Current spate of fraudulent transactions across the banking industry in ASEAN
Digital payment in Southeast Asia is expected to reach US$1 trillion by 2025. Consumers enjoy the convenience and rewards that come with electronic payments, a trend that has been accelerated by the pandemic. However, there are costs to this convenience. Fraudulent transactions across the banking industry have multiplied due to poor cyber hygiene. Institutions struggle to detect bad transactions given the speed of processing, the novelty of the attacks, and the way these attacks hide amidst the volume of legitimate transactions.
The position in Southeast Asia
What’s interesting about these bank-related fraud campaigns in Southeast Asia is the messaging from the regulators and banking associations. Despite the prevalence of fraudulent transactions, there is very little regulation that clearly sets out the rights and responsibilities of the individual consumer, the financial institution, and any other intermediaries in the transaction.
Singapore saw almost a 30-fold surge in bank-related phishing scams to 898 in the first half of 2021, from just 34 in the same period last year, resulting in a loss of SG$102 million. In Thailand, about 130 million Baht has been withdrawn from over 40,000 debit and credit card accounts in unauthorised transactions during the first half of October. The Bank of Thailand (BOT) and Thai Bankers’ Association (TBA) insisted bank databases had not been hacked, but that these transactions originated from ‘foreign online stores’.
Bank fraud shock – How did it happen?
Data on dubious bank transactions from BOT revealed that over 10,700 debit and credit accounts had large volumes of small but high-frequency transactions. For example, multiple US$1 transactions were made within an hour across multiple accounts. As these transactions were small, the banks did not issue a One Time Password (OTP) to authenticate the order, and consumers were unaware of these transactions until they checked their transaction history.
Some articles indicated that this could be first-person fraud, where the account owner performed these transactions and then claimed their account details had been compromised. While this is possible, a manual fraud on this scale, involving over 40,000 individuals, would be difficult to orchestrate and manage.
A more feasible explanation is that the account data was exfiltrated at the online store via data harvesting. This class of attack, known as Magecart, specialises in digital card theft by skimming online payment forms and posting the captured data to destinations that appear legitimate.
Most websites have scores of JavaScript (JS) files running for tracking, advertising, affiliates, and marketing, so it is common that a digital owner is not aware of every single JS that is running on the site. Hackers take advantage of this and inject the malicious skimming code, typically on checkout pages, or target third parties that supply code to websites, hiding the malicious code inside other code that looks benign to avoid detection. In some cases, the attackers have used Google Analytics[1] as the destination server that receives the data from all the victims’ browsers; so even if the website owner tries to identify malicious code, they see the URL as a trusted destination, and it flies under the manual or automated periodic review of code.
Once it’s running in the browser, the skimmer listens on the victims’ computers for credit card form submissions, intercepts them, and sends a copy off to the attacker’s ingestion server. There are multiple ways a fraudster can cash out; in this scenario, they opted to automate large numbers of very small transactions.
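The point above is that site owners rarely have a complete inventory of the scripts on their checkout page. The following Python script is an added example (not code from the article or from F5) of the kind of inventory review a merchant can run over its own checkout HTML: it lists every script tag, flags inline scripts, flags scripts loaded from origins that are not on an allowlist, and flags allowlisted scripts that lack Subresource Integrity. The sample HTML, the allowlist, the `shop.example` and `cdn.unknown-example.net` hostnames, the `G-XXXX` tag id and the `sha384-ABC` integrity value are all constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (not from any real site). It mixes a
# first-party script with SRI, a known third-party tag, an inline script and
# a script from an origin that is not on the allowlist.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://shop.example/static/app.js" integrity="sha384-ABC"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://cdn.unknown-example.net/lib.js"></script>
</head><body><form id="checkout"><input name="card"></form></body></html>
"""

# Assumed allowlist of script origins the merchant has consciously approved.
ALLOWED_SCRIPT_ORIGINS = {"shop.example", "www.googletagmanager.com"}


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src, its integrity attribute and,
    for inline scripts, the script body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append(
                {"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""}
            )
            self._in_script = True

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data; keep them
        # only for inline scripts (no src attribute).
        if self._in_script and self.scripts and self.scripts[-1]["src"] is None:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def inventory_scripts(html):
    """Return a list of dicts describing every script tag in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def review_scripts(html, allowed_origins=ALLOWED_SCRIPT_ORIGINS):
    """Return (finding, detail) tuples for scripts a reviewer should look at:
    inline code, unlisted origins, and allowlisted scripts without SRI."""
    findings = []
    for s in inventory_scripts(html):
        if s["src"] is None:
            findings.append(("inline-script", s["inline"].strip()[:40]))
            continue
        host = urlparse(s["src"]).hostname
        if host not in allowed_origins:
            findings.append(("unlisted-origin", host))
        elif not s["integrity"]:
            findings.append(("no-sri", s["src"]))
    return findings


if __name__ == "__main__":
    for kind, detail in review_scripts(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:16} {detail}")
```

Two caveats follow from the article itself. Third-party tags that change frequently (analytics loaders, tag managers) usually cannot carry a fixed SRI hash, so the `no-sri` finding on such a script is a prompt to review, not a defect on its own. More importantly, an allowlist check cannot catch the Google Analytics case described above, where the skimmer posts stolen data to a destination that is itself allowlisted; that is why behaviour-based client-side monitoring is recommended in addition to static review.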
The responsibility
To contain the losses, the BOT responded as follows:
1. Banks will monitor transactions and suspend cards which incurred high volumes of small transactions.
2. The banks will perform multi-factor authentication (MFA) for each transaction.
3. Fraudulent transactions on debit cards will be waived after five days; credit cards will be cancelled, and a new card will be issued.
4. Banks will enforce MFA for debit card transactions as well.
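The first BOT control, monitoring for cards with high volumes of small transactions, is a velocity rule. The following Python code is an added example (not code from the article, the BOT, or any bank) of such a rule run over a constructed authorisation log: for each card it counts authorisations below the OTP threshold inside a sliding one-hour window and flags cards whose count reaches a limit, mirroring the US$1-per-transaction pattern described above. The OTP threshold of US$30, the window length, the limit of five, the card ids and the merchant names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log: (card_id, timestamp, amount_usd, merchant).
# Card C1 shows the pattern from the article: many US$1 debits within one hour.
# C2 has a few small purchases spread over a day; C3 has two large purchases.
SAMPLE_AUTHS = [
    ("C1", "2021-10-15T10:00:00", 1.00, "store-a"),
    ("C1", "2021-10-15T10:04:00", 1.00, "store-a"),
    ("C1", "2021-10-15T10:09:00", 1.00, "store-b"),
    ("C1", "2021-10-15T10:15:00", 1.00, "store-a"),
    ("C1", "2021-10-15T10:21:00", 1.00, "store-b"),
    ("C1", "2021-10-15T10:28:00", 1.00, "store-a"),
    ("C1", "2021-10-15T10:33:00", 1.00, "store-b"),
    ("C1", "2021-10-15T10:40:00", 1.00, "store-a"),
    ("C2", "2021-10-15T08:00:00", 2.50, "cafe"),
    ("C2", "2021-10-15T14:00:00", 2.50, "cafe"),
    ("C2", "2021-10-15T20:00:00", 2.50, "cafe"),
    ("C3", "2021-10-15T12:00:00", 120.00, "electronics"),
    ("C3", "2021-10-15T13:00:00", 95.00, "electronics"),
]

# Assumptions: amounts below this were approved without an OTP; the rule
# looks at a one-hour sliding window and fires at five such authorisations.
OTP_THRESHOLD_USD = 30.0
WINDOW = timedelta(hours=1)
MAX_SMALL_AUTHS_PER_WINDOW = 5


def flag_small_high_frequency(auths, threshold, window, max_count):
    """Return {card_id: peak_count} for cards that had at least max_count
    sub-threshold authorisations inside any window of the given length."""
    by_card = defaultdict(list)
    for card, ts, amount, _merchant in auths:
        if amount < threshold:
            by_card[card].append(datetime.fromisoformat(ts))

    flagged = {}
    for card, times in by_card.items():
        times.sort()
        start = 0
        # Two-pointer sliding window: advance `start` until the window
        # ending at `end` is no longer than `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= max_count:
                flagged[card] = max(flagged.get(card, 0), count)
    return flagged


def cards_to_suspend(auths):
    """Cards the monitoring rule would hand to the suspension workflow."""
    hits = flag_small_high_frequency(
        auths, OTP_THRESHOLD_USD, WINDOW, MAX_SMALL_AUTHS_PER_WINDOW
    )
    return sorted(hits)


if __name__ == "__main__":
    for card, peak in flag_small_high_frequency(
        SAMPLE_AUTHS, OTP_THRESHOLD_USD, WINDOW, MAX_SMALL_AUTHS_PER_WINDOW
    ).items():
        print(f"{card}: {peak} sub-threshold authorisations in one hour")
```

The sliding window matters: a fixed hourly bucket would miss a burst that straddles the top of the hour. As the article notes, this rule limits the cash-out but does nothing about the skimmer that is still harvesting card data at the merchant, so it should be read as containment rather than prevention.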
In a Magecart-type attack, these controls will not stop the data loss; card data will continue to be exfiltrated. What’s also strange is that it seems only banks in Thailand were attacked in this instance. If the transactions indeed came from ‘foreign online stores’, banks outside the country would also be affected.
The loss of card data triggers data privacy and personally identifiable information (PII) protections in foreign countries; so not only is there fraud to be concerned about, but also fines due to breach of privacy rules.
F5’s recommendations
A good defence against Magecart attacks is preventing access, and this is the responsibility of everyone.
Banks: The banking, financial services, and insurance (BFSI) industry experiences multiple attacks, including phishing, ransomware, and DDoS attacks. By leveraging F5 Shape Security, our customers have been able to prevent data loss from Magecart-style attacks, account takeovers, application layer attacks and manual fraud. 50 percent of all global internet-facing apps run on F5, and we protect 250 billion client-app transactions per day and 1.8 trillion application programming interface (API) endpoint transactions per day. We harness machine learning and data scientists to look for automated and fraudulent traffic and can reduce fraud by 3x with minimal false positives.
Online merchant: Data loss from Magecart is a huge deal and it is tough to identify these attacks using traditional security controls and monitoring. F5’s Client Side Defence solution specifically prevents exfiltration from the client device. In conjunction with F5 Fraud capability, it will increase user experience by reducing friction, so users end up spending up to 20 percent more time on your site, resulting in a five to 10 percent increase in topline revenue.
Consumers: Bank customers need to take reasonable steps to protect their own interests. These include adopting good security practices such as keeping your device up to date, applying ‘hang up, look up, call back’ to phone calls supposedly coming from your bank, and asking yourself: if every device were compromised, what would you do differently?
Want to learn more about the current security landscape and tips and tricks to protect your business? Check out our 2021 Application Protection Report. Alternatively, feel free to drop a comment below or DM me on your thoughts on Magecart – I’d love to hear what you think!
[1] https://www.bleepingcomputer.com/news/security/hackers-use-google-analytics-to-steal-credit-cards-bypass-csp/
新加坡宥云亚洲有限公司 - Encrypted remote working - helping small and medium-sized enterprises transition successfully to cloud services to raise efficiency and cut costs
1 year: Thank you for your great sharing
Helping customers outmatch cybercriminals with a legion of ethical hackers who work for you to protect your attack surface continuously
1 year: James, thanks for sharing!
Jumio, F5 Customer Success (APAC development) 15+ years | CustomerSuccess1 service accelerator | Jumio identity-fraud prevention platform - data governance, AI model risk governance review consulting | F5 incubator distributed cloud security services | Traveltek, Pytheas travel-technology API platform service aggregator | Singapore startups - HR software, travel and privacy-enhancing regtech | Cruise casino VVIP | Bridging Web 2.0 and 3.0 | Product owner, CSPO®, SAFe, ITIL® 4
2 years: Thanks for the write-up, James Tin!
CISO | Advisory | Risk Management | Architecture | Strategy | Transformation | Board | Regulatory | APAC | EMEA | AMER
3 years: Great article, James Tin