Cybercriminals zeroing in on Singapore banks

Banks in Singapore are increasingly being targeted by cybercriminals, experts said, given the growing sophistication of the dark web that has developed into a bustling marketplace for malware, complete with money-back guarantees.

While other financial centres - and certainly non-financial corporations - are also at risk, Singapore stands out as a significant number of banking customers read Chinese, and that, according to IBM, has made it more vulnerable to the rising Chinese-language hacks on the dark web.

"Tech-savvy consumers in Singapore are getting more and more reliant on mobile and online banking services but continue to be unaware of evolving cyber threats and risks," said Vincent Loy, Asia Pacific financial crime and cyber leader, PwC Singapore. "As one of the top financial centres in the world, Singapore banks will continue to face the risk of being more vulnerable, as technologies continue to evolve to keep pace with business and consumer needs."

As it is, a PwC study at the end of 2015 showed Singapore banks put tech-related crimes and risks at the top over all other concerns. When asked about the level of preparedness in dealing with risks, respondents' answers out of Singapore led to an overall score of 2.9 out of a possible 5. This is lower than the study's global average of 3.13.

Late last year, the Association of Banks in Singapore cautioned against a software update for messaging app WhatsApp that targeted mobile- banking customers here. The malware infected about 50 Android smartphone users over a three-month period, with customers reporting losses of up to several thousand dollars after clicking on a suspicious pop-up window that sought their credit-card details to complete a software upgrade.

Banks said then they would only refund money to customers if there was proof that customers were careful in protecting their banking credentials.

Cybercriminals infiltrate mainly using spear-phishing, that is, by sending an email that looks to be from an individual or business with which the receiver has association.

Data from IBM showed the most common banking cyberattack in Singapore is through a redirection technique via a trojan - a malware disguised as legitimate software - that sends victims to a fake website when they try to access their online banking site. Bank customers are fooled into revealing, among other things, authentication codes.

Banking customers may also be fooled into revealing their two-factor authentication code over the phone, or be hit by the smallest malware to date - known appropriately as the tiny banker, or tinba - that expands itself once downloaded onto the computer, and seizes banking information by tracking keystrokes when the victim accesses his or her account, said IBM Security's executive security adviser Diana Kelley in an interview.

Cybercriminals are attacking employees within organisations such as banks, too. They may be checking LinkedIn to get a sense of the corporate hierarchy, and crafting legitimate-looking emails in hopes that employees will introduce malware into systems, said Ms Kelley. She recounted a case experienced by a senior executive at a global financial services firm. "He said to me, 'I got an email, and it was so good, I would have clicked on it. And the only reason I didn't, is that it was supposedly coming from me'."

She noted that there is much more collaboration on the dark web today, which makes malware a lot smarter, and better, than before.

This also means cybercriminals no longer need to be technical experts, and can buy services on the dark web, said Ben Wootliff, managing director, Hong Kong, of cybersecurity advisory firm Control Risks. "They come with a rating. They come with a money-back guarantee. They come with a helpdesk. It's a very sophisticated marketplace," he said at the Credit Suisse Asian Investment Conference this month.

The black market for information, such as credit card details, has also evolved, he observed. Now, buyers can customise their searches for details from cards stolen in a certain country, and within a certain period.

Companies are still grappling with "conceptualising the return of investment" on cybersecurity, said Mr Wootliff, noting that organisations need to spend to lock away critical information assets such as customer data.

"Most organisations are pretty ill-prepared. There's an awareness at the board, but they see it as a technical problem."

PwC's 2016 study on information security showed about 25 per cent of banks in Asia had an information security budget of about at least US$10 million. As a very rough benchmark, the percentage of cybersecurity spending of the total IT budget for banks averages between 4 and 10 per cent, said PwC's Mr Loy. "To minimise the impact of attacks, organisations should look at their governance, processes, people and technology in totality," he added.

Singapore banks would not comment on how much they spend on cybersecurity, but said they treat the risk seriously, highlighting that cybersecurity is the subject of board-level discussions.

For security reasons, UOB's latest mobile banking app cannot be launched on phones that are jailbroken or infected with malware, said UOB's head of group technology and operations Susan Hwee.

OCBC, like other banks, would constantly alert customers of potential cyberattacks, said Eugene Lau, head of group technology services at the bank, adding that the threat of cyberattacks is evolving rapidly.

IBM's Ms Kelley said banks should watch out for hackers doing reconnaissance - checking on account balances, and making changes to contact details. These log-ins could be at unusual times for users. Banks could also tap IBM's large IP network to limit fraud, and share anonymised cases of attacks, so more businesses learn of the latest forms of breaches.

This collaboration should extend to one between governments, in preventing a cyberattack, said former chief of MI6, John Sawers, at the Credit Suisse Asian Investment Conference.

"Every government feels much more vulnerable than they feel there's an opportunity here," he said, when asked about governments using cyberattacks as a means of security.

"If we did have a major incident that brought down the banking system, or the power structure, or the medical system of a country, which is entirely possible, then we would be having the cyber equivalent of 9/11," added Mr Sawers, now chairman of consultancy Macro Advisory Partners. "In nuclear terms, we're in the 1950s. We've got the power, we've got the capability, but we've got no real means of controlling that power in an inter-governmental or legal basis."

Likewise, DBS's head of legal, compliance and secretariat Lam Chee Kin noted that cybersecurity is a global issue impacting all business sectors, governments and the community. "It's important that there is a collective approach to addressing this risk and Singapore is treating this as a priority."

Singapore will soon introduce a new Cybersecurity Bill, the Ministry of Communications and Information said this month. This is meant to ensure operators of Singapore's critical information infrastructure secure such systems. It will also empower the Cybersecurity Agency to manage cyber incidents and raise standards of cybersecurity providers here.

This article was first published on April 18, 2016.
Get The Business Times for more stories.