Composition by Soonhal Khan
Composition by Soonhal Khan

THERE was a cyber attack on BankIslami last week that cost them Rs2.6 million. While the amount was rather modest, the incident rang alarm bells regarding information security measures within the financial sector, exposing further vulnerabilities.

As a precautionary measure, around 10 local banks blocked international transactions on their debit and credit cards.

With that, a possible crisis seemed to have been averted but on Nov 4, a report by PakCert— a local cyber security company—on a data breach involving 20,000 Pakistani bank accounts started making the rounds across all media, causing panic amongst everyone, from bankers to consumers.

The ‘PakCERT Threat Intelligence Report’ claimed that on Oct 26, there was a data dump of 9,000 bank account details—including full name, card number and CVV among others—on the darknet. A second dump occurred, this time involving 11,000 Pakistani cards from 21 banks, on Oct 31. The Federal Investigation Agency confirmed this, while the State Bank of Pakistan (SBP) denied the allegation straight out, calling them mere rumours.

The Pakistan Banks’ Association on Nov 7 also gave its official statement regarding the matter. Giving further weight to the SBP, the banks’ body said that IT security of only one bank had been breached. It also pointed out the difference between fraudulent transactions and a security breach: the former can be done without compromising the IT security of a bank.

And this is exactly what a cyber security expert Dawn spoke to said. “The attack on BankIslami was very sophisticated — Advanced Persis­tent Threat (APT), as we call it — even though the loss was pretty small.

“As for the darknet dump reports, it could be that account details were stolen through compromised individual browser histories and other fraudulent activities, which obviously has nothing to do with banks’ cyber security system.

“There was no breach on other banks, only that the dump took place recently while the information was collected a long time back,” explained Muhammad Abbas Rajani, CTO of DigitLabs, a local software and security solutions firm.

A very good example of APT would be the cyber heist at Bangladesh Central Bank in 2016 that attempted to transfer $1 billion to the New York Federal Reserve and was successful in stealing $81m. “These hackers study the system, observe patterns for months and bypass security measures; a ‘skid hack’ is generally basic,” he says.

Hence, while the claim that a data breach of most Pakistani banks took place seems to be false, it has nonetheless raised flags within the sector.

The SBP also mandates on issues regarding cybersecurity. So far, the central bank has mostly provided guidelines through various circulars, such as subjecting all banks and development finance institutions to an annual external audit of their IT security system.

However, much of that is limited to best practices and implementation eventually comes down to individual discretion of these companies. “There is actually a lot of investment in IT security by these organisations and in my experience, the standards are fairly high within finance, especially compared to other sectors like pharmaceuticals or insurance,” says Mr Rajani.

“They usually buy the most expensive or best system but the processes and implementation are generally weak and even the people in charge often don’t have the right skill set. If the processes are kept tight, even with a cheaper system, there is a 70-80 per cent chance of containing threats.”

A national-level watchdog or regulator would go a long way to ensure process competency, similar to what Computer Emergency Response Team in India does. “Such a body can set the standards for all sectors which can then be coordinated by other regulators like the SBP,” Mr Rajani concludes.

In Pakistan the organisation currently overseeing cyber crime is National Response Centre for Cyber Crime, but its role has been rather limited to dealing with cyber bullying or harassment—nothing nearly sophisticated enough to counter APTs.

No wonder then that in the 2017 Global Cybersecurity Index, the United Nations International Telecommunication Union ranked Pakistan 67th, compared to Bangladesh at 53 and India 23.

In the technical head, the country was placed in the “initiating” category for two components relating to the private sector—“Standards for Organisations” and “Standards for Professionals” while also faring poorly in terms of “Standardisation Bodies” and “R&D” programmes, amongst others.

Published in Dawn, The Business and Finance Weekly, November 12th, 2018

Opinion

PML-N bad cop outfoxed
Updated 13 Jun 2021

PML-N bad cop outfoxed

The feel-good factor can cancel out some of the very negative perceptions about the PTI among low-income voters.
Sink or swim
13 Jun 2021

Sink or swim

What have schools learnt during Covid?
Decoding Digitisation
Updated 12 Jun 2021

Decoding Digitisation

The scope of information technology or digitisation continues to be discussed in a rather limited manner in mainstream discourse.

Editorial

Covid strategy
Updated 13 Jun 2021

Covid strategy

It is critical for govt to demonstrate to the public how badly health, business and education have suffered during the pandemic.
13 Jun 2021

Women in Balochistan

THE Balochistan government seems to be taking steps to improve women’s integration into society and the workforce...
13 Jun 2021

Deprived of cricket

THE federal cabinet has disallowed PTV to enter into an agreement with an Indian company for broadcast rights to...
12 Jun 2021

Feel-good budget

WE have been here before. Every time a government gets some fiscal space it immediately shifts gears to growth,...
Rep Omar’s tweet
Updated 12 Jun 2021

Rep Omar’s tweet

Over the last several decades, America has been instrumental in destabilising a number of Muslim states.
12 Jun 2021

Poor health indicators

IF the coronavirus has taught the world anything, it is that the old maxim ‘health is wealth’ is true. Though...