Remittance transactions in the UAE continue to be vulnerable to hackers and financial institutions must work closely with intelligence units in order to mitigate the risk of customers losing millions of dirhams to cybercriminals, a currency firm said.
The UAE is one of the leading sources of funds for various countries around the world. In 2016, some Dh70 billion in cash was wired from the UAE to various destinations.
But high-value transactions come with major risks, and the more connected banks and financial companies become, the more likely it is for fraudsters to orchestrate attacks.
“Financial institutions across the globe are connected using complex networking protocols. So the threat or vulnerability could be seen at many levels,” said Santhosh KJ, who takes care of Xpress Money’s compliance policies.
“Web applications are the most vulnerable area of security for the financial services industry.”
A report released on Friday had claimed that the United States National Security Agency has managed to break into the Middle East Swift financial platform, which is being used for global money transfers.
The leaked information contains code that could aid hackers in infiltrating financial transactions and stealing millions, similar to what happened at Bangladesh Bank, where fraudsters stole $81 million.
The threat isn’t confined to companies in the region. In fact, organisations around the world are dealing with huge financial costs due to cyberattacks.
According to new data released by Kaspersky Lab and B2B International, financial firms incur a million dollars in losses every year for each cybersecurity incident they face. Criminals can use various strategies, from deploying viruses to compromise networks and using malware to steal data, to infiltrating video feeds to collect information.
“The most-costly type of incident for financial organisations are threats that exploit vulnerabilities in point-of-sale systems, in which an organisation typically loses $2,086,000. Attacks on mobile devices are the second most costly ($1,641,000), followed by targeted attacks ($1,305,000),” Kaspersky said in a report.
Santhosh said the attacks are only bound to happen again, unless more effective solutions are in place and greater collaborations among stakeholders exist.
“One would definitely see such attacks again and again, as hackers are not going to give up their options. There should be ongoing assessment of system control and enhancement of three-dimensional security layers built around it,” he added.
“There should be more collaboration between financial institutions and FIUs (financial intelligence units), so that unusual activities are identified at various check points. The fight against fraud has become an ongoing and evolving process. Organisations should bring in more controls and checks in place and be more pro-active by encouraging a positive risk attitude. This must be a top down approach.”
EastNets, the Dubai-based company that manages Swift, had earlier dismissed the report that claims money transfers in the Middle East have been compromised.
The company said it has done a complete check of its servers and found no hacker compromise or any vulnerabilities.
“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way. EastNets continues to guarantee the complete safety and security of its customers’ data with the highest levels of protection from its Swift certified service bureau,” said Hazem Mulhim, CEO and founder of EastNets.
Fraudsters devise various schemes for stealing money from financial institutions and, through money transfers, from average-income consumers. The tactics range from traditional to complex. Here are just a few examples:
In 2016, cybercriminals infiltrated the computer systems of Bangladesh’s central bank and accessed credentials needed to make cash transactions. The hackers were able to install malware that helped them gain remote access to the bank’s computer systems and learn how the bank withdraws funds from its account in the United States. They managed to transfer a total of $81 million to fake accounts in Sri Lanka and the Philippines. With hackers leaving no trace, the money hasn’t been recovered since.
In 2003, a businessman lost some $50,000 from his bank account. It was believed that a “keylogging virus” infected his personal computer and hackers were able to get their hands on the login credentials for his bank account. The bank reportedly refused to take responsibility for the missing cash.
In a span of about 11 years, between January 2004 and August 2015, Western Union logged more than half a million (550,000) complaints from customers who were scammed by fraudsters, according to cbsnews.com. In some instances, a customer would get a call from someone who would instruct them to send cash in order to help a family member or claim a prize. Customers were not able to recover the money once transferred.
For scams likely to be staged by hackers, Kaspersky Lab recommends the following steps for financial institutions:
1. Beware of targeted attacks
Targeted attacks on financial organisations are likely to be conducted through third parties or contractors. These companies often have weaker protection, or none at all, and can be used as an entry point for malware or a phishing attempt.
2. Do not underestimate less sophisticated threats
Fraudsters can strike en masse and benefit from scale using the simplest tools. Social engineering might contribute to 75 per cent of fraudulent incidents while only 17 per cent could be caused by malware.
3. Do not pick compliance over protection
Budgets are usually allocated in favor of compliance, but strengthening security and introducing new protection technologies requires a more balanced approach to the allocation of resources.
4. Do regular penetration testing
Unseen vulnerabilities are real nevertheless. With implementation of sophisticated detection tools and penetration testing, vulnerabilities and incidents will emerge. Ensure your eyes are open to all weaknesses and threats – before it’s too late.
5. Pay attention to insider threats
Employees can be exploited by cybercriminals, or decide to become cybercriminals themselves. Effective security strategies should go beyond perimeter protection to include techniques that can detect suspicious activity within organisations.