At least three local private banks suffered major cyberattacks last month, raising concern about the robustness of their security systems against a growing threat of scammers.
Of the three, Dutch Bangla Bank Limited (DBBL) was the biggest victim, losing as much as $3 million (around Tk 25 crore) to global cybercriminals, according to sources in the banking sector.
Two other banks -- NCC Bank and Prime Bank -- also faced cyberattacks, but they claimed they were able to avert financial losses.
This was the biggest cyberattack after hackers made off with $81 million from Bangladesh Bank’s account with the Federal Reserve Bank of New York around three and a half years ago.
Following last month’s cyberattack, the BB formed an eight-member committee to probe the matter. Intelligence agencies are also investigating it separately.
The latest incident has created worries in the country’s banking sector as it was different from the past incidents of hacking.
Usually, hackers use malware to steal customer data from a bank’s server and then use that information to clone credit and debit cards.
But in the case of the DBBL, hackers planted a malware in the bank’s switch (card management system) around three months ago and made a perfect replica of the switch, which the bank could not detect.
When hackers went for transactions last month, the proxy or the shadow switch gave instructions to release funds, keeping the bank completely in the dark.
Hackers made off with around $3 million between May 1 and 3 from cash machines in Cyprus, Russia and Ukraine. Hackers used credit cards and Personal Identification Numbers (PINs) of the DBBL to steal the money.
The DBBL came to know about the fraud when Visa, a global payment solution provider, asked it to settle payments for transactions made by the bank’s “clients” in Cyprus.
Initially, the bank refused to pay as its server didn’t show any of the transactions. Then Visa came up with “solid proof”, and the bank was compelled to pay, said sources in the DBBL.
The DBBL reported the matter to the BB which held two meetings with the heads of IT, retail banking and card divisions of all banks in the middle of last month to discuss the issue.
Around a couple of weeks later, the DBBL’s nine ATMs fell prey to an international hacker group that stole around Tk 16 lakh on May 31. Law enforcers later arrested six Ukrainians in connection with the theft.
A senior BB official, who attended the meetings last month, said the latest incident of cyberattack is a matter of concern for all banks as it exposed vulnerabilities in their cybersecurity controls.
“It can happen to any bank if it doesn’t protect its IT system with updated software and anti-virus,” the official told The Daily Star, seeking anonymity.
Contacted, DBBL Managing Director Abul Kashem Md Shirin declined to comment.
But the other two banks that faced cyberattacks admitted that their cybersecurity systems were compromised.
“Somebody tried to break into our security system recently, but failed. We didn’t incur any financial losses,” said NCC Bank Managing Director Mosleh Uddin Ahmed.
After the hacking attempt, the bank suspended payments through the automated cheque processing system for a few days, he added.
Prime Bank Managing Director Rahel Ahmed said they had faced a hacking attempt but was able to avert financial losses.
However, multiple sources confirmed to this newspaper that the two banks lost money. The amounts, however, were not that big.
Voicing concern over the latest cyberattack, a number of experts have criticised banks for their lax attitude towards strengthening their IT systems, and said this left them vulnerable to fraud.
Out of 58 banks in the country, only three -- Eastern Bank Limited, City Bank and Mutual Trust Bank Limited -- have got certification for complying with the Payment Card Industry Data Security Standard (PCI DSS) set by Visa, MasterCard, Discover Financial Services, JCB International and American Express.
The only other local firm that has the certification is IT Consultants which runs Q-Cash, a payment processing consortium.
The DBBL has the largest network of cash machines and the highest number of debit cards in circulation, but it does not have the PCI DSS certification.
Banks are not making enough investments to strengthen their IT security and human resources, and this is one of the key reasons for vulnerabilities in their cybersecurity systems, said the head of the IT department of a leading private bank.
“Many banks use below par and pirated software, which is very vulnerable to fraud,” the official told this newspaper on the condition of anonymity.
Another senior banker blamed a lack of awareness among boards of directors and top management of banks for poor investment in IT security.
In a study last year, Bangladesh Institute of Bank Management (BIBM) found 28 percent of the banks had no preparation to tackle a largescale cyberattack.
Talking to The Daily Star, Mahbubur Rahman Alam, associate professor of the BIBM, said banks in Bangladesh got automated without adequate preparation.
“Many banks went for automation without sufficient IT infrastructure. The time has come to address these crucial issues. The banks should hire skilled IT professionals,” he added.