How secure is Nepal’s banking system?

Kathmandu, September 3

The news of hackers siphoning off $13.5 million by compromising the ATM switching system of India's Cosmos Bank, based in Pune, and simultaneously making withdrawals across 28 countries in August last year had made headlines.

Chinese hackers used a similar modus operandi on Saturday afternoon when they tried to steal millions of rupees from several ATMs in Kathmandu by means of a malware attack. The incident has brought to the fore glaring concerns about the security of Nepal's banking system.

What happened on Saturday?

During the malware attack, the attackers set up a proxy switch that stood in for the genuine payment switch, and all the fake payment approvals for the withdrawals were issued by this proxy switching system. The hackers used electronic cards of at least six banks — NIC Asia, Siddhartha, Janata, Global IME, Prabhu and Sunrise — at ATMs of three banks — Nabil, Nepal Investment and Nepal SBI — to illegally withdraw the money in Nepal.

As per Nepal Rastra Bank (NRB), two companies — Smart Choice Technologies (SCT) and Nepal Electronic Payment System (Neps) — handle the electronic payment systems of a majority of commercial banks in Nepal.

The Chinese hackers had targeted the Neps switching system for stealing the money from various ATMs.

While the police have nabbed six Chinese nationals and four Nepalis so far and recovered approximately Rs 12.63 million, the banks, the payment switching provider and the police are yet to determine the exact amount stolen from the ATMs.

How did this happen?

Banks are using both chip-based Europay, MasterCard and Visa (EMV) cards and magnetic stripe cards for electronic transactions. ATMs in the country accept both types of card, which is cheaper than deploying chip-only ATMs. The trade-off is security: the data on a magnetic stripe is static and can be copied onto a blank card, whereas an EMV chip produces a fresh cryptogram for each transaction that a cloned stripe cannot reproduce.

Prabin Prakash Chhetri, chief executive officer of Neps, said they had determined that the hackers had used fake magnetic stripe cards to withdraw the money in the name of Nepali customers. However, the money parked by the customers is not affected.
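The two statements above, that the approvals came from a proxy switch and that the cardholders' deposits were untouched, are two sides of the same fact: the ATM paid out, but the issuing bank never authorised anything. The following is an added example (not code from Neps, SCT, NRB or any of the banks named) showing how an acquiring bank could surface both signatures by reconciling its own ATM records against the issuers' authorisation logs. The records, the masked card numbers, the ATM identifiers and the entry-mode codes (modelled on ISO 8583 field 22) are all constructed for illustration.

```python
"""Reconcile ATM approvals seen by the acquiring bank against the
authorisations the issuing bank actually generated.

Constructed example for this article; not code from Neps, SCT, NRB or any bank.
Both feeds below are invented inline records.  Field names loosely follow
ISO 8583 (RRN, entry mode); the entry-mode codes are an assumption.
"""
from dataclasses import dataclass

# Assumed ISO 8583 field 22 entry-mode codes (example convention only).
CHIP = "05"        # EMV chip read
MAGSTRIPE = "90"   # full magnetic stripe read
FALLBACK = "80"    # chip read failed, ATM fell back to the stripe


@dataclass(frozen=True)
class AtmTxn:
    rrn: str          # retrieval reference number
    pan_masked: str   # card number, masked (a real system would key on a PAN hash)
    amount: int       # NPR
    entry_mode: str
    atm_id: str
    issuer: str
    approved: bool


# Acquirer side: what the ATM-owning banks recorded. Constructed data.
ACQUIRER_LOG = [
    AtmTxn("000001", "4611****1234", 10000, CHIP, "NABIL-KTM-01", "NIC Asia", True),
    AtmTxn("000002", "4512****9876", 5000, MAGSTRIPE, "NABIL-KTM-01", "Sunrise", True),
    AtmTxn("000003", "4611****1234", 35000, MAGSTRIPE, "NIBL-THM-07", "NIC Asia", True),
    AtmTxn("000004", "5244****4455", 35000, FALLBACK, "SBI-DBR-03", "Siddhartha", True),
    AtmTxn("000005", "5244****4455", 35000, MAGSTRIPE, "SBI-DBR-03", "Siddhartha", False),
    AtmTxn("000006", "4200****0001", 20000, CHIP, "NABIL-KTM-01", "Global IME", True),
]

# Issuer side: authorisations the card-issuing banks actually approved. Constructed.
ISSUER_AUTHS = {
    ("000001", "4611****1234", 10000),
    ("000002", "4512****9876", 5000),
    ("000006", "4200****0001", 20000),
}

# Cards the issuers know were personalised with an EMV chip. Constructed.
CHIP_CARDS = {"4611****1234", "5244****4455", "4200****0001"}


def unmatched_approvals(acquirer_log, issuer_auths):
    """Approved ATM withdrawals that the issuer never authorised.

    A proxy switch inserted between ATM and issuer answers the ATM with a
    forged approval: cash leaves the machine, but the issuer holds no record
    and the cardholder's account is never debited."""
    return [t for t in acquirer_log
            if t.approved and (t.rrn, t.pan_masked, t.amount) not in issuer_auths]


def stripe_use_on_chip_cards(acquirer_log, chip_cards):
    """Approved withdrawals where a chip card was read by its stripe.

    Stripe data is static and easily cloned; a chip card presented as a
    stripe or fallback transaction is worth review as a likely counterfeit
    (genuine fallback happens, so this is a review queue, not proof)."""
    return [t for t in acquirer_log
            if t.approved and t.entry_mode in (MAGSTRIPE, FALLBACK)
            and t.pan_masked in chip_cards]


def reconcile(acquirer_log, issuer_auths, chip_cards):
    """Summarise both signals for an incident report."""
    unmatched = unmatched_approvals(acquirer_log, issuer_auths)
    suspect = stripe_use_on_chip_cards(acquirer_log, chip_cards)
    return {
        "unmatched_count": len(unmatched),
        "unmatched_amount": sum(t.amount for t in unmatched),
        "unmatched_rrns": sorted(t.rrn for t in unmatched),
        "suspect_stripe_rrns": sorted(t.rrn for t in suspect),
        "atms_hit": sorted({t.atm_id for t in unmatched}),
    }


if __name__ == "__main__":
    for key, value in reconcile(ACQUIRER_LOG, ISSUER_AUTHS, CHIP_CARDS).items():
        print(f"{key}: {value}")
```

In the constructed data the two withdrawals approved with no issuer record total Rs 70,000 and both were stripe reads of chip cards, which is the pattern the article describes; the declined attempt is ignored because no cash left the ATM. In practice the reconciliation key would be a PAN hash plus RRN and amount, and the comparison would run continuously rather than after the fact.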

The risk in the banking system primarily stems from the weak monitoring mechanism of the central bank, according to Santosh Sigdel, immediate past president of Internet Society of Nepal.

Lacking its own core IT auditors, the central bank allows commercial banks to hire external IT firms to conduct core technical audits. "The banks conduct IT security audits just for the sake of it. The regulatory authority does not cross-verify whether the audits meet the international standards or not," Sigdel claimed.

Bam Bahadur Mishra, head of Department of Payment System at NRB, admitted that the central bank has no other option than to trust the IT audit reports presented by the banks themselves owing to lack of resources.

Meanwhile, Ashoke SJB Rana, chief executive officer of Himalayan Bank, said that the hackers had used loopholes in the Neps switching system. “There are rumours being spread that the banking system was hacked, which is not the truth. Only the Neps switching system was hacked and the banking system is safe.”

What next?

According to Chhetri, Neps is hiring a forensic expert from Singapore for further investigation. "The forensic report will reveal where the fault lies — in the electronic transaction system, the payment switching system, the servers, the ATMs and their software, the banking software, among others," he said, adding that it will take at least one week to get the investigation result.

Sameer Bajracharya, chief technical officer at SCT, opined, “Banks need to secure their electronic transactions, upgrade their existing ATMs, their software, their payment switching system, their servers, along with enhancing other security measures.”

He further said that the central bank needs to develop local resources or hire an international certified technical expert to cross-check the IT audits presented by the banks.

Similarly, Sigdel warned of huge problems with the electronic payment system in the future if the risks were not mitigated. "This incident should be an eye-opener for the central bank," he added.

Similarly, the IT head of one commercial bank, seeking anonymity, said Neps is using switching software without actually acquiring the commercial licence from the vendor company. Since the system being used by Neps is not genuine software, this recent problem has occurred. "Moreover, we have heard that Neps allows its IT operators to operate some of the functions from their homes. This also increases the probability of hacking."