PETALING JAYA: With most of the world having now gone through a full year of remote working, our understanding of cybersecurity should, in theory, be much better.
Unfortunately, it may not seem so going by a recent advice by police to banks.
A cybersecurity expert and a criminologist agreed that staff awareness in regard to cybersecurity should be invested in to reduce chances of banking scams.
Criminologist Shankar Durairaja noted that staff should be properly educated and trained in their responsibility for keeping banks secure from cyberattacks.
“Besides that, software solutions such as anti-phishing web browsing software – to prevent phishing emails – should be considered. Banks may also implement policies for location and the devices staff can log in from, as well as the type of access they’re allowed,” Shankar told theSun.
Other suggestions include implementing multi-factor authentication between suppliers, automated solutions and outsourcing and refined testing and firewalls.
Shankar was commenting on Selangor police chief Comm Datuk Arjunaidi Mohamed urging banks to beef up the security system of their internet banking services to avoid infiltration by cyber criminals.
Arjunaidi cited a case reported to Selangor police recently where a local company lost RM2.9 million to cyber criminals.
The company’s email account, which was used for online banking transactions, was hacked by cyber criminals where the scammers used the email address and sent out a message to a bank requesting for the company’s online banking username be changed.
Shankar also said it is possible for bank insiders or bank staff to be complicit with scam syndicates when it comes to cases such as this, whether directly or indirectly.
“A direct way would include staff leaking confidential information to the syndicates for money while indirect methods could be through information leakage through phishing emails or hacking by the criminals. However, so far, we don’t have any news on that,” he said.
Fong Choong Fook, CEO of LGMS, a specialised cybersecurity testing firm, said the issue can be seen from both a technical and logical perspective.
“Technically, most banking systems in Malaysia are quite secure so when you hear someone say their bank account has been hacked or there has been an issue with money being syphoned out, it is typically an issue on the client’s end,” he said.
“The hackers are basically leveraging the weakness on the client’s end.”
He noted the biggest problem here is not so much about the bank’s cybersecurity systems but more so on the human process.
“In the cases that have been mentioned by the police, these hackers or scammers target our biggest weakness, which is human verification,” he said.
Fong noted what banks should do is beef up on the human verification processes to avoid such incidents from recurring.
“All requests to change personal information should be filtered through a tight and secure process to verify and make sure that it is the client who wants these changes to be made,” he said.
“Banks overall are quite secure as they are required to conduct a vulnerability and penetration testing as well as report any cyberattacks to Bank Negara itself. The loopholes we are seeing here are based on human weaknesses such as the failure to follow the standard operating procedures.”