December issue 2018
Breaking the Bank
On November 27, BankIslami announced that it had secured its payment system, almost a month after falling victim to the largest bank hack in Pakistan’s history. The cyber attack, in which data from 22 Pakistani banks was stolen, cost BankIslami Rs 2.6 million.
While the banks themselves have refused to comment on the attack, or even acknowledge that it took place, breaches have been reported by independent firms and the Federal Investigation Agency (FIA).
Cyber-security firm PakCERT’s ‘Threat Intelligence Report’ noted that details of around 20,000 debit cards belonging to customers of these banks were sold on the dark web for over $100 each. Similarly, the FIA’s cyber crime wing said in the aftermath of the attack that data from ‘almost all’ Pakistani banks had been hacked.
FIA officials confirm that the attack originated outside Pakistan. The attackers targeted data from individual bank accounts and also carried out frauds through Inter Bank Fund Transfer (IBFT). This prompted many major banks to temporarily delink from the international payment switch, which is reported to have cost the International Payment Scheme $6.1 billion.
“The security systems of almost all banks in Pakistan were breached by hackers from outside the country and compromised the data of local users, which allowed them to transfer money from these accounts,” said FIA Cyber Crime Head Captain (R) Mohammad Shoaib. “This shows the vulnerabilities in our banking systems which need to be urgently addressed.”
PakCERT’s ‘Threat Intelligence Report’ describes the two ways in which these vulnerabilities allow hackers to steal money.
The first involves copying the data encoded on a debit or credit card, which is unique to that particular client and card, and then replaying it on the web to complete online transactions.
The second is the physical cloning of a card whose details were captured by an ATM or merchant terminal that the hacker had compromised. Such cloned cards can be used at other ATMs or merchants to withdraw cash or to complete purchases.
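Both fraud modes leave the same question for a bank’s fraud team: which terminal leaked the cards? For the second mode (cards skimmed at a compromised ATM or merchant terminal), the standard defensive technique is common-point-of-compromise analysis: find the terminal that the reported cloned cards share far more often than the general card population does, work out the window in which it was compromised, and reissue every card that used it in that window, including cards not yet reported. The Python below is an added example written for this article, not code from PakCERT, the FIA or any bank; the transaction log, card references (tokenised, never real card numbers) and terminal ids are constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Txn:
    card: str          # tokenised card reference (never a raw card number)
    terminal: str      # ATM or merchant terminal id
    when: datetime


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample log. ATM-7 is the skimmed terminal; C5 used it but has
# not (yet) been reported, which is exactly the card a reissue must catch.
TXNS = [
    Txn("C1", "M-CAFE", _ts("2018-10-01T10:00")),
    Txn("C2", "M-CAFE", _ts("2018-10-01T11:00")),
    Txn("C6", "M-CAFE", _ts("2018-10-01T12:00")),
    Txn("C7", "M-CAFE", _ts("2018-10-02T12:00")),
    Txn("C1", "ATM-7", _ts("2018-10-02T09:00")),
    Txn("C2", "ATM-7", _ts("2018-10-02T13:30")),
    Txn("C3", "ATM-7", _ts("2018-10-03T18:10")),
    Txn("C4", "ATM-7", _ts("2018-10-04T08:45")),
    Txn("C5", "ATM-7", _ts("2018-10-05T12:00")),
    Txn("C3", "ATM-2", _ts("2018-10-06T09:00")),
    Txn("C8", "ATM-2", _ts("2018-10-06T10:00")),
    Txn("C6", "M-FUEL", _ts("2018-10-07T10:00")),
    Txn("C7", "M-FUEL", _ts("2018-10-07T11:00")),
    Txn("C8", "M-FUEL", _ts("2018-10-07T12:00")),
    Txn("C4", "M-FUEL", _ts("2018-10-08T12:00")),
]

# Cards whose clones were later used fraudulently (constructed).
FRAUD_CARDS = {"C1", "C2", "C3", "C4"}


def common_points(txns, fraud_cards, min_share=0.5):
    """Rank terminals by how many of the compromised cards used them.

    Returns (terminal, coverage, baseline, lift) tuples: coverage is the
    share of fraud cards seen at the terminal, baseline is the share of all
    cards seen there, lift is coverage / baseline. A busy terminal that
    every card visits has lift near 1; a skimmed one has coverage near 1
    and lift well above it.
    """
    cards_at = defaultdict(set)
    for t in txns:
        cards_at[t.terminal].add(t.card)
    all_cards = {t.card for t in txns}
    ranked = []
    for term, cards in cards_at.items():
        coverage = len(cards & fraud_cards) / len(fraud_cards)
        baseline = len(cards) / len(all_cards)
        if coverage >= min_share:
            ranked.append((term, coverage, baseline, coverage / baseline))
    # Highest coverage first; among equals, prefer the less busy terminal.
    ranked.sort(key=lambda r: (-r[1], r[2]))
    return ranked


def exposure_window(txns, terminal, fraud_cards):
    """Earliest and latest time a known-compromised card used the terminal."""
    times = [t.when for t in txns
             if t.terminal == terminal and t.card in fraud_cards]
    return (min(times), max(times)) if times else None


def cards_to_reissue(txns, terminal, start):
    """Every card that used the terminal from the start of the window on.

    Cards after the last reported one are included too: the skimmer may
    still have been in place, so an unreported card is not a safe card.
    """
    return {t.card for t in txns if t.terminal == terminal and t.when >= start}


if __name__ == "__main__":
    for term, cov, base, lift in common_points(TXNS, FRAUD_CARDS):
        print(f"{term}: coverage={cov:.2f} baseline={base:.2f} lift={lift:.2f}")
    window = exposure_window(TXNS, "ATM-7", FRAUD_CARDS)
    print("exposure window:", window)
    print("reissue:", sorted(cards_to_reissue(TXNS, "ATM-7", window[0])))
```

The baseline and lift matter because the busiest terminal in a city will appear in almost every compromised card’s history simply because it appears in every card’s history; only a terminal whose share of the fraud set is far above its share of all cards is a candidate. On real data the same computation runs over millions of transactions and the ranking is a starting point for a physical inspection of the terminal, not a verdict.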
PakCERT Chief Executive Officer Qazi Muhammad Misbahuddin Ahmad revealed that his firm regularly monitors the dark web, which is not publicly accessible and requires specific tools before its contents can be unearthed.
He further revealed that the firm is currently expanding its report on the hack attack.
“We are collaborating with the State Bank to further expand how the attack has impacted Pakistan’s banking sector. It is only after completing the investigations that we will shed more light on the matter,” said Ahmad.
The hack attack, which penetrated banks across the board, has hit many customers individually, with businesses separately affected as well. A major concern for those hit by the hacking, or by the banks’ reaction to it, is uncertainty over the legal course they should take.
“We have had problems with international banking transactions throughout the past month, and have suffered because of that,” said one of those affected, an online business owner. “The banks aren’t even willing to engage with us. Who is going to compensate us for the loss that we have suffered owing to suspensions in online banking transactions?”
Among those affected by the banks’ ostensible remedial measures is Digital Rights Foundation founder Nighat Dad.
“I was travelling and tried to complete a transaction through my card, but neither the credit, nor the debit card, was working. I was at an international airport and was left in limbo,” she said.
Dad, who is still overseas as part of her work commitments, says she plans to file a writ petition on behalf of those who have been impacted by the hack attack and its aftermath.
“Hundreds of thousands have suffered because of the hacking, but no one took to the courts, because almost nobody knows how to approach this case,” she said, adding that the Digital Rights Foundation is planning to pursue it.
Dad continued, “This is because PECA [the Prevention of Electronic Crimes Act, known commonly as the cyber crime law] gives banks the legal right against hackers, but doesn’t provide the means for customers to call out the banks after their data has been compromised.”
Nighat Dad maintains that while the upcoming Data Protection Act will hopefully address this, there is still a long way to go to address the legal loopholes.
“The banks still do not have any standard operating procedures when it comes to dealing with the aftermath of hack attacks. There is no transparency at all,” Dad contended.
While Dad concedes that one can do little when vulnerabilities in banking systems are exploited by hackers, she still urges users to take all the security measures possible in their digital transactions. “Always use VPN during online banking, and make sure you have strong passwords in place. Also, watch out for banking encryptions – which are present whenever you see ‘https’ on the URL.” Good advice, certainly, but for those who were affected it comes after the event.