News Desk |
Authorities have confirmed that Pakistan’s banking system underwent a widespread data breach where over 8,000 bank accounts were compromised. The Federal Investigation Agency (FIA) Cybercrimes division affirmed that sensitive information from almost all local banks has been leaked. According to a spokesperson, financial data of National Bank of Pakistan (NBP) clients remained safe.
The first reported breach happened on 26th of October and cost Bank Islami around Rs2.6 million when reports of unverified international transactions were reported by customers. Despite being a relatively small amount, the event has caused concern among the financial and security community. It has brought about a need for revamping cybersecurity measures and plugging systemic vulnerabilities.
It would be wise for other banks to follow NBP’s example and invest into more modern methods of data encryption, protection and surveillance.
In order to avert further crisis, 10 local banks took up State Bank directives and blocked international transactions on their debit and credit cards. It is noted that clients had their debit or credit card data stolen which was then used to conduct fraudulent transfers to overseas accounts. According to experts the Bank Islami data theft was pretty sophisticated – known as an Advanced Persistent Threat (APT).
The FIA is currently investigating over a hundred cases related to the identity theft. However, the problem they face in the case of banking fraud is that banks hide the theft to while compensating the clients who tend to report the theft to the banks only. An intelligence report from PakCERT one of the country’s leading cyber security firms pointed out that personal details for more than 8,000 bank accounts were discovered on the dark web.
This data dump is actually bank account details being sold by hackers on the darknet. However, the company also reported a second dump was made on October 31 consisting of 11,000 Pakistani cards from around 21 different banks. Despite confirmation from the FIA the State Bank of Pakistan (SBP) has dismissed the report as rumors. While the State Bank did confirm a single breach – of Bank Islami’s database – the data dump revealed that far more banks had been compromised.
It is possible that the data was collected over an extensive time period or sometime in the past. However, it has been confirmed from insider sources that client of National bank of Pakistan has been fortunate to have avoided any loss of cash or data. NBP had been working overtime on revamping its IT infrastructure recently by signing partnerships both Dell and Microsoft.
Authorities have confirmed that Pakistan’s banking system underwent a widespread data breach where over 8,000 bank accounts were compromised.
NBP which happens to be Pakistan’s largest state bank has invested heavily in database solutions, cloud computing and web security acquiring some of the leading tools in the market. The Pakistan Banks’ Association (PBA) issued an official statement on November 7 in this regard confirming that the hack of only one Bank system took place in October.
It also outlined the difference between a fraudulent transaction and a security breach as a result of hacking. Fraudulent transactions can be successful without hacking the bank system, since the acquisition of data needed to make a transaction on a credit or debit card is only required. Once that data is stolen it can be sued to conduct illegal transactions until the alarm is rung.
It is noteworthy to mention that several scammers have been recently arrested for impersonating officials and stealing personal financial details. Another recent report was that when a number of foreign individuals were arrested by FIA for ATM skimming where devices were used to spy on ATM transactions and collect valuable data.
Such groups can exploit the mobile banking platform or even a phone call without compromising the infrastructure of the bank to eventually sell the data on the dark web. Indeed banks tend to invest heavily in IT security solutions at a standard that is usually employed internationally in matters of finance.
The State Bank did confirm a single breach – of Bank Islami’s database – the data dump revealed that far more banks had been compromised.
In comparison to other sectors, banks make sure that the best infrastructure is being used to protect its customers and consequently its reputation. Most local banks lack the experienced staff and skill in handling and running the system; something which foreigners might be more familiar with.
If bank processes are kept consciously tight even a sub-par security system would still stand a 70-80% chance of sustaining itself against threats until the authorities are notified. Pakistan also lacks the institutional infrastructure that is the norm in the global world for regulating cyber activity.
A National Response Centre for Cyber Crime does exist, but its role is more limited to the issues cyberbullying or online harassment, leaving it severely lacking when dealing with sophisticated attacks like APTs. In 2017 UN ranked Pakistan 67th on the Global Cybersecurity Index, while Bangladesh came at 53rd and India clinched the 23rd spot.
So far, the country’s central bank has issued guidelines through numerous media to the populace as well as the banks on remaining watchful of identity theft. Most possibly the motion to ensure that all transactions occur through biometric verification will become necessary, even if for international transactions only. All banks and finance institutions are also subject to an annual external audit of their IT security system.
With the industry moving steadily and finally into the digital era, Pakistan’s cyber system has gotten a rude awakening. Financial institutions will now have to reckon with risks and threats, by continuously developing, strengthening and implementing crisis-based controls in their systems. It would be wise for other banks to follow NBP’s example and invest into more modern methods of data encryption, protection and surveillance.