KARACHI: Pakistan’s banking system lost Rs2.6 million in cyberattacks as online security measures failed to prevent breach of security in which overseas hackers stole customers’ data.
BankIslami Pakistan, which was a victim of the cyberattack, however, claimed it managed to avert a bigger financial loss which, international payment managers suggest, was to the tune of $6 million, following its exit from the international payment system.
The bank paid the lost amount to its customers immediately and also restored the biometric-enabled ATMs network in the country, but it had yet to reinstate the international payment system.
To remain on the safe side, a couple of other banks also restricted their international payments for the time being, including JS Bank which sent alert messages to its customers.
The message reads, “JS Bank has temporarily blocked all debit cards for online and international usage as a security precaution. Customers who wish to use their cards abroad may call us to unblock their cards…”
The latest attack is the third major cyber security breach in the country and the second within the banking sector in less than 10 months.
Earlier, Habib Bank Limited and Careem, the ride-hailing app, have faced such security risks, following which an expert advised the account and ATM card holders to change their passwords as soon as possible to prevent more financial frauds.
BankIslami was the first bank to begin Shariah-compliant operations in Pakistan in 2006 and is listed at the Pakistan Stock Exchange (PSX).
Its share price improved 0.44%, or Rs0.06, and closed at Rs13.85 with trading in 4,000 shares at the PSX on Monday.
In its immediate response to the security breach that happened on Saturday, the State Bank of Pakistan (SBP) temporarily suspended the use of BankIslami ATM and POS (Point of Sale) cards for “overseas transactions (only)”, the central bank said in a statement late on Sunday night.
“As a result of the security breach of payment cards of one of the banks in Pakistan yesterday (Saturday) and their unauthorised use on different delivery channels ie at ATMs and POS in different countries, the bank has temporarily restricted the use of its cards for overseas transactions,” stated the central bank.
In a notification to the PSX, BankIslami stated that it detected certain abnormal transactions valuing Rs2.6 million in one of its international payment card schemes on the morning of October 27, 2018.
“All the money withdrawn from the accounts ie Rs2.6 million has been credited in the respective accounts of valued customers,” said BankIslami Unit Head Corporate Affairs Muhammad Shoaib.
“Transactions of approximately $6 million as claimed by the international payment schemes are not acknowledged by the bank as the bank was actually logged off the international payment schemes at that time.”
The notice stated that all cash withdrawal transactions using the bank’s biometric service were restored on the same day ie Saturday.
Shoaib, however, added that the international payment schemes would be restored after mitigating all the risks.
The SBP has instructed the bank to take all necessary measures to trace the vulnerability and fix it immediately. “The affected bank has also been instructed to issue advisory on precautionary measures to be taken by customers,” the statement added.
Furthermore, the central bank has also issued directives to all banks to foster arrangements to ensure security of all payment cards in the country and monitor on real-time basis the use of their cards, especially overseas transactions. “The SBP will continue to assess these developments in coordination with banks and take further measures, if required.”
The following directives have been issued to all banks in Pakistan to ensure that; security measures on all IT systems including those related to card operations are continuously updated to meet any challenges in future, resources are deployed to ensure the 24/7 real-time monitoring of card operations’ related systems and transactions, and immediately coordinate with all the payment schemes, switch operators and media service providers the banks are integrated with to identify any malicious activity of suspicious transactions.
“In case of any unusual incidents, banks are advised to immediately report to the SBP,” the statement read.