Around 30 per cent of the banks are exposed to 'very high' risks of online fraud and security threats, according to a study. Automated Teller Machine (ATM) and plastic card transactions account for 43 per cent of the frauds, the highest, followed by mobile banking at 25 per cent, it said.
The study points out that the banking sector's investment in information technology (IT) professional development is not adequate. This poses a significant threat of online digital fraud and may also trigger serious security threats for the entire banking sector.
The study, covering 14 banks that have been offering centralised online banking through data centres (DC) and disaster recovery sites (DRS) over a period of two years, found that around 60 per cent of the IT budget in 2012 was used to procure hardware and 18 per cent was spent on networks. About 66 per cent of the DCs and 44 per cent of the DRSs, it said, were located in high-rise buildings, meaning they are vulnerable to earthquakes and fire.
Around 40 per cent of the surveyed banks believe that they face a high risk of information loss at any moment. The study also found that most banks do not have IT audits conducted by qualified professionals, as a result of which most of the security threats go unnoticed.
Banking analysts say a number of disasters have occurred in the banking sector due to poor security systems. The banking sector has, of late, stepped up its efforts. What is required now, however, is an increase in IT budgets to ensure risk-free transactions in the banks.
ATM skimming is a high-tech crime in which a criminal electronically steals or skims the cardholder's personal financial information during routine ATM transactions. Globally, it is a common crime, one that forces banks to ensure IT security and regulators to make banks focus on it.
Skimmers fit a portable electronic card reader right over the ATM's card reader slot, to capture the card information. They install mini cameras in the ceiling above the ATM or on the walls or in literature racks beside the ATM to capture the customer's PIN (personal identification number) keystrokes. The average cardholder has no knowledge that the skimming device is there because it does not interfere with the operation of the ATM.
In Bangladesh, most ATM frauds were allegedly committed through connivance between insiders in the banks and outsiders. The regulator has apparently failed to ensure a standard security policy for the banks to protect the interest of customers. Many such cases have gone unreported, as there is no mechanism to get information on this type of fraud.
After the high-profile skimming at four ATMs in the capital last week, police claimed to have identified at least four foreigners involved in the incident. In the CCTV footage, those setting up a skimming device in an ATM booth looked like foreigners. This is the first time that ATM skimming has happened in the country.
The scam has undoubtedly affected the confidence of customers as well as bankers. The Bangladesh Bank (BB) data shows that after the scam hit news headlines, transactions through ATMs went down by 40 per cent early last week. However, the trend has since returned to normal.
Earlier, a major incident of credit card fraud was discovered in 2012 at the United Commercial Bank Limited (UCBL), with over Tk 100m withdrawn from it illegally. The money was withdrawn over a period of six years, between sometime in 2007 and 2012, by a gang of high-tech swindlers using 21 credit cards.
After those past incidents, the central bank conducted a probe into the ATM scams and identified some ways in which a client might be cheated of his or her money. These include withdrawal of money from ATM booths without the client's knowledge, account statements not showing money debited in this way, and unauthorised purchases and transactions through internet banking.
However, many identify the lack of proper implementation of standard security policies in the commercial banks, a knowledge gap among bank officials from the top to the bottom and vested interests inside the card division as the main reasons behind the ATM scams. In most cases, they say, banks fail to maintain security parameters in their card divisions.
In the meantime, the central bank has come up with a number of measures, including the introduction of chip-based cards and a uniform limit per transaction per day for all banks. It has asked banks to issue chip-based debit cards as soon as possible to protect customers from fraud.
A few banks have already moved to EMV (Europay, MasterCard, and Visa) chip cards and PIN issuance, but a large number of banks continue to issue magnetic stripe cards vulnerable to fraud. EMV cards and PINs usually protect against both counterfeit (skimming) and lost and stolen card fraud.
According to bankers, the skimmed information is then transferred, using devices that can read and write cards, to a new card with a blank magnetic stripe. Many banks claim that the use of the National Payment Switch (NPS) left their systems vulnerable to card fraud. The NPS is the common platform through which electronic payments originating from different channels, such as ATMs, points of sale, the internet and mobile devices, take place.
Of the 56 banks operating in the country, 48 are connected with the NPS. At present, there are 9.8 million cards in use at ATMs and point-of-sale centres in the country. In almost all cases of debit and credit card fraud, it was found that bank employees were involved, either directly or indirectly, and that they provided the fraudsters with information about clients.
To deter online fraud and security threats in the banking sector, IT experts suggest, the central bank should ensure proper installation of intrusion detection and prevention systems (IDS-IPS) in banks. This measure should be backed by a properly executed IT security policy defining who should get access to what information.
In the absence of proper rules, regulations and standard practices, there is every possibility that some bank employees will be tempted to join the criminal gangs in defrauding the banks.