In the face of emerging Internet security challenges, Pakistan’s banking sector is poised to safeguard its depositors from threats of massive frauds and this objective calls for foolproof information technology (IT) systems and continuous upgrade of protection protocols and firewalls.
At a time when total deposits of all scheduled banks in the country have swelled from Rs1,532 billion in 2002 to Rs13,031 billion till November 2018, the sector along with its regulator is responsible for ensuring safety of depositors’ details as well as their hard-earned money.
Armed with the latest technology and adept at detecting loopholes in the porous security protocols, cyber heisters are committing draining people’s bank accounts through different modi operandi including skimming, phishing and hacking.
Skimming, which is an ATM-related fraud, is simply a debit card identity theft. It involves concealed electronics or readers, which are placed over the ATM’s real card slot. When a victim inserts a card into the machine, he/she actually slides it through the counterfeit device, which scans and steals the data stored on it along with the personal identification number (PIN) entered. Later, the perpetrators use this information to draw all the cash available in the bank account. Some Chinese nationals were caught committing this type of fraud in Pakistan recently.
On the other hand, in phishing a target or targets are approached by email, telephone or text message by imposters posing as officers of a legitimate institution.
They bait their victims into disclosing sensitive data like personal identification information, banking, debit, and credit card details, and also passwords. The result is not only financial loss, but also identity theft.
On this front, thousands of complaints are pending before Banking Ombudsman, while now around 1500 complaints were piled up before Federal Investigation Agency (FIA) involving an amount of Rs260 million. The investigators say the banking sector data was either stolen by hackers or leaked by the complicit banking personnel, which necessitates more security checks to bring the financial criminals to book.
Thirdly, reportedly a racket of professional international hackers broke into the IT systems of around 20 banks, stole the data of around 20,000 customers’, and then they put it on sale on the dark web in the range of $100 to $125/card. According to the FIA, the BankIslami data was sold on dark web and around $6 million was withdrawn from the customers’ accounts by breaking the limits of the victims’ ATMs cards.
These transactions were made in different parts of the world including Poland, Estonia, USA, Turkey, Russia, and many others. After getting these details, the FIA plans to write a letter to their counterparts in respective countries about the occurrence of banking fraud committed in their jurisdiction, seeking their help to combat financial crime through international cooperation.
In the wake of this staggering breach, other banks have taken preemptive safety measures and some of them have suspended their operations abroad. The State Bank of Pakistan (SBP) argued that fraud in one bank was surfaced and there was no report of any other occurrence of such episode in any other banks so there was no need of spreading panic.
The SBP has informed the FIA team that they had established contacts with Visa Card for ascertaining facts regarding stolen data of the ATM cards. Both SBP and Visa Card were in the process of undertaking modalities for undertaking forensic audit through third party firms to determine what went wrong that led to this breach, that too, at such a massive scale without setting off any alarm bells at any stage.
The findings of forensic audit will be shared with the FIA for proceeding with the investigation to fix some responsibility so that such incidents could be averted down the line.
The FIA came into loop when one person in Islamabad lodged a complaint before them that he had lost around Rs2.9 million in just 17 hours after someone swept his accounts clean by breaking all the withdrawal limits.
The agency wrote a letter to State Bank of Pakistan, apprising them the data of 20 banks was stolen by hackers and was available on the dark web so there was need to undertake detailed investigation on this matter.
The deputy governor SBP and the FIA officials met last week and shared details of around 1500 complaints of bank frauds. The FIA has now recommended to the regulator to enhance security checks and cited an example that there should be a double PIN for withdrawal of money from the ATMs.
The FIA team argued that the accounts of all the banks were vulnerable as the data of almost all banks operating in the country was vulnerable to attacks by international hackers.
It is a fact that banks use secrecy clauses to hide facts but there are some apparent realities that needs to be improved. For instance, there is a need to focus on the IT system and ensure it is upgraded every now and then. The SBP will have to ensure compliance on this account on regular basis.
Also, there is a huge disparity in salaries in the banking sector so a leakage at the hands of some begrudging staffers to fill this emolumentary void with dirty money cannot be ruled out. The SBP, following BankIslami incident, directed to all banks to beef up due diligence to protect customers.
The central bank has divided all banks operating in Pakistan into three main categories. In the first category there as are banks which have all safety protocols in place and there was nothing to worry about. In the second fall those banks, where information technology was in place, but these banks were asked to verify strength of their systems so they were put into risk-prone category.
All such banks have suspended their operations from abroad and have advised their customers to inform the banks prior to their departure if they wanted to use their credit cards and ATM cards abroad. In the third category, there are banks where the installed system was too weak and all these banks were directed to install state-of-the-art system with all safety protocols till the end of this week or face punitive action.
The SBP in a statement showed concern at the news items reporting that the data of most banks has been hacked. Dismissing such reports, the central bank said there was no evidence to this effect nor has this information been provided to the SBP by any bank or law enforcement agency.
"We would like to emphasise that except for the incident of October 27, 2018 in which, reportedly the IT security of one bank was compromised, no breach has been reported," the statement said.
Nevertheless, the SBP has already instructed all banks to take steps to identify and counter any cyber threat to their systems in coordination with international payment schemes.
Representatives of payment schemes have also assured that all steps are being taken to help banks in identifying any such threat on card systems and have offered additional controls to them.
Commenting on the subject, Zafar Sheikh, former DG Debt Office, Ministry of Finance, said Pakistan’s banking and financial sector would continue facing attacks so there was a need to upgrade IT system by focusing on strengthening security protocols and firewalls.
Keeping in view the whopping amounts of deposits, he said, banks must invest on ensuring the safety of amounts lying with the banks.
The writer is a staff member