Popular Posts

Thursday, November 24, 2016

Cyber Security- Mahesh Singh Kathayat & Bimal Pratap Shah

Earlier this month, the Central Investigation Bureau (CIB) of Nepal Police arrested three Romanian nationals for supposedly stealing  ATM card’s details  of some unsuspecting  1,600 ATM card holders in Kathmandu and illegally retrieving their hard earned money.
Luckily, the banks and the  law enforcement agency were able to avert losses amounting to large amounts of money this time around. They did so by urging ATM users to change their PIN codes as soon as they suspected theft. But, we might not be so  lucky  next time. So, if ATM related crimes are to be curbed in the future, the banks, police, and citizens have to remain constantly vigilant, but, more importantly, the government has to be serious about tackling the security aspect of digital transformation.   
The government needs to take cyber security seriously as every aspect of our life is getting digitized and, at the same time, banking related crimes are increasing by the day. In reality, even countries that are ICT savvy are not free from cyber crimes. ATM related details in large numbers were also stolen recently from Indian banks earlier this year. It was reported that details of a close to 3.2 million debit cards were stolen from State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis. Luckily, the banks were able to detect the data breach quickly and advise their customers to change their ATM PIN codes avoiding further losses. The law enforcement agency later revealed that hackers had used a malware to compromise the Payment Services Platform used to power ATMs, point of sale (POS) machines, and other financial transactions to steal details of the debit cards.
ATM related crimes are increasing every year.   According to the European ATM Crime Report, ATM attacks went up by 80% in the first six months of this year compared to the same period last year. It is estimated that ATM skimmers around the world have swindled as much as 3 billion USD.  In case you are wondering, there are several ways criminals can steal ATM Card details. They can hack into the system and steal data. They can install malware in the payment system platforms to steal data from ATMs and  POS machines at the stores while the ATM cards are being used. They can  also steal ATM’s PIN codes and magnetic data from ATM booths.
There are primarily four  steps to stealing ATM Card related information from ATM booths.  First, a small device used for copying the ATM card’s magnetic strip’s  data is inserted over or  into ATM card slots. The card easily passes through the device and inside  the ATM machines without any holdup. Since, everything appears to  be functionally normally,  the ATM card’s data gets copied without unwary user’s knowledge.   
Second step is to install  a small camera above the number keypad to  capture PIN codes. People often mistake the camera with the ATM’s security camera, because the ATM appears to be functioning normally.  Covering the keypad while typing PIN Codes is one way to thwart this type of scheme. Unfortunately, criminals have already developed a tool that does not need a camera. A fake keypad is laid over ATM’s real keypad. When the buttons on the keypad overlays are pressed  to  logs the PIN Codes. Since the real buttons on the ATM keypad are also activated at the same time, cash withdrawal goes as usual making  extremely difficult to  detect fake keypads.  
The third  step is to return to the ATM booths and retrieve data capturing accessories. Then software installed on a portable computer is used to copy the ATM’s card’s magnetic strip’s data into bogus cards. The final step is to withdraw money using the ATM Cards with the corresponding PIN codes.
One of the main reasons behind increase ATM related crimes is due to the fact that the banks have traditionally put more emphasis on speed and convenience of technology over security when ATMs were installed a while back. In many cases, security measures adopted by some banks are already obsolete, not that  banks don’t care, but because technology is changing at the speed of thought. Also, some banks are reluctant to  adhere to the Standards and Guidelines on Electronic Banking.
Besides following he standards and guidelines, the banks have to proactively update security technology because criminals are always good at using the latest and greatest technologies. For example, traditionally, ATM skimmers traditionally needed access to physical cash out machines. But, now criminals have started transmitting ATM data wirelessly over Bluetooth or even cellular data connections. One simple way to prevent this type of crime is to equip ATMs with  finger vein technology and facial recognition. Unfortunately, it looks as though this security measure is also soon to be obsolete.
ATMs from  a dozen or so European countries were remotely attacked using malware that forced machines to spit out cash. According to Diebold Nixdorf and NCR Corp, the world’s two largest ATM makers, the recent heists in Europe were run from remote command centres. This allowed criminals to target  large number of machines  in what law enforcement agencies call  “smash and grab” operations designed to drain large amounts of cash  before banks find out.  It will be increasingly difficult to catch the perpetrators in the coming days, because they could be operating over the Internet from anywhere in the world. One thing is for sure, capturing criminals in the new environment will require collaboration with international law enforcement agencies.
Nepal has to develop a comprehensive national cyber security strategy if it is to think about protecting itself from cyber threats that come in many forms.  But, what can government do at this stage? Well, for one, it can learn from Singapore. Singapore, a country to have offered the first self driving taxi service in the world  is continuously preparing to harness the potential of the digital economy. Just last month, Prime Minister Lee Hsien Loong launched Singapore’s Cyber Security Strategy  that outlines the country’s plan to strengthen the cyber-security resilience.
The Strategy spells out Singapore’s vision, goals, and priorities in the area of cyber security and outlines the country’s commitment to build a resilient and trusted cyber environment. The Singapore Government feels cyber security will be the key enabler of digitally enabled economy and society. The four main pillars  underpinning the Strategy are (i) building a resilient infrastructure, (ii) creating a safer cyberspace, (iii) developing a vibrant cyber-security ecosystem, and (iv) strengthening international partnerships. 
We have learned the Nepal Telecom Authority (NTA) is busy working on a cyber security strategy with the support of the International Telecommunication Union (ITU). It seems has though it will take NTA forever to formulate a Cyber Strategy. It will take ages to implement the strategy. We hope NTA comes out with the Cyber Security Strategy that is future centric, so that is remains valid when and if does come out.   

The fact of the matter is Nepal has to embrace the New Digital Age and prosper at all cost. And, it can only do so if the cyber space is made safer for economic activities.