US officials have recently issued a warning to banks globally about the potential threat of cyber-attack. They referred to the Bangladesh Bank reserve heist and feared that cyber-attacks of this type may continue to happen on a large scale, jeopardising banking transactions and payment systems all over the world. Even SWIFT (Society for Worldwide Interbank Financial Telecommunication) has reported that hackers used malware last month to bypass another bank's control mechanism and access its fund transfer system. Although SWIFT did not name the bank, analysts think it was a Vietnamese bank.
In 2015, members of the so-called Carbanak Group exploited a common cyber-security vulnerability to compromise the internal systems of more than 100 financial institutions in 30 countries and steal around one billion US dollars. It is alleged that the group wired funds to offshore bank accounts under its control and instructed the victim banks to allow it to draw the money. Kaspersky Labs, a Russia-based cyber-security company, indicated that these financial institutions were located in the US, Russia, Germany, China and Ukraine. Cyber-attacks and online hacking of financial institutions are now rampant in the world financial industry, including in the developed countries.
Bangladesh has probably become a victim of this heinous crime sweeping across the world. After the ATM fraud and the Bangladesh Bank reserve heist, three commercial banks have been hacked, and data from Trust Bank, City Bank and Dutch-Bangla Bank have allegedly been stolen by the hackers. The time has come for our financial sector to undertake extensive precautionary measures comprising both technological and human controls.
OBJECTIVE OF HACKING: Why have the hackers targeted Bangladesh, particularly its financial sector? Although there is no exact answer yet, some situational analysis can be done. During the last decade, Bangladesh has achieved spectacular economic development; its accumulation of a huge foreign currency reserve, in particular, has drawn the attention of international forums. Moreover, the hackers succeeded in stealing money from Bangladesh Bank's account maintained with the Federal Reserve of New York on their first attempt. This success may have encouraged the hackers to focus on the financial sector of our country, having found its cyber security system and monitoring arrangements very vulnerable. Secondly, some unscrupulous people may want to expose our country to reputational risk in the international arena and thus jeopardise its economic growth prospects. Thirdly, there is hearsay in the IT world that the ultimate objective of online hacking or cyber-attack is to sell online security products and services, as a tacit understanding is alleged to exist between the companies that develop and market online security products and the hackers. If a frightening situation is created through successive cyber attacks, affected people may want to buy or install online security systems from those companies.
THE ROLE OF IT EXPERTS AND BANKERS: Following the incident of hacking of data from three commercial banks, I had discussions with some bankers, including one IT officer. I understand that some misconceptions prevail among bankers and banks' tech people about the associated risk factors, control parameters and mitigating tools. There is a strong perception in our banking industry that the entire responsibility for ensuring online security lies exclusively with the IT department, which is partially but not absolutely true. The overall responsibility for a bank's entire online system and its security arrangement lies with the IT department, but assessing the risk of using IT in the banking business, identifying the risk factors associated with banking operations, their degree of risk and the controlling parameters must be determined by the bankers, while the IT department is held responsible for implementing those control mechanisms in the system. One example may clarify this conflicting stance between bankers and IT experts. Whether incoming email carrying an attachment or hyperlink will be allowed or not must be the decision of the bankers or policymakers, not the IT people; if the decision is negative, it then becomes the responsibility of the IT experts to ensure that all emails received with an attachment or hyperlink are either stopped or filtered.
LOCAL CURRENCY VS. FOREIGN CURRENCY: Hackers' eyes are always on foreign currency, because local currency has no exchange value outside the country. Moreover, local currency must be physically withdrawn from the bank to be transacted within the country, which can easily be prevented by taking some extra measures. Therefore the computer systems used to manage foreign currency face a greater security threat than those managing local currency. In order to reduce the risk of losing foreign currency through cyber attack, banks may consider diversifying the NOSTRO account balances they maintain with foreign banks. Through proper analysis, the foreign exchange requirement for every three/six months can be determined and retained as liquid cash in the NOSTRO account, while the rest may be converted to term deposits, for which US treasury bonds may be a preferred option. For safeguarding local currency from cyber-attack, consensus must be reached among the bankers to follow some control features while acting on transactions, particularly when a cash payment or over-the-counter payment is to be made against an account transfer or online fund transfer. Holding the transaction for a certain period, preferably two/three days depending upon the amount, may be introduced; during that holding period, any fraud, if detected, must be reported and reimbursement claimed. If no such claim is reported during the holding period, the transaction will be presumed authentic and acted upon. If fraud is identified after the lapse of that period, no bank other than the originating one will be held responsible.
In the developed world, especially in North American banks, a crediting transaction with a value of ten thousand or more is held for five working days.
LIMIT INTERNET ACCESS/USE: Computer systems are commonly infected by viruses, cyber attacks, malware etc., which mostly arrive through email communication and web browsing. These two forms of internet use must be strictly controlled and limited to some extent. First of all, using personal email such as Yahoo or Gmail from office computers must be restricted; the system will automatically stop officers/executives from accessing personal email accounts on Gmail, Yahoo, cloud services etc. Similarly, browsing unsecured websites must be prevented from official computers. The IT department will periodically review and analyse various websites and, based on its findings, identify secure official websites that are allowed to open on official computers. Opening unidentified websites must be filtered and prevented. However, if opening an unidentified website is necessary for official purposes, the matter will be referred to the IT department, which will then assess the risk and decide. Likewise, email carrying hyperlinks must be filtered and deleted at the IT department so that such email does not reach the officer's folder. Attachments, on the other hand, are now an integral part of office communication and cannot be discarded, but close monitoring of email carrying attachments will be established, and officers will be strictly instructed to refrain from opening any attachment if the source/sender is not clearly known to them.
Some internet fans may be unhappy with this kind of monitoring/control system, but it is needed in the greater interest of the institution, the industry and the country as a whole. This kind of close monitoring is a mandatory requirement of office culture in developed countries. However, a bank may create a common place in the office where some computers are installed with an internet connection from a third-party service provider, with no connection to the bank's main server, like a home internet connection. This will allow officers and executives to use their personal email and web browsing for a limited time.
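As an added illustration, not code from the article or from any bank named in it, the following Python gate encodes the access rules just described: personal webmail blocked, only IT-reviewed sites allowed with everything else referred to IT, hyperlink-carrying email dropped, and attachments from senders not known to the bank quarantined. All domain and sender values are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy data for illustration; a bank would populate these from IT's own reviews.
BLOCKED_WEBMAIL = {"gmail.com", "mail.google.com", "yahoo.com", "mail.yahoo.com"}
ALLOWED_SITES = {"intranet.examplebank.example", "portal.regulator.example"}
KNOWN_SENDERS = {"treasury@examplebank.example", "ops@correspondent.example"}

# Anything that looks like a link in the message body
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def _under(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return host in domains or any(host.endswith("." + d) for d in domains)

def web_request_verdict(url):
    """Browsing control: block personal webmail, allow only IT-reviewed sites, refer the rest to IT."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    if _under(host, BLOCKED_WEBMAIL):
        return "block"
    if _under(host, ALLOWED_SITES):
        return "allow"
    return "refer-to-it"  # unidentified site: IT assesses the risk and decides

@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def email_verdict(msg):
    """Mail control: hyperlink mail is dropped at IT; attachments pass only from known senders."""
    if URL_RE.search(msg.body):
        return "drop-hyperlink"
    if msg.attachments and msg.sender.lower() not in KNOWN_SENDERS:
        return "quarantine-unknown-sender"
    if msg.attachments:
        return "deliver-monitored"  # known sender, but attachment traffic stays under monitoring
    return "deliver"
```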
STRENGTHENING REAL TIME MONITORING: To make the banking system foolproof and secure the bank's foreign currency from the potential threat of cyber attack, there is no substitute for strengthening real-time monitoring of the bank's NOSTRO accounts. Usually, money transferred through an ABA (American Bankers Association) routing number is effected on the same day, but only some large US and Canadian banks have this routing facility. All other fund transfers are carried out through the SWIFT messaging system. Money transferred by SWIFT message remains in transit for 24 hours, during which the fund is not credited to anybody's account. Any fraudulent transaction, if detected within these 24 hours, can easily be prevented or reversed. This is evident from bank NOSTRO account statements, which may show debits with corresponding credits, or vice versa, that are not substantiated by a respective invoice: these are erroneous or fraudulent entries that were subsequently detected and corrected. Moreover, in the case of transferring US dollar funds, Bangladesh is in a preferential time zone, because when North America closes, Bangladesh opens. Transactions effected during the preceding day's business hours must be reconciled, verified and confirmed by 10 a.m., and if any unmatched item is detected, the respective correspondent bank must be notified with a request to withdraw/reverse the transaction. Since the correspondent bank will receive this rectification message as soon as its office opens, it will be able to act on the transaction accordingly.
This real-time monitoring will have to be done under the direct supervision and validation of senior officials, who will also verify the current balance against the previous day's figure. This practice is commonly followed in the monetary systems of the developed world to substantially reduce the risk associated with fund transfer transactions. It is worth mentioning that every day banks in the developed world process a high volume of fund transfers through ABA routing numbers and SWIFT messages, of which a good number of payments are sent to the wrong account because of differing payment instructions, but the risk of losing money is prevented through real-time monitoring and reconciliation.
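The morning reconciliation described in the two paragraphs above, as an added Python example that is not the article's or any bank's own procedure: the previous day's NOSTRO statement is matched against the bank's own ledger of authorised instructions, every unmatched or mismatched entry becomes a recall candidate flagged with whether it is still inside the 24-hour transit window, and a separate senior-officer check derives the expected closing balance from yesterday's confirmed figure. The statement lines, references, amounts and timestamps are all constructed sample data.

```python
from datetime import datetime, timedelta
# Constructed sample data, not real bank records. NOSTRO statement from the correspondent:
# reference, D(ebit)/C(redit), USD amount, value timestamp (UTC).
STATEMENT = """\
BDT-REF-1001,D,125000.00,2016-05-12T14:05:00Z
BDT-REF-1002,D,48000.00,2016-05-12T15:40:00Z
BDT-REF-1003,C,210000.00,2016-05-12T16:10:00Z
UNKNOWN-7781,D,980000.00,2016-05-12T19:32:00Z
"""
# The bank's own ledger of the instructions it actually authorised that day (constructed).
LEDGER = """\
BDT-REF-1001,D,125000.00
BDT-REF-1002,D,84000.00
BDT-REF-1003,C,210000.00
BDT-REF-1004,D,30000.00
"""
def ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def parse(text, with_time=False):
    """Return {reference: {"dir", "amount"[, "value_ts"]}} from the CSV-like lines."""
    rows = {}
    for line in text.splitlines():
        ref, direction, amount, *rest = line.split(",")
        rows[ref] = {"dir": direction, "amount": round(float(amount), 2)}
        if with_time:
            rows[ref]["value_ts"] = ts(rest[0])
    return rows

def reconcile(statement_text, ledger_text, now_iso, window=timedelta(hours=24)):
    """Match statement entries to authorised instructions; 'reversible' = still inside the transit window."""
    now, stmt, ledger, out = ts(now_iso), parse(statement_text, True), parse(ledger_text), []
    for ref, s in stmt.items():
        l = ledger.get(ref)
        if l is None:  # no authorising instruction at all: possible fraudulent entry
            issue = "unauthorised-debit" if s["dir"] == "D" else "unexplained-credit"
        elif l["dir"] != s["dir"] or l["amount"] != s["amount"]:
            issue = "mismatch"
        else:
            continue
        out.append({"ref": ref, "issue": issue, "amount": s["amount"], "expected": l and l["amount"],
                    "reversible": now - s["value_ts"] <= window})
    for ref in sorted(ledger.keys() - stmt.keys()):  # instructed, but the correspondent never executed it
        out.append({"ref": ref, "issue": "instruction-not-on-statement", "amount": ledger[ref]["amount"]})
    return out

def expected_closing(previous_close, ledger_text):
    """Senior-officer check: yesterday's confirmed balance plus only the authorised movements."""
    net = sum(r["amount"] if r["dir"] == "C" else -r["amount"] for r in parse(ledger_text).values())
    return round(previous_close + net, 2)
```

Run at 10 a.m. Dhaka time (04:00 UTC) the unauthorised 980,000 debit is still within the window and can be recalled by message before the correspondent's office opens; the same run a day later reports it as no longer reversible.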
Cyber attack and online hacking are a big challenge to the computer world. People are now frightened of using information technology because of the potential threat of cyber attack. But we will have to live with technology, installing high-standard online security systems and strengthening human control mechanisms. Since successive cyber attacks have occurred in our country's banking industry, bankers must take the threat seriously.
Nironjan Roy, CPA, CMA, is a Canada-based banker.