Following the news about the breach of consumer trust caused by the theft of credit card data belonging to 20 million South Koreans, we got in touch with Raed Taji, Head of Global Fraud Consulting, Asia Pacific, FICO, to find out more about the threat landscape in Asia and what companies can do to protect themselves and their customers.
We have heard of data theft cases involving US retailers. But now, recently, we saw the theft of credit card information of 20 million South Koreans. This is unprecedented. What does it mean for Asia and what does it portend?
Taji: The scale may be unprecedented, but make no mistake: Asia has not been immune to data theft even before this. In the right conditions, the thefts can be on a very large scale, as you have seen in Korea.
We've seen incidents even closer to home. In December last year, it was discovered that a breach had occurred at Fuji Xerox, which prints credit card statements for Standard Chartered Bank, leading to the theft of confidential information from 647 of Standard Chartered's private wealth clients in Singapore. Earlier in February, credit card users from four banks in Singapore were billed fraudulently by Taiwan's Neweb Technologies, another example of a data breach incident.
Figures from the Malaysia Computer Security Response Team for January 2014 note that 717 incidents were reported, including 109 intrusions, 3 intrusion attempts and 150 fraud incidents. In Malaysia, mandatory notifications of data breaches are not required, so it's fair to assume even more companies have been affected.
Asia continues to be a target for hackers, and as part of their IT strategy, companies should look to put in place preventive measures before they fall victim to a hack, and potentially lose customers, incur severe losses and damage their market reputation.
The best way to approach this is to engage in a threat and vulnerability analysis. The organisation should also have a contingency plan in place in case a breach does occur that covers all aspects of the business such as response, operational, public relations and so on.
Two kinds of attacks are happening. One is the criminal kind, which is for profit. The other is the hacktivist variety of attack and data theft. We saw a recent case in Singapore too. What do you read in this? What is the weakest link here?
Firstly, it's clear that hackers have become much more aggressive about detecting vulnerabilities at corporations, so companies need to protect themselves more thoroughly than before.
Secondly, many companies have not been doing enough to protect themselves in the first place.
Thirdly, companies may not be monitoring their systems closely enough. Intruders can still be halted in their tracks as soon as suspicious activities have been detected. Analytic technology can detect fraud and alert companies very quickly based on changes to expected patterns.
The weakest link could be anywhere along this chain, but as you can see, there are many potential points of vulnerability. While the motivations for the hacking may be different, the results are the same. Hacking and data theft will lead to damaged reputations for brands, operational losses, and missed sales opportunities.
A third kind of attack, well, not actually an attack, is coming from the state itself. We saw what Edward Snowden had to share with the world. How can citizens negotiate a new social contract with the state as an agency, where corporates are also playing a very big role (as collaborators sometimes)? Today we talk about globalisation and data sovereignty rather than state sovereignty. What are your thoughts on this?
From our perspective, the anti-hacking fundamentals here are the same, even though the motivation for this type of hack was different, in that it was political rather than for financial gain.
In terms of reducing data theft and fraud, what steps should be taken by enterprises, especially retailers and banks?
What we advocate is prevention over cure. Risk mitigation is all about balancing the investment against the danger to the business. Organisations like banks prioritise data security and invest in several layers of protection to ensure that the data they have remains safe. Examples of this include two-factor authentication and intrusion detection systems. Further to this, analytics software solutions from FICO can look at historical activity to determine whether current activities are suspicious, or predict what will happen next.
Educating employees and making them aware of data breach protocols is another important part of the solution. A 2013 global study from Symantec and the Ponemon Institute found that human errors and system problems caused two-thirds of the data breaches in 2012. Issues included employee mishandling of confidential data, lack of system controls (no requirement to change the password from the default password etc.), and violations of industry and government regulations - most of which can be prevented.
Technology innovations continue to help in the race against the hackers as well. For example, at Singapore Management University, a professor is working on a way to make passwords invisible to browsers and operating systems while still allowing users to log into a website, and sensitive documents invisible to the rest of the system.
Do you think data theft will be more common when more people start using mobile banking?
New channels mean an added avenue for hackers to reach victims. There will definitely be attempts, both directly through the mobile platform or the software, and along classical means such as phishing attempts or scams with faked mobile versions of banking websites.
Another area of vulnerability is phone theft. If people choose not to secure their phones with passwords, they could be opening themselves up to instant plundering of their bank accounts when their phone is stolen. Companies should invest in measures like a remote wiping service in case a corporate phone is stolen.
How can banks and retailers allay customers' fears that it is safe to use plastic money or do mobile banking?
They should ensure they are secure in multiple ways. What reassures a customer most is knowing that the financial institution has the proper tools and is doing everything it can to protect them. This can be achieved by contacting them when potentially unusual activity occurs on their account. This shows that the bank or retailer is monitoring and flagging unusual activity and is able to stop suspicious activity from going any further.
FICO's analytic offerings can detect suspicious activity in real time and also detect fraud earlier, with fewer false positives (saying there is fraud when there is not).
Companies also have to practise good data management. Ensuring that data is protected through different types of computer security; enforcing data confidentiality guidelines at the office; educating customers about unsafe data practices; and monitoring computer systems to check for suspicious activity are some ways to ensure that the data remains safe.
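The answers above describe, in general terms, how analytics flag fraud from deviations against a customer's expected pattern and then alert the customer on unusual activity. The following is an added illustration of that idea written for this page; it is not FICO's software or any code from the interview. It builds a per-card baseline (typical amount, countries seen, transaction timestamps) from constructed history records, then scores incoming transactions on three assumed rules: an amount far above the card's usual spend, a country never seen for that card, and a burst of transactions inside a short window. The thresholds, field names and sample data are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    """One card transaction (constructed schema; ts is minutes on a simple clock)."""
    card: str
    ts: int
    amount: float
    country: str
    merchant: str


# Constructed history: card C1 spends small amounts in SG once a day,
# card C2 spends moderate amounts in MY once a day.
HISTORY = [
    Txn("C1", i * 1440, amt, "SG", "grocer")
    for i, amt in enumerate([25, 40, 35, 60, 30, 45, 50, 20, 55, 40])
] + [
    Txn("C2", i * 1440, amt, "MY", "petrol")
    for i, amt in enumerate([100, 120, 110, 130, 140])
]

# Constructed incoming stream: one normal C1 purchase, then a large foreign
# charge, then a rapid burst, a normal C2 purchase, and an unknown card.
INCOMING = [
    Txn("C1", 13020, 45, "SG", "grocer"),
    Txn("C1", 13025, 950, "RO", "electronics"),
    Txn("C1", 13027, 30, "SG", "cafe"),
    Txn("C1", 13029, 30, "SG", "cafe"),
    Txn("C2", 13000, 125, "MY", "petrol"),
    Txn("C9", 13001, 10, "SG", "cafe"),
]


def build_profiles(history):
    """Summarise each card's past behaviour into a baseline profile."""
    per_card = defaultdict(list)
    for t in history:
        per_card[t.card].append(t)
    profiles = {}
    for card, txns in per_card.items():
        amounts = [t.amount for t in txns]
        profiles[card] = {
            "mean": mean(amounts),
            "std": pstdev(amounts) or 1.0,  # avoid division by zero on flat history
            "countries": {t.country for t in txns},
            "recent": sorted(t.ts for t in txns),
        }
    return profiles


def score_transaction(profile, txn, z_limit=3.0, window=10, velocity_limit=3):
    """Return the list of rules a transaction trips against its card's profile."""
    reasons = []
    z = (txn.amount - profile["mean"]) / profile["std"]
    if z > z_limit:
        reasons.append(f"amount z-score {z:.1f} above {z_limit}")
    if txn.country not in profile["countries"]:
        reasons.append(f"country {txn.country} never seen for card")
    in_window = [ts for ts in profile["recent"] if txn.ts - window <= ts <= txn.ts]
    if len(in_window) + 1 > velocity_limit:
        reasons.append(f"velocity {len(in_window) + 1} txns in {window} min")
    return reasons


def evaluate(history, incoming):
    """Score a stream against baselines; return (txn, reasons) pairs worth an alert."""
    profiles = build_profiles(history)
    alerts = []
    for t in incoming:
        profile = profiles.get(t.card)
        if profile is None:
            alerts.append((t, ["no history for card"]))
            continue
        reasons = score_transaction(profile, t)
        if reasons:
            alerts.append((t, reasons))
        # Timestamps are fed back so the velocity rule sees the live stream;
        # the amount baseline is deliberately left frozen so a fraudulent
        # charge cannot pull its own threshold upward.
        profile["recent"].append(t.ts)
        profile["recent"].sort()
    return alerts


if __name__ == "__main__":
    for txn, reasons in evaluate(HISTORY, INCOMING):
        print(f"ALERT card={txn.card} ts={txn.ts} amount={txn.amount}: {'; '.join(reasons)}")
```

Each alert carries the reasons that fired, which is what a bank would turn into the customer contact the answer mentions. In practice the amount rule would be tuned per segment to keep false positives low, and the velocity window would be measured against a real clock rather than the toy minute counter used here.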
What should a company do after a breach has happened?
If you do suffer a breach, the first thing to do is to halt the damage by ensuring that the vulnerability is addressed, so that no one else can take advantage of it. At the same time, the extent of the breach should be studied, and customers informed as soon as possible.
The nature of the theft will shape what the next steps are - banks may want to cancel credit cards and issue new ones, or users may be requested to change their passwords and look out for suspicious activity on their credit card statements. Next, invest in strengthening the system and investigating whether there are other vulnerabilities to address. Finally, decide what form compensation will need to take.
Be aware that your competitors are likely to benefit if existing customers decide that they cannot trust you anymore. Work on your strengths while announcing what new measures you are taking to ensure that customer data is going to be more secure in the future.
Anything else you would like to add?
Security breaches are becoming more common, because crime syndicates realise the incredible 'honeypot' that exists in cyber-fraud. They stand to steal millions of dollars at very little physical risk or possibility of prosecution. For this reason, it is important for organisations to remain vigilant and plan for investment in security systems, especially if handling large amounts of sensitive customer data. The opportunity cost is that dollars saved along the way will seem insignificant if they suffer a breach. Disaster recovery and reputation management is a costly business, so it is best not to be penny-wise but pound-foolish by investing in cheaper, weaker security in the hope that hackers will ignore you.