The banking sector in Bangladesh is at risk amid increasing incidents of cyber threats and hacking attempts, as most banks operating in the country do not have the resources and strategies to deal with them and lack skilled manpower and the monitoring system needed to prevent such attacks. Cyber security is now a major area of concern for the banking industry, with repeated hacking attempts, phishing attacks, malware attacks, OTP bypassing, and exposure of banking-related data to dark websites.
Syed Mahbubur Rahman, managing director and chief executive officer of Mutual Trust Bank Limited, said that the cyber security vulnerabilities in Bangladesh’s banking sector are similar to those in other countries. He insisted that due to lower investments in technology, banks in Bangladesh were at a higher risk of cyber-attacks. As the former chairman of the Association of Bankers, Bangladesh, Mahbubur suggested that banks continue investing in technology and upgrading their systems to adapt to evolving hacking patterns.
He emphasized the importance of proactive system modifications rather than waiting for attacks to occur. According to a study in 2022 by the threat intelligence unit of the Bangladesh Government’s Computer Incident Response Team (BGD e-GOV CIRT), almost all banks have been running one or more vulnerable services and weak authentication systems, which may lead to potential cyber-attacks. The study found that financial services were at 300 times higher risk of being the victim of cyber-attacks than other organizations.
After the $81 million reserve heist from the Bangladesh Bank account to the Federal Reserve Bank in the United States in 2016, there have been many discussions about ensuring cyber security in the banking sector. The sector, however, has hardly made desirable progress in securing the system, said cyber security firm Backdoor Private Limited managing director and cyber security researcher Tanvir Hassan Zoha.
Installing the Security Operation Centre was one of the key instructions from Bangladesh Bank to secure the banking sector, as hackers were out to steal money by using malware and ransomware. Most of the banks, however, have yet to install the SOC in compliance with the central bank’s instructions, resulting in an increase in incidents of cyber-attacks, said Tanvir.
He said that phishing attacks, OTP bypassing to collect banks’ data and users’ banking card details, and ransomware attacks are among the most common practices.BGD-e-GOV CIRT data showed that the banking sector has been facing an increasing number of cyber-attacks. Bangladesh Bank and other financial institutions faced 31 cyber threat alerts in 2021, while the number increased to 46 the following year.
Amid cyber attack threats recently, Bangladesh Bank shut down some web-based services of the central bank from 8:00 pm on August 14 to 8:00 am on August 16. In 2019, three local private banks in Bangladesh suffered major cyber-attacks where hackers stole up to $3 million from cash machines in Cyprus, Russia, and Ukraine using cloned credit cards, according to BGD e-GOV CIRT’s report titled Bangladesh Cyber Threat Landscape-2022.
The government agency’s cyber surveillance in 2022 discovered 3,639 bank cards on the dark web issued by different Bangladeshi banks. In addition, BGD e-GOV CIRT identified vulnerabilities in bank infrastructure. Financial institutions in Bangladesh may lose up to $4,36,68,000 if these cards are found on the dark web. An official of the Criminal Investigation Department involved in the investigation process of the Bangladesh Bank reserve heist told New Age that there had been many incidents of cyber-attacks in banks, but the authorities suppressed those incidents in fear of reputational damage.
The CID officer said that the banking authorities surprisingly don’t show enthusiasm for investing in strong cyber security measures and hiring highly skilled manpower. The banks don’t have forensic labs. So, identifying the sources and nature of the cyber-attacks remains difficult, the CID officer said. ‘A huge number of malware and phasing links illegally entered the network systems of various banks in our country. If we cannot identify and pull out the malware on time, it may cause disaster,’ he warned.
Police investigators said that due to a poor security system, inside actors also get involved at times to manipulate the system and swindle money. In late January 2022, 10 persons, including Zakir Hossain, the then SME sales team manager at Dutch-Bangla Bank’s Karwan Bazar branch, were arrested allegedly for attempting to transfer Tk 6 crore from the account of a director of Walton with the bank to another account by forging signatures and information through the electronic funds transfer system.
Bank card hacking remains another major concern for digital financial security, as such forgeries have become more widespread. Dhaka Metropolitan Police Detective Branch deputy commissioner for cyber and special crimes, Tarek Ahmed, told New Age that there had been an increasing number of complaints about financial crimes, including scams and swindling with Mobile Financial Services and bank card forgery. He said that hackers manipulate cards through phishing attacks and put those on dark websites, and sometimes bank officials also get involved in card forgery by taking the OTP password.
BGD-e-GOV CIRT media official Sukanta Chakraborty told New Age that bank cards get hacked at both the user and bank ends. ‘During our cyber surveillance and monitoring, we detected many card details on dark websites and immediately informed the relevant banks to take action,’ said Sukanta.
Cyber security researcher Tanvir said that the Payment Card Industry Data Security Standard (PCI DSS) was required to avoid bank card hacking, but Bangladeshi banks had yet to introduce the security system. Due to the fear of cyber hacking, Tanvir said most banks are restricting their cards and strengthening their security measures. But most of these banks have no idea what the actual risk is.
BGD e-GOV CIRT officials said that during regular surveillance, they found core banking systems and internet banking gateways accessible through the internet, which exposes the total deposits of these financial institutions to hacking.
According to a study conducted in 2022 by the Bangladesh Institute of Bank Management, 52 percent of banks in the country are at high cyber security risk.The risk of cyber hacking increases mainly due to a shortage of investment in strengthening security measures and a lack of skilled human resources, said Md Mahbubur Rahman Alam, an associate professor at BIBM who was involved in the research.
Mahbubur told New Age that over the years, many recommendations were made to the authorities of different banks, but most recommendations remained unimplemented. He said that most of the banks have yet to install a SOC or forensic lab. A few banks have installed those security measures but on a small scale. ‘The banking sector does not get enough skilled human resources from universities with high knowledge of cyber security. There are some skilled manpower, but banks cannot keep them in service for long as they go abroad or switch jobs with better facilities,’ said Mahbubur.
The banks also don’t feel interested in investing a large amount in cyber security, and they don’t feel pressure until the central bank exerts force on them, he said.
Bangladesh Bank spokesperson and executive director Md Mezbaul Haque told New Age that banks had been instructed to establish technological infrastructure in line with the ICT guidelines.
By diligently adhering to these guidelines, banks have the potential to significantly reduce cyber threats, he stated.
He, however, said that no one could guarantee that cyber-attacks would never occur.
He explained that the capacity of technological infrastructure varied from one bank to another, depending on their financial capabilities and business operations.
Furthermore, banks were told to develop their infrastructure while taking into account their operational patterns and risk factors, he said.
He said that Bangladesh Bank was continuously monitoring potential cyber-attacks on banking systems and providing advice to banks on the matter.
Currently, there are 61 scheduled banks operating in the country, with 50 being commercial banks, two specialized banks, and nine foreign banks.
Image by: Pexels
