Banks clueless about new hacking technology

Khalid Hussain - an account holder with the local branch of an international bank - was surprised to find out from his monthly credit card account statement that a $20-dollar payment had been made from his card in June from Uzbekistan.

He immediately brought the matter to the attention of the bank. Later, he came to know from the bank authorities that the amount had been stolen by forging his card.

The bank replaced his card and compensated the amount.

Such small-scale cyberattacks go unnoticed as affected banks appear reluctant in reporting it to the central bank, fearing a loss in reputation.

Such incidents of cyber-hacking came to the fore recently when a few private banks, including Dutch Bangla Bank and Prime Bank, fell prey to such scams.

In the latest hack, cybercriminals adopted a never-seen-before technology to steal money from the banks. 

They first planted a malware in a bank’s switch – card management system – and created a replica of the switch.

When hackers from abroad carried out transactions, the proxy switch gave instructions to release funds, keeping the bank in the dark.

Banks are frequently falling victim to cyberattacks as they are not prepared to fight the new kind of malware.

It appears the malware detection system in most banks is inadequate to combat cyberattack, said Md Mahbubur Rahman Alam, associate professor of Bangladesh Institute of Bank Management (BIBM).

It is true that some new malwares are beyond control, but banks will have to strengthen their monitoring and controlling system to avert largescale attacks, opined Mahbubur Rahman, who conducted a research on IT security of banks in Bangladesh last year.

The study found that 62 percent of the banks are not fully prepared to handle largescale cyberattacks.

Furthermore, banks hardly bother to invest in IT security and training; instead they are interested in procuring hardware.

Last year they spent a mere 7.32 percent on security and 2.6 percent on training, out of their total expenditure of Tk2,021 crore, according to another research on IT operations of banks conducted by the BIBM.

The report said that each year more advanced technologies are being developed. The technology department should constantly be aware of these changes.

Security may be hampered anytime in absence of the latest technological knowledge. So banks should arrange regular training for their employees at home and abroad.

But it is a matter of regret that most banks do no conform to such practices.

The recent largescale cyberattack on Dutch-Bangla Bank Limited (DBBL) raised grave concerns over cybersecurity in the banking sector as the bank was unable to detect the malware.

Even Bangladesh Bank does not have any expertise in protecting their system from such attack.

DBBL was a big victim as hackers from 60 countries made off with $1.4 million from the bank in May.

The transactions were made through unidentified cards, mostly from East European countries like Uzbekistan, Ukraine, Cyprus, Kazakhstan etc.

DBBL IT experts are yet to identify the mechanism used in the attack and their existing security loopholes.   

Before this hacking incident, Prime bank suffered a similar attack from Cyprus.

The bank authorities claimed they were able to avert financial losses by shutting down their server immediately after receiving an alarm.

But central bank sources said around $3 lakh was taken out by criminals in that attack.

The major concerning aspect of the new kind of cyberattack is that all the transactions of Dutch-Bangla bank were made through chip-based cards which Bangladesh Bank introduced in 2017 to make card transactions more secure.

DBBL launched a forensic investigation to detect how the attack was actually carried out.

People came to know about the cyberattack after police arrested six Ukrainians from a city hotel for their involvement in withdrawing cash from an ATM through card fraud.

The foreigners withdrew around Tk 16 lakh from different ATM booths of Dutch-Bangla Bank in the city but the bank did not get any information about the transaction in the server.

It is a new method of hacking which is unknown to banks, said Ahmed Jamal, deputy governor of Bangladesh Bank.

The central bank urged the ICT Ministry to take necessary measures in order to tackle this new kind of cyberattack, he said.