News of security breach in the overseas payment systems of a local bank broke over the weekend. A notification was issued by the central bank on Sunday, setting off alarm bells in the close circle of bank-watchers. However, as the central bank had kept the language of the press release on the down low, the story did not make it to airtime on TV or social media, which tend to turn molehills into bank runs.
Back to the subject: it appears that hackers made into bank’s payment cards database, skimming funds off by conducting transactions overseas. The episodes brought to life memories of a similar breach at Pakistan’s largest private bank last year, where conmen cloned customer’s debit cards to withdraw funds via ATMs.
What sets the case apart is that the alternate delivery channels were used overseas, with SBP identifying ATM and POS as two sources. This “non-event” is big on two accounts. First, if this were a plain vanilla identity theft of customer’s personal information via a singular hacking event used to commit wire fraud online, the bank alone may not have been at fault.
Recall that customer credit card information stored with a major ride-sharing service was lost in a hacking event earlier this year. If information is lost in this manner due to a data security breach at a third-party merchant (specially one providing e-commerce services), payments system of just about any bank in the world is vulnerable.
However, since physical delivery channels were used to run the con, at the very least hackers would have had to clone bank cards. In that case, local ATM and POS machines could have been used too to withdraw funds. Considering the troubling lack of capacity at our investigative agencies, risk of arrest and conviction is highly diminished. When the cyber crime wings are busy with fifth generation warfare, who has time to fight wire fraud?
Why go through the trouble of running an international scam then? The upside is restricted due to scale. One, overseas transactions are monitored more closely by not just the bank but also the clearing systems e.g. Via, MasterCard, UnionPay. The benefit is thus limited because customers are alerted more promptly in case of unusual activity; against the cost of committing a cross border white collar crime bringing down the wrath of a myriad of international agencies.
This brings us to the second reason of why the security breach may be bigger than anything before. Even if the cards were cloned, anyone who has used bank cards outside the country is aware that use outside home country is not permitted by default; instead, banks require advance instructions, and prefer that a maximum time limit is set on the use (which for frequent travelers, may be the expiry date of the card).
This raises the specter of a compromise at bank’s internal database infrastructure. Those of us who have ever had the neat experience of calling up a bank’s helpline are aware that banks go to lengths protecting customer’s information from themselves. To protect against identity fraud, banks use secondary information for verification that is not readily available through customer’s ID. As a rule, bank staff does not ask or can find out customer’s card number or security pin.
ADC operations can at best identify last 4-digits. Those who do, cannot trace it back to customer’s bank account held with the back. The layering is not just to safeguard the customer. Bank’s reputation is on the line too. How then, were overseas transactions enabled on customers’ cards on such a large scale, and managed to go unnoticed internally before a customer raised hue and cry?
The truth is, in an age of crypto currency, Pakistan’s banking industry is still living in bizarre world. ATMs deduct balance but ‘forget’ to dispense money. Incomplete transactions take months to reverse. And the disease does not afflict retail and consumer customers alone.
One banker privately admits that there have been past instances of repeated ‘ghost’ transactions in operation accounts of big-ticket corporate customers. In one case, these transactions went up to the tune of hundred of millions, leading to temporary loss of business for one leading bank. While these were “credit balances”, firms have to worry about auditors too. Who knew?
Leading banks boast of multiple external audits, plethora of independent committees; multiple departments to monitor business and operational risks; periodic risk reviews; compliance guidelines from AML/CFT down to how many glasses of water a day an employee must have.
Both industry and the regulator often speak of banking the unbanked; yet at the same time, a basic TUC shop owner has to fill out FATCA compliance information for account opening akin to applying for a US visa in 90s. While Pakistan’s grey economy and low digital banking use may have many reasons, banks’ “ease of doing business” is one of them.
Similarly, while the industry may have privatized, the attitudes have not. Staff’s customer “friendliness” at even corporate branches drives customers away from brick and mortar (and rightly so!). While lower footfall works for both the management and customers in theory, banks would be ignorant to believe that the pitiful state of IT infrastructure will drive customers to use digital interface channels.
In the past, enforcement of WHT drew banking customers out of the documented economy to cash houses in Lahore (read “Doing away with the transaction tax published in this section on October 30, 2018). If businessmen’s past behaviour is any guide, banks’ poor security infrastructure is one hacking away from driving out many more.
So far, the industry could afford to be lazy because the victims have only been consumer banking customers with little nuisance value. Hell will freeze over the day business and corporate customers are defrauded.
The industry could not only see mass exodus of depositor base, but may also suffer a reputational setback globally. As the custodian of depositors, the regulator also needs to do some soul searching. But who is listening?
Comments
Comments are closed.