Cyber-security systems of banks seen not failsafe

A record number of both Bangladeshi public and private banks are currently in peril of unprecedented cyber-attacks mainly for their indifference and fragile cyber-security systems, prompting experts to suggest immediate action, sources say.

Stakeholders and experts say a large percentage of banks are not taking enough precautionary measures to fend off the possible large-scale, hazardous attacks, and avert bigger financial loss, which they deemed imminent.

The malicious actors behind such trans-border invasion include not only increasingly daring criminals-such as the Carbanak group, which targeted financial institutions to steal more than $1.0 billion during 2013-18 period-but also states and state-sponsored criminal gangland, according to a 2021 report published by the International Monetary Fund (IMF).

The country has yet to measure its financial losses caused by cybercrimes--the most outrageous being the theft of its reserves from the US Fed by an international cybercrime gang.

Earlier in June 2022, the Bangladesh Institute of Bank Management (BIBM) conducted a study based on the situation of the banking sector as of 2020 which found nearly 52 per cent of banks at grave risk of cyber-attacks.

In April 2020, the Financial Stability Board (FSB) warned that "a major cyber-incident, if not properly contained, could seriously disrupt financial systems, including critical financial infrastructure, leading to broader financial stability implications."

On March 3 in 2016, the Bangladesh Bank (BB) issued a guideline asking the banks to boost their cybersecurity capabilities after the bank's never-seen-before type of orchestrated reserve heist.

The regulator also had directed them to form security operation centre (SOC) to oversee security measures round the clock.

But most banks have yet to install SOCs, sources added, leaving such vigil a far cry.

With this phenomenon in view, experts also sought regulator's heightened measures to strengthen the enfeeble cybersecurity scenario in Bangladesh's banking sector, stressing the banks' need to build their employees' capacity and enhance logistics support for the security shield .

Terming those financial institutions (FIs), particularly banks, most desirable target to cybercriminals, the state-run Bangladesh e-Government Computer Incident Response Team (BGD e-Gov CIRT) made a horrendous disclosure that about 99 per cent of both private and public banks suffered major cyber-attacks very recently.

The report, titled 'Sectoral Cyber Threat Intelligence for Banking Industries', also identified that most users of banking applications and portals (both internal and external) were not properly aware of cyber- hygiene.

The research also finds insecure uses and/or access of internal application/portal by the employees' mobile devices may raise risk of exposure of organisations' critical assets.

In 75-percent cases, credential stealing is possible due to insecure uses of mobile or computing devices, it says.

In another report styled Common Vulnerabilities in Cyber Space of Bangladesh, it says the vulnerability level of cyberspace is increasing day by day in the country.

''To mitigate the impact, new technologies and services must be adopted to cope with the situation as well as competition," it adds.

Nearly 70 per cent of the attacks on FI firms targeted banks, Research by IBM X-Force says, adding that some 16 per cent targeted insurance companies while 14 per cent targeted other financial institutions in 2021.

The Intelligence unit of BGD e-GOV CIRT has also found that managed applications/ devices by vendors influence a great exposure of organisations' assets.

It also detected that enforcement of strong password policy was absent from many banking applications and portals.

Talking to the FE, Tarique M Barkatullah, BCC director (data centre), said almost all the banks were found to be running one or more vulnerable services and weak authentication systems which may lead to potential cyber-attacks.

''The worst part is that these risky services can be identifiable with simple reconnaissance techniques by threat actors using the internet," he lamented.

In addition, different types of applications, devices and other assets are also found to be identified on the internet which is running risky services, he says, citing the report.

Routers are on top of the list which is lagging on required security hardening, he warns.

In February 2020, Christine Lagarde, president of the European Central Bank and former head of the IMF, warned that a cyberattack could trigger a serious financial crisis, the IMF report stated.

Cybersecurity expert Tanvir Hassan Zoha suggests installing the ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS) to thwart the rampant cyber- threats.

Both ISO 27001 and PCI DSS) help organisations manage and protect their information assets so that they remain safe and secure.

''A large percentage of the banks are not using those tools to ensure their information security currently,'' Zoha, who is also managing director of Backdoor Private Limited, told The Finsncial Express.

Saying that the central bank's role is the key to building up strong ecosystem of banks, Tanvir says, "If the BB's directions are not followed, banks' operations should be halted".

Dr Md Mahbubul Alam Joarder, Professor at the Institute of Information Technology, the University of Dhaka, feels that every bank should form a fully professional response team like the BGD e-Gov CIRT to forestall all kinds of threats.

"If it happens regularly, the banking system may face a hazardous and grave situation in the coming days", he forewarns.

The BB must take steps and action for proper implementation of its guidelines to minimise the probable risk, Dr Mahbub stated.

''All the stakeholders concerned, including regulatory bodies, must understand and identify the existing problem, and seek the sustainable solution in greater interest of the important bank sector," he added.

On September 13, 2020, the Bangladesh Bank issued an alert to a probable hacking attempt in the country's ATM network.

The report also urged the banks to establish and maintain an organisation-wise dedicated Cyber Security Operation Center (Cyber SOC) to enhance security operations as a whole.

Tarique also underlined the need for continuous collaboration, cooperation, and threat info sharing among the community as well as law- enforcement organisations and government entities to combat cyber- threats mutually and in an organised manner.

Omar Faruk Khondaker, ex-chief technology officer at Sonali Bank, suggests developing a well-built monitoring system as most of the banks have yet to build it properly.

"Based on this, action plan should be well- prepared by each bank," he says.

The BGD e-GOV CIRT report recommends that the banks be cautious about unwanted exposure of all ad-hoc and core applications and services.

Jamuna Bank's ICT head Syeed Zahid Hossain says the BB should prepare new and time-befitting guidelines based on the incessant and widespread cyber-threat on the FIs, including banks.

"Even so, he did not notice any action taken by the central bank against those banks that have fragile security systems," Mr Hossain adds .

However, the BB has been arranging some training programmes occasionally to curb the attacks, he noted.

[email protected]