Cyber security is a vast topic, and it is gaining more attention as the growing trend of cyber-crime is worrisome.
The vulnerability of cyber systems is increasing, and in my previous article on cyber security, published on 19th of November 2018, I tried to summarise the description, types and vulnerabilities of cyber systems and the landmark cyber incidents of the world. I received a lot of messages from readers appreciating the article, but at the same time they also demanded that I come up with more information and proposals to secure the confidentiality of clients, banks, and commercial and national institutions.
This article is a follow-up to that previous article, in which I further illustrate how damaging these incidents are to individuals and the state, along with the potential threats and proposed ways to deal with the issues.
Cyber security issues and banking frauds are universal and are taking a toll on the digital privacy and financial affairs of ordinary individuals of the state as well as of bank account holders and the regulators of different banks. Despite a number of protective security measures having been taken, the frauds have not stopped. Criminals always find new ways to outsmart the protective security layers with new, smarter fraud techniques.
It is essential to comprehend the distinction between three separate issues relevant to the cyber security phenomenon that are commonly faced by people in our country:
a. Card skimming: this happens when a customer hands over their card to pay after shopping or dining, instead of paying cash. The card is swiped at a POS machine and the card information from the magnetic stripe is stolen. This is happening worldwide, more often in some countries than in others. When we travel abroad, card information can be stolen in any country by any merchant.
b. Fraudulently impersonating a client's identity through different cyber cons like phishing (fake websites), smishing (sending text messages to lure clients to scam websites) and vishing (calling clients while pretending to be someone concerned enough to offer them financial assistance, and extracting their confidential data that way).
c. Hacking: this happens when hackers break into banking systems and get access to customers' data by compromising their accounts. This is exactly what happened to banks in Pakistan a few weeks ago, when a number of people became victims of hacking and lost their data and information.
Card skimming and fraudulent theft of customers' identities have been the principal issues faced by Pakistanis for years. In the case of hacking as well, numerous groups have been busted by the law enforcement organisations of our country for pretending to be government officials and requesting data from customers. Approximately 8,000 to 10,000 out of 25 million bank account holders have fallen prey to hackers across the industry.
I, in my capacity as Chairman of the Senate Standing Committee on Interior, took notice of the stolen bank data; directions were issued to the FIA for a detailed inquiry, and a comprehensive report was sought from the Governor of the State Bank.
It should have been made mandatory through an Act of Parliament to implement IT governance, including digital security, card data protection (migrating to EMV and enabling Chip & PIN for cards), and guidelines for internet and mobile banking. There are regulations, but there is no enactment with an enabling provision for legal action that makes non-compliance a cognizable offence.
All across the country, different banks are still in the process of implementing cyber security and EMV compliance, because of the investment required and the very limited skilled resources in the country. Only once a law is in place and banks are under strict compliance can we expect the desired results.
Sellers on the “Dark Web” exploit the hype created in the market after such incidents, and in its wake loads of fake information are put up for sale to cash in on that hype. The dark web is basically a term for websites and networks that are heavily encrypted and “hidden” from the average internet user. It has earned a reputation mainly as a sort of immense black market, associated with drugs, guns, porn, hacking and conspiracies. Accessing it requires something special: specific proxy software or authentication, such as Tor. These pages sit on an additional overlay network like Freenet, I2P or Tor.
The other issue is that the dark web already holds card information from all the major global banks, gathered through skimming, and this skimming is done through hacking and with the connivance of some banking staff. Banks and credit service providers are also hit by credit fraud, and both the banks and the credit card service providers have failed to protect their clients completely.
It is unfortunate that Pakistani banks have so far failed to provide PIN-coded cards, for use locally or abroad, to protect card holders against cyber-attack. This is why a Pakistani credit card holder has to sign instead of entering a PIN code, as is done at all other international banks.
I am of the firm opinion that, in consultation with international and local banking experts, the following measures need to be taken to deal with the current cyber issues and the future potential dangers that national cyber security is likely to encounter:
a. Efforts are required by the banks to brief clients on the potential types of cyber-attacks and threats used by fraudsters.
b. Regulators may have to guarantee, either through the law suggested above or through strict SOPs, that in case of confirmed hacking or stolen data, immediate action is taken by the banks to implement cyber security and IT governance and to follow certain rules, as under:
1. Banks are required to urgently replace non-compliant cards / Manila cards with Chip and PIN cards for complete security of the cards. I suppose that if the banks do not comply with the orders of the State Bank, then the State Bank should suspend the banking licence of the respective bank. This matter relates to security, hence the Government needs to enforce compliance through the Ministry of Finance, as this is the only way to ensure that Chip & PIN cards are issued.
2. Non-compliant POS machines should be withdrawn quickly from the market and replaced by POS machines that accept Chip and PIN cards.
3. All ATM machines must be configured to accept only Chip and PIN enabled cards for banking services.
4. Banks must follow global standards like PCI DSS, and the State Bank should ensure compliance with international banking standards.
5. Establishing data collection and protection is a major task, and it needs effective governance through a proper structure in the banks; its compliance should be ensured through an Act of Parliament.
6. Banks are required to have regular vulnerability assessments and penetration tests performed by professional IT experts, and the State Bank should conduct an annual audit to ensure compliance.
7. Profile-based monitoring needs to be introduced, with constant monitoring by expert teams who can identify and block suspicious transactions. Basically, IT-based banking has to be monitored and controlled through technical IT hardware and software.
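As an added illustration of the profile-based monitoring described in point 7 (example code written for this page, not taken from the article or from any bank's system), the following Python sketch builds a spending profile for one card from a constructed history and flags a new transaction that deviates from it, including the cloned-card pattern that follows skimming; the thresholds, the six-hour travel window and the sample transactions are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

@dataclass
class Txn:
    amount: float   # in PKR
    country: str    # ISO code of the merchant or ATM location
    ts: datetime

# Constructed spending history for one card (illustrative data, not real): routine domestic purchases over one week.
HISTORY = [
    Txn(2500.0, "PK", datetime(2018, 11, 1, 13, 10)),
    Txn(4800.0, "PK", datetime(2018, 11, 3, 19, 45)),
    Txn(1200.0, "PK", datetime(2018, 11, 5, 9, 20)),
    Txn(6000.0, "PK", datetime(2018, 11, 7, 20, 5)),
]

def build_profile(history):
    """Summarise a card's normal behaviour from its past transactions."""
    return {
        "countries": {t.country for t in history},
        "avg_amount": mean(t.amount for t in history),
        "last": max(history, key=lambda t: t.ts),
    }

def score(profile, txn, travel_window=timedelta(hours=6), amount_factor=3.0):
    """List the profile deviations a new transaction triggers (thresholds are assumed)."""
    reasons = []
    if txn.country not in profile["countries"]:
        reasons.append("unseen country")
    if txn.amount > amount_factor * profile["avg_amount"]:
        reasons.append("amount outlier")
    last = profile["last"]
    # A cloned (skimmed) card typically surfaces abroad while the genuine card
    # is still used at home: two countries inside a short window is the tell.
    if last.country != txn.country and txn.ts - last.ts < travel_window:
        reasons.append("impossible travel")
    return reasons

def decide(reasons):
    """Map deviations to an action for the monitoring team."""
    if "impossible travel" in reasons or len(reasons) >= 2:
        return "block"
    return "review" if reasons else "allow"

def check(history, amount, country, iso_ts):
    # Convenience entry point: score one new transaction against the history.
    txn = Txn(amount, country, datetime.fromisoformat(iso_ts))
    return decide(score(build_profile(history), txn))
```

A real deployment would derive the baselines per customer from months of data and tune the thresholds against confirmed fraud cases rather than the fixed values used here.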
Our banking system is vulnerable, and it stands exposed as a soft target for hackers and other cyber-crime experts. Similarly, we need to bring all our institutions together on the subject of cyber security, and one cyber security law should cover the whole cyber fiasco.
The new Act of Parliament, in addition to the banking sector, should also give cyber protection to the following institutions: airline travel data; the NADRA database; passport and immigration; data of all three defence forces; police and special branches; inland provincial and federal revenue records; all ministerial records of the respective ministries; all judicial proceedings and judicial websites; all State websites; and future e-filing.
In addition to the cyber security enactment, there should be additional enactments for data protection to ensure the privacy of the people.
We also need to create a special panel of trained judges to deal with cases related to cyber security, and the judges must have complete knowledge of the cyber world, its vulnerabilities and the precautions required.
This article was published in The Nation on December 7th, 2018.
Link to the article: https://nation.com.pk/07-Dec-2018/cyber-security-for-banks-and-national-institutions