FIA, SBP at odds over theft of bank accounts data

Published November 7, 2018
State Bank denies reports of hacking.— Reuters/File
State Bank denies reports of hacking.— Reuters/File

ISLAMABAD: Amid conflicting reports about a wide breach of bank accounts data, the top investigation agency of the country and the State Bank of Pakistan were found at odds on Tuesday, with the latter claiming that neither any bank nor any law-enforcement agency came up with such information.

The Federal Investigation Agency said ‘international’ hackers were behind the data breach of all major banks and they were asked through the SBP to protect their data and money of their clients. But the State Bank categorically denied such reports and claimed that no such information or evidence had been provided to it.

The issue concerning bank account holders across the country also reverberated in the National Assembly on Tuesday when chairman of the Senate standing committee on interior Rehman Malik sought a comprehensive report from the SBP, the interior ministry and the FIA on the matter within 10 days.

To sort out the matter and devise a joint strategy to handle the issue, an important meeting of the heads of all major banks, the SBP and the top investigation agency is scheduled for next week though a couple of banks moved in the late evening hours to assuage consumer concerns by announcing that their data was completely safe.

State Bank denies reports of hacking; banks cyber security issue echoes in NA

According to the FIA, there is a surge in number of complaints that people have lost their money, running into millions, from their bank accounts due to hacking.

When contacted, FIA’s Cyber Crime Director retired Capt Shoaib told Dawn that complaints regarding online stealing of money from the bank accounts had increased over the past few weeks. He said, “It is the responsibility of the banks to protect the money of their clients.”

He said the data of all main banks of the country had been hacked by ‘international’ hackers and the management of the banks through the SBP had been asked to protect their data and money of their clients.

Only last week, he added, a resident of Islamabad was deprived of Rs2.7million by the hackers and due to FIA’s intervention, that bank paid back the money to the victim.

He said the managements of the banks had been advised to make their data security fool-proof, otherwise, they would lose confidence of account holders.

“The FIA has no mandate to provide shield to the banks against hackers, because it is the sole responsibility of the banks to make their own arrangements to prevent stealing of their data and money of their clients,” he explained.

Later on Tuesday evening, the State Bank finally broke its silence in a press release and denied the reports of a wider data breach.

“SBP categorically rejects such reports” it said. “There is no evidence to this effect nor has this information been provided to the SBP by any bank or law enforcement agency.”

But the IT security firm whose report triggered the entire affair, PakCert, told Dawn that they had indeed shared their report with the SBP on Nov 5. “The report was shared with the State Bank via email at 4:30pm,” said Qazi Mohammad Misbauddin Ahmed, whose name appears on the top of the report. “We even received a response from the recipient a half hour later acknowledging receipt.”

Asked about this report, the SBP spokesperson confirmed receiving the report in question, but said it contained no evidence of a breach of data. “Look at the report carefully,” he said. “All it contains is the name of a bank, the number of cards supposedly in the position of the fraudsters, and price at which the bin containing all these cards can be purchased. Quite likely this data itself is fake,” the SBP spokesperson added.

In order to verify the authenticity of the data contained in the PakCert report, he continued, a bank would need to purchase the data in the bin, then go through the data and match it with what they have in their own database. If there was a match, next step would be to see if any unusual transactions had been reported, he told Dawn. “The banks might carry out some sort of verification at their end, but until that is done, there is no way to say that this is authentic information” in the threat intelligence report produced by PakCert.

As the dark net is full of material of this sort and its authenticity is always difficult to establish, the FIA claimed that a meeting of SBP and all major banks had been called next week to devise a joint strategy to tackle the issue.

Taking a serious notice of the reported hacking of data of the country’s major banks, the opposition drew the attention of the government towards the issue and demanded effective steps to ensure security of bank data.

While speaking on the point of order, former federal minister Ahsan Iqbal raised the issue and urged the government to take effective measures to save the savings of account holders. He said it was quite serious that data of all major banks had been hacked by the hackers in other parts of the world.

“This is a serious matter and the government should address it,” he said.

In response to the concerns, Federal Education Minister Shafqat Mehmood assured the house that the government would take effective steps to protect the money of the account holders. “It is a very serious problem and the government will take action on it,” he added.

Earlier during the day, chairman of the Senate standing committee on interior Rehman Malik sought report from the interior ministry, SBP and FIA on the matter within 10 days. He directed the FIA to probe as to how the data of banks was hacked. “It is quite alarming that bank accounts details of hundreds of thousands of Pakistanis have been stolen,” he added.

Mr Malik, who served as interior minister from 2008-13, said banks were responsible for the security of bank accounts of people. “Ironically, the banks failed to protect the money of their clients,” he said.

Meanwhile, individual banks moved to assuage consumer concerns. MCB issued a late night statement saying “customers’ data is completely safe. Not a single customer has been affected in the incident/ report publicized in media.” Likewise, Sindh Bank assured its customers that “their data is completely secure and is not subject to any internal or external risk”. Other banks are expected to follow suit.

Published in Dawn, November 7th, 2018

Opinion

Elite privileges
20 Apr 2021

Elite privileges

Elite bargains provide a powerful view of our political economy.
A conjurer of limitless hope
20 Apr 2021

A conjurer of limitless hope

Rehman Sahib came across as a battle-scarred soldier who was perpetually planning to regroup after a setback.
Cabinet lotto
Updated 20 Apr 2021

Cabinet lotto

To return to finance, the second change in the key ministry is interesting for how it differs from the first.
Election ex machina
Updated 19 Apr 2021

Election ex machina

Neither EVMs nor i-voting are new innovations, yet their use remains deeply controversial.

Editorial

Media blackout
Updated 20 Apr 2021

Media blackout

A free flow of information is the best way to counter rumour-mongering and fake news.
20 Apr 2021

Gas utilities’ reluctance

THE government has ‘ordered’ state-owned gas companies SSGC and SNGPL to remove impediments hampering the...
20 Apr 2021

Saudi-Iran talks

EVER since the 1979 Islamic Revolution in Iran, ties between Tehran and Riyadh have been increasingly strained,...
19 Apr 2021

Vaccine shortfall

THE hope that the slew of Covid-19 vaccinations approved for use since the end of last year would vanquish the ...
Another package
Updated 19 Apr 2021

Another package

Sindh has not seen much development worth the name during the PPP’s more than decade-long rule in the province.
19 Apr 2021

Cricket triumph

TEAM Pakistan have a number of reasons to rejoice after their 3-1 T20 series win over hosts South Africa on Friday....