspect in these SWIFT attacks. However, many security experts outside the IT realm refute direct North Korean involvement in these SWIFT attacks, questioning why a nation-state would engage in cyber theft, particularly given the relatively small amount of money involved in them (with the exception of the attack on Bangladesh Bank.) Moreover, these attacks would have required a number of agents operating in numerous countries to coordinate both the attacks and retrieval of the money, likely with the cooperation of other international criminal networks – a modus operandi not fitting with North Korea in Southeast Asia. The North Koreans tend to be tightly nationalistic and unwilling to trust other ethnic groups – especially criminals – and are most unlikely to be dealing with international crime groups in Southeast Asia.
“DPRK is usually vilified given their ‘last rogue nation standing’ status; however, there are some underlying changes at work that most outside do not realize due to the media’s lack of positive coverage,” noted one of Access Asia’s China-based security partners who recently co-authored a report on the internal political dynamics of North Korea. “I’m hearing that it’s more likely Russian or Chinese hackers,” the source added.
A recent investigative report in the Epoch Times, which cited an insider with reportedly direct knowledge of the recent attacks, puts the blame on former Chinese state hackers who identified the initial vulnerability and then sold the information to cyber crime groups.
No matter who is responsible for these recent attacks, greater emphasis should be placed on enhancing security defenses to protect against future attacks. In Vietnam, the country’s leading network security firm BKAV believes 30 percent of Vietnamese commercial banks’ websites have vulnerabilities, two-thirds of which are at medium or high risk for cyber attacks. This figure is likely much higher in lesser developed Southeast Asian countries, such as Cambodia and Myanmar.
New fraud detection models needed
“The recent SWIFT attacks definitely point to the need for tighter cybersecurity protocols, but even such tighter measures may not be enough,” explained Keith Furst, founder and a financial crimes technology consultant at Data Derivatives. “There are other ways to initiate payments through social engineering or even by holding a key employee’s family hostage in an extreme example – so when the security measures fail, what else can be done?”
Furst suggests developing a model in which banks could detect fraudulent activity to the SWIFT payment traffic before the messages leave the bank’s network. Using the example of detecting credit card fraud through historical profiling and blocking transactions that are deemed to be a deviation from that profile, Furst believes similar fraud detection models could potentially be applied to SWIFT traffic before the messages leave the bank’s network. Furst explained:
“Think of it kind of like an expected range of values where the currency, amount, banks and countries involved in the payment activity all contribute to the historical profile. So, in the case of Bangladesh Bank, if they had these type of models running for all SWIFT messages, then they may have detected that something was off when $951 million worth of instructions were requested. The final beneficiaries of the transfers could also be a strong indication of fraud, because why would the Bangladesh Bank send such high-value transfers to beneficiaries they don’t normally deal with on a regular basis? In essence, it is taking what financial institutions have learned from anomaly detection and fraud models and applying it to SWIFT traffic before the transfers leave the bank’s network.”
As heightened security measures are being debated and developed, financial institutions should remain vigilant and aware that the group or groups responsible for these recent bank attacks will likely strike again. Security software company Symantec warns that these attacks are part of a “wide campaign against financial targets in the region” and that recent publicity of the attacks “may prompt other attack groups to launch similar attacks.”
“The recent SWIFT attacks may be only the beginning of a larger scale campaign where cyber criminal organizations systemically target weak banks and exploit known vulnerabilities,” said Data Derivative’s Furst. “Recent events may accelerate discussions surrounding groundbreaking technological innovations, such as using a blockchain ecosystem as an alternative for high-value, cross-border money transfer,” he added.
Meanwhile, SWIFT officials are warning all banks to review their security controls and to take special care with PDFs.