S2E13: iPay88 breach and notification - Part 2/2

Ladies and gentlemen, welcome to SecurityLah podcast. Season 2. So the banks can't detect, they can't track and then they can't find users. They can track. It's information they can track, but it is not reflected. So what do you think, what should banks do in your opinion? What do you think, what more can they do after besides just tracking the transaction? And I don't know to the source. The first thing they do is if they find that there are certain source that's been used to launder the payments, they will just blacklist those source. Say, for example, if somebody is buying a certain T-shirt from a certain website and they use that as a means for them to launder the money, they'll just block the site. Secondly, they have to reissue the cards because now the secrecy of that card information is no longer there. It's no longer secret. But you know, what's the the the the chia-lat part about getting your cards changed? You now have to remember which sites that you actually use that cards on for recurring payments and go in and then change. You know, that's if you ask me, that's the worst thing. For me, I have a number of recurring payments. I got Netflix, I got Amazon Prime, just to name a few. And, you know, it's it's I had a... Thank goodness I don't use online services like you do, Doc. No, my my my whole life revolves around online. You guys know that. So for me, it's like bread and butter every day. I do stuff, you know, so it's not something that I can say, oh, I'm going to stop using online. For me, it's come to a point where there's no option of offline. It's online and beyond. Same here. I mean, I don't know if you guys have got it, but immediately after that, I think I got a message from my bank. Your card debit will expire on September 30, 2022. Change your card debit at any kiosks without charge for the smooth use. Mine also. Mine as well. I got a notice also. All your cards have expiry, you know, so you need to make sure you change it before you expire it. Yeah. So I don't know if it is an expiry or is a reaction to this. OK, I checked my card, my physical debit card, and sure enough, actually the expiry date is there. So it's correct. Oh, OK. So that means you're not affected. It's just on course. Cat is always safe. Cat is offline, so it won't affect her. Yeah. Don't forget I keep my passwords in the 555 book. Yeah. Make sure you don't lose the 555 book. Exactly. I was about to say that. And your 555 book would have smell and crumpled. And yes, yeah. Just make sure it's readable because otherwise you'll be like, is that an O or is that a zero? OK, I'll stop using my left hand to write. And then just a couple of days after that, there was another incident also in the same field, KipplePay. Oh, yeah, I heard a little bit about that. Do you have any details about that, Sky? Yeah, it's the same payment gateway, but they are smaller player, I suppose. All right. They were saying that they had a breach and they came forward. But again, the marketing stuff of reporting, you know, so what happened was they issued a press statement and they say that they began they have begun notifying affected card holders and advising them to come forward. And they will their card will be replaced free of charge. Yeah. I'm looking at the notice right now and sure enough, the standard mandatory phrase is there. We take a serious view on our security compliance measures in line with the BNM's policies, directives and requisite security standards. See, Chad, you monitor that phrase. It will appear everywhere, right? You will get the latest breach notification. You don't even have to subscribe. You don't have to find the website. You just put that in your Google News feed. I'll tell you, you will get it. You know, I bet. I bet. So the joke is is they they are saying it in such a way that it is IPay88. It's for this this last paragraph. Of course, it's not just people pay users who are affected by the IPay88. It's oh, yeah. Yes, I'm reading that line, too. Your bank may be or might already have contacted you over your card data being potentially compromised. Oh, burn, man. Burn, burn, burn. So it's like, hey, not my fault, right? The guy is the other fellow. Burn, man. This one really hanging out to dry already. So now, can you imagine if any of the breaches on those Visa cards and all that, they can just turn around and say, hey, you know, in line with the previous breach. That is so bad. I think this one is under the belt. Yeah. And I don't know. Someone was mooting the idea of establishing a royal commission of inquiry. Our PM, our PM. I'm like, please. Poor guy. We have we have so many calls for RCI now. And I'm like, I really don't know where this is going to. If you ask me, the most effective thing the government could do today is to actually enact or make a modification to an existing law to make cybersecurity reporting mandatory. And they could look at, for example, SEC filings as a model for them to to say that, you know, this is what it is. Yeah. And if you ask me, that will go a long way than just say, are we going to do an inquiry? Yeah. You know, either your site got hacked, your guys got phished or something. Fine. It's not going to change anything. The data is leaked. Now you're left with this mess to handle, which is what all the banks and everyone else around the ecosystem has to handle. Fine. We understand that. So now the important thing is if you really want to do or make a difference, enact the law, make it mandatory for all companies, all companies. You must report a breach. And it's not just personal data. You know, it's it can be critical information, it can be anything. If your organization gets breached, you should at any point inform the public to say, yes, we have been breached. You know, and this is what I expect. The least you should say is what is the breach about? You don't have to go into technical details. Right. And the thing is, is I can tell you very confidently, IP 88 or any organizations will never, ever publish a detailed brief, a detailed, sorry, a detailed information about what their breaches, what they learn, what the IOCs are, who the attackers. I can bet you that's never going to happen because it's Malaysia, it's Asia. You know, we never like to say these kind of things until and unless it's made mandatory. So the best way, the best thing you could do right now, if you really want to remedy the situation, is to enact the law to say that if you had a security incident, you are required to disclose. These are the parameters you should be disclosing. And upon the completion of the incident, you need to publish a final report. I love how Singapore does it. For example, the IHS breach, they were completely transparent about it. Yeah, completely transparent about it. And there were a lot of things that you could pick up from that report and say, oh, these are the lessons learned and these are the things I can implement in my organization to improve my security posture. And if you ask me, that helped a lot. That made a difference. Whereas here it's like, yeah, you know, there's a breach. I can't tell you much, but there's a breach. I have to tell you because I have to tell you there's a breach. I'm not sure where the value in that, but okay. You know, the key thing that you mentioned about Singapore, Thailand just enacted their law, PDPA law. And within the PDPA law, there is actually a clause that says a cyber breach must be reported within 72 hours. That's a good start. That's a good start. That's June 2022, just a couple of months back. And going back to IP88's breach, the joke was they went ahead and appointed a vendor from Singapore to do the study, to do the investigation. Really? IP88 appointed a vendor from Singapore? Yeah, it's in the article. So I'm not saying something internal. I'm like, you know what? That's really a serious problem for me because I feel that we tend to look down on our local players. I've met a lot of people through my time, both in financial sector and also other industries. And you don't need to look far to get really good, really experienced people. You know, I'm really curious, Dong. You mentioned that when IP88 actually came out with the notice, there was a PR agency that was mentioned at the bottom. May I know which agency this is? Well, this is what's written at the bottom, prsync.com. Sorry, syncpr.com. I mean, it's there on the notification. So I'm not sharing anything that's not secret. It's on the notice. My thought was, you see, you already have a breach, right? But you're getting a company outside of Malaysia. The datas are all Malaysians. But you are getting another country's vendor to come in and investigate this breach, disclosing the information even further. Am I right to say that, Dong? Yeah, true. Because I know that they may find files, logs. They may have information relating to the credit card, the PAN numbers or even the CVV numbers. So, yeah, obviously they're going to say, ah, see all this data. Ah, here it got exfiltrated. We found logs with portions of this data here. So obviously the investigator who's doing a technical analysis is going to say, ah, you know, this one, this data, probably half the data is going to be in the Philadelphia Chaps laptop. Right. And yeah, and the very cursey part of the very sad or wasted, OK, Malaysian slang, wasted part about this is this Singapore based vendor may have a very detailed report. That is like with the IOCs and whatever indicators of compromise and all the information that's required to be able to, I don't know, to help IP 88 move forward. But usually when information goes through this kind of information, information goes through a PR agency, a public relations agency. Their objectives may be different, as in like they may not. They may actually decide to withhold information instead. Enjoying the show so far? Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple Podcasts, Google Podcasts and many other platforms. Visit podcast.securitylah.asia to get the links to subscribe. Absolutely right, because their focus is to focus is safe face, you know, tell as little as possible, but you have to tell them something. So you tell them something or you confuse the public and let them be confused. And you guys do what you need to do, you know, which is which is what to me occurred to me when I when I read that notice. And I'm like, I'm sorry, I know you had a breach. But what breach? How detailed? What information? Am I the first question that I had is, am I affected? And and the notice was never able to discuss or share any information for me to validate if my information was breached. Which to me, if you ask me, is a very poor notification, minding the fact that it's released three months after the incidents. If you had released that notice, say one week or two weeks after, oh, we are still investigating. We may have a potential breach. We will get back to you. That's a different story. Yeah, because then I then I can say that, oh, you're still investigating. Fine, you take your time, investigate, then you come back to me. So at least I know this is the one thing I need to follow up here. You had three months and you had nothing to account for means either the vendor you got from Singapore or whatever country. You know, in Hokkien, we say hau-siaw la, you know. Yeah, so unfortunately, so I don't know what to say. So the industry is like this, right? So and I've had the privilege of working with esteemed colleagues in the PR agent, PR industry. They do their best. I mean, they're well-meaning and they've got good intentions, right? But at the end of the day, you have to think about also it's more than you want to control the damage. Fine, you want to you want to damage control fine, but it has to I mean, it has to have there has to be information that people can act on upon as well. You know, so just saying that there's a breach and then repeating the word breach five times is not going to cut it. I like how you mentioned repeating the word breach five times. It's like a sacred mantra, you know. You know, it's a breach. I tell you, there's a breach. Sure got breach. I get the point and read and hear this. He says here, CISA's investigation is still ongoing. It's still ongoing. It's like now I announce it. I know about it like four months ago, but the investigation is still ongoing and will inform you all the results when it is done. Yeah. So that's so I think I think in even if we were to conclude, you know, at this point, I think I agree with Doc. The only way forward, I mean, I mean, frankly speaking, we tell people, you know, you must assume breach. So having a breach is no no big thing. But how do you come back from it? How do you meet and move forward, you know, and share the experience so that the rest can learn is very key. And the only way now is you must enact that law so that everyone will need to report a breach with the proper guidelines. Yeah, absolutely. We take the bounce back man. Yeah. So the idea is we know breaches is inevitable. Like what you said, Sky, perfectly took the words out of my mouth. You know, important thing is how do you come back? What is it that you are going to do differently to prepare yourself not just for the next breach, but maybe to prevent? What are the lessons learned and how could you share this information? Remember in one of our previous episodes, Sky, we're talking about sharing information. Yeah. No. How do you how are you going to put it out so that you can help everyone else secure a business? Because it has to start from somewhere. If you're going to say, I'm not going to be the first, I'm going to wait for someone to do it. Nobody's going to do it. Yes. To start somewhere and at least take the first step and say, this is what we are seeing. Guys, ladies, girls, they, whomever, please take note, you know, and use this to secure your environment. And that's how we help each other because otherwise, I'm not sure if this is going to be able to go out. But, you know, I would like to send a shout out to Tan Sri Annuar Musa, who is the minister of MCMC, you know, and the personal data protection department. You know, it's about time we enact a law to protect the users. Definitely, man, long overdue, long overdue. OK, so what you guys do is like is alien to me, right, because I'm from a different industry. But I remember some years ago when there was actually a local automaker in this company that was also involved in something similar. So when I actually spoke to some people about it, they were sharing best practices about how there should be crisis management and then not just the management of the crisis, but also the communication of the crisis. And then part of the whole the whole plan also had to include something called business continuity. So I. Yeah. So when I saw that notice from I.A.A. it was like, that's it. Was there anything else that was going on in the behind the scenes? Do you guys have any information about whether there was any of this implemented? I'm very sure they would have been contacted by their clearinghouse banks and also regulator because this is a regulated industry. I'm not sure how far it goes, because usually in a breach like in such even PCI DSS, the council may get involved. So they may want to know what actually happened, why it happened, because what they do is true breaches. They identify what the issues are and then they strengthen the PCI DSS requirements. So maybe in the next version of PCI DSS, you might see some additional controls which may actually relate to what happened in IP. 88. So why was it that they were breached? What was the issue? And the question will always be, is that did they take adequate steps to secure their environment? So if they have good, they must be able to show that by identifying how the breach happened. If they didn't, then they need to identify what was their gaps and they have to fix it. So, for example, classic example would be target in the US when they were breached and their critical information stolen. It was identified that it was done through an insecure Wi-Fi that had access to a payment system. So one of the requirements is you shall not have insecure Wi-Fi as part of your PCI DSS standards. So that way you are actually closing the gaps as you find more breaches. And obviously, Bank Negara Malaysia, which is the central bank for Malaysia, will also issue a requirement to maybe all the payment gateways or the banks to say, OK, we have identified this. We are issuing a new circular. Please make sure you meet compliance. Let me read this to you, Doc. Meanwhile, BNM Governor Tan Sri Nosh Amsia said that the central bank was only made aware of the breach in late July, adding that IPay88 is not technically supervised by BNM. Yeah, payment gateways are not because payment gateways rely on banks. Then who? Who supervises them? Technically, nobody for the time being. Oh my goodness. They are. You have to treat them like an e-commerce site or anyone else because they don't hold a banking license. Payment gateway today. You can start your own sky pay and become a payment gateway. Sounds nice man. Sky pay. Yeah, not bad. So you can start your sky pay and you can become a payment gateway. As long as you have a bank that clears your transaction, you can just route it to whichever bank you want. You know, because at the end of the day, the banks are the ones that have the lease line to Visa and MasterCard and all that. And they'll be able to route. So technically what happens is sky pay gets a just say I make a payment through sky pay. Sky pay gets my credit card payments. Just say, oh, the first four digits says must be Visa. So routes it through the bank to Visa. Visa says, oh, this one is from Bank Cap ayam. Then routes that payment to Bank Cap ayam. Then Bank Cap ayam reverts back to sky pay to say this payment is cleared. That's in a nutshell, very simply put, how the payment ecosystem works. But there will be a loophole then in the entire payment transaction flow. True, but sky pay will be governed by PCI DSS. The banks will audit sky pay based on PCI DSS. So for them to say that, oh, you're storing credit card information or you must meet level four of PCI DSS, for example. Right. Which means all stringent requirements. The twelve controls. All that. So they will make it mandatory for you to meet all those requirements. Then my question is who made IPay88 pass PCIDSS? Ah, not me. Not me. Not my customer. Not me. Not you. That much I can tell you. That much I can tell you. Oh, so they have to be governed by PCI then. That's for sure. As a payment processor, you are definitely governed by PCI DSS. And the way it works is your clearing bank will ask you this question. So which one do you fall under or you're a payment processor? OK, then you give me your PCI DSS checklist. Usually no one goes and audit. Oh, my goodness. From what I know, again, I may be wrong, but usually no one goes and audit. So which means that you give me the checklist. OK, I take it as is. Right. Because otherwise the banks are going to take a long time to onboard a customer. It's more of a backend processor. Again, I don't know where the problem is. I don't know if that is the problem. But again, I'm just sharing the... No, you see, because as far as I know, even if you have a bridge, you see some of the banks that I know who is governed by PCI, they are supposed to mask their database. Absolutely. So even if you lose your database with all the names and all that, you will not have a full, clear text Excel sheet because the data is supposed to be masked. Yep. So this is where I'm a bit curious. You know, the transaction was like hundreds of thousands, you know, but not a lot of money each, just less than ten ringgit. I think honestly, we've torn this issue about left, right, center, up, down, to a point where I think we've just exhausted all means to trying to understand an issue that is not even explained properly. And I think we've gone to the limits of our understanding and ability of how this whole issue is. So I guess maybe if someone in IP88 wants to talk to us about this, we are happy to talk to you and, you know, feature this in our show. We'd like to hear your version of the story. I'm sure you would have something. And you can use this as an opportunity for you to set right what you think has been the wrong conception that probably myself or Sky or even Kat might have said, you know. So we welcome IP88 on our show to give your point of view, but also you give us the right to grill you la. Fair enough, right? I know who to ask and his name is... He's ***. I don't know which *** so... Yes.***. Who, whoever la. So again, we issue this invitation to IP88. So use this as an opportunity for you to share and, you know, indirectly in PR terms, damage control. So we open it up to you la. Okay, so with that, Kat, thank you very much. Thanks. I will see you guys soon. Alright, ciao. Ciao. Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia where you can subscribe to the show in iTunes, Spotify or via RSS so you'll never miss a show.(music) You