On Sunday, Nepal Police arrested five Chinese nationals on the charge of hacking bank data and stealing millions of rupees from automated teller machines (ATMs) from various banks in the capital. Police also arrested three Nepali nationals in this connection on Monday. Police have recovered 132 counterfeit visa cards, 17 genuine visa cards of foreign banks, one card printer, six mobile phones, one laptop and one data card from those arrested, who are found to have used counterfeit cards to withdraw money from the ATMs. Huge amount of money including some foreign currency—Rs 12.62 million, US$ 9,108, Chinese Yuan 1,191, Cambodian currency 5,000 and 80 Hong Kong dollars—has been recovered. This is perhaps the largest hacking scandal of recent times and it has raised concerns among Nepali public regarding if their money deposited in banks is safe. Largely, this case has raised the question of whether our banks are safe from hacking at all and our overall security system. The Chinese nationals had entered Nepal via Tribhuvan International Airport on Friday and their plan was, according to the investigation, to fly back Monday after theft.
Sunday’s incident has shown how vulnerable Nepali banking system is to cyber-attack. Nepali banking executives claim they have necessary security measures to protect their banks from cyber-attacks. But the reality disproves this claim. It would not have been possible to withdraw money from the ATMs without obtaining information from our banks. Again it should be noted that this is not the first case of cyber hacking on banks. Back in November, 2017, cyber attackers had made illegal transfer of $4.4 million from NIC Asia Bank, by hacking the SWIFT server. They had transferred this huge amount of money to the US, Britain, China, Japan and Singapore when the bank was closed for annual festival holidays. On and off, we come to hear about various Nepali and foreign nationals attempting to transfer or withdraw money from Nepali banks by tampering with data or through cyber attacks. Thus it is already getting late for Nepali banks and financial institutions, including the government of Nepal, to work on enhancing Nepal’s cyber security.
Bankers have accepted structural weakness in our IT system, which has allowed hackers to easily infiltrate a computer, software or hardware of our banks and steal money. Part of the problem is that Nepali banks rely on third parties for critical infrastructures and software. Banks need to maintain high-level security, preserve valuable and precious data and choose the best IT system besides updating their system regularly. Setting up an information technology regulatory body to supervise all technology service providers and IT-related aspects of financial and non-financial institutions will be a step in the right direction. Nepali private banks have adopted innovations in banking system. They provide online banking and mobile banking system and through such innovations they have saved the consumers from having to be physically present in the banks for transactions. But along with such benefits, our banking system has also become vulnerable to various types of attacks. Saturday’s incident should serve as a strong wake-up call for Nepal to improve its banking security system so that people who deposit their earning in banks can rest assured that their hard-earned money is safe and banks themselves can become fully confident that nobody can take away money from their vaults.