Global Editions

FIA and SBP lock horns over scale of bank data theft

by Wasay Ibrahim

The State Bank of Pakistan (SBP) has strongly denied the claim made by the Federal Investigation Agency (FIA) that data from “almost all” Pakistani banks was stolen in a recent security breach. According to the FIA, this data was being sold on the dark web.

However, according to a press release from the SBP, “except for the incident of October 27th 2018 in which reportedly the IT security of one bank was compromised, no breach has been reported”. 

The SBP’s claim is being refuted by PakCERT, a leading cyber security firm based in Karachi, who claims that there were two data dumps on the dark web that contained details of debit cards from various Pakistani banks. This data was then sold on the darknet. By October 31, the data of 12,000 debit cards — out of which 11,000 were from Pakistan — was added to this data dump. Each debit card was sold for between $100 and $150.

A meeting between officials from the State Bank, the FIA and the heads of all major banks has been scheduled for next week where a joint strategy will be devised to tackle the issue.  

Read more: Cybersecurity: Work in Progress

Speaking to MIT Technology Review, Finja Pakistan CEO Qasif Shahid said that Pakistani banks were more vulnerable to hacker attacks and phishing because they tended to “fetishize physical proximity, continuing to live in the old world.” He said that by allowing banks to maintain their own digital security infrastructure, State Bank regulators were doing Pakistani banking a great disservice as digital security is not a bank’s forte.

The Finja CEO recommended that banks use speciality clouds, as such data centres have strong “immune systems” and are far more “security hardened” than the physical data centers being used by most Pakistani banks today. Such cloud services also tend to keep up to date with emerging digital security threats and add patches to their databases accordingly. He said that in comparison, Pakistani banks tended to react to emerging threats in a knee jerk fashion, allowing hackers and phishers to come back with increasingly sophisticated methods, always staying one step ahead of bank security systems.

Local banks may also be using outdated methods to cut costs. Speaking on condition of anonymity, a branch manager from a notable Pakistani bank told MIT Technology Review that local banks didn’t spend the money that they needed to on digital security.

“Real solutions are expensive, locally nobody provides the solutions that are needed hence corners are cut to keep costs down” he said.

Shahid also stressed that the Pakistani people needed to be educated about keeping their own financial security data safe. He said people needed to be told about all the ways sensitive banking information could be stolen from them and the importance of never sharing passwords and PINS. He recommended the kind of public awareness campaigns being run in India which use celebrities to educate the public.

This latest data breach comes hot on the heels of an earlier attack in October, when Bank Islami clients were targeted, with unaccounted for transactions totalling Rs. 2.6 million.