Understanding Pakistan’s cybersecurity woes

After reports surfaced in October last year that the banking system had been hit by its biggest skimming attack to date, the central bank issued a comprehensive set of directives. Will these be enough to meet the challenge?
by Wasay Ibrahim

It may not be unreasonable to say that Pakistanis do not trust banks. According to a study carried out by Standard Chartered Bank and independent research agency GlobeScan in 2017, 50 percent of emerging affluent Pakistanis prefer to save cash at home rather than use banking services.

This trend may not change in the near future given recent reports of ATM fraud, phishing and people’s banking information being sold on the dark web. In late October 2018, Pakistan was hit by the biggest mass skimming attack in the country’s history. The Pakistan Computer Emergency Response Team (PakCERT), a Karachi-based cybersecurity group, reported that by October 31, the details of 22,000 debit and credit cards from 22 Pakistani banks were sold on the dark web. The attack was classified as an Advanced Persistent Threat (APT), which means hackers were able to get past banks’ firewalls and remain in their systems for an extended period of time. And while the PakCERT report may have brought a greater degree of media attention to the vulnerability of Pakistani banks to cybercrime, it is hardly the first such incident. The Interior Ministry informed the Senate on December 19, 2018, that 1,244 cases of online fraud had been reported in the first 10 months of the year. Of these, 524 were turned into regular inquiries and 35 into FIRs, while 463 were being verified at the cybercrime wing of the Federal Investigation Agency (FIA). Only 76 suspects were arrested.

Perhaps in an effort to salvage the little trust that Pakistanis have in the local banking systems, the State Bank of Pakistan (SBP) denied that the attack had been this widespread. The central bank stressed that it had already instructed all banks to strengthen cybersecurity measures after the issue was reported to it by a lender a week prior to PakCERT’s report, and that only Bank Islami’s online system was compromised.

Regardless, enough feathers seem to have been ruffled for the SBP to issue new directives four weeks later, telling all banks to enhance measures taken to protect their clients against fraud, skimming and other forms of cybercrime. Banks were directed to conduct extensive vulnerability assessments to identify and fix all weak spots in their Alternative Delivery Channels (ADC), including card systems and internet banking. Banks have also been directed to arrange third-party reviews of their ADCs. Other steps include keeping clients informed about all transactions from their accounts through SMS and email free of cost. Remote activation and deactivation of accounts will be discontinued, with clients having to be physically present at the bank for biometric verification to do either. Staff are also to educate clients on the various forms of online fraud and other cybersecurity threats. Bank cards using magnetic stripes will have to be replaced by cards using EMV chips by June 30, 2019. Card-issuing banks will also have to acquire real-time fraud monitoring tools and alert mechanisms to detect all criminal activities as they occur.

Source: Pakistan Computer Emergency Response Team (Pakcert)

However, speaking to MIT Technology Review, a former employee of Bank Alfalah, which was one of the banks breached in the hack according to the PakCERT report, says audits have always been a part of protocol in competent banks. Speaking about ATM fraud and skimming, he says, “Black Box and White Box testing have always been routine for banks.”

“As far as I know, all major banks conduct these kinds of vulnerability assessments regularly,” he says, adding that some banks may not have been as diligent as others. When asked if he thought the recent cybersecurity breaches were a consequence of lax security on the part of banks or people being careless with their own banking information, he stresses that it was likely a bit of both that resulted in these breaches. However, commenting on the SBP’s requirement of clients having to be present at banks to deactivate or reactivate their accounts, he says that unnecessarily inconveniencing people wouldn’t accomplish anything. “Banks need to learn from each other and adopt the best possible practices rather than waiting for the regulator to step in,” he stresses.

Others disagree. Finja CEO Qasif Shahid, for example, says that the problem is that Pakistani banks continue to rely on outdated physical databases on the bank premises. In his opinion, banks need to cease their reliance on such systems and move towards storing data on specialty clouds, as they tend to keep up to date with emerging digital security threats.

The view of a branch manager at a local bank adds credence to Shahid’s claim. “Real solutions are expensive; locally nobody provides the solutions that are needed, hence corners are cut to keep costs down,” he says.

When we spoke to the former Bank Alfalah employee again to ask him if specialty clouds may be the solution to the country’s cybersecurity woes, he said, “Whoever is telling you that moving databases to clouds will solve all of these problems has some kind of stake in that business!”

He did, however, add that while it is true that remote servers are the future and Pakistani banks will ultimately have to make the shift to storing data on the cloud, moving to the cloud alone is not a solution to this problem.

According to the Chief Information Officer (CIO) of a notable bank, the issue is regulation. “Major banks all monitor digital transactions and analyze the clients’ spending behavior; when we see something out of the ordinary we take notice and let the client know, and at times even deactivate their accounts. This is also in line with the requirements of international payment technology companies such as Visa and MasterCard. However, not all Pakistani banks have these mechanisms right now. But this will likely change following the directives issued by the SBP in November,” he says.

He maintains that there is very little even the best banks can do when the clients themselves have failed to protect their banking information. He acknowledges that the SBP has done well to mandate that banks play a bigger role in educating their clients about the importance of keeping their banking information confidential, but says that it will take time to change client behavior when it comes to protecting them from scammers.

On the issue of banks using specialty cloud services or onsite physical servers, the CIO says that the SBP itself mandates that all customer data be stored in-house. Storage of data overseas in particular is specifically prohibited.

But how easy is it for a hacker to get into a Pakistani bank anyway? According to Shahmir Amir, who was dubbed the 11th best hacker in the world by HackerOne, a California-based vulnerability assessment company, it is “very easy.”

“Most Pakistani banks use the same payment gateways and have very vulnerable core banking systems,” he adds. He went on to say that Pakistani banks need to be open to responsible disclosure, meaning that when vulnerabilities are discovered they ought to be addressed and patched before they can be exploited rather than waiting for a breach to happen.

However, the CIO that MIT Technology Review spoke to disagrees with this view. He says that smaller banks may all be relying on the same gateways, but all bigger banks have their own unique architecture. Further, he adds that it doesn’t matter if all banks use the same payment gateways as long as they monitor transactions, keep up to date with emerging digital threats and manage their security properly.

All of these experts and industry insiders agree that the PakCERT report from last October should be taken as a warning, otherwise Pakistan may find itself in a situation like Bangladesh did in February 2016, when hackers made off with $81 million in a matter of hours using the Society for Worldwide Interbank Financial Telecommunication (SWIFT) credentials of Bangladesh Central Bank (BCB) employees. They managed to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. Had an employee of the Federal Reserve Bank of New York not noticed a typo in one of these instructions (foundation spelt as “fandation”) they would have been able to make off with even more money.

The International Telecommunication Union (ITU), a specialized UN agency responsible for issues concerning information and communication technologies, ranked Pakistan 67 out of 165 in the ITU Global Cybersecurity Index 2017. India ranked 23 on the index while Bangladesh ranked 53. While Pakistan seems to be at par with India in terms of laws on cybercrime, it lags behind in cybersecurity legislation, training and strategy. Essentially, Pakistan has laws to punish people for cybercrime, but it has failed to make organizations keep their clients safe from cybercrime. And this is why we lag behind in terms of cybersecurity training and strategy. It remains to be seen whether the instructions handed out by the SBP in November will be able to push us a few points up in the GCSI.

The writer is a journalist based in Lahore.