Can you give us an update on the Wanna Decryptor cyber attack, also known as WannaCry? How secure is Vietnam’s cyberspace in light of this attack?
The major WannaCry ransomware attack used the network infection vector EternalBlue, which exploits vulnerabilities in Microsoft’s implementation of the Server Message Block protocol, to spread itself, and there is likely more damage to come. The presence of a ‘kill switch’ and the low ‘turnover’ of ransom payments indicate that this attack was possibly testing the waters and may be followed up with something more serious in due course.
The group responsible for WannaCry has yet to be identified. However, many researchers conclude that the attack was not very sophisticated and may have used code samples published by other hackers.
International peers do not currently consider Vietnam a safe Internet environment. Due to the high prevalence and adoption rate of new technologies, Vietnam is currently ranked the number-one most-attacked country in the world, with a malware encounter rate of over 40 per cent – the global average is 20 per cent. Awareness levels in Vietnam are still low for both the general public and IT professionals, since cyber security issues do not make headlines very often.
This view is confirmed by the various engagements that KPMG runs for our clients and the problem areas that we assist our clients with. That said, cyber security has become a growing concern for a lot of organisations in Vietnam after a number of attacks on Vietnamese airports, airlines, and banks in 2016.
Speaking of banks, recent scandals on card fraud and identity theft have caused Vietnamese cardholders to worry. What should banks do, and can firms in financial technology (fintech) help?
We can see that the banking sector is taking steps to make itself more secure. The State Bank of Vietnam now expects all Vietnamese banks to include a chip in their cards, which promises stronger security features to combat card fraud.
Other notable initiatives include more stringent identity verification and card centre operations that inform cardholders about their transactions. Many banks are planning, or already undergoing, audits and certifications in line with the Payment Card Industry Data Security Standard, which introduces more than 300 controls that must be present to protect cardholder data and prevent card fraud.
We believe that only mature and large fintech companies are in a position to effectively protect customer information or to have their own internal identity verification controls. KPMG works with a number of banks on IT transformation projects, which aim to figure out how fintech can be integrated into the delivery channels and IT architectures securely.
It is also important to ensure that fintech companies cannot access sensitive customer information from the banks’ database. An emerging standard for data exchange is ISO 20022, in which banks can classify what information to pass on to fintech firms and what to keep private.
Likewise, resultant technologies in Format Preserving Encryption and Secure Stateless Tokenization ensure that banks do not share sensitive customer information with third-party technology partners.
Not only banks, but Internet users in Vietnam are vulnerable to losing their personal information in the era of social media and online shopping. How severe is this problem, and what can be done to solve it?
It is true that people’s online data is being exploited by companies. There are many ways in which people can divulge their personal information, such as through social media or by sending their bank information to various websites, including online shopping sites.
Browsing logs, search queries, or content on Facebook can be automatically processed to infer potentially more intrusive details about an individual, such as sexual orientation, political and religious views, race, substance use, intelligence, and personality. Agencies are hired to exploit this information for advertising purposes, or worse, for phishing and other scams.
Several social networking sites try to protect the personal information of their subscribers, but many do not. The best control is to discuss Internet privacy in open forums and disseminate information to educate the general public about safe practices. It is also advisable to educate Internet users as early as possible, since children already use such systems and services from an early age.
In your opinion, is the current legal framework on cyber security in Vietnam up-to-date? What regulations should be introduced or strengthened?
The Vietnamese government has issued several laws and regulations, namely the 2015 Internet Security Law and Circular No.31/2015/NHNN, which outlines the minimum cyber security controls that every bank in Vietnam must implement.
Having said that, Vietnam can always enjoy benefits from increasing cyber laws and regulations to protect Vietnam’s critical infrastructure providers as digital disruption continues to transform businesses and cyber threats are on the rise. As seen from the latest WannaCry attack, once affected, the compromised systems can cause significant chaos or even harm to people or property. Therefore, we believe that this area should be addressed in the near future.