‘In Pakistan, banking sector most vulnerable to cyber attacks’
Today, everything on the internet is hackable. In this context, the most vulnerable sector in Pakistan, where data security against fraud attempts is as fragile as a cobweb, is banking, a moot on cyber security was told.
Pakistan, which stands 67th on the Global Cyber Security Index 2017, faced its latest cybercrime attack some weeks ago when 559 accounts of Habib Bank Limited were hacked through ATM cards in China and Rs10.2 million were stolen, experts at a symposium organised by Pakistan Academy of Engineering (PAE), titled “Cybersecurity – Where do we stand?”, said on Saturday.
It was perhaps negligence or incompetence of the government, state institutions and banks that they failed to cope with the threat of online financial frauds even after some Chinese nationals were caught installing skimming devices at ATMs of Bank Al Habib in Karachi in June last year.
Is the threat over? Or have the Pakistani banks and their regulator, the State Bank of Pakistan, been successful in thwarting the hackers' attempts on their systems? There’s no absolute guarantee of it – and, according to some cyber experts, maybe no one can give it. The attacks are likely to continue from the anonymous, apparently uncontrollable, underworld of cybercrime.
The internet is growing faster than the government or industry’s ability to secure it, said PAE President Dr-Ing Jameel Ahmed Khan at Saturday’s event. Having stated earlier that the country’s banking sector was the most vulnerable to cybercrime, Khan added that the financial institutions had enough resources to come up with a system to keep up with the global network.
Hussein Hassanali, the Chief Information Security Officer at Bank Al Habib, believed the same. According to Hassanali, the ATM attacks were not a new phenomenon – in 2010 they happened in Europe in nearly the same manner, with the hackers using skimming devices.
“The skimming devices are easily available in the market and cost around USD2,000 [roughly Rs220,000],” he said. “To counter their use, a mechanism of human checking is necessary. Simply installing controls is not efficient enough.”
The Bank Al Habib CISO said that “attacks will continue to happen… and no security can be 100 percent.” However, he added, the country’s banking regulator is urging implementation of ample security measures and allocation of adequate resources to thwart the [skimming device installation] attempts in a timely manner when hackers try to make machines malfunction.
According to Wajahat Rajab, a consultant with Singapore-based cyber security firm Trend Micro, the attackers usually know what security controls are installed in the system of a targeted organisation and how to bypass them. “A hacker usually takes 146 days to finally launch his attack. Meanwhile, the organisation can prevent it,” he said.
Commenting on incompetency on the part of a targeted organisation’s own IT team, Rajab said that 53 percent of the time, it is the user who reports a cyber attack, which means that the professionals fail in detecting it most of the time. “Ransomware programmes such as WannaCry and others that are floating in Pakistan take 60 seconds to encrypt a computer, after which it starts communicating with an outside server,” he explained.
US-based IT research company, Gartner, Inc., says that there are now 6.4 billion connected devices globally and by 2020 this figure will balloon to 20.8 billion. Similarly, Russian cyber security company, Kaspersky Lab, states that the next world war will be a cyber war.
“Therefore, it becomes absolutely necessary for us to make a comprehensive assessment of the international efforts being undertaken to face the most complex situation,” said PAE President Khan. He added that the US was finalising plans to revamp its cyber command, Germany was building a cyber army of 13,000 soldiers by the next year, while China had recently introduced a cyber security law and India had built a computer emergency response team.
Khan further said that PAE has taken the initiative of establishing an institute of cyber security management “to act as a catalyst agent” in attack situations. He called on the government to “wake up” and take necessary steps immediately to establish a national cyber security command, develop a comprehensive legislative framework and create a certifying agency at the state level to bring uniformity of standards in maintaining IT and digital systems and computer servers across the country.