Core banking software in Bangladesh
An analysis with a focus on cyber-security challenges
In Bangladesh, Core Banking Software (CBS) is a crucial component for banks and financial institutions, automating processes, centralising operations, and enhancing service efficiency. With the financial landscape evolving towards digitalisation, CBS systems have become indispensable for operational agility and customer convenience. However, with these advantages comes a heightened risk of cyber threats, which poses significant challenges for banks and financial institutions.
OVERVIEW OF CORE BANKING SOFTWARE (CBS) IN BANGLADESH: Core Banking Software refers to the suite of applications used by banks to facilitate day-to-day transactions, account management, loans, deposits, and more. Leading commercial banks and financial institutions in Bangladesh use various CBS platforms such as Temenos, Flexcube, and Finacle, while some institutions have developed proprietary solutions tailored to their specific needs.
The adoption of CBS enables banks to streamline services, reduce operational costs, and ensure real-time updates across different branches and ATMs. It also supports multiple channels, including internet banking, mobile banking, and agency banking, creating a seamless experience for end-users. However, while CBS has revolutionised banking operations, it has introduced complexities and vulnerabilities that can be exploited if not properly secured.
KEY CYBER-SECURITY CHALLENGES IN CBS: Despite the advantages of CBS, cyber-security concerns are increasingly prominent due to various factors like increased connectivity, interbank dependency, and integration with third-party services. Let's delve into some of the primary limitations and challenges in CBS systems concerning cyber-security.
- Data breaches and unauthorised access: One of the primary cyber-security risks is unauthorised access to customer data, including sensitive personal and financial information. Many CBS platforms in Bangladesh lack robust access control measures, which, if exploited, can lead to data breaches with severe financial and reputational consequences. Without strong multi-factor authentication and user-access management, attackers can potentially infiltrate CBS systems and gain unauthorised access to sensitive data.
- Legacy systems and compatibility issues: Many banks in Bangladesh continue to use legacy CBS solutions that may lack advanced security features, such as encryption and intrusion detection systems, making them more vulnerable to cyber-attacks. Furthermore, integrating CBS with modern fintech applications often results in compatibility issues, leading to security gaps that cyber criminals can exploit.
- Weak encryption standards: Encryption is critical for protecting data both in transit and at rest. Some CBS platforms in Bangladesh utilise outdated or weak encryption standards, making it easier for hackers to intercept and decipher data. Insecure encryption methods put customer data, transaction details, and financial records at risk, and without encryption upgrades, banks remain exposed to cyber threats.
- Inadequate real-time monitoring: Real-time monitoring and anomaly detection are essential for identifying suspicious activities early and preventing data breaches. However, many CBS systems lack robust real-time monitoring and analytics tools, which limits the institution's ability to detect and respond to potential cyber attacks immediately. This delay in threat identification can increase the impact of breaches.
- Lack of proper network segmentation: Network segmentation limits the spread of cyber threats within the bank's internal network, containing damage if an intrusion occurs. However, in many cases, CBS implementations in Bangladesh lack effective network segmentation, meaning that once an attacker gains access, they can move laterally across systems and access sensitive data. Proper segmentation can isolate critical functions and reduce the risk of large-scale data breaches.
- Vendor and third-party risks: Banks often rely on third-party vendors for CBS solutions, which can introduce additional risks, as these vendors may not meet stringent cyber-security standards. Poorly secured APIs, supply chain vulnerabilities, and lax security practices from third-party providers can expose the bank's CBS to potential threats. In some instances, third-party applications can be a backdoor for cyber criminals, compromising the CBS infrastructure.
- Social engineering and phishing attacks: Although not a direct fault of CBS itself, social engineering and phishing attacks target bank employees to gain credentials and access to CBS systems. Financial institutions in Bangladesh lack adequate employee training on identifying phishing attempts, leaving them susceptible to these types of attacks. Enhanced training and phishing simulations are crucial to mitigate this risk.
RECOMMENDATIONS FOR IMPROVING CYBER-SECURITY IN CBS: To address these limitations, financial institutions in Bangladesh need a multifaceted approach focusing on modernising systems, enhancing security protocols, and fostering a culture of cyber-security awareness.
- Implementing strong authentication mechanisms: Multi-factor authentication (MFA) should be made mandatory for CBS access, particularly for critical functions. This will prevent unauthorised access even if login credentials are compromised. Additionally, biometric authentication and dynamic one-time passwords can add an extra layer of security.
- Upgrading to modern CBS solutions: Banks should consider upgrading legacy CBS systems to modern, cloud-compatible solutions with advanced security features. Cloud-based CBS offers scalability and regular updates, ensuring that security patches are promptly applied. Solutions like Temenos T24 or Finacle's latest versions provide enhanced security tools that meet global standards.
- Implementing strong encryption protocols: Financial institutions should upgrade to stronger encryption standards, such as AES-256, to protect sensitive information both in transit and at rest. Regularly updating encryption protocols is essential to staying ahead of evolving cyber threats.
- Strengthening real-time monitoring and incident response: Installing advanced monitoring and threat detection tools can significantly reduce the response time to potential cyber attacks. Real-time monitoring, coupled with Artificial Intelligence and Machine Learning, can help detect anomalies, flag suspicious transactions, and generate alerts for quick action.
- Improving network segmentation: Implementing network segmentation in CBS systems can reduce the attack surface and limit the spread of malware or ransomware. By isolating sensitive data and critical operations, banks can contain cyber threats and minimise the impact of breaches.
- Conducting regular vulnerability assessments and penetration testing: Regular vulnerability assessments and penetration testing are crucial to identifying security gaps within the CBS environment. These tests should be conducted periodically to ensure any potential vulnerabilities are addressed before cyber criminals can exploit them.
- Establishing strong third-party risk management: Banks should develop strict cyber-security guidelines for third-party vendors and conduct regular audits to ensure compliance. This involves reviewing vendor security policies, ensuring that APIs are securely configured, and maintaining a high level of visibility over any third-party integrations with CBS.
- Employee training and awareness: Regular training sessions and cyber-security workshops for employees can significantly reduce the risk of social engineering attacks. Banks should also implement phishing simulations and drills to improve employees' ability to recognise and respond to suspicious emails and messages.
Core Banking Software has become integral to the operations of banks and financial institutions in Bangladesh, providing improved customer service, streamlined processes, and better financial management. However, as digital adoption grows, so does the potential for cyber threats. By taking proactive measures to strengthen CBS security, adopting modern practices, and fostering a culture of vigilance, Bangladesh's financial sector can build a more resilient banking ecosystem capable of withstanding the evolving cyber threat landscape.
Mohammed Imran Chowdhury is a Chattogram-based freelancer.