Three banks cracked by cyberattacks

:: Peoples Time Online ::

BB opens probe as hackers steal $3m from cash machines abroad last month, raising concern about banks’ security systems.

At least three local private banks suffered major cyberattacks last month, raising concern about the robustness of their security systems against a growing threat of scammers.

Of the three, Dutch Bangla Bank Limited (DBBL) was the biggest victim, losing as much as $3 million (around Tk 25 crore) to global cybercriminals, according to sources in the banking sector.

Two other banks — NCC Bank and Prime Bank — also faced cyberattacks, but they claimed they were able to avert financial losses.

Following last month’s cyberattack, the BB formed an eight-member committee to probe the matter. Intelligence agencies are also investigating it separately.

Usually, hackers use malware to steal customer data from a bank’s server and then use that information to clone credit and debit cards.

When hackers went for transactions last month, the proxy or the shadow switch gave instructions to release funds, keeping the bank completely in the dark.

Initially, the bank refused to pay as its server didn’t show any of the transactions. Then Visa came up with “solid proof”, and the bank was compelled to pay, said sources in the DBBL.

The DBBL reported the matter to the BB which held two meetings with the heads of IT, retail banking and card divisions of all banks in the middle of last month to discuss the issue.

Around a couple of weeks later, the DBBL’s nine ATMs fell prey to an international hacker group that stole around Tk 16 lakh on May 31. Law enforcers later arrested six Ukrainians in connection with the theft.

A senior BB official, who attended the meetings last month, said the latest incident of cyberattack is a matter of concern for all banks as it exposed vulnerabilities in their cybersecurity controls.

“It can happen to any bank if it doesn’t protect its IT system with updated software and anti-virus,” the official told The Daily Star, seeking anonymity.

Contacted, DBBL Managing Director Abul Kashem Md Shirin declined to comment.

But the other two banks that faced cyberattacks admitted that their cybersecurity systems were compromised.

“Somebody tried to break into our security system recently, but failed. We didn’t incur any financial losses,” said NCC Bank Managing Director Mosleh Uddin Ahmed.

After the hacking attempt, the bank suspended payments through the automated cheque processing system for a few days, he added.

Prime Bank Managing Director Rahel Ahmed said they had faced a hacking attempt but were able to avert financial losses.

However, multiple sources confirmed to this newspaper that the two banks lost money. The amounts, however, were not that big.

Voicing concern over the latest cyberattack, a number of experts have criticised banks for their lax attitude towards strengthening their IT systems, and said this left them vulnerable to fraud.

Out of 58 banks in the country, only three — Eastern Bank Limited, City Bank and Mutual Trust Bank Limited — have got certification for complying with the Payment Card Industry Data Security Standard (PCI DSS) set by Visa, MasterCard, Discover Financial Services, JCB International and American Express.

The only other local firm that has the certification is IT Consultants which runs Q-Cash, a payment processing consortium.

The DBBL has the largest network of cash machines and the highest number of debit cards in circulation, but it does not have the PCI DSS certification.

Banks are not making enough investments to strengthen their IT security and human resources, and this is one of the key reasons for vulnerabilities in their cybersecurity systems, said the head of the IT department of a leading private bank.

“Many banks use below par and pirated software, which is very vulnerable to fraud,” the official told this newspaper on the condition of anonymity.

Another senior banker blamed a lack of awareness among boards of directors and top management of banks for poor investment in IT security.

In a study last year, Bangladesh Institute of Bank Management (BIBM) found 28 percent of the banks had no preparation to tackle a large-scale cyberattack.

Talking to The Daily Star, Mahbubur Rahman Alam, associate professor of the BIBM, said banks in Bangladesh got automated without adequate preparation.

“Many banks went for automation without sufficient IT infrastructure. The time has come to address these crucial issues. The banks should hire skilled IT professionals,” he added.

Peoples Time/HG
