BFIs told to switch to chip-based cards
Kathmandu, September 5
After the recent incident in which Chinese hackers withdrew millions of rupees from ATM kiosks of different banks and due to the glaring lapses in security related to the banking system, the central bank has urged banks to provide their customers only chip-based cards within three months.
Releasing a study report today, Nepal Rastra Bank said the scam had occurred through the use of magnetic stripe cards and banks and financial institutions should replace such cards with chip-based cards within three months.
On Sunday, NRB had formed a taskforce to probe the cyber attack on the banking sector under the coordination of NRB’s Executive Director Bam Bahadur Mishra. The committee stated that Rs 18.9 million was withdrawn from 68 ATMs of 17 banks in Nepal and Rs 35.8 million was siphoned off through 132 ATMs of 24 banks in India by Chinese hackers.
The report adds that the above mentioned amount is just a preliminary figure and the exact amount that was withdrawn will be determined only after the NRB receives a report from the forensic expert team from Singapore that has already arrived in the capital.
The report indicates that the fraud took place between Visa and Nepal Electronic Payment System’s switching system.
Suggesting short-term and long-term measures, the committee has recommended that NRB should lower the withdrawal limit from ATMs of banks and ATM booths of banks and financial institutions should be insured.
According to the report, NRB today decided to lower the withdrawal limit from ATMs to Rs 20,000 (from Rs 25,000) on a single transaction and the limit for daily withdrawal from Rs 100,000 to Rs 60,000.
It has also suggested that all devices, such as PSO machines and ATMs, be made chip readable within three months and BFIs and Payment System Operators/Payment Service Providers must have 24/7 security surveillance.
The committee has also directed BFIs to conduct vulnerability assessment and penetration testing within six months and to audit their card-related information systems every year.
BFIs and PSOs/PSPs must also build strong information technology infrastructure and privilege access management system and follow the payment card industry and data security standard in the ATM switch and audit every six months.
Laxmi Prapanna Niroula, spokesperson for NRB, said concrete details of the banking fraud would come only after the forensic test report was submitted by the expert team from Singapore. The team has started its work and will finalise details by next week, he added.
“We are preparing further IT security measures to make sure BFIs can minimise the risk of cyber attacks and malware attacks in the core banking system. After the forensic report is ready we’ll direct BFIs with necessary measures that need to be taken to address the mounting concerns of costumers that have arisen due to the recent fraud,” he said.