The two recent cash-out attacks on banks have exposed significant security vulnerabilities in the Nepali banking system. This raised a series of questions such as whether the banks are really serious to safeguard depositors’ money, is the role of central bank up to the mark as a regulator or how well prepared is the government mechanism to fight back similar types of technological threat in the future.
Only after these incidents, the fragile state of cybersecurity in Nepal’s banking system came into the light.
On September 2, the police arrested Zhu Lianang, a Chinese citizen from a Nabil Bank ATM booth in Durbar Marg while attempting to withdraw cash. In a separate incident on September 25, just a few weeks after the case of ATMs hacking, over Rs 47 million was stolen from the Agricultural Development Bank. A group of people gaining transferred out the amount through illicit access into the bank’s system.
Nature of problems
In both cases, it has raised concerns about the weak security system implemented by the banks along with the possibility of alliance of the bank’s staff to leak the data of banks’ customers to the hackers.
In the ATMs hacking by Chinese citizens, the hackers were found involved in stealing cash from ATMs by using cloned debit cards to breach processing systems. The hackers used cloned debit cards to break the connection of core banking software with the Nepal Electronic Payment Systems (NEPS), the service provider interface that allows the transaction of money deposited in a bank by using cards issued by other member banks.
As per Nepal Rastra Bank, two companies — Smart Choice Technologies (SCT) and NEPS — have been handling electronic payment systems of a majority of commercial banks in Nepal. NEPS, which has incorporated 11 commercial banks as of now, facilitates the ATM system to work in coordination with the Visa card system and the core banking software.
Hacking the pin number and security codes of the banks’ customers was among the common problems seen in the past that the hackers used to steal money from ATMs. However, this time the Chinese hackers were found to use malware, a type of software, to infiltrate and damage the entire network system, according to the Nepal Rastra Bank report. Ransomware variants encrypt the files on the affected computer making the files inaccessible to the concerned authority. The hackers mainly use the software to block access to a computer system or computer files until a sum of money is paid.
Nepal’s banking sector seems to be constantly upgrading their technological infrastructure to digitally facilitate their customers. This has also prompted hackers to opt for more sophisticated methods to gain access to the banking software and customer information. A sector as vulnerable as banking needs to constantly stay up-to-date with technology, according to analysts.
“The incident was an outcome of weak digital security in the banking business, which calls for adequate investment in both technology and human resources by banks,” said Hempel Shrestha, member of the Federation of Computer Associations Nepal. “Although the central bank has made it mandatory for banks to conduct information security audits, many banks have not been allocating an adequate budget for a proper audit,” said Shrestha.
Despite banks making record profits year after year, investment in digital security is minimal, said, former bankers. In the last fiscal year, commercial banks made a net profit of over Rs60 billion in total, with almost all of them posting net profits of more than Rs1 billion each, according to the Nepal Rastra Bank.
Although most banks have transitioned to debit and credit cards with microchips, there are still a few banks that still use magnetic strips in their cards, which poses a vulnerability, said Sashin Joshi, former chief executive officer of Nabil Bank. “Banks fail to follow security protocols for Swift and governance risk compliance systems for the Nepal Electronic Payment Systems (NEPS). These banks face problems,” said Joshi, who has worked as an executive at a number of banks.
However, the case of the Agriculture Development Bank was something different. In this case, some unauthorized persons had misuse the password/pin code of banks to heist money.
Tej Bahadur Budhathoki, former chief executive officer of the state-owned Agriculture Development Bank, said the banks with the pressure of hiring inefficient manpower is also one of the main causes behind the procedural risk in the banking business. “In addition, the management just on targeting to reduce the cost, also purchases the software from the vendors that have no credit history, also leads to the leakage of data and malfunctioning of the system,” said Budhathoki.
Gyanendra Dhungana, president of the Nepal Bankers’ Association, admitted that there was a need to improve security but that threats were persistent due to rapid changes in technology worldwide. “Based on the recent two incidents, it has been noted that Nepali banks are mainly under threat of procedural risks and systemic risks,” said Dhungana.
Most banks still consider building up security systems as an unrewarding and unnecessary expense that has led to the recent problems, according to the analysts.
Initiatives take after cash-attack
Following the incident, Nepal Rastra Bank has reduced the daily cash withdrawal limit at ATMs to Rs60,000, down from Rs100,000. Furthermore, ATMs will only dispense a maximum of Rs20,000 per transaction instead of Rs25,000.
Through issuing a circular on September 10, the central bank asked the banks to take necessary measures to minimize external risks such as spam, phishing, and spoofing, among others that could result in the loss and theft of data. Nepal Rastra Bank has also pointed out cyber attack, malware viruses, and ransomware as the major risks in the information technology being enforced by the banks
If it is to consider the Nepal Rastra Bank’s repeated pleas on the banks to invest more money in the cybersecurity, banks are reluctant to allocate a notable amount for the purpose. Right after the incident of Chinese hackers, the central bank’s Governor Chiranjibi Nepal asked the banks not to hesitate investing in cybersecurity or the banks would have to regret later.
Nepal Rastra Bank had also asked banks to prepare a Preventive, Detective and Responsive IT Security Strategy while conducting a security audit of the existing IT system. Implementation of the international best practices in the banking system along with capacity development of banks’ employees and awareness among cards users are also among the concerns of the central bank.
In a separate circular, Nepal Rastra Bank also asked the banks to recruit security guards at each of their ATM counter, which the bankers, however, have turned down, saying that the provision would increase their operating costs.
Despite having taken the nominal measures, both the regulatory authority and the banks, however, are not yet much concerned with possible threats in the future.
Shrestha of the federation said banks need to invest in both technical and non-technical human resources, all of whom need to be trained on preventive security measures. “As non-technical officers are responsible for conveying security codes, they too need to be trained to check possible loopholes in the system,” said Shrestha.
“It is the negligence of banks that has provided ample room for hackers to steal cash from ATMs,” he said. “As advancements in technology are major challenges in modern banking, banks need to increase investment to secure their systems, apart from just tackling the leakage of pin codes.”
Former banker Joshi stressed on the need for strong management oversight agency in banks and an independent audit system as part of NEPS.
Nepal Bankers’ Association’s President Dhungana said the bankers are ready to cope with the guidance of the central bank. “We have urged the member banks to remain alert in their security systems all the time, especially in the long holidays of festivals,” he said.
The Nepal Rastra Bank also mulls to enforce policymaking the banks mandatory to invest a certain portion of their net profit in up-gradation of technology, which however is yet to be materialized. Provision of rapid response team in banks, capacity building of bank-related IT to prepare forensic investigation and setting up the ATM lounges to minimize the cost of vigilance of the ATMs can be among the solutions to check such malpractices in future, opined the experts.
The banks are also needed to strengthen their system in perimeter defense, access control, encryption, antivirus and firewall along with remaining updated in the information sharing and improving the payment order system. The central bank has to gear up its regular monitoring and to make banks responsible to carry out an instant reporting system on suspicious transactions to prevent such incidents in the future.