Security Issues Could Threaten Asia's Digital Banking Story
Asia's Growing Digital-Only Banks Face Triple Onslaught of Major Security Threats
Digital banking in the Asia-Pacific region is poised to expand rapidly this decade, thanks to large underbanked populations, a young demographic that is becoming increasingly digitally savvy, and the demand for 24-hour banking services.
Boston Consulting Group said 20% of the world's digital banks were based in the Asia-Pacific region in 2021, and the banking sector in Vietnam, the Philippines and Indonesia could experience double-digit growth by 2024.
Indonesia had seven licensed digital banks in 2021. Malaysia's central bank, Bank Negara Malaysia, in April 2022 issued licenses to five consortiums to operate as the country's first digital-only banks. BNM said these entities demonstrated they had robust underlying technologies to support cloud risk management, business continuity and cyber risk management.
But some security observers fear these entities may lack robust protections to defend customers against cybercriminals.
The Menace of Web Application Attacks
Web application attacks are among the most concerning challenges facing digital-only banks. Verizon's Data Breach Investigations Report 2023 found that web application attacks, along with system intrusion and social engineering, accounted for 93% of breaches in the Asia-Pacific region in 2022.
Anshuman Sharma, Verizon's associate director for CSIRT and investigative response in the APJ region, told Information Security Media Group that web application attacks not only encompass advanced techniques such as cross-site scripting and SQL injection but also credential theft, which gives hackers the keys to an organization's digital infrastructure.
Today's digital-only banks can't robustly defend against web application attacks unless they have a plethora of security solutions in place that are tailor-made for specific attack vectors, said Umesh Bhapkar, senior director of IT and information security at global technology consulting firm Synechron.
A digital-only bank's cybersecurity strategy must comprise a web application firewall to detect and block malicious traffic, SQL injection attempts and DoS attacks; regular vulnerability assessments and pen tests; secure authentication and authorization; secure coding practices; rate limiting and denial-of-service protection; input validation and sanitization, to enable monitoring and logging; and employee awareness and training, since employees are often the weakest link in the chain.
"Proactive security measures, robust development practices, continuous monitoring and a well-defined incident response plan can help digital-only banks to significantly enhance security across their website and mobile applications - making them resilient against a variety of web application attacks," Bhapkar said. "It's important to note that cybersecurity is an ongoing process, and it requires constant vigilance and adaptation."
API Security: The Next Frontier
Today's digital banks have multiple API integrations with third-party applications to enable fund transfers, online sales and purchases and to process investments and loans. An open banking API enables third-party financial services providers to build customer profiles and offer curated products by monitoring an individual's transactions and engagements with banks and other non-bank financial institutions.
APIs, however, commonly feature many vulnerabilities such as misconfigurations, insufficient logging and monitoring, excessive data exposure, and broken user-level authorization. A malicious actor could exploit any of these flaws to access banking applications, steal users' personal and financial information, or inject malware to cause further damage.
Bhapkar said continuous monitoring of APIs for all suspicious activities - such as unusual login attempts or data exfiltration - could help digital-only banks communicate with software intermediaries in a secure manner. These organizations must also ensure they adopt secure coding methods and conduct regular security assessments of their APIs to identify and fix vulnerabilities.
Additional security measures, such as using two-factor authentication, encrypting sensitive data, using API gateways to filter out malicious traffic, and enhancing employee awareness of cybersecurity risks to the API infrastructure can also help digital banks prevent malicious activities, he said.
Growing Threat of Supply Chain Attacks
Today's digital banks use a variety of third-party applications and software to ensure operational efficiency and provide the best financial services to customers, but this also exposes them to supply chain attacks. South Bend, Indiana-based financial services firm 1st Source announced in July that about 450,000 data records had been compromised in a breach involving Progress Software's MOVEit Transfer application.
Cybersecurity company Checkmarx also reported in July that it had detected, for the first time, several open-source software supply chain attacks that specifically targeted the banking sector. Two of these attacks involved hackers uploading malicious open-source packages to the NPM platform that contained preinstall scripts with specific functions.
Checkmarx also observed threat actors using an advanced post-exploitation command-and-control framework known as the Havoc Framework to bypass Windows Defender and manage, coordinate and modify attacks on banks.
"Traditionally, organizations primarily focused on vulnerability scanning at the build level - a practice no longer adequate in the face of today's advanced cyberthreats," said Tzachi Zornstein, the head of CxDustico at Checkmarx. "Once a malicious open-source package enters the pipeline, it's essentially an instantaneous breach, rendering any subsequent countermeasures ineffective. In other words, the damage is done.
"This escalating gap underscores the urgency to shift our strategy from merely managing malicious packages to proactively preventing their infiltration into our software development life cycle in the first place. Organizations need to adopt a proactive, integrated security architecture, incorporating protective measures at every stage of the SDLC," he said.
Is Cloud Storage the Answer?
The cloud has become the go-to platform for organizations worldwide that find on-premises data storage and management prohibitively expensive and inefficient. Organizations choose between single or multi-cloud strategies and pick cloud vendors based on cost, the features offered, and their unique requirements.
Today's cloud vendors advertise many native security capabilities, but cloud customers are responsible for the security of data stored and must guard against misconfigurations or inadvertent data exposure. Many traditional banks have been slow to adopt cloud for core systems due to risks such as data loss, vendor lock-in and potential data breaches.
According to Bhapkar, digital-only banks are more likely to store their core data in the cloud. This is because they aren’t subject to the same regulatory requirements as traditional banks, and they are more comfortable with the security of cloud computing.
"There are several benefits to storing core data in the cloud, including rapid scalability, flexibility, disaster recovery and annual cost savings," Bhapkar said. "Overall, there are both benefits and risks to storing core data in the cloud. Digital-only banks need to carefully consider their needs and risks before deciding whether to store their core data in the cloud."