Repeated cyber attacks reflect the weakness of banking system security in Nepal
KATHMANDU: Nepal’s banking system has repeatedly been the victim of cyber attacks. Millions of rupees have been withdrawn from ATMs of banks and financial institutions using fake ATM cards.
The latest incident is that of Siddhartha Bank. Jagat Bahadur Gurung, who is currently living in Solukhumbu, Kathmandu, and Sabitra Gurung, who is living together with him, withdrew more than Rs 3.4 million using an expired ATM card of Floyd Bank in London.
According to the police, the money was withdrawn within five days using Siddhartha Bank’s ATM booths around the Chabahil, Naxal and Bhatbhateni areas. They used the ATM card to withdraw money more than 100 times.
According to a provision of Nepal Rastra Bank, no more than Rs 25,000 at a time and no more than Rs 100,000 a day can be withdrawn from an ATM. Thus, at most Rs 3 million can be withdrawn from ATMs per month. However, Gurung defied the NRB’s rule and withdrew more than Rs 3.4 million in 5 days.
Only five days after they withdrew the money, Siddhartha Bank informed the Metropolitan Police Range, Teku. Both were arrested within two hours of the police report.
At 11 midnight on Saturday, 31st August 2019, Chinese hackers stole more than Rs 35.8 million from banks including Prabhu Bank. The hackers infiltrated the Visa network system with malware and blocked access to the bank’s information system.
That is why Prabhu Bank changed its system. It started using SCT cards instead of Visa cards, and the account numbers were also changed.
At that time, ATM cards of 7 banks were used.
According to Nepal Rastra Bank, about Rs 19 million was stolen from 68 ATMs of 17 banks and Rs 35.8 million was stolen from India using Nepal’s network, including Rs 16 million in Indian currency. Police arrested six Chinese hackers involved in the incident along with around Rs 12.7 million and currency of different countries. Along with them, the police also seized genuine and fake ATM cards, ATM printing machines, laptops and other items.
At that time, the hackers used ATM machines of not only Prabhu Bank, but also Nepal SBI Bank, Kumari Bank, Nepal Investment Bank, Sunrise Bank and Citizen Bank to withdraw money from NIC Asia Bank, Global Bank, Sunrise Bank and Citizen Bank accounts.
Similarly, there are other cases of such withdrawals from the banking system in Nepal.
Nepalese deposits at risk
Nepal’s banks and financial institutions have purchased their internal systems from various countries. They have been providing features such as QR codes and money transfer through mobile banking apps.
Banks have been providing mobile banking services through their own websites. For this, banks have been using Connect IPS, Phone Pay and various payment service providers, especially eService and Pocket technology. Similarly, ATM cards like Visa, SCT and MasterCard are being used in Nepal. Banks have been charging customers exorbitant fees for these services. However, the recurrence of such cyber crimes at banks and financial institutions has proved that Nepal’s banking system is very weak.
Financial economist Anil Raj Bhattarai says such cyber attacks are caused by the weak cyber security of Nepal’s banks and the lack of skilled staff and systems within Nepal Rastra Bank. He said that although Nepal Telecom, Nepal Rastra Bank and some other companies look after the payment system of Nepal, there is no separate integrated system for this.
“There is nobody that knows how the data of the financial sector flows and how it is regulated and controlled,” he said. “It is necessary to build financial sector infrastructure to make Nepal’s financial sector safe and reliable.”
Although Nepal Rastra Bank has made legal and policy arrangements for digital payment and its use, it needs to be further modernized, he said.
According to Bhattarai, Nepal Rastra Bank should implement the European Standard ‘Payment Service Directive Two, PCD’ to strengthen its banking information technology.
“This is a standard of banking information systems, which will make the system secure and reliable,” he said.
Chairman of the Nepal Internet Foundation Bikram Shrestha also suggested adopting international standards to make Nepal’s banking system secure.
“The recent cyber attack on the system of banks including Siddhartha Bank, has not met international standards. Also, such incidents are happening due to lack of skilled human resources, weak regulatory role of Nepal Rastra Bank and weak internal operating system of banks,” he said.
Shrestha says that such problems also occur when banks do not evaluate the shortcomings of their internal systems from time to time. He also stressed the formulation and implementation of strict laws related to cyber crime in Nepal. He said that the acquittal of cyber criminals should be stopped.
Nepal Rastra Bank does not seem to agree with the statement that there is a weak regulatory role in cyber crime. Spokesperson of Nepal Rastra Bank Deb Kumar Dhakal said that new types of criminal incidents are natural as the use of new technology is increasing.
“It’s not that we don’t have adequate laws on digital payments. With the use of new technology, new types of crimes are happening all over the world. Nepal has succeeded in regulating such crimes,” he said.
Banks and financial institutions periodically submit information system audits to Nepal Rastra Bank.
He also said that construction of the National Switch, intended to secure the payment systems, is progressing rapidly.