With increasing online financial transactions and the digitisation of banking processes, the need for systematic measures to combat hacking and cybercrimes has become imperative in Bangladesh’s banking and financial sector. This became more apparent after three local private banks were hit by major cyber-attacks last month, raising concern about the robustness of their security systems against the growing threat of scammers.
Of the three, surprisingly Dutch Bangla Bank Limited (DBBL), which is known as the most tech-savvy among local banks in the country, was the biggest victim, losing as much as USD 3 million (around Tk. 25 crore) to global cybercriminals, according to sources in the banking sector.
The two other banks—NCC Bank and Prime Bank—also faced cyber-attacks, but they claimed they were able to avert financial losses.
This was the biggest cyber-attack after hackers made off with USD 81 million from the Bangladesh Bank (BB) account with the Federal Reserve Bank of New York around three-and-a-half years ago.
Voicing concern over the latest cyber-attack, a number of experts have criticised Bangladeshi banks for their lax attitude towards strengthening their IT systems, saying that this left them vulnerable to fraud. Experts said the absence of a centralised body to coordinate cyber security measures, such the Computer Security Incident Response Team (CSIRT), for the banking and finance sector was the main reason behind the repeated attacks on financial institutions in the country.
Out of the 58 banks in the country, only three—Eastern Bank Limited, City Bank and Mutual Trust Bank Limited—have got certification for complying with the Payment Card Industry Data Security Standard (PCI DSS) set by Visa, MasterCard, Discover Financial Services, JCB International and American
Express. The only other local firm that has the certification is IT Consultants that runs Q-Cash, a payment processing consortium.
But DBBL, the bank with the largest network of cash machines and highest number of debit cards in circulation, does not have the PCI DSS certification.
Banks are not making enough investments to strengthen their IT security and human resources—this is one of the key reasons for vulnerabilities in their cyber security systems, said the IT department head of a leading private bank.
Experts said the absence of a centralised body to coordinate cyber security measures, such the Computer Security Incident Response Team (CSIRT), for the banking and finance sector was the main reason behind the repeated attacks on financial institutions in the country. CSIRT is considered as one of the most important mechanism in modern banking and a main protection measure against malware. It is an organisation that receives reports of security breaches, analyses the reports and responds to the senders.
A CSIRT can be an established group or an ad hoc assembly.
There are various types of CSIRTs, including a National CSIRT that oversees incident handling for an entire country. There can be sector-wise CSIRTs: for instance, the whole financial and banking sector of the country can have a CSIRT. Even an individual organisation like a bank can have its own CSIRT, which can be linked with the sector CSIRT for updates.
Incidentally in the past few years, several senior officials of commercial banks have asked Bangladesh Bank to establish a CSIRT, but to no avail. A senior BB official told The Independent that commercial banks have demanded a centralised CSIRT and asked the apex bank to coordinate efforts for its establishment. The official, however, added that a centralised CSIRT for the financial and banking sector cannot be established within a short period of time. Citing an example, the BB official said that in South East Asia, Sri Lanka had established a CSIRT for the banking and finance sector in 2014 after six years of planning and policy making. The Sri Lankan CSIRT for the banking and finance sector is hosted and managed by Lanka Clear (Pvt) Ltd under the guidance of that country’s central bank with the assistance of the Sri Lanka Computer Emergency Readiness Team and Sri Lanka Banks Association (SLBA).
The official also said the Sri Lankan CSIRT implementation was not easy as they had to overcome many obstacles as well as the reluctance of banks to share sensitive information.
Similarly, the banks in Bangladesh have not reached a consensus for a centralised CSIRT and many of them are reluctant to share information.
Omar Faruq, secretary general of the Bangladesh chapter of Information System Audit and Control Association (ISACA), an international professional association focused on IT governance, told The Independent that a centralised CSIRT under the guidance and supervision of BB has become imperative for protecting the information security of the country’s financial sector.
Faruq said that there was a growing need to protect financial data in the banking system as the country has already embraced internet banking, mobile banking, electronic cheque transactions, e-transfer of money, etc. He also said the importance of information security in the banking industry has grown rapidly at present.
“Under the circumstances, a centralised CSIRT under the umbrella of BB could have ensured a fool-proof security in the financial and banking sector,” he added.
Faruq said a specific information security framework and guideline was also missing in Bangladesh. “The BB needs to come up with a specific framework and guideline, otherwise the measures for ensuring information security will be taken on a piecemeal basis, as it is being done right now,” he noted.
He said that the Indian chapter of ISACA had aided the Reserve Bank of India to establish Control Objectives for Information and Related Technology (COBIT)—a framework created by ISACA for information technology (IT) management and IT governance—to regulate policies for information security.
“From the Bangladesh chapter of ISACA, we have offered our aid in establishing the framework. This is needed because even if an individual financial institution buys the highest security package for its own organisation, a security breach can happen because of one employee. A specific framework would ensure security efficiency at the employee level,” he explained.
Talking to The Independent, Dr Vilius Benetis, CEO of NRD CS, a Lithuania-based cyber security technology consulting, incident response and applied research company, said the only way for the financial sector, both in Bangladesh and around the world, to be efficient and reliable was to be highly automated.
NRD CS is currently working as the consultant for Bangladesh Computer Council (BCC) for the implementation of the first National CSIRT in the country.
Benetis said the biggest risk for financial institutions and their clients were lack of proper knowledge on new threats—how to use methodologies, technologies, and cyber-hygiene. He also said the cyber security costs must be adequate to the value of the protected assets. Since more assets are moving into the digital world, more investments are required, he added.
Interestingly, he mentioned that owing to the availability of many security tools (both commercial and open source), cyber-hygiene was not that expensive now. “What costs most are the setups of appropriate processes and the training required to build the human skills,” he added.
About the necessity of a financial sector CSIRT, Benetis said organisations in the financial sector should start from building their own CSIRT, adjust processes, and should then cooperate in an organised way with the sector CSIRT and the national CSIRT to achieve the security of their assets and clients.