Nepal has to develop a comprehensive national cyber security strategy if it is serious about protecting itself from cyber threats
Earlier this month, the Central Investigation Bureau (CIB) of Nepal Police arrested three Romanian nationals for supposedly stealing ATM card details of 1,600 unsuspecting ATM card-holders in Kathmandu and trying to illegally retrieve their hard-earned money.
Luckily, the banks and the law enforcement agency were able to avert big losses this time. They did so by urging ATM users to change their PIN codes. But the bank customers might not be as lucky next time. If ATM-related crimes are to be curbed, the banks, the police and the citizens have to remain constantly vigilant, but, more importantly, the government has to be serious about securing the cyberspace.
The government needs to take cyber security seriously as every aspect of our life is getting digitized and, at the same time, banking-related crimes are increasing. In reality, even countries that are ICT savvy fall victim to cyber crimes. Recently, ATM-related details were stolen in large numbers from Indian banks as well. It was reported that details of close to 3.2 million debit cards were stolen from State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis. Luckily, the banks were able to detect the data breach quickly and advise their customers to change their ATM PIN codes, avoiding further losses. Law enforcement agencies later revealed that hackers had used malware to compromise the Payment Services Platform used to power ATMs, point of sale (POS) machines and other financial transactions to steal details of the debit cards.
ATM-related crimes are increasing by the year. According to the European ATM Crime Report, ATM attacks went up by 80 percent in the first six months of this year compared to the same period last year. It is estimated that ATM skimmers around the world have already swindled as much as US $3 billion. In case you are wondering, there are several ways criminals can steal ATM card details. They can hack into the bank IT systems and steal data. They can install malware in the payment system platforms to steal data from ATMs and POS machines at the stores while the ATM cards are being used. They can also steal ATM PIN codes and magnetic data from ATM booths.
Stealing ATM card-related information from ATM booths primarily involves four steps. First, a small device used for copying the data on the ATM card’s magnetic strip is inserted into the ATM card slot. The card easily passes through the device and into the ATM machine without any holdup. Since everything appears to function normally, the ATM card data gets copied without the user’s knowledge.
The second step is to install a small camera above the ATM number keypad to capture PIN codes. People often mistake the camera for the ATM’s security camera as the ATM appears to be functioning normally. Covering the keypad while typing PIN codes is one way to thwart this type of scheme. Unfortunately, criminals have already developed tools that can do the job without a camera. A fake keypad can be laid over the ATM’s real keypad. When the buttons on the keypad overlay are pressed, PIN codes are logged. Since the real buttons on the ATM keypad are also activated, cash withdrawal goes ahead as usual, and fake keypads remain undetected.
The third step is to return to the ATM booths and retrieve the data-capturing accessories. Then software installed on a portable computer is used to copy the ATM card’s magnetic strip data onto bogus cards. The final step is to withdraw money using the bogus ATM cards with the corresponding PIN codes.
One reason ATM-related crimes are increasing is that banks emphasized the speed and convenience of technology over security when ATMs were first installed, mainly because the internet was not ubiquitous back then. In many cases, security measures adopted by some banks are already obsolete; not that banks don’t care, but technology is changing at the speed of thought. Furthermore, smaller banks do not have a team of dedicated cyber security professionals and risk-mitigation strategists. Above all, bank executives are usually hesitant to allocate budget to upgrade technologies and human capacity.
The banks have to adhere to the Standards and Guidelines on Electronic Banking and also proactively update security technology as criminals are good at using the latest and the best technologies. For example, ATM skimmers traditionally needed access to physical cash-out machines. But now criminals have started transmitting ATM data wirelessly over Bluetooth or even cellular data connections. One simple way to prevent this type of crime is to equip ATMs with finger vein technology and facial recognition. Unfortunately, this security measure could also soon be obsolete.
This year, ATMs from a dozen or so European countries were remotely attacked using malware that forced machines to spit out cash. Since the criminals were operating remotely, it was possible for them to target a large number of machines in what law enforcement agencies call “smash and grab” operations designed to drain large amounts of cash before banks find out. This type of cyber robbery is challenging for law enforcement agencies as the crooks could be anywhere in the world operating over the internet. One thing is for sure: capturing criminals in the new environment will require collaboration with regional and international law enforcement agencies.
Nepal has to develop a comprehensive national cyber security strategy if it is serious about protecting itself from cyber threats that come in many forms. But what can the government realistically do at this stage? Well, for one, it can learn from Singapore.
Singapore, a country which offered the first self-driving taxi service in the world, is continuously preparing to harness the potential of the digital economy; the Singapore Government feels cyber security will be the key enabler of a digitally enabled economy and society.
Just last month, Prime Minister Lee Hsien Loong launched Singapore’s Cyber Security Strategy, which outlines the country’s plan to strengthen its cyber-security resilience. The four main pillars underpinning the Strategy are i) Building a resilient infrastructure, ii) Creating a safer cyberspace, iii) Developing a vibrant cyber-security ecosystem and iv) Strengthening international partnerships.
We have learned that the Nepal Telecom Authority (NTA) is busy working on a cyber security strategy with the International Telecommunication Union (ITU). We hope NTA comes out with a strategy that is future-oriented, so that it is useful for at least the next five years. More importantly, the strategy has to pave the way for new cyber security laws as the Electronic Transaction Act that came out in 2008 will soon be obsolete.
Nepal has to embrace the New Digital Age and prosper at all costs. And it can only do so if the cyberspace is made safe for economic activities.
Kathayat is an Associate Professor of Computer Engineering at Kathmandu Engineering College, Tribhuwan University, and Shah was a fellow at the Center for Electronic Governance under the United Nations University-International Institute for Software Technology.