26.5K Cyber Risks Threaten SE Asian Banks

SeniorTechInfo

Cybersecurity Vulnerabilities in Southeast Asia’s Banking and Financial Services Sector

A recent study by cybersecurity firm Tenable has uncovered over 26,500 vulnerabilities in the external attack surfaces of the top 90 banking and financial services organizations in Southeast Asia. Among these, Singapore’s elite institutions account for more than 11,000 exploitable internet-facing assets.

The assessment highlighted issues such as weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and older APIs within the banking and finance industry across countries like Thailand, Indonesia, Malaysia, Vietnam, the Philippines, and Singapore. The evaluation included domain names, subdomains, IP addresses, web servers, IoT devices, network printers, and other internet-connected devices.

Singapore experiences most exploitable exposures

Singapore topped the list with over 11,000 vulnerabilities found in its top 16 banking, financial services, and insurance companies. The assessment also revealed similar vulnerabilities in other markets:

  • Thailand: 5,000
  • Indonesia: 4,600
  • Malaysia: 4,200
  • Vietnam: 3,600
  • The Philippines: 2,600

Risks reside in software, encryption, APIs, and configurations

The assessment by Tenable identified various vulnerable points within the banking, finance, and insurance organizations in Southeast Asia. Weak SSL/TLS encryption, misconfigured internal assets, inconsistent URL encryption, and older APIs were pinpointed as key areas of concern.

Weak, outdated SSL/TLS encryption

Tenable reported that a significant number of assets were still using the outdated TLS 1.0 protocol, posing a considerable security risk to the organizations.

Misconfiguration of internal assets

Thousands of internal assets were found to be misconfigured, making them accessible to external threats.

Inconsistent final URL encryption

Over 900 assets were discovered with unencrypted final URLs, exposing sensitive information to potential interception.

API v3 being used by institutions

The report highlighted vulnerabilities in API v3 implementations, pointing out weaknesses in authentication, input validation, and access controls.

Weaknesses reside in Southeast Asia’s top banks and insurers

The study focused on the largest firms in Southeast Asia, indicating that even the most prominent institutions in the sector are susceptible to cybersecurity vulnerabilities.

Nigel Ng, Tenable’s senior vice president for Asia Pacific and Japan, expressed concern over the security gaps in these critical assets, highlighting the need for a stronger cybersecurity posture.

Cyber risk prominent for banking and financial sectors in APAC

S&P Global’s analysis also underscored the growing cyber risks faced by the banking and finance sector in Asia-Pacific, particularly affecting smaller lenders and institutions with limited cybersecurity expertise.

Despite efforts by regulators and banks to mitigate risks, the potential for cyber threats remains a significant concern, with implications for the sector’s overall ratings.

It is crucial for organizations in the banking and financial services sector to address these vulnerabilities promptly to safeguard their data and protect against cyber attacks.
