The vulnerable state of Nepali ATMs and banks is now known to everyone. We used to hear about ATM card skimming and other frauds, but this time we heard about a new kind of attack. Chinese hackers broke the PIN and security system of Nepali banks through ATMs and withdrew cash. They were caught in the act, and this has shown that the banking system is very vulnerable. After the event, Nepal Rastra Bank (NRB) ordered an IT and security audit for all banks.
Last year there was a hack at NIC Asia using SWIFT transfer. About Rs 40 crore was siphoned off overnight through the bank's SWIFT system. Now Chinese hackers have been caught withdrawing money from an ATM of Nabil Bank. They were taking money from another bank and were caught through the action of the Police. The criminals were found with illegal foreign currency and the withdrawn Nepali currency. Nepal Police is investigating this matter.
The Central Bank, Nepal Rastra Bank (NRB), called a meeting with bankers after this incident. The main concerns are cybersecurity and electronic fund transfer. The preliminary investigation shows that the hackers bypassed the system by installing malware on the ATM machine. An ATM is just an ordinary computer running special software, so it is vulnerable like any other computer. And our banks in Nepal do not have strong enough cybersecurity. Therefore NRB has ordered them to improve security and patch vulnerabilities in their systems.
Security Audit, Monitoring, and Prevention
Banks now need to focus on their IT section. Many people say that banks are busy only changing and increasing interest rates, and are not focusing on important things like security. This attack is an example and a clear warning that we should be prepared. This time the banks are absorbing the loss, but many times it is ordinary people who lose money. So banks should always be ready and have a secure system.
All A, B, C and D class banks and financial institutions should now do an IT audit to assess internal and external vulnerabilities. NRB has ordered the licensed institutions to assess their mobile apps, websites and social media for viruses, ransomware, malware, trojans and other threats. The institutions need to ensure both the internal and external safety of their systems by assessing and bolstering them. DDoS, cyberattacks, phishing, spamming, spoofing, keylogging etc. are common threats. The order directs banks to have good antivirus, encryption, perimeter defense and access control. We have found that many banks have not updated their apps in months, and they are outdated.
Banks also need to do a security audit of all IT systems and make a preventive, detective and responsive IT security strategy. NRB has ordered the banks to do the audit and make the necessary improvements as soon as possible. They have also told the banks to increase awareness among staff and the public and to improve their capacity. People also need to be aware of scams, spam and bait. It is better to have a good, strong password for online banking. We advise you not to share your ATM PIN or OTP with anyone.
How to be safe while using ATM and online banking
Always be careful while doing transactions outside the bank. While withdrawing money from an ATM using your debit or credit card, check the booth and the machine. See if there is anything suspicious like an extra keyboard or number pad. See if there is a hidden camera near or above the keypad. Also check the card insert or swipe slot for a skimmer. If there is any suspicious hardware that looks like a skimmer, do not use the machine and inform the authorities.
Do not tell your ATM PIN to anyone and use it carefully. While entering it, cover the keypad so others cannot see. We recommend this everywhere, including at ATM booths and PoS machines. If you have an international card like a USD card, do not show it or hand it over carelessly, as the information printed on it can be used for online transactions. Any fraudulent transaction or illegal activity done with your card can cause you trouble. Keep strong passwords that use a mix of capital and small letters, numbers and special characters. Use two-factor authentication like OTP wherever possible.