F5 Predicts: Identity theft going viral in Southeast Asia

According to a Symantec report, in Singapore alone, cybercrime cost the average victim S$1,448 (US$1,056) in 2013, three-and-a-half times the global average of US$298. By 2020, the overall impact of cyberattacks on the global economy is estimated to be as high as US$3 trillion.

The continued rise in these figures is driven by several key trends: more people spending more time online, thanks to the proliferation of broadband connectivity; an increase in financial transactions online, including e-commerce; and rapid adoption of mobile devices, often with fewer security measures in place than traditional computers. Trend Micro’s report The Invisible Becomes Visible anticipates that in 2015 data breaches will more frequently hit the mobile devices that carry consumer data, and the companies that store it.

Southeast Asia is a nexus of all of these developments – which is why we can expect identity theft to explode in the region in the coming few years. Smartphone and tablet penetration is skyrocketing there, bringing online millions of new users; 62% of Internet users in Indonesia and 41% in Thailand use only a smartphone to connect, compared with 11% and 6% in the US and UK respectively. And 37% of Singaporeans and 32% of Malaysians made their latest purchase online, beating out the 29% in the US (Google Consumer Barometer).

While shopping and entertainment services, as well as public services, increasingly move online, education and awareness about online privacy and safety remains low. More people are routinely sharing data loosely with more organizations than ever, and through unsecured channels, putting personal identity data at greater risk than ever.

What does this mean for my business?

Business IT infrastructure and applications continue to be the main targets of hackers, who often aim to acquire user data and financial records from enterprises. The dire consequences an attack can have on a business have become increasingly apparent; one recent EIU study indicated that almost 40% of firms have experienced significant economic loss as a result of data security breaches.

From a macro perspective, the survival of online commerce and services relies on continued consumer confidence that they can share their information online without exposing themselves to a significant risk of identity theft. Already, privacy and security are major barriers in the take-up of online and mobile payment services.

Businesses need to counterbalance with strong, proactive security measures that reflect the increasing sophistication, frequency, and diversity of today’s attacks. Conventional stateful security devices at the edge of the data center are ill-equipped to handle such attacks, there is a need for modern threat mitigation platforms that provide complete protection from the bottom to the top of the network stack, from apps hosted in on-premise data centers to apps sitting in the cloud.

Hackers use poorly protected public facing web channels as a means of entry into an organization – compromising servers, stealing data and performing mischievous defacement – as such, these channels have to be sufficiently protected.

Replicating and enforcing consistent and proven web application security policies across traditional and cloud (i.e. hybrid) environments, however, involves significant cost and complexity; organizations must choose between employing specialized IT security teams in-house or adopting solutions such as F5’s hybrid security offerings and offloading complex policy management and compliance to drive efficiencies. F5 Silverline Web Application Firewall (WAF), for example, is supported by highly specialized security experts who build and maintain WAF policies for organizations to defend against web attacks and help achieve regulatory compliance in hybrid environments.

Corporations are at risk when their employee’s identities or accounts are compromised as well. The underground financial marketplace was recently buzzing with activity with the launch of the Dyreza or Dyre malware, which has targeted hundreds of bank websites and stolen over US$1 million from corporate bank accounts, becoming one of the most dangerous banking Trojans ever. After successful infection of the endpoint, Dyre is able to steal users’ login credentials and perform illicit financial transactions, unbeknownst to the user. F5’s anti-fraud solution, WebSafe, is able to prevent such man-in-the-middle and man-in-the-browser attacks where hackers intercept unencrypted web traffic allowing users mistakenly believe they have a secure connection with their online banking site. 

Malware also has the ability to perform web injections and embed fake fields into the seemingly real website, tricking users into entering details like credit card information, birth dates and other personal information. They also perform automated transactions to steal or transfer funds to unauthorized accounts. F5’s WebSafe has the added ability to proactively detect phishing websites as they are being set up, allowing organizations to arrest these in almost near real time.

Full name. Date of birth. Occupation. Phone number. Address. We encounter these form fields and blank spaces online almost every day, but how many of us think before filling them in? Or stop to question where that information is going, how it’s being transmitted and stored, and what security measures are in place?

We may not be thinking too much about the questions – but hackers certainly are. They are constantly identifying vulnerabilities and exploiting them, stealing our Personal Identifiable Information, and if the proper gates are not put in place to mitigate these, the consequences will be insurmountable.