Systems should be inherently secure: Verizon regional head Ashish Thapar


Verizon’s 2019 Data Breach Investigations Report shows a majority of security breaches are financially motivated, with 32 per cent involving phishing, 29 per cent the use of stolen credentials, and 56 per cent staying undiscovered for months or longer. While cyber attacks have increased, physical attacks against ATMs are down, as are frauds in the case of EMV chip-based cards. Here, Ashish Thapar, managing principal and regional head, APJ, Verizon Enterprise Solutions, speaks to M C Vaijayanthi on lessons India can learn. Excerpts:
 
What does your report say about the situation in India?
What we see is that a majority of the breaches are financially motivated. Close to 70 per cent... That is why we see a lot of financial institutions getting attacked by threats of a varying nature. In India, there is a lot of social engineering. The three musketeers as we call them -- social engineering, malware, and stolen credentials -- close to 80 to 90 per cent of breaches have these ingredients...
 
There are ambitious targets being talked about for digital payments and growth in India, and large parts of it go through mobile devices...
We do see a wide variety of attack vectors... The SWIFT attack that happened, that was basically a cyber-security attack that started with social engineering sometimes... sometimes vulnerability of systems. Companies need to get their act together. A lot of times you see organisations putting a lot of money in shiny tools... they buy this, buy that and at the end of the day lose focus on a very important aspect, that is people and process control, procedural controls.
 
How does the SWIFT attack reflect on banks’ network and system integrity?

Security needs to be driven in a layered concept... You cannot depend on a single control or system to give you security... In these kinds of attacks, mostly, you will have environmental systems, you will have a third party connecting into your network, you will have your staff working remotely. There are a lot of exposure points that actually give ample opportunity for bad guys to pick and choose from. Once they are inside, they basically make lateral movements from one system to another and if you do not have adequate security mechanisms isolating critical networks... You cannot just blame a cocoon system called SWIFT... there are other satellite systems that connect to that system and that ends up compromising the security of the whole thing. At the end, security is only as strong as the weakest link in the chain.
 
Banks are already saying they want to move away from chip-based cards...
Chip imprint technology, when it was brought in, really did quite a lot to decrease the number of breaches on the card cloning side of things. But then, cyber criminals are also quite smart... because they could see that this particular avenue is getting tighter, they have started moving towards online transactions.
 
What kinds of safeguards can be put in place now?
One very important thing is that the RBI has referred to PCI DSS (payment card industry data security standard)... A very similar standard can be adopted on the India level if you do not want to adopt the global standards in PCI DSS. On a national level, from a legal statute perspective, I think we need to do more to create deterrence in the minds of people who defraud gullible individuals. The IT Act had certain provisions, but the personal data protection act has still not been notified in India… pending in the Rajya Sabha for many, many years.

Virtual banks, and mobile wallets need special attention. It is easy money in and out, and it is also easy for cyber criminals because all they have to do is to trick you into sharing your PIN or OTP with them. Before we go too digital, we need to make sure the systems are inherently secure. More importantly, cyber-security awareness needs to be imparted from the grassroots level.

The New Indian Express
www.newindianexpress.com