Nepali banks ‘not prepared’ to ward off cyber threats

Oct 25, 2017-A day before cybercriminals hacked into the IT server of NIC Asia Bank to reportedly steal millions of rupees, another major commercial bank had witnessed suspicious activities of similar nature.
That commercial bank, according to sources, had come under “denial of service attack”. Under this type of attack, hackers flood the server with fake requests, making the network slow. During this time, hackers penetrate into the system and steal information. Fortunately, hackers did not get entry into that particular bank’s server, preventing the entity from suffering losses.

“Banks face this type of attack from time to time,” at least two senior officials working in IT Departments of banks told the Post on condition of anonymity. “But if precautionary measures are not taken, huge losses may have to be incurred.”

Today, technology is fundamental to raise people’s access to banking service. But the cases of NIC Asia Bank and another commercial bank that came under “denial of service attack” have exposed banking sector’s vulnerability to threats posed by cybercriminals, who can launch lethal attacks and sneak away with millions or billions of rupees at any time of the day.

“The only way we can control these problems is by following IT safety protocols in a proper manner,” Himalayan Bank CEO Ashoke Rana said. “A breach of simple procedure can raise banks’ vulnerability to cyber attacks.”

In the case of NIC Asia Bank, which reportedly lost millions of rupees last week in the biggest-ever cyber heist in Nepal, severe breaches of safety protocols have been reported. The bank, for instance, allowed staff of the IT Department to use computers meant for SWIFT transaction to perform tasks like checking personal e-mails.

This may have allowed hackers to infect computers with malware sent through e-mails, enabling the cybercriminals to gain control over the bank’s server.

“The bank also did not turn off the SWIFT server after office hours, which is a normal practice in most of the banking institutions here,” said a source. “Plus, the staff of the IT Department did not have time-bound usernames and passwords to gain access to the server.” Time-bound usernames and passwords allow users to gain access to servers during certain time of the day, such as 10 am to 5 pm. After that period, access will be denied.

“Also, the bank never used to disable remote terminals-computers that are used to gain remote access to servers,” the source added.

These vulnerabilities were exploited by unidentified hackers, who reportedly stole millions of rupees from the bank on Thursday, a public holiday when Nepal was celebrating Laxmi Puja. The money was stolen by “issuing around 31 fake instructions” via SWIFT, the global interbank payment system.

“We are still conducting an investigation into the cyber heist at the bank,” said Chinta Mani Siwakoti, deputy governor of the Nepal Rastra Bank, the banking sector regulator. “We will introduce measures to minimise such incidents after we gather all the information on what exactly happened.”

Earlier in 2015, international cybercriminals had attempted to attack financial institutions in Nepal using a malware called Carbanak, according to a report prepared by Russia-based computer security firm Kaspersky Lab.

The malware had the capability to record everything happening on bank employees’ computer screens. This provided hackers with every last detail of bank employee’s work, allowing them to mimic staff activity to transfer money and even steal cash from automated teller machines. Although such heists were not reported in Nepal, hackers have continued to pose a threat to the country’s banking sector.

“The only way to ward off those threats is by empowering chief technology officers,” said Sanjib Subba, CEO of National Banking Institute, a national-level banking and finance academy.

“But, unfortunately, many Nepali banks do not have such a position [of chief technology officer], as they still consider staff of the IT department as less important. This has prohibited IT personnel from taking part in decision-making processes, leaving banks vulnerable to cyber attacks.”