Digital threats

Commercial bank customers hit by online fraud


Consumers from three private banks were affected by an online debit card scam just before Eid ul-Fitr. The victims filed complaints with the Federal Investigation Agency’s (FIA) cybercrime unit.

Hundreds of customers of one of Pakistan’s largest banks reported that they had lost money through unapproved bank transfers, bill payments and online purchases. The bank staff informed the irate clients that their services were experiencing problems and that the bank was working hard to resolve the problems. Customers also stated that their cards were disabled. So far, the affected banks and authorities have been unable to pinpoint the cause of the data breach. It could be a technical glitch or the result of online fraud.

The most likely explanation is debit card fraud by bugging ATMs. When debit cards are entered into a machine, the information on them is replicated. The card’s key pins are obtained using key loggers. The cards are then utilised for internet-based transactions.

With the growing use of digital banking over the last two years, data breaches have become increasingly frequent in Pakistan, despite the banking regulator and relevant ministry issuing a strong cybersecurity strategy.

In the last six months, data breaches have affected not just banks, but also numerous government organisations, including the Federal Board of Revenue (FBR) and the Ministry of Finance. Financial institutions should have a comprehensive strategy to secure their customers and systems from hacking attempts.

Overseas hackers utilised compromised data from debit cards to execute fraudulent financial transactions in foreign currencies to steal from a leading bank in Pakistan.

The financial organisation had to block foreign financial transactions using debit cards for practically all of its customers as a result of the incident. All the fraudulent transactions were dollar denominated. Anyone who now wants to use a debit card for internet banking must first activate the service; otherwise, they are denied the facility because the service has been suspended for safety reasons. There have been many fraudulent transactions of minor sums.

It is unclear so far how much money was stolen from how many bank accounts by the cyber criminals operating from abroad. The cybercriminals are known to have used Google searches to plan and execute frauds.

In 2018, a similar attack had affected almost all Pakistani banks. Huge sums of money were then stolen from people’s accounts by hackers.

In November 2018, a private bank reported that the data breach had cost it approximately $6 million in direct losses and the suspension of various operations, including internet banking. In February 2019, a private bank’s database of 69,189 bank cards was put up for sale on the dark web. The bank lost $3.5 million as a result of the data leak. According to media reports, the bank management was quick to respond to the situation and instructed its customers to alter their PIN number and other security measures to avoid losing money.

As conditions change, banking fraud evolves, producing new vulnerabilities and challenges for banks as well as opportunities for fraudsters. Staying on top of this fast-moving target is critical if banks are to develop systems that can detect and prevent such scams, especially considering the pandemic’s impact on the banking sector. Everything on the internet nowadays can be hacked. 

The cyber-security incident exposed over 19,000 card details from 22 Pakistani banks. The discovery came in response to a tip by Group-IB, a multinational cyber security group, which claimed that hackers had exposed a massive number of Pakistani individuals’ credit and debit cards on dark web forums. Among these, krebsonsecurity.com reported that information about more than 8,000 accounts from roughly 10 Pakistani banks had been sold on the dark web.

K-Electric, the electric power company, was targeted by a Netwalker ransomware attack in September 2020 that disrupted billing and online services. The attackers threatened to leak all KE’s customers’ information, including names, addresses, CNICs, NTNs, credit cards and bank account numbers on the dark web unless the K-Electric management paid a $7 million ransom.

Hackers stole the personal information of 260,000 users from a Pakistani music streaming site in January 2021. In August 2021, hackers attacked Pakistan’s largest data centre, controlled by the Federal Board of Revenue (FBR), and managed to crack the Hyper-V software by Microsoft, shutting down all official websites operated by the tax machinery.

After the FBR’s official website and tax-related operations were restored, the hackers sold the FBR data for $30,000 on a Russian forum. A cyber attack on the National Bank of Pakistan’s servers was detected on October 29-30, 2021, affecting some of its online services.

A security breach in a ride-sharing company in April 2018 compromised the data of customers from Pakistan and other countries. The attack on Peshawar ATMs in December 2020 was also widespread. The breach of various websites, including those belonging to the Sindh High Court in July 2021 and PTV Sports in August 2020 also made waves.

Some senior Pakistani officials’ cellphones were hacked in 2019 for covert surveillance. The attack was carried out using malware known as Pegasus, purportedly developed by Israeli spyware firm NSO Group. By making a missed call to targeted WhatsApp numbers, the spyware might acquire access to messages, emails, contacts and passwords and turn on the phone’s camera and microphone. The malware was also capable of determining a user’s GPS position.

A majority of bank frauds target the bank’s customers. Covid-19 aided the growth of internal banking fraud. The pandemic created ideal conditions for several sorts of financial fraud to flourish. Millions of people were compelled to alter their routines, particularly the way they worked, shopped and communicated. This accelerated fraud in the following ways:

• Many office workers, including bank employees, shifted to remote working, which necessitated remote access to company networks—often with inadequate security safeguards in place.

• In the home-working environment, some internal controls and confidentiality requirements became more difficult to enforce.

• As branches and businesses closed, a dramatic shift in banking transactions to digital channels forced banks to rely on digital and telephone channels to keep the services running. This was especially true in underdeveloped countries, where banks rushed to embrace digital innovation while overlooking security concerns in some circumstances.

For example, transaction limits on digital channels were raised, implying that account takeover could now result in larger thefts. The rise in home delivery for retail orders gave rise to new phishing scams employing email and text warnings, as well as a general increase in communications via digital channels that can be faked and exploited for phishing.

• During lockdowns, there was a large surge in retail participation in financial markets, which presented opportunities for online investment.

The internet is used in many aspects of a bank or financial institution’s activities. Your bank’s sensitive data may be at risk if you don’t have strong cyber security procedures in place. There are around five serious dangers to a bank’s cyber security.

Malware-infected end-user devices, such as PCs and cell phones, represent a threat to your bank’s cyber security every time they connect to your network. Sensitive data goes across this connection, and if the end-user device has malware installed on it, that malware could attack your bank’s networks if it is not secured properly.

To better serve their customers, many banks and financial institutions use third-party services from external providers. If those third-party companies don’t have adequate cyber protection in place, your bank could be the one to bear the brunt of the damage. Before deploying third-party solutions, it’s critical to consider how you can defend yourself from the security vulnerabilities posed by them.

Spoofing is a new cyber security problem. Here, hackers imitate a banking website’s URL with a website that appears and functions in a similar way. When a user submits his or her login information, hackers steal it and store it for later use. The latest spoofing techniques don’t just employ a slightly different but similar URL; they can also target consumers who have already visited the correct URL.

Banks and financial institutions must identify solutions to prevent cyber security threats while still providing easy, technologically sophisticated options to their consumers.

To combat the growing number of cyberattacks, public and private sector organisations should use all available resources, including specialists and technology tools, to upgrade their cyber security systems.


The writer is a researcher and analyst in the field of cyber security.
