Cybersecurity: Staying ahead of cybercriminals

This article first appeared in Digital Edge, The Edge Malaysia Weekly, on March 22, 2021 - March 28, 2021.

As financial institutions push out more digital products focused on speed and convenience, they create additional points of vulnerability that fraudsters could exploit online. As a result, financial institutions are also expected to stay agile and deploy the latest technologies to protect their customers.

In fact, the Movement Control Order (MCO) period last year presented a case study of what could happen as more financial transactions move online. Cybercrime shot up 82.54% in Malaysia in the past year, according to a report by global fraud specialist GBG. Globally, a record-high number of scam and phishing sites were detected in 2020, according to Atlas VPN. 

“Propelled by the pandemic, there has been a significant shift towards digital transactions and real-time payments. This new normal has brought [not only] unprecedented efficiency and convenience but also an increase in payment-related fraud,” says Abrar A Anwar, managing director and CEO of Standard Chartered Malaysia. 

“The pandemic has led to a significant increase in cyberthreats, with a surge in Covid-19-related phishing campaigns, business email compromise, ransomware and denial-of-service attacks reported.”

Abrar observes that social engineering scams utilising emails were rampant during that period. “Cybercriminals are manipulating victims to make real-time payments to bank accounts controlled by fraudsters,” he says.

The use of social engineering by cybercriminals highlights a crucial point about cybersecurity. However advanced the cybersecurity measures that financial institutions implement, they have to be complemented by user awareness and cybersecurity training for employees. For instance, a hacking attempt via phishing will not succeed if a user double-checks the URL of hyperlinks before clicking on them.

“When it comes to cybercrime, humans are more vulnerable to exploitation than machines. It is critical that networks and systems are robust, resilient and secure. However, it is equally important for people to be the same,” says Abrar.

Preventing fraud

According to GBG’s survey of 324 financial institutions in Asia-Pacific last year, identity verification, prevention of new cyber fraud attacks and scaling fraud detection for transactions were the most challenging factors in growing digital transactions in Malaysia. 

Many cyber fraud attacks in Malaysia are carried out using the Transaction Authorisation Code (TAC) and through Macau scams, according to reports. The former usually involves a criminal who already has the victim’s bank account and password and who tricks the victim into revealing their TAC.

The latter is conducted by scammers who pretend to be bank officials or other authorities and inform the victim through a phone call that their loved ones have been kidnapped or that they have unpaid fines. To get out of this situation, the victim would need to transfer funds into a bank account.

Meanwhile, a phishing attack is successful when someone clicks on a link sent in an email or message and downloads malware onto their device. If it is ransomware, it will encrypt the data on the device and the criminal will demand payment to unlock it. There is also malware that can track the user’s IDs and passwords.

To reduce these incidents, a lot rests on consumer awareness. But financial institutions also put in place technology to monitor abnormal transactions and identify suspicious accounts, bots or malware.

Standard Chartered Malaysia launched its Collective Intelligence and Command Centre (CnC) six years ago for this purpose. The centre provides information on technical and process status in real time so the bank can respond quickly to incidents. 

“We screen our customers’ interactions as comprehensively as possible, covering transaction fraud, account security and cyberthreats. Every interaction is assigned a consolidated risk score, and based on this, if the interaction is deemed suspicious, we will reach out to the client for further validation,” says Abrar.

Transaction monitoring using technology is an area that some industry players are looking into in Malaysia, according to GBG. Imagine being able to immediately freeze suspicious transactions while the money is in the process of being transferred to be cashed out by the criminals. 

Location-based tracking to detect fraud is also gaining popularity, according to GBG. Standard Chartered has this solution as well. 

“We use it to check on the distance between the card owner’s current and last transaction locations, with respect to time. If the distance is greater than a particular threshold, we will look closely at its authenticity, and if a possible case of fraud is suspected, we proactively engage with the cardholder to validate the transaction,” says Abrar.
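The distance-over-time check described in the quote above can be sketched as follows. This is an added illustration, not Standard Chartered's implementation: the speed threshold, the minimum-distance floor, the `CardTxn` type and the sample history are all assumptions constructed for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # assumed floor so same-city location jitter is ignored

@dataclass(frozen=True)
class CardTxn:              # hypothetical record: timestamp plus merchant location
    when: datetime
    lat: float
    lon: float

def haversine_km(a: CardTxn, b: CardTxn) -> float:
    """Great-circle distance between two transaction locations."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = phi2 - phi1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def needs_review(prev: CardTxn, cur: CardTxn) -> bool:
    """True when the card would have had to travel implausibly fast."""
    dist = haversine_km(prev, cur)
    if dist < MIN_DISTANCE_KM:
        return False
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:
        return True         # far apart at the same instant: always review
    return dist / hours > MAX_PLAUSIBLE_KMH

def flag_history(txns):
    """Indices of transactions implausibly far from the one before them in time."""
    order = sorted(range(len(txns)), key=lambda i: txns[i].when)
    return [c for p, c in zip(order, order[1:]) if needs_review(txns[p], txns[c])]

# Constructed sample history for one card (not real data).
T0 = datetime(2021, 3, 22, 9, 0)
SAMPLE = [
    CardTxn(T0, 3.139, 101.687),                          # Kuala Lumpur
    CardTxn(T0 + timedelta(minutes=20), 3.107, 101.607),  # Petaling Jaya, ~10 km away
    CardTxn(T0 + timedelta(hours=5), 1.352, 103.820),     # Singapore, plausible trip
    CardTxn(T0 + timedelta(hours=6), 51.507, -0.128),     # London one hour later
]

if __name__ == "__main__":
    print(flag_history(SAMPLE))
```

A flag here only queues the transaction for the closer look and cardholder contact the quote describes; card-not-present purchases would need a different location signal.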

The bank also uses advanced technologies like big data analytics and artificial intelligence (AI) to fight financial crime. It partnered with fintech Silent Eight in 2018 to use its AI-based platform to spot financial crime risks across transactions. 

“Advances in big data analytics, biometrics and blockchain have enabled automated detection of patterns, reducing false positives that distract from genuine risks and uncovering false negatives overlooked by existing systems,” says Abrar.

Overall, Abrar believes that a multi-layered approach will be needed to effectively reduce cybercrimes. “Banks have put in controls, but as we have seen, fraudsters aren’t targeting banks. They’re targeting individuals and corporates,” he says.

Customers have to follow best practices like using multi-factor authentication, never disclosing credentials or passwords, avoiding opening emails from unknown senders or links from spam emails, and installing anti-virus or anti-malware software.

The e-wallet perspective

As cashless payments gain ground in Malaysia, it also becomes more important to scrutinise the cybersecurity measures of e-wallets. 

Digital Edge spoke to Touch ‘n Go eWallet to find out what it is doing to protect its users. The e-wallet is widely used by Malaysians as it can be used for toll payments, which is its unique feature.

TnG launched its money-back guarantee feature in 2019, promising full compensation within five working days if the user’s TnG eWallet is charged with unauthorised purchases or reloads. According to TnG Digital CEO Ignatius Ong, this feature was created to establish trust among its users. 

“To be eligible, users must first verify their e-wallet account through the account verification process. If there is an unauthorised transaction, the source of funds must come from the user’s own e-wallet account and the user has to submit the claim within 60 days,” says Ong in an email interview. 

The company says it uses artificial intelligence (AI) and machine learning to track and analyse data to prevent unauthorised transactions. “To prevent identity (ID) theft, our fraud detection system uses the behavioural pattern identification method,” says Ong. 

When unusual activities are detected, its model will suggest an outcome, which could result in the rejection of a transaction, or validation of a transaction through a One-Time Password (OTP). OTPs are generated when there is a password change or when a high-risk transaction is detected, he adds. 

Some consumers have questioned online whether TnG’s use of a 6-digit pin is secure enough. According to Ong, if a transaction is deemed abnormal, a second authentication method like OTP will be required.

Additionally, each login attempt by an attacker results in a five-minute delay before he can make another attempt, until a maximum threshold is reached.
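The delay-and-threshold control described above, and what it means for the 6-digit PIN question, can be modelled as below. This is an added example, not TnG's code: the threshold of five failures, applying the delay after each failed attempt, and the `LoginThrottle` and `online_guess_bound` names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict

DELAY_SECONDS = 5 * 60   # the five-minute delay described in the article
MAX_FAILURES = 5         # assumed: the article does not state the threshold

@dataclass
class _State:
    failures: int = 0
    next_allowed: float = 0.0

class LoginThrottle:
    """Per-account delay after each failed attempt, then lockout."""

    def __init__(self) -> None:
        self._accounts: Dict[str, _State] = {}

    def attempt(self, account: str, verify_pin: Callable[[], bool], now: float) -> str:
        st = self._accounts.setdefault(account, _State())
        if st.failures >= MAX_FAILURES:
            return "locked"            # needs out-of-band recovery (assumption)
        if now < st.next_allowed:
            return "wait"              # PIN is not evaluated during the delay
        if verify_pin():
            st.failures, st.next_allowed = 0, 0.0
            return "ok"
        st.failures += 1
        st.next_allowed = now + DELAY_SECONDS
        return "locked" if st.failures >= MAX_FAILURES else "denied"

def online_guess_bound(pin_digits: int = 6) -> float:
    """Upper bound on guessing a uniformly random PIN before lockout."""
    return MAX_FAILURES / 10 ** pin_digits

def demo():
    """Wrong PIN, early retry with the right PIN, retry after the delay."""
    t = LoginThrottle()
    wrong, right = (lambda: False), (lambda: True)
    return [
        t.attempt("user-a", wrong, 0),
        t.attempt("user-a", right, 60),
        t.attempt("user-a", right, 300),
    ]

if __name__ == "__main__":
    print(demo(), online_guess_bound())
```

The bound only holds if the counter is kept server-side per account and PINs are not predictable choices such as birthdays.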

“We use a dynamic MFA (multi-factor authentication) rather than a single authentication method as it provides additional security layers and decreases the chances of a user identity getting compromised,” says Ong. TnG is also educating users to not use simple passwords or share sensitive information. 

Ong adds that identification document forgery is a common scam. To deter it, TnG uses a primary e-know your customer (e-KYC) system based on ID image, optical character recognition and a spoof detection mechanism. The latter prevents people from using a photo or video to trick the authentication algorithms.

“Our e-KYC method is supported by a biometric detection mechanism to authenticate several security checkpoints to prevent forged ID documentation cases,” says Ong.

Going forward, the company is planning to introduce biometric verification via facial recognition for login purposes. “Unlike the other facial recognition tools widely used in the market that match the face against a photo saved in the phone, ours is matched against the photo on the ID and photo saved in our e-KYC system,” says Ong.