Cashing in on cyber crime
On a quiet Sunday in May, as dawn was breaking over Tokyo, a 100-strong army of hooded ‘withdrawal mules’ rolled up at convenience stores across Japan and began a bank robbery that the country had never imagined possible.
Exactly three hours, 14,000 ATM cash withdrawals and ¥1.8bn ($18m) of theft later, the gang stopped work and melted away, the only immediate trace being some ill-defined CCTV footage and virtual footprints to credit card data stolen from a bank in South Africa.
Cyber security is a growing concern globally but it is creating particular anxiety in Asia after a flurry of attacks affecting Bangladesh, the Philippines, Taiwan, Thailand and Vietnam. Experts say the spike is driven partly by growing political tensions, such as China’s dispute with its neighbours over islands in the South China Sea, but the other key trigger is the attraction of increasingly lucrative, but patchily defended, banks and companies.
Surveys suggest tens of billions of dollars were lost in revenues last year alone. The problem has become so acute that the 10-member Association of Southeast Asian Nations, a bloc of almost 600m people and some of the world’s fastest growing economies, will meet in Singapore next month to try to improve co-operation and strengthen security.
Companies in Asia lost $81bn in revenues last year to cyber crime — more than in the US or Europe. Now observers warn that under-investment is making the region even more vulnerable to new forms of attack
The new frontline
The execution of the Tokyo heist caught the headlines, but Itsuro Nishimoto, chief technical officer of LAC, the Japanese information security group, says it is the nature of the digital crime underpinning it that is more significant.
The ATMs belonged to Seven Bank, the only institution in Japan offering 24-hour cash machines that allow withdrawals on a foreign-issued credit card with a magnetic strip rather than the more secure integrated-circuit chip. The timing of the attack exploited loopholes in the fraud analytics software at both the Japanese and South African end of each transaction.
The reaction of the Japanese authorities suggests that the robbery has been a wake-up call. This year, Japan will introduce reforms that will allow the country’s banks to invest directly in fintech and develop online financial services technologies in-house.
Experts in online security say Asia is on the front line of an emerging category of cyber crime where thieves quickly convert the digital crime into real money. While US and European systems have been under attack for longer they have found ways to survive. Asia is more exposed.
A dangerous combination of a lack of awareness and investment has resulted in institutions that are poorly protected, say observers. The string of direct attacks on Asian banks — including some that exploited weaknesses in how institutions use Swift, the international financial messaging service — are proof of the heightened risk, they add.
Up to 90pc of Asia-Pacific banks and companies surveyed by LogRhythm reported an attack of some form this year, according to Mr Taylor. They ranged from customers being swindled out of remittances to direct hacks on the banks’ core systems. In 2015 the number was 76pc; the year before that, two-thirds reported incidents.
The cost is enormous. Business revenues lost to cyber attacks in the Asia-Pacific region came to $81.3bn in the 12 months to September 2015, according to a survey by Grant Thornton, the professional services company. It based its report on a survey of 2,500 businesses globally. The toll from attacks in Asia exceeded those in North America and the EU by about $20bn each and accounted for more than a quarter of the $315bn cost of attacks globally during the period.
In a recent analysis of the threat in Japan, Chikai Tanaka, a software industry analyst at Nomura Securities, says the emphasis in cyber attacks had swung towards the extortion of money or the theft of information providing access to money.
The pillaging of Seven Bank’s ATMs came just months after another audacious bank heist. Attackers used malignant software to beat the system at the Bangladesh Central Bank to send $951m of payment instructions into the broader Swift network. Investigators say of the $101m that was reportedly stolen, $80m was laundered through casinos in the Philippines.
Much of the evidence about increased vulnerability in Asia is anecdotal and some of the publicity comes from cyber security businesses that have a vested interest in selling their services to worried companies. However, more groups are admitting that there are problems as the frequency of raids increases.
Large-scale ATM heists have taken place in Taiwan, Malaysia and Thailand. In July the Bangkok-based Government Savings Bank closed almost half its 7,000 cash machines nationwide after thieves targeted 20 machines and took $350,000.
Owning the problem
The extent of Asia’s vulnerability is difficult to quantify because of the lack of laws that would compel companies or governments to disclose attacks. But a report on the region by FireEye found that organisations allowed attackers to ‘dwell in their environments’ for a median of 520 days before discovering them — more than three times the global median of 146 days.
Despite such cases, there is reluctance in Asia and beyond to put too much emphasis on the problem being regional when the criminals and the crime are global.
Gottfried Leibbrandt, chief executive of Swift, acknowledged that several of the recent heists targeted Asian banks using his company’s network, but he told the Financial Times it was ‘dangerous’ to point the finger at any particular region.
Mr Leibbrandt is, however, in no doubt about the damage such incidents can cause. After the Bangladesh attack he said: “Banks that are compromised like this can be put out of business. It’s not like retailers losing credit card details or telcos losing customer details. Telcos and retailers will take reputational hits and may face some financial liabilities but things will move on.
“When banks lose control of access to their payment channels, it’s different. In the recent cases, thieves were able to move just some of those banks’ overseas assets. As a result, for the banks concerned, the events haven’t been existential. The point is that they could have been,” Mr Leibbrandt added.
For the financial services industry in Asia, regulatory compliance has often appeared more important than actual defences, say observers. As a result, too few companies have rehearsed what to do if hit by a major cyber crisis.
Silent attacks
Hackers have now zeroed in on techniques such as the use of ‘ransomware’ to encrypt targets’ data. They then contact the company to sell the key for a fee rather than auctioning the information to a third party.
According to FireEye, ransomware demands have spiked since March. They have increased in other regions too, but the rise was much more pronounced in Asia, where more than 40pc of its government and corporate clients suffered an attack.
Like other cybercrimes in Asia, the Japan ATM heist was notable for its combination of digital know-how with old-fashioned larceny: a triumph of technology, planning and physical execution.
Published in Dawn, Business & Finance weekly, September 26th, 2016