External service providers make banks vulnerable to cyber attacks

Attacks on payment systems and third-party service providers, as well as vulnerabilities in underlying system technologies, are some of the greatest concerns faced by Asia’s banks and financial institutions this year, according to the Financial Services Information Sharing and Analysis Centre (FS-ISAC).

FS-ISAC is a non-profit industry consortium dedicated to reducing cyber-risk in the global financial system.

The first-semester 2019 Asia Pacific Cyberthreat Review shows that FS-ISAC members are consistently concerned about threats or attacks against payment systems, especially international systems, including how attacks against payment systems in less experienced countries may directly affect them.

This includes disruptions to financial services capabilities, the reputational risk to the targeted institutions, and the loss of consumer confidence in the sector, which could affect economic conditions in their home countries. Several banks in Bangladesh encountered attacks on payment systems in the first half of this year.

Also, FS-ISAC members have seen significant increases in business email compromise attempts and this remains a growing concern for firms in the region. Cyberthreat actors are becoming more creative in their attempts to use “social engineering” to infiltrate organisations through email.

Further, financial institutions are increasingly apprehensive about the security postures of third-party service providers, given recent events such as the Wipro breach (India), ASUS Live Update attack (Taiwan) and LandMark White (Australia).

Complex systems carry unforeseen vulnerabilities for banks and financial institutions. For example, IBM announced it had four vulnerabilities, collectively dubbed Microarchitectural Data Sampling (MDS), which consist of four different attacks. Another recent example is Microsoft’s announcement of a detected Remote Code Execution Vulnerability in Remote Desktop Services.

“We are seeing more time spent on preparation and reconnaissance prior to initiating attacks to ensure attacks are successful and against the best targets, be it a person or information system on a network,” said Brian Hansen, executive director of FS-ISAC APAC.

“These threat actors are also increasing collaboration on the dark web, selling and seeking services that can be used against financial institutions,” Hansen said.