Tuesday, July 14, 2009

Cyber frauds, depositor’s risks

by Sher Baz Khan

The hacking of the Automated Teller Machine (ATM) system of the National Bank of Pakistan (NBP) believed to have involved withdrawals of over Rs84million from the industrial zones of Punjab alone, has added a new risk to the country’s banking system.

The two ATM cards of another bank with zero balance accounts were misused by a gang of well-organised hackers in Multan, Lahore, Faisalabad and Sialkot to defraud the state-run bank.

Primary investigations indicate the alleged involvement of an employee of the cyber wing of the bank’s headquarters in Karachi who knew about tons of ATM related data and the bank’s online money supply security system. Now he has vanished from the scene. The gang seems to have mastered the whole security modules of the bank’s online money supply service and cracked its codes to the level that they even made the ATM machines respond positively to commands for which the machines are programmed to respond negatively.

More shockingly, the gang withdrew just within hours millions of rupees through these machines which were programmed for not issuing any amount beyond Rs20,000 in a single day.

The Federal Investigation Agency (FIA) suspects that committing such cyber-cum-financial crimes was not easy without involvement of those who served as the administrators of the bank’s One-Link – the NBP’s ATM sharing service with 14 other banks. The agency has also arrested a retired employee of another bank, whose zero-balance account was mis-used. The search is on for the suspected head of the gang, Ali Hassan alias Bacha. The FIA has also warned other banks of similar cyber robberies if they fail to improve their security systems for online money transactions. The news has sent shock waves across the country as bank account holders now feel more vulnerable.. The question arises as to who will be responsible (the bank management or the client?) in case, a client’s cash card is misused.

ATMs are vulnerable because many of them are in isolated locations. Those in safer locations are still vulnerable to surreptitious damage — so even under observation it should be impossible to tell who was sabotaging the ATM equipment..

Now, the questions being asked is: Are the banks capable to win this battle against cyber gangs? The frequency of cyber crimes involving financial institutions and the general public has increased. However only few know about the existing anti-cyber crimes law and where to lodge a complaint in case any such crime was committed. .

It was in December last year that the Prevention of Electronic Crimes Ordinance, 2007 was promulgated. Under the ordinance, the FIA’s National Response Centre for Cyber Crimes (NR3C) is empowered to enforce the law. The NR3C was established in the FIA in March 2003 Till the formation of NR3C, Pakistan mainly relied on the US Central Investigation Agency (CIA) for detecting cyber crime and militant websites.

The NR3C now deals with 14 major categories of cyber crimes including, financial crimes, email treating, denial of service attack and DDOS attack, virus/worm attacks, internet time thefts, unauthorised access, credit card frauds, anti Pakistan/Islam material on websites, ATM frauds, mobile communication, theft of systems, web SMS, pornography and Interpol cases.

Those involved in crimes of stealing codes and misusing online data or hacking can be punished for three to five years imprisonment if found guilty by special tribunals.

Syed Ammar Jafri, head of the NR3C told Dawn that the agency has started an awareness campaign against cyber crimes by organising workshops and seminars on cyber security challenges and solutions. The NR3C provides single point of contact for local and foreign organisations for matters related to cyber crimes It is imparting training and related security education to persons of government/semi-government and private sector organisations.

Mr Jafri however warned that what happened at the NBP could happen at any other bank. The NBP was targeted for the lack of security. He said cyber crime was a reality. In majority of the developing countries, where cyber crimes are on the rise, the clients have been demanding of the banks to bear the burden of money fraudulently withdrawn from its ATMs by mis-using a client’s cash cards.

The business community in Hong Kong has demanded that in cases where the gross negligence of the account holders was not involved, banks must bear the full loss incurred. Otherwise, it may undermine customers’ confidence in the use of ATMs. It is in the interests of banks to prevent ATM frauds and bear the losses where the clients are not responsible for any negligence.

There is also a need to take precautionary measures for giving greater protection to ATMs, particularly those located in less secure areas. It is, of course, for the individual banks, exercising their own judgement, to determine the appropriate precautionary measures needed. The security features of ATMs can be ensured by monitoring these machines continuously after installing closed-circuit television; implementing a mechanism that records relevant information on

ATM cards or credit cards so that banks can determine whether an unauthorised ATM transaction is carried out through a counterfeit card; patrolling ATMs more frequently during and after office hours; encouraging customers to report any suspicious devices detected on ATMs and providing them with the relevant telephone number to do so at the ATMs; and alerting customers if any unusual transaction patterns are noted.

There is a need also for depositors to exercise greater care in protecting their cards and PINs. For handling cases involving customers who may have the bad luck to be victims of ATM frauds, banks must introduce complaint handling procedures. They should have systems in place to ensure that customer complaints are promptly investigated and resolved in a satisfactory manner. While the FIA should be notified as soon as possible, given the suspicion of fraud involved, the internal investigation of the banks should be conducted promptly and the complainants kept informed. (Courtesy PBA)

No comments: