Banks’ cybersecurity systems are not considered infallible

The dreaded attacks sponsored by cyber-gangs

A record number of Bangladeshi public and private banks are currently under threat from unprecedented cyberattacks, mainly due to their indifference and the fragility of their cybersecurity systems, prompting experts to suggest immediate action, sources say.

Stakeholders and experts say a large percentage of banks are not taking enough precautionary measures to ward off possible dangerous large-scale attacks and avoid greater financial losses, which they believe are imminent.

The malicious actors behind such a cross-border invasion not only include increasingly audacious criminals – such as the Carbanak group, which targeted financial institutions to steal more than $1.0 billion during the period 2013-2018 – but also states and state-sponsored criminal gangs, according to a 2021 report by the International Monetary Fund (IMF).

The country has yet to measure its financial losses caused by cybercrimes – the most outrageous being the theft of its reserves from the US Fed by an international gang of cybercriminals.

Earlier in June 2022, the Bangladesh Institute of Banking Management (BIBM) conducted a study based on the state of the banking sector in 2020 which revealed that almost 52% of banks were at serious risk of cyberattacks.

In April 2020, the Financial Stability Board (FSB) warned that “a major cyber incident, if not properly contained, could severely disrupt financial systems, including critical financial infrastructure, with implications wider for financial stability”.

On March 3, 2016, the Bangladesh Bank (BB) issued a directive asking banks to boost their cybersecurity capabilities after the unprecedented type of reserve theft orchestrated by the bank.

The regulator had also asked them to form a security operations center (SOC) to oversee round-the-clock security measures.

But most banks have yet to install SOCs, sources added, leaving such vigilance a long way off.

Considering this phenomenon, experts have also called for enhanced measures from the regulator to bolster the weakened cybersecurity scenario in Bangladesh’s banking sector, stressing the need for banks to build capacity among their employees and improve logistical support. to the security shield.

Labeling these financial institutions (FIs), especially banks, as prime targets for cybercriminals, the state-owned Bangladesh e-Government Computer Incident Response Team (BGD e-Gov CIRT) made a gruesome revelation that around 99% of private and public companies Banks have suffered major cyberattacks very recently.

The report, titled “Sectoral Cyber ​​Threat Intelligence for Banking Industries,” also identified that most users of banking apps and portals (both internal and external) lacked adequate awareness of cyber hygiene.

Research also reveals that unsecured use and/or access to the internal application/portal by employees’ mobile devices can increase the risk of exposure to organizations’ critical assets.

In 75% of cases, credential theft is possible due to insecure uses of mobile or computer devices, the report says.

In another report titled Common Vulnerabilities in Cyber ​​Space of Bangladesh, it is stated that the level of cyberspace vulnerability is increasing day by day in the country.

“To mitigate the impact, new technologies and services must be adopted to deal with the situation as well as the competition,” he adds.

Nearly 70% of attacks against FI companies targeted banks, according to IBM X-Force research, adding that around 16% targeted insurance companies while 14% targeted other financial institutions in 2021.

BGD e-GOV CIRT’s Intelligence Unit has also found that vendor-managed applications/devices influence a large exposure of organizations’ assets.

It also detected that strong password policy enforcement was missing from many banking apps and portals.

Speaking to the FE, Tarique M Barkatullah, Director of BCC (Data Center), said that almost all banks were running one or more vulnerable services and weak authentication systems that could lead to potential cyberattacks.

“What’s worse is that these risky services can be identified with simple reconnaissance techniques by threat actors using the Internet,” he lamented.

Additionally, different types of apps, devices and other assets are also identified on the internet that run risky services, he said, citing the report.

Routers top the list, which lags behind the required security hardening, he warns.

In February 2020, Christine Lagarde, President of the European Central Bank and former head of the IMF, warned that a cyberattack could trigger a serious financial crisis, according to the IMF report.

Cybersecurity expert Tanvir Hassan Zoha suggests installing ISO 27001 and Payment Card Industry Data Security Standard (PCI DSS) to thwart rampant cyber threats.

ISO 27001 and PCI DSS) help organizations manage and protect their information assets so they remain safe and secure.

“A large percentage of banks are not currently using these tools to keep their information secure,” Zoha, who is also managing director of Backdoor Private Limited, told Finsncial Express.

Stating that the role of the central bank is key to building a strong ecosystem of banks, Tanvir says, “If the guidance of the BB is not followed, bank operations should be halted.”

Dr. Md Mahbubul Alam Joarder, a professor at the Institute of Information Technology, University of Dhaka, believes that every bank should form a fully professional response team like the BGD e-Gov CIRT to prevent all kinds of threat.

“If this happens regularly, the banking system could face a dangerous and serious situation in the coming days,” he warns.

The BB must take steps and actions for proper implementation of its guidelines to minimize the likely risk, Dr Mahbub said.

“All relevant stakeholders, including regulators, must understand and identify the existing problem, and seek the lasting solution in the best interests of the important banking industry,” he added.

On September 13, 2020, Bangladesh Bank issued an alert of a probable hacking attempt in the country’s ATM network.

The report also urged banks to establish and maintain a dedicated Cyber ​​Security Operations Center (Cyber ​​SOC) in the organization to improve overall security operations.

Tarique also emphasized the need for continued collaboration, cooperation and sharing of threat information within the community as well as with law enforcement agencies and government entities. to fight mutually and in an organized way against cyber threats.

Omar Faruk Khondaker, former chief technology officer at Sonali Bank, suggests developing a well-built surveillance system, as most banks have yet to build it properly.

“Based on this, an action plan should be well prepared by each bank,” he said.

The BGD e-GOV CIRT report advises banks to be cautious about unwanted exposure from all ad-hoc and core applications and services.

Jamuna Bank ICT Manager Syeed Zahid Hossain said the BB should prepare timely new guidelines based on the relentless and widespread cyber threat to FIs including banks.

“Even so, he did not notice any action taken by the central bank against those banks that have weak security systems,” Hossain adds.

However, the BB occasionally organizes training programs to curb attacks, he noted.

[email protected]