The rise of SMS phishing attacks is an issue that is continuing to destabilize long-term consumer trust.

Today, phishing is no longer confined to email. Aided by the rise of digital banking and sophisticated social engineering, phishing remains a top threat to financial service institutions (FSIs) in the Asia Pacific region.

Threat actors are becoming more creative and baiting users through frequently used applications such as WhatsApp and more recently, SMS messaging, a trusted communication channel for decades.

According to Akamai’s latest State of the Internet (SOTI) – Phishing for Finance report, text messaging continues to be a basic part of today’s mobile usage in the region.

SMS is one type of messaging format that users are known to respond to quickly and consistently. This creates an opportunity for threat actors to increasingly exploit users’ trust, overwhelming phone devices with phishing messages impersonating bank, reward companies, package delivery services, online retailers, and more.

Apart from SMS phishing (also known as ‘smishing’) attacks being inexpensive to develop and deploy, there is free infrastructure available in domains and readily available methods of carrying it out.

Are FSIs in the region effectively mitigating smishing and credential stuffing threats? Is consumer trust in FSIs improving as a result? CybersecAsia sought out some insights from Siddharth Deshpande, Director of Security Strategy, Akamai Technologies.

Siddharth Deshpande, Director of Security Strategy, Akamai Technologies

What are some fresh security concerns amidst the rise of digital banking in Asia Pacific?

Siddharth Deshpande (SD): While digital banking is on the rise, exposed application programming interfaces (APIs), insecure customer mobile devices, insider fraud, and other criminal activities all are ongoing security concerns in the digital banking domain. Cybercriminals are cleverly using pandemic as a distraction to hack into systems and target employees and customers of banks, payment providers, online retailers, and other businesses at a worrying pace.

Credential abuse, often with a goal of account takeover, remains one of the top attack vectors in a criminal’s arsenal. These types of attacks remained high last year and show no signs of slowing down. 

According to our recent SOTI report, in 2020, there were 193 billion credential stuffing attacks globally, with 3.4 billion of them in the financial services space alone.

Throughout last year, criminals leveraged COVID-19 and the promise of financial assistance, or the stress of financial hardship, to target people across the globe via phishing. These attacks, in turn, fueled the credential stuffing boom, as newly collected credentials, freshly sorted data breaches, and old collections were combined, tested, traded, and sold on the various markets on the web.

Phishing campaigns – especially ‘smishing’ – are not showing any sign of slowing down. What should FSIs, banks, fintechs and governments do to protect customers against such threats?

SD: With the APAC region seeing an increase in users accessing digital banking services, exposed application programming interfaces (APIs), insecure customer mobile devices, insider fraud, and other illegal activities are growing concerns in the FSI sector.

While various businesses were dealing with remote work migration last year, cybercriminals took advantage and adjusted their phishing kits and directed them to COVID-19 issues, including government aid and work-related problems, such as email access or service status.

With more organizations migrating business-critical functions to the cloud, the inherent threats to their operations are becoming more apparent as intruders look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures by them. In turn, the industry is witnessing a rise in Phishing campaigns by these bad actors.

Organizations need to remember that merely having two factor authentications does not automatically provide security – their authentication factors need to be ‘phish proof as well. The most effective way to achieve this is to leverage phishing resistant multi factor authentication (MFA)  technologies that use the FIDO2 protocol. Protocols such as FIDO2 that cryptographically bind user credentials will make phishing harder and make tricks near impossible to pull off.

How could multi-factor authentication (MFA) be a security illusion? How are cybercriminals bypassing or evading MFA?

SD: Multi-factor authentication solutions can help prevent unauthorized access to financial services applications if a cybercriminal gets their hands on valid login credentials. MFA is beneficial, but it does not always prevent credential stuffing. On the contrary, MFA can help attackers in a lot of cases.

Today’s criminals have evolved and become more sophisticated. This change includes elements that target 2FA and MFA protections, where victims are tricked into filling out their one-time password (OTP) or revealing it to the threat actor during a conversation.

With various MFA implementations, users enter a user ID and password combination. Then they are prompted to verify another step-in identification like a code sent via email or SMS. A cybercriminal can take advantage of MFA to verify a user’s ID/password combination. With the user ID/password confirmed, the attacker can easily target the victim directly via a spear-phishing attack. He then sells the validated credentials on the dark web or goes on to attempt another malicious act.

However, to eliminate the security risks associated with current MFA approaches, enterprises should consider enhancing their authentication by deploying an MFA solution that is based on FIDO2 standards

For example, Akamai MFA is a multi-factor authentication solution that leverages FIDO2, the strongest standards-based verification method available, via a smartphone app can offer a strong first layer of defense for FSI organizations. It integrates with Akamai’s Zero Trust Network Access (ZTNA) and secure web gateway (SWG) solutions, providing a foundation for Zero Trust security for businesses in the FSI sector.

Why is credential stuffing difficult to detect? What should FSIs and businesses look out for?

SD: Hackers are continuously evolving and refining their tactics to steal and sell user data. As users move more and more to digital platforms at work and home, there is certainly an increased threat around online account credentials. The pandemic has increased the volume, frequency, and value of digital transactions, in turn attracting cybercriminals’ attention to user accounts and credentials that facilitate these transactions.

Credential stuffing attacks can damage a firm’s reputation and result in regulatory fines, legal payouts, and customer churn. They can also impair the performance of the organization’s website and online applications by overwhelming the infrastructure with bogus bot traffic. To make matters worse, attackers are always sharpening their techniques, distributing login attempts across thousands of bots, using proxy servers, spreading out login attempts over time to evade detection.

Blocking known malicious IP addresses from launching bot attacks is important but is only a small part of the solution. Given the frequently changing deception tactics used by bot operators, defenders also need to look at analyzing behavioral patterns to distinguish malicious bots from legitimate traffic. Malicious bots need to be stopped while allowing legitimate user traffic to continue uninterrupted. In the digital word, customer experience should never be sacrificed in the quest for improved security.

For comprehensive protection, FSI’s and businesses can introduce a multilayered, defense-in-depth security architecture, combining MFA with other safeguards. Some of them are:

  •   Re-examine applications and website login pages: Constantly Revisit authentication workflows and login pages to update any loopholes.
  • Augment MFA solutions: Multi-factor authentication solutions can help prevent unauthorized access to financial services applications if a cybercriminal gets their hands on valid login credentials.
  • Implement a bot management solution for multilayered protection: Bot management solutions detect and control illegitimate bot traffic at the network edge, blocking attackers before they can get to your applications or overwhelm your infrastructure. Best-of-breed bot management platforms use artificial intelligence and machine learning to detect and thwart advanced credential stuffing attacks.