ISLAMABAD: The Federal Investigation Agency (FIA) cybercrime wing has recently confirmed that data around client information was stolen from almost all Pakistani banking sector entities. The hackers, who are reportedly outside Pakistan, managed to breach security arrangements and steal money from account holders. What is concerning is that nobody, including the FIA, knows when this security breach took place and if another such bank pilferage can be prevented in the near term. The hackers are not just after the bank deposits or balances on credit cards. They are also selling data containing information about Pakistani depositors, credit and debit card holders globally. This implies that the most immediate measure by 10 Pakistani banks - blocking global transactions via debit cards - may not be enough. Other online services have also been temporarily stopped. This is a mere reactive move, which must have been preempted by the hackers.
While of course the IT-related security systems at commercial banks need to be questioned, the financial sector regulator, in this case the State Bank of Pakistan, also needs to be held responsible for not ensuring the safety of bank accounts. It is unfortunate that guidelines related to security measures at the banks are not adequately updated and their compliance is not monitored as a priority. The real-time monitoring of card operations also does not seem to be working in a manner which could prevent future cyber-attacks.
The central bank’s complacency is incomprehensible. The availability and use of card skimming devices remains on the rise across the country and there have been recent warnings by several international institutions. The Global Risk Report, published by the World Economic Forum (WEF), has described such cyber attacks in the top five global risks. The report states:
“Most attacks on critical and strategic systems have not succeeded – but the combination of isolated successes with a growing list of attempted attacks suggests that risks are increasing. And the world’s increasing interconnectedness and pace heightens our vulnerability to attacks that cause not only isolated and temporary disruptions, but radical and irreversible systemic shocks.”
Unfortunately these recent events could have negative implications for the central bank’s ambitions to promote financial inclusion in the country. There have been ongoing advocacy efforts to convince people to move away from cash-based business models and towards more digitized ways of conducting transactions. The new government was also keen to promote the flow of remittances by Pakistanis abroad through formal online transfers to Pakistani banks.
The inadequacy of the financial sector’s cybersecurity will also discourage technology-based startups in the country. Those in the FinTech sector – enterprises aiming to use technology and innovate the delivery of financial services – have long raised concerns regarding lack of protection against cyber threats, unfavourable regulatory environment for FinTech startups, threats to intellectual property and an unpredictable tax regime. They have also spoken about the lack of an effective grievance redressal mechanisms for victims of cyber-attacks in Pakistan – one of several reasons why firms like PayPal are not coming to the country. While the private sector is ready to contribute its share in improving systems, the investment required in the overall oversight of the financial sector remains a public sector responsibility.
The same challenges are also faced by online payment platforms in Pakistan. While there has been a growth of business to consumer e-commerce on the back of improved internet access, increased branchless banking, provision of 3G/4G services, and a youth bulge, consumers remain comfortable with the cash-on-delivery mode and are reluctant to use online payment options. Given the weak implementation of laws around cyber security, businesses themselves are reluctant to invest in costs related to putting in place online security-related measures for their consumers.
Going forward Siraj Ahmed Sheikh, Professor of Security Systems at Coventry University in the UK, provides a three-pronged approach involving: a) the standard operating procedures at financial institutions including measures that curtail the impact of the attack and prevent propagation across known and unknown networks. The banking sector needs to understand specific measures to disable and de-escalate such situations; b) banks need to ensure that clients are reassured to avoid panic and run-on-banks. A tremor in one market can easily cause negative ripple effects in other markets including the domestic stock market; and c) capacity to conduct forensic audits which help in evidence generation may be enhanced. In the case of missing local capacity, development partners and international institutions responsible for financial surveillance may be requested.