Is Our Cyber Security Non-Existent?

The issue of the Latin American gang that hacked into some of Malaysia’s ATM’s (automated teller machines) and absconded with a little over RM 3 million is both frightening and eye-opening. It should be an indication to us that our cyber security is grossly lacking and perhaps our money and personal information are not as safe as we once thought them to be.

If you have been following the news, you will know that the people who carried out this heist did it in a very simple manner, so much so that it is quite a shock that they were able to get away with so much of our money. In short, the criminals installed a malware onto the ATMs that allowed them to withdraw money from the ATMs every time they inserted a code into the ATMs. They were able to install the malware by way of the CD slot under the ATMs top panel which they simply popped open. All this was done out in the open and still nothing was discovered amiss until much later.

All the news reports of the investigation highlight certain aspects that led to the criminal’s success which include:

> Most ATMs still use Windows XP (up to 95%). It is an unprotected operating system as it has been discontinued by Microsoft and is no longer receiving security updates.

> Old models of ATMs (NCR5587) that can be easily tampered with.

> Most Machines have not been updated in five years.

> There is nothing stopping unauthorised access to ATMs beyond what the standard customer should be capable of.

To top this off, there is also a possibility that online banking and any monetary transactions carried out online could be very unsafe. With online banking comes the danger of phishing sites that collect personal information and hacking – money and personal information can be stolen if a compromised device such as a laptop or a mobile phone is being used for online transactions.

It is an emerging trend among Malaysians to conduct many of their monetary transactions online such as bill payments, shopping, money transfers and investments. This trend is a little worrying as according to the Sophos Security Threat report 2013, Malaysia ranked fifth most vulnerable country to cyber attacks.
Nevertheless, despite our obviously lax cyber security, citizens are being encouraged to conduct more and more of their transactions through online banking and e-payments; which is honestly a mind –boggling notion. Proof of this includes the topic earlier this year where there was talk of banks charging a 50 sen processing fee per cheque starting April 1, 2014, which was then postponed to January 2, 2015 as many banks were still not equipped to accept e-payments.

As the issue of cyber security concerns both our money and personal information when it comes to the banking industry we have to ask, what is being done to increase Malaysia’s cyber security and make our online banking safe? How can we conduct e-payments with confidence when even our ATMs are easily tampered with? How many of us have already suffered because we have been rushed into online banking without looking at the possible repercussions and have not prepared for them?

One thing is for sure, the “basic layer” of protection that banks provide for their online and mobile banking is no longer enough. Its seems the only options we have until responsible parties decide to strengthen our cyber security are to cower in fear of the cyber criminal; to be constantly looking over the virtual shoulder or to spend hefty sums on bank processing fees for physical transactions that are sure to increase the more we are “encouraged” to use e-payment. Until our cyber security is not compromised, Bank Negara Malaysia should defer the implementation of any mandatory online banking and e-payments systems.

Press release, 8 Oct 2014