A major case of cybercrime engulfed Pakistan’s financial hub of Karachi recently. A debit card scam that targeted several consumers of three private banks emerged right before Eidul Fitr, prompting complaints with the Federal Investigation Agency’s (FIA) Cybercrime Unit of strange financial activities.
Hundreds of customers of one of Pakistan's largest banks reported that they had lost money over the previous few days due to a technical fault with the bank's services. The targeted customers also said were left in the dark about certain bank transfers, bill payments, and online purchases that were notified to them without their knowledge or approval. The bank's staff informed the irate clients that their services were experiencing problems and that the bank was working hard to resolve the problems. Customers also stated that their cards had been momentarily disabled.
As the complaints piled up, debit card fraud was suggested as a likely explanation for the shady transactions. This particular type of fraud is committed by robbing and modifying ATMs so that they replicate debit card information whenever a user enters their card into the machine. The card's key pins are also taken using key loggers, and the cards are then utilised on the Internet.
Overseas thieves utilised compromised data from many debit cards to execute fraudulent financial transactions in foreign currencies to steal from a leading bank in Pakistan that offers online banking services. The financial organisation had to block foreign financial transactions using debit cards for practically all of its customers as a result of the incident.
As the fraudulent transactions were made in dollar denominations instead of Pakistani rupees, any customer who wanted to use a debit card for Internet banking had to first activate the service. Failure to do so resulted in the transaction being denied and online service suspended for the account for safety reasons.
There were multiple fraudulent transactions of minor sums from multiple accounts. However, it was unclear how much money cyber criminals operating from abroad stole from how many bank accounts in Pakistan.
Pakistan, a lucrative target
As the use of digital banking has grown in Pakistan over the last two years, data breaches have correspondingly become increasingly common in the country, despite the banking regulator and relevant ministry issuing a strong cyber security strategy. Over the past six months, data breaches have affected not just banks, but also numerous government organisations, such as the Federal Board of Revenue (FBR) and the Ministry of Finance, necessitating the need for both public and private financial institutions to develop and implement a comprehensive strategy to secure their customers and systems from hacking attempts.
Almost all of Pakistan's banks were hacked in 2018 and huge sums of money were stolen from people's accounts by the perpetrators. The cyber-security incident exposed over 19,000 card details from 22 Pakistani banks. The discovery came in response to a tip by Group-IB, a multinational cyber security group, which claimed that hackers had exposed a massive number of Pakistani individuals' credit and debit cards on dark web forums. Among these, krebsonsecurity.com reported that over 8,000 account holders from roughly ten Pakistani banks had lately been sold on the dark web.
K-Electric, the city of Karachi's energy provider, was targeted by a Netwalker ransomware attack in September 2020, which disrupted billing and online services. The attackers stated that unless the management paid a $7 million ransom, all of KE's customers' information, including names, addresses, CNICs, NTNs, credit cards, and bank account numbers, would be leaked in the dark web.
Hackers stole the personal information of 260,000 users from a Pakistani music streaming site in January 2021. In August 2021, hackers attacked Pakistan’s largest data center controlled by the Federal Board of Revenue (FBR) and managed to crack the hyper-V software by Microsoft, shutting down all the official websites operated by the tax machinery.
Despite the fact that the FBR's official website and tax-related operations were restored, hackers sold the FBR's data for $30,000 on a Russian forum. A cyberattack on the NBP's servers was detected in the late hours of October 29th and early hours of October 30th, 2021, affecting some of its online services.
At least three other notable cyber-attacks are the Careem security breach in April 2018, which compromised the data of customers from Pakistan and other countries; the attack on Peshawar ATMs in December 2020; and the breach of various websites, including those belonging to the Sindh High Court in July 2021 and PTV Sports in August 2020, among others.
Some senior Pakistani officials' cellphones were hacked in 2019 for covert surveillance. The attack was carried out using a particular sort of malware known as "Pegasus," which was purportedly developed by Israeli spyware firm NSO Group. The spyware might acquire access to messages, emails, contacts, and passwords by making a missed call to the targeted WhatsApp number and turning on the phone's camera and microphone. The malware was also capable of determining a user's GPS position. Following the hacking incident, rumors stated that the Pakistani government was working on an alternative to WhatsApp for securing sensitive or confidential material.
An ideal environment for criminals
The COVID-19 pandemic has created ideal conditions for several sorts of financial fraud to flourish. Millions of people have been compelled to alter their daily habits, particularly the way they work, shop, and communicate, which has accelerated fraud in the following ways.
Many office workers, including bank employees, have shifted to remote working, which has necessitated remote access to company networks — often with inadequate security safeguards in place. In the home-working environment, some internal controls and confidentiality requirements have also become more difficult to enforce.
As branches and businesses close, a dramatic shift in banking transactions to digital channels has forced banks to rely on digital and telephone channels to keep services running. This is especially true in underdeveloped countries, where banks have rushed to embrace digital innovation while overlooking security concerns in some circumstances.
For example, transaction limits on digital channels have been raised, implying that account takeover can now result in larger thefts. The rise in-home delivery for retail orders has given rise to new phishing scams employing email or text warnings, as well as a general increase in communications via digital channels that can be faked and exploited for phishing.
During lockdowns, there was a large surge in retail participation in financial markets, which presented opportunities for online investment.
The most serious threats
The usage of technology, notably the Internet, is used in many aspects of a bank or financial institution's activities. Your bank's sensitive data may be at risk if you don't have strong cyber security procedures in place. The five most serious dangers to a bank's cyber security are listed below:
- Unencrypted Data: The usage of technology, notably the Internet, is used in many aspects of a bank or financial institution's activities. Your bank's sensitive data may be at risk if you don't have strong cyber security procedures in place. The five most serious dangers to a bank's cyber security are listed below.
- Malware: Malware-infected end-user devices, such as PCs and cell phones, represent a threat to your bank's cyber security every time they connect to your network. Sensitive data goes across this connection, and if the end-user device has malware installed on it, that malware could attack your bank's networks if it is not secured properly.
- Third-party services that are not secure: To better serve their customers, many banks and financial institutions use third-party services from external providers. However, if those third-party companies don't have adequate cyber protection in place, your bank could be the one to bear the brunt of the damage. Before deploying third-party solutions, it's critical to consider how you can defend yourself from the security vulnerabilities posed by them.
- Data that has been manipulated: To better serve their customers, many banks and financial institutions use third-party services from external providers. However, if those third-party companies don't have adequate cyber protection in place, your bank could be the one to bear the brunt of the damage. Before deploying third-party solutions, it's critical to consider how you can defend yourself from the security vulnerabilities posed by them.
- Spoofing: Spoofing is a newer sort of cyber security problem in which hackers imitate a banking website's URL with a website that appears and functions similarly. When a user submits his or her login information, hackers steal it and store it for later use. Worse, new spoofing techniques don't just employ a slightly different but similar URL; they can also target consumers who have already visited the correct URL.
As a bank or financial institution, they must identify solutions to prevent cyber security threats while still providing easy, technologically sophisticated options to their consumers.
To combat the growing number of cyberattacks, public and private sector organizations should use all available resources, including specialists and technology tools, to upgrade their cyber security systems.