Earlier this month,
the Central Investigation Bureau (CIB) of Nepal Police arrested three Romanian
nationals for supposedly stealing ATM
card’s details of some unsuspecting 1,600 ATM card holders in Kathmandu and illegally
retrieving their hard earned money.
Luckily, the banks
and the law enforcement agency were able
to avert losses amounting to large amounts of money this time around. They did
so by urging ATM users to change their PIN codes as soon as they suspected
theft. But, we might not be so
lucky next time. So, if ATM
related crimes are to be curbed in the future, the banks, police, and citizens have
to remain constantly vigilant, but, more importantly, the government has to be
serious about tackling the security aspect of digital transformation.
The
government needs to take cyber security seriously as every aspect of our life
is getting digitized and, at the same time, banking related crimes are
increasing by the day. In reality, even countries that are ICT savvy are not free from cyber crimes. ATM related
details in large numbers were also stolen recently from Indian banks earlier
this year. It was reported that details of a close to 3.2 million debit cards
were stolen from State Bank of India, HDFC Bank, Yes Bank, ICICI Bank and Axis.
Luckily, the banks were able to detect the data breach quickly and advise their
customers to change their ATM PIN codes avoiding further losses. The law
enforcement agency later revealed that hackers had used a malware to compromise
the Payment Services Platform used to power ATMs, point of sale (POS) machines,
and other financial transactions to steal details of the debit cards.
ATM
related crimes are increasing every year. According to the European ATM Crime Report,
ATM attacks went up by 80% in the first six months of this year compared to the
same period last year. It is estimated that ATM skimmers around the world have
swindled as much as 3 billion USD. In
case you are wondering, there are several ways criminals can steal ATM Card details.
They can hack into the system and steal data. They can install malware in the
payment system platforms to steal data from ATMs and POS machines at the stores while the ATM cards
are being used. They can also steal
ATM’s PIN codes and magnetic data from ATM booths.
There
are primarily four steps to stealing ATM
Card related information from ATM booths. First, a small device used for copying the ATM
card’s magnetic strip’s data is inserted
over or into ATM card slots. The card easily
passes through the device and inside the
ATM machines without any holdup. Since, everything appears to be functionally normally, the ATM card’s data gets copied without unwary
user’s knowledge.
Second step is to install a small camera above the number keypad to capture PIN codes. People often mistake the
camera with the ATM’s security camera, because the ATM appears to be functioning
normally. Covering the keypad while
typing PIN Codes is one way to thwart this type of scheme. Unfortunately, criminals
have already developed a tool that does not need a camera. A fake keypad is
laid over ATM’s real keypad. When the buttons on the keypad overlays are
pressed to logs the PIN Codes. Since the real buttons on
the ATM keypad are also activated at the same time, cash withdrawal goes as
usual making extremely difficult to detect fake keypads.
The third step is to return to the ATM booths and
retrieve data capturing accessories. Then software installed on a portable
computer is used to copy the ATM’s card’s magnetic strip’s data into bogus
cards. The final step is to withdraw money using the ATM Cards with the
corresponding PIN codes.
One of the main reasons behind increase
ATM related crimes is due to the fact that the banks have traditionally put
more emphasis on speed and convenience of technology over security when ATMs
were installed a while back. In many cases, security measures adopted by some
banks are already obsolete, not that banks don’t care, but because technology is
changing at the speed of thought. Also, some banks are reluctant to adhere to the Standards and Guidelines on
Electronic Banking.
Besides following he standards and
guidelines, the banks have to proactively update security technology because
criminals are always good at using the latest and greatest technologies. For
example, traditionally, ATM skimmers traditionally needed access to physical
cash out machines. But, now criminals have started transmitting ATM data
wirelessly over Bluetooth or even cellular data connections. One simple way to
prevent this type of crime is to equip ATMs with finger vein technology and facial
recognition. Unfortunately, it looks as though this security measure is also
soon to be obsolete.
ATMs from a dozen or so European countries were remotely
attacked using malware that forced machines to spit out cash. According to
Diebold Nixdorf and NCR Corp, the world’s two largest ATM makers, the recent
heists in Europe were run from remote command centres. This allowed criminals
to target large number of machines in what law enforcement agencies call “smash and grab” operations designed to drain
large amounts of cash before banks find
out. It will be increasingly difficult
to catch the perpetrators in the coming days, because they could be operating over
the Internet from anywhere in the world. One thing is for sure, capturing
criminals in the new environment will require collaboration with international
law enforcement agencies.
Nepal has to develop a comprehensive
national cyber security strategy if it is to think about protecting itself from
cyber threats that come in many forms. But,
what can government do at this stage? Well, for one, it can learn from
Singapore. Singapore, a country to have offered the first self driving taxi
service in the world is continuously preparing
to harness the potential of the digital economy. Just last month, Prime
Minister Lee Hsien Loong launched Singapore’s Cyber Security Strategy that outlines the country’s plan to strengthen
the cyber-security resilience.
The Strategy spells out Singapore’s
vision, goals, and priorities in the area of cyber security and outlines the
country’s commitment to build a resilient and trusted cyber environment. The
Singapore Government feels cyber security will be the key enabler of digitally
enabled economy and society. The four main pillars underpinning the Strategy are (i) building a
resilient infrastructure, (ii) creating a safer cyberspace, (iii) developing a
vibrant cyber-security ecosystem, and (iv) strengthening international partnerships.
We have learned the Nepal Telecom
Authority (NTA) is busy working on a cyber security strategy with the support of
the International Telecommunication Union (ITU). It seems has though it will
take NTA forever to formulate a Cyber Strategy. It will take ages to implement
the strategy. We hope NTA comes out with the Cyber Security Strategy that is
future centric, so that is remains valid when and if does come out.
The fact of the matter is Nepal has to embrace the New
Digital Age and prosper at all cost. And, it can only do so if the cyber space is
made safer for economic activities.