Millions still unable to use their bank cards freely

Kathmandu, September 18

Around two million customers of 18 member banks of Nepal Electronic Payment Systems (NePS) will have to wait for some more time to withdraw cash from automated teller machines (ATMs) operated by financial institutions other than those that issued the debit and credit cards.

NePS, a shared card switching system of 18 banks, had restricted interoperability in its payment system after Chinese cyber criminals stole a combined Rs 35.9 million from ATMs in Nepal and India in the biggest cyber heist in Nepal. This had forced its clients to use their cards only in the ATMs and POS network operated by their own financial institution. It had prevented them from using their cards in India and other foreign countries, or from getting cash from ATMs operated by other banks inside the country.

Finally, after 18 days, NePS today allowed its clients to make payments through POS network operated by any bank in any country, on condition both the card and POS terminal are chip-based. “But customers will have to wait for some more time to withdraw cash from ATMs operated by banks other than those that issued the cards,” said NePS CEO Prabin Chhetri.

NePS still has not been able to fully restore interoperability in its payment system, as VISA, a global payments technology firm, has not given it the green light to do so, according to Chhetri. Most debit and credit cards in Nepal are VISA-branded. “And the American company is still in the process of appraising our new system,” Chhetri said.

NePS had installed new hardware after the Chinese hacking fiasco. “The new system is up and running, but VISA does not want to rush, so we will gradually address the interoperability issue,” said Chhetri.

However, the delay in restoring card acceptance at all terminals inside and outside the country has inconvenienced cardholders.

“Customers should not bear the brunt of weaknesses in someone else’s system,” said Bam Bahadur Mishra, head of the Payment Systems Department at NRB, adding, “Cyber thieves are everywhere in the world. That’s why we need robust systems.”

Cardholders of the 18 banks have been affected since Chinese hackers stole Rs 18.9 million from 68 ATMs of 17 banks in Nepal on August 31. The hackers had used cloned cards of seven banks to rob the money. Similar cloned cards of six Nepali banks were also used in 132 ATMs of 24 banks in India to rob INR 10.6 million, according to a central bank report. Of the stolen money, only Rs 12.6 million has been recovered, and only six of the eight Chinese involved in the heist have been arrested. Yet, what has come as a relief to clients of the 18 banks is that the hackers were not able to dip into their accounts to steal the money. In other words, the money was stolen from the ATMs and not from the bank accounts.

Since the incident took place, the Nepal Rastra Bank, the central bank, has lowered the daily ATM cash withdrawal limit to Rs 60,000 from Rs 100,000, causing more inconvenience to customers. The central bank resorted to this measure despite NePS saying that the Chinese involved in the heist had withdrawn more than the erstwhile daily limit of Rs 100,000; that is, the limit was bypassed rather than enforced during the heist, so lowering it does not by itself close the weakness.

The modus operandi of the biggest cyber heist in Nepal is still not clear. A preliminary central bank report says the hackers either took control of the VISA network or of the NePS switch to rob the banks. The hackers could also have done something ‘in between VISA network and NePS switch’, adds the report, meaning the transaction messages passing between the VISA network and the NePS switch may have been intercepted and modified to steal the money.

Hackers, as per experts, may not have penetrated the VISA network as suspected, since the money was stolen using cloned cards of NePS member banks only. If the VISA network had been compromised, the hackers would have stolen money from banks not associated with NePS as well, they say. This implies the NePS switch itself may have come under attack.
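The two failure modes the preceding paragraphs describe, cash leaving an ATM on an authorization the issuing bank never approved (so nothing was debited from any account) and a single card being cashed out beyond the daily limit across several banks' ATMs, are both visible in logs if the acquirer's ATM journal is reconciled against the issuer's authorization records. The following is an added example of such a reconciliation check; it is not code from NePS, NRB, Verizon or any bank mentioned in the article, and every record, bank name, card number, date and field name in it is constructed for illustration.

```python
from collections import defaultdict

# Erstwhile per-card daily ATM cash withdrawal limit cited in the article, in rupees.
DAILY_LIMIT_NPR = 100_000

# Constructed ATM journal rows from the acquiring banks' ATMs: what was actually
# dispensed. Bank names, masked card numbers, dates and amounts are sample data
# for this example only, not NePS, NRB or bank records.
ATM_DISPENSES = [
    {"txn": "T1", "card": "4111****0001", "acquirer": "BankA", "issuer": "BankB", "date": "2019-08-31", "amount": 40_000},
    {"txn": "T2", "card": "4111****0001", "acquirer": "BankC", "issuer": "BankB", "date": "2019-08-31", "amount": 40_000},
    {"txn": "T3", "card": "4111****0001", "acquirer": "BankD", "issuer": "BankB", "date": "2019-08-31", "amount": 40_000},
    {"txn": "T4", "card": "4222****0002", "acquirer": "BankA", "issuer": "BankE", "date": "2019-08-31", "amount": 30_000},
    {"txn": "T5", "card": "4333****0003", "acquirer": "BankA", "issuer": "BankB", "date": "2019-08-31", "amount": 50_000},
    {"txn": "T6", "card": "4333****0003", "acquirer": "BankC", "issuer": "BankB", "date": "2019-08-31", "amount": 50_000},
]

# Constructed issuer-side authorization log: what each issuing bank's core system
# actually returned. T5 is deliberately absent (the issuer never saw it, so its
# approval must have been manufactured somewhere between the switch and the ATM);
# T6 was declined by the issuer yet the ATM paid out (the response was altered in transit).
ISSUER_AUTH = {
    "T1": "approved",
    "T2": "approved",
    "T3": "approved",
    "T4": "approved",
    "T6": "declined",
}


def unapproved_dispenses(dispenses, issuer_auth):
    """Return dispensed transactions the issuer did not approve.

    Flags both the transaction the issuer has no record of and the one it
    declined. To the cardholder both look the same: cash gone from the
    machine, nothing debited from the account, which is exactly the pattern
    the article reports.
    """
    flagged = []
    for d in dispenses:
        status = issuer_auth.get(d["txn"])
        if status != "approved":
            flagged.append({**d, "issuer_status": status or "no record"})
    return flagged


def daily_limit_breaches(dispenses, limit=DAILY_LIMIT_NPR):
    """Sum dispensed cash per (card, date) across all acquirers and return
    the combinations above the per-card daily limit.

    The limit only works when applied where the card's running total is
    known (the issuer side); an ATM that trusts whatever approval arrives
    cannot enforce it, which is why a forged response sails past it.
    """
    totals = defaultdict(int)
    for d in dispenses:
        totals[(d["card"], d["date"])] += d["amount"]
    return {key: total for key, total in totals.items() if total > limit}


if __name__ == "__main__":
    for row in unapproved_dispenses(ATM_DISPENSES, ISSUER_AUTH):
        print(f"UNAPPROVED {row['txn']} card={row['card']} acquirer={row['acquirer']} "
              f"amount={row['amount']} issuer_status={row['issuer_status']}")
    for (card, day), total in daily_limit_breaches(ATM_DISPENSES).items():
        print(f"LIMIT card={card} date={day} total={total} limit={DAILY_LIMIT_NPR}")
```

Run on the sample data, the first check reports T5 (no issuer record) and T6 (issuer declined), and the second reports card 4111****0001 at Rs 120,000 for the day, spread over three banks' ATMs so that no single acquirer saw the limit exceeded. A real deployment would key the match on the network's transaction identifiers rather than a bare `txn` string, and would run against both the switch's log and the issuers' core-banking logs so that a compromised switch cannot vouch for itself.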

“We will learn more about it once the Singaporean team hired to conduct forensic tests of the heist submits its detailed report,” said NRB’s Mishra. A Verizon team based in Singapore has collected data to perform the digital forensics. It is likely to submit its report in November.

The report may explain the modus operandi of the heist, but to control these kinds of incidents that erode people’s trust in the electronic payment system, banks need to invest more to make their systems robust. At the same time, the central bank should also invest in human resources to bolster its monitoring mechanism.

The central bank currently does not have a single IT security expert. So, it allows banks to outsource the work of conducting technical audits. “The banks conduct IT security audits just for the sake of it. The regulatory authority does not cross-verify whether the audits meet the international standards,” Santosh Sigdel, immediate past president of Internet Society of Nepal, recently told THT.

The central bank is aware of this problem. “The governor has already asked us to make preparations to hire at least five IT security officers,” Mishra said.

18 banks whose services have been affected

• Bank of Kathmandu

• Citizens Bank International

• Deva Bikas Bank

• Excel Development Bank

• Global IME Bank

• Janata Bank Nepal

• Jyoti Bikash Bank

• Lumbini Bikas Bank

• Machhapuchchhre Bank

• Nepal Bangladesh Bank

• NIC Asia Bank

• Om Development Bank

• Prabhu Bank

• Prime Commercial Bank

• Shangri-la Development Bank

• Shine Resunga Development Bank

• Siddhartha Bank

• Sunrise Bank