Table of Contents
Massive Breach on POS Security While Risking Millions
Internet-banking provides you the capability to manage your transactions online through your device. You don’t have to visit any banks or ATMs. Payment of utility bills, transfer of funds, shopping and viewing your previous transactions became easier with internet and mobile banking.
They make life easier and less expensive. They are also preferable for tracking your expenditures. There are many advantages of online banking, some are as follows;
- Pay your Bills online
- View your transactions
- Transfer money between accounts
- Mobile banking
- Syncing with your money applications
- Protect yourself online
- Permanent access to the bank
- Access anywhere using computer or mobile
- Less time consuming
As online services make the life easier, it also makes the banking network a target of evaluation (TOE). Banking networks are the most favorite target for attacker. Each and every branch of a bank pays a handsome amount to secure their systems and network. They have their own security departments, additionally they get security support and third-party security services including physical and network security. Even implementing the most powerful security framework, actively monitoring the traffic and security support, security breaches and data leaks from their systems.
According to the Federal Investigation Agency (FIA), around 20 Pakistani banks have suffered cyber-attack. On 27th October 2018, BankIslami noticed suspicious transactions of Rs2.6 million through its international payment card scheme. The bank immediately suspended its international transaction by shutting down its international payment scheme. The bank has credited all monies withdrawn from the accounts on 27th October i.e. Rs2.6 million to their respective accounts.
After suspending the internation transactions, the international payment scheme claimed that transactions of around 6 million USD were made on international ATM through Bank’s issued cards, however these transactions were not seen on bank’s system.
Afterwards, some more banks issued security alerts. They either blocked their customers’ credit/debit cards or blocked their online and international use. Customers were forwarded SMS notifications of the changes.
The threat intelligence and anti-fraud firm, Group-IB, reported the security breach of Pakistani banks including Habib Bank, MCB Bank, Allied Bank and many more on November 13, 2018. Prior to this incident, Group-IB detected the compromise of Pakistani bank’s card information uploads.
“Card dumps are usually obtained by using skimming devices and through Trojans infecting workstations connected to POS terminals. The large part of compromised card data is sold in specialized card shops, such as Joker’s Stash”
Dmitry Shestakov
Head of Group-IB сybercrime research unit
A data dump was posted on the Darkweb with over 9,000 to 12,000 debit cards information, the majority of the customers belonged to the Pakistani banks. Even though BankIslami came in the limelight and initially the media reported the neglect of a single bank but the dump showed a dissimilar story as it contained thousands of debit card information of various other Pakistani banks.
The Darkweb is an encrypted online platform that does not appear on conventional search engines. A particular web browser is required to access the deep web. The Darknet constitutes the dark web. The Darkweb concept is achievable with the help of anonymity tools like; Tor (“The Onion Routing” project) and I2P (invisible internet Project). It is popular for both user protection and black market. In a nutshell, Darkweb is an online market of drugs, human trafficking, exchange of stolen goods (financial and credential) and much more. All transactions on the Darkweb are often made in bitcoins or through purchasing goods in a way that both the buyer and seller are both protected from being tracked.
State bank of Pakistan press release ERD/M&PRD/PR/01/2018-93 on November 6,2018 clarifies that there is no evidence banks data being hacked except for one. SBP also issued ERD/M&PRD/PR/01/2018-91 i.e. the directives to banks about the security breach of payment cards and to take necessary measures to trace the threats and vulnerabilities. And also, to secure different delivery channels like ATM and POS. Furthermore, SBP also issued the directive to secure and monitor all transaction on real-time basis especially overseas transactions.
State-bank of Pakistan provides the Regulation of the security of Internet banking which develops the standard internet banking security framework. This security framework covers administrative, technical and physical safeguards. Internet banking security framework includes development of security policies, their implementation and testing inorder to acheive security, integrity, confidentiality, availability and accountability. Any unauthorized access must be detected, alerted and blocked with proactive approach. Framework also includes risk assessment, implementation of security controls, and monitoring to keep an eye on any abnormal behavior.
Bank’s responsibilities for risk assessment includes following the section 32 (Availability of documentation and proof), section41 (Burden of proof), section 43 (Liability of banks/Authorized parties), section 70 (privacy and secrecy) and other relevant provisions of the payment systems and Electronic Fund Transfers Act 2007.
The bank must ensure that appropriate security controls are followed to protect IT assets (for example networks, data, systems, applications, and communication systems). The bank must develop a set of controls based on the Security Risk Assessment or the bank must baseline security controls that involve Operating Access Controls, Application, and Remote Access controls. In order to authenticate IBAN customers, the bank must implement at least the Two Factor Authentication (2FA), comprised of passwords, one time tokens, dongles, etc. The bank must conduct a periodic risk assessment of authentication control to identify vulnerabilities and threats based on changes in applications.
The bank must implement an approved mechanism for monitoring security control. The bank must also ensure the aspects which cover security control monitoring mechanisms like monitoring of bank’s network activity by analyzing the network and host data associated with security events, methods for proactive monitoring of IDS/IPS and for responding to security breaches must be listed in monitoring mechanism, monitoring and reporting mechanism of authentication controls, time required for restoration of bank’s systems, identification and listing of bank’s policy violations, unauthorized configuration which can increase the risk of security breaches.
A formal customer awareness program to minimize frauds and Identity Theft risks must be developed by the banks. Such as, explanation of liabilities, responsibilities and roles of bank and customer also using Internet Banking services, Compliance of disclosure requirement under section 30 (Terms and conditions of transfers) of payment systems and Electronic Fund Transfer Act 2007, process for re-authentication of customers Internet Banking, regular issuance of guidelines to customers and regular review and evaluation of the customer awareness programs by management.
The incident and analysis reports of security breaches must be furnished on the basis to Payment Systems Department. All established security breaches must be reported to the payment system department, State Bank of Pakistan.
These regulations are subject to all relevant rules, laws and regulations issued by SBP from time-to-time such as, Guidelines on the Outsourcing Arrangements (BPRD Circular No 9 dated July 13,2007), information technology security (BSD Circular No 15 dated September 29,2004), Information Systems (BSD Circular No 8 dated December 12,2005), “Guidelines on Business Continuity Planning” (BSD Circular No 13 dated September 04, 2004).
References
http://www.na.gov.pk/uploads/documents/1432894244_956.pdf
http://www.sbp.org.pk/psd/2015/C3-Annexure-A.pdf
https://www.group-ib.com/media/pakistani-banks-ard-dumpss/
http://www.sbp.org.pk/press/2018/Pr-06-Nov-18.pdf
http://www.sbp.org.pk/press/2018/Pr-CardsSecurity-28-Oct-18.pdf