No Hacking or Security Breach in Pakistani Banks

Advisory by Digital Arrays (Private) Limited | November 06, 2018

1- No bank in Pakistan has reported any security breach or hacking attempt (successful or unsuccessful) during the last two weeks.

2- Bank Islami Pakistan reported fraudulent transactions worth 26 lacs rupees, for which the bank has already compensated its affected customers without waiting for complaints from them. These fraudulent transactions were initiated from outside Pakistan.

3- Bank Islami Pakistan claimed to have disconnected its international link, from where the fraudulent transactions were coming to the bank’s network. However, the bank is in dispute with the international card brand (VISA) with respect to another set of transactions amounting to USD 6 million. The bank has claimed that the question of approving these fraudulent transactions does not arise because it had already disconnected the international link. However, VISA insisted that the bank also approved these fraudulent transactions worth USD 6 million and wanted Bank Islami to pay for the same. To resolve this dispute, Bank Islami and VISA are already in the Sindh High Court, and the next hearing is scheduled for 12th November 2018.

4- The dispute between Bank Islami and VISA is already in litigation; therefore, neither party is forthcoming with further details about internal investigations for public consumption, which is obviously the right approach till the dispute is settled inside or out of the court. Therefore, at this point in time, it is not known whether the bank, VISA or any other entity suffered a cyber-attack. Nevertheless, it can be said with a degree of confidence that the card data of Bank Islami customers was copied / skimmed via ATMs or POS terminals, or leaked from within the bank, etc. Such copied card data has been used from outside Pakistan to carry out fraudulent transactions.

5- It is important to understand the difference between fraudulent transactions and a hacking attempt. Fraudulent transactions can be successful without hacking the bank. When a cheque book or a leaf of a cheque book is lost, it can be used by fraudsters to steal money. Likewise, if a credit or debit card is lost or stolen, it can also be used in fraudulent transactions. Such fraudulent transactions, if successful, do not mean that the technology infrastructure of the bank has been hacked. In exactly the same way, if the data stored on a debit or credit card is fraudulently copied or stolen, then such data can be saved on a duplicate fake card. Such a fake card can also be used to commit fraud, especially if the fraudster also finds out the PIN associated with the original card.

6- The Dark Web on the internet is a market to buy or sell illegal items or services, e.g. user-IDs/passwords, bank account details, credit/debit card details, passports, nationalities, etc. There are a number of such black markets on the internet where credit/debit card data from almost all countries is available for sale. You name a bank in any country, and one can get you the card details belonging to that bank. Pakistan and its banks are no exception.

7- According to the annual report of the Payment Systems Department (PSD) of the State Bank of Pakistan, there are 1,453,867 credit cards and 21,712,069 debit cards as of June 2018. Some unprofessional and irresponsible individuals or organizations have claimed during the last week or so that the data of 10,000 to 20,000 cards of Pakistani banks is available for sale on the Dark Web. The validity of such nonsense claims cannot be established and relied upon. If we assume, for the sake of argument, that such data is valid, even then it can be seen that it does not make up even 0.5% of the total cards issued and used in Pakistan.

8- It is ironic to note that Capt. (Retd) Shoaib, Director NR3C-FIA, has communicated to the media that ALL the banks in Pakistan have been hacked, without giving any evidence whatsoever. He also fell short of naming any bank where NR3C has done any investigation during the last two weeks, yet he reiterated as a layman that all the banks in Pakistan have been hacked. The cause and motive behind such irresponsible and sweeping statements must be unearthed because they have hit the trust and reputation of the banking industry of the country.

9- Due to the prevailing situation, some banks have disallowed the use of cards from outside Pakistan to avoid any untoward incident. However, customers can individually call their respective banks to allow their cards to be used on international links if they have a need.

10- The State Bank of Pakistan issued Regulations for Payment Card Security more than two years ago, Regulations for Internet Banking Security a few years back, and also the Technology Governance and Risk Management Framework in 2017. The banks should review the implementation status of these regulations themselves to safeguard their reputation and customers’ confidence. It is high time that the Pakistan Telecommunication Authority (PTA) for the telco industry and the Securities and Exchange Commission of Pakistan (SECP) for listed companies issue Information Security compliance requirements.

11- The recent events have exposed that humans are the weakest link, which can be strengthened by regular training and workshops. Training and workshops should not be offered by those who themselves are not trained, knowledgeable and experienced. Other weaknesses include irresponsible reporting, relying on rumors, and incompetent people posing as professionals.