MORE than 25 per cent of banks in the Asia-Pacific region have been hit by phishing attempts over the last 12 months, a study by security software specialist ReadiMinds reveals.

And while Singaporean banks have been fortifying their defences to counter the relentless onslaught of new Internet threats, their regional counterparts may be lagging behind with their online security efforts, the new report shows.

In such Internet scams, crooks typically spoof or pose as the websites of financial institutions and attempt to "phish" for information such as user names and online banking passwords from unsuspecting visitors.

ReadiMind's survey was conducted via Web and telephone polls across 11 Asian countries including Singapore, Hong Kong, Malaysia, Bangladesh, Vietnam and Cambodia.

The company tabulated the findings at a regional level without revealing individual country breakdowns to protect the confidentiality of the banks involved.

"In most Asian countries, Singapore being one of the exceptions, regulators are still catching up with the strengthening of their online security regime. Asian countries with weaker regulatory frameworks have therefore attracted the extra attention of online fraudsters," a ReadiMinds spokesman told BizIT.

The survey highlighted that online security is still not seen as a prime concern by the majority of regional banks, with 75 per cent of respondents indicating that they are not aware of the impact of cyber security on their operations.

The low level of awareness translates into having weaker Internet safety practices. Over 60 per cent of the banks polled did not set aside a budget for online security, choosing instead to lump this component into the company's overall technology budget.

In addition, only 20 per cent of them have adopted measures to strengthen Internet-based transactions. As further evidence of the lax security stance, 80 per cent of the banks polled said they have no formal plans for raising customer awareness against Internet threats like identity theft and financial fraud.

"Among the countries covered, Singapore and Hong Kong are countries that are clearly leading in implementing stronger and more progressive online risk and security frameworks," the ReadiMinds spokesman added.

All banks in Singapore have been using two-factor authentication (2FA) to confirm the identities of Internet banking customers since December 2006 as a result of a government mandate.

Most are using hardware tokens to generate one-time passwords for user log-in, while some are also offering a software- based approach by installing applications on a user's mobile phone.

Hong Kong authorities have issued a similar directive, with banks there opting to enhance security through digital certificates and one-time passwords that are delivered through tokens as well as mobile text messages.

While hardware devices have emerged as the most popular way of implementing 2FA, the study showed that regional banks are increasingly warming up to the idea of using software to generate passwords for Internet banking.

"Twenty per cent of respondents seem to have already adopted it (software-based 2FA)," ReadiMinds said in its report.

This story was first published in The Business Times on 7 July 2008.