Cyber security is a vast topic, which is gaining more attention as the growing cyber-crime trend is worrisome.

The vulnerability of cyber systems is increasing and in my previous article on cyber security published on 19th of November 2018, I had tried to summarise the description, types, and vulnerability and landmark cyber incidents of the world. I received lot of messages appreciating the article from the readers but at the same time they demanded also that I should come up with some more information and proposals to secure the confidentiality of the clients, banks as well as the commercial and national institutions.

This article is the follow-up of the said previous article in which I am going to further illustrate how damaging it is to the individuals and the state along with the potential threats and proposed ways to deal with the issues.

Cyber security issues and banking frauds being universal are taking a toll on digital privacy and financial matters of the common individuals of the state as well as the bank account holders and regulators of different banks. Despite taking a number of protective security measures yet the frauds have not stopped. The criminals always find new ways to outsmart the security protective layers by new fraud smart techniques

It is essential to comprehend distinction between three separate issues relevant to the cyber security phenomenon that are commonly being faced by the people in our country:

a.  Card skimming: it basically happens when a customer hands over their card for billing after shopping or dinning is swiped at some restaurant instead of giving cash. The card is then swiped at a POS machine and card information from the Magnetic stripe is stolen. This is happening worldwide, more often in few countries than the others. As we travel abroad, the card information can be stolen in any country by any dealer.

b.  Fraudulently impersonating client’s identity through different cyber cons like Phishing (fake websites), smishing (sending messages to attract clients to visit scam websites) and Vishing (calling clients pretending to be someone concerned enough to provide them with financial assistance and extracting their confidential data through this.

c.  Hacking – This happens when hackers break in to banking systems and get access to customer’s data by hacking their accounts. This is what exactly happened to banks in Pakistan a few weeks ago when a number of people became victim of hacking and lost their data and information.

Card skimming and fraudulent embezzlement of customer’s identity have been the principal issues being faced by Pakistanis for years. In case of hacking as well, there have been numerous groups that have been busted by the law enforcement organisations of our country for pretending to be government officials and requesting data from customers. Approximately 8,000 to 10,000 out of 25 million Bank account holders have fallen prey to hackers across the industry.

I, in the capacity of being Chairman Senate Standing Committee of Interior took notice of the stolen bank data and directions were issued to FIA for detailed inquiry as well as asked for a comprehensive report by the Governor of State Bank.

It should have been made mandatory through an Act of the Parliament for the implementation of IT administration including digital security, Card information insurance including becoming EMV and enabling Chip & PIN for cards as well as guidelines for internet and mobile banking. There are regulations but there is no enactment with enabling provision for legal action making it a cognizable offence.

All across the country, different banks are still in process of implementing the cyber security and EMV compliance because of required investment and very limited skilled resources in the country and once law is in place and banks will be under strict compliance only then we can expect the desired results.

The “Dark Web” takes false benefit of the hype made in the market and after that drift, loads of fake information is made available to be purchased to cash in on the hype. The dark web basically is a term referring to websites and networks that are heavily encrypted and “hidden” from the average internet user. Dark web has earned a reputation mainly as a sort of immense black market, associated with drugs, guns, porn, hacking, and conspiracies. It requires something special to be able to access it, specific proxy software or authentication to gain access like (TOR). These pages require additional sub-network like Freenet, I2P or TOR.

The other issue is that dark web already has the cards information from all the major global banks that is gathered by them through skimming and this skimming is done through hacking and with connivance of some banking staff. The banks and credit service providers are also hit by credit fraud and both the banks and credit card servers have failed to protect their clients completely.

It is unfortunate Pakistani Banks have so far failed to provide PIN coded cards locally or abroad to protect the card holders against any cyber-attack. This is why a Pakistani credit card holder has to sign instead of using PIN code as being used by all other International banks.

I am of firm opinion that, in consultation with international and local banking experts, the following measures are needed to be taken to deal with the current cyber issues and future potential dangers which are likely to encounter the national cyber security:

a. Efforts are required by the banks to brief the clients against the potential types of cyber-attacks/threats by the fraudsters.

b. Regulators may have to guarantee either through above suggested law or strict SOP that in case there is a confirmed hacking / stolen data, immediate action be taken by the banks to execute the cyber security and IT governance and follow certain rules as under:

1. Banks are required to urgently replace non-compliant cards/ Manila cards with Chip and PIN for complete security of the cards. I suppose that if the banks do not comply with the orders of State Bank then State bank should suspend the banking license of the respective bank. This matter relates to the security, hence the Government needs to have the compliance through the Ministry of Finance as this is the only way to ensure that Chip & PIN cards are issued.

2. The non-compliant POS machines should be withdrawn quickly from the Market and POS machines be replaced by Chip and PIN cards.

3. All ATM machines must be customised to only accept Chip and PIN enabled cards for banking service.

4. Banks must follow global standards like PCI, DSS and State Bank should ensure the compliance of international banking standards.

5. The establishment of data collection and protection is a major task and it needs effective governance through a proper structure in the banks and its compliance should be ensured through an Act of Parliament.

6. Banks are required to have normal vulnerability and penetration risks audit to be done on regular basis through professional testing by the IT experts and the State Bank should have annual audit to ensure the compliance.

7. A profile based monitoring is required to be introduced and a constant monitoring by experts need to be done enabling the said teams to identify and block suspicious transactions. Basically IT based banking has to be monitored and controlled through technical IT hardware and software.

Our banking system is vulnerable and it stands exposed as soft target by the hackers or other cyber-crime experts. Similarly we need to bring our all the institutions together on the subject of cyber security and one cyber security law should cover the whole cyber fiasco.

The new act of parliament in addition to banking sector should also give cyber protection to the following institution as well:

Airline travel data; NADRA data base; passport and immigration; data of all three defence forces; police and special branches; respective inland provincial / Federal revenue record; all ministerial record of respective ministry; all judicial proceedings / judicial websites; all State web sites; and future E- filing.

In addition to Cyber security enactment, there should be additional enactments for data protection to ensure the privacy of people.

We also need to create a special penal of trained judges to deal with cases related to Cyber security and the judges must have complete knowledge of Cyber world, Vulnerabilities and cautions.

 

The writer is Chairman of think tank “global eye” & former Interior Minister of Pakistan.