With the attempted $951-million Bangladesh Bank heist providing an alarming backdrop, the Reserve Bank of India (RBI) is strongly prodding banks to step up the vigil against cyber crimes, a growing bugbear for consumers. Banks have been specifically directed to put in place a security policy enlisting the strategy to combat such threats, duly approved by their Boards, by September 30, 2016. Alongside this, banks have been told to set up a Security Operations Centre and beef up the role of the chief information security officer (CISO) within individual banks. Besides, the need to leverage the CISO forum under RBI’s Institute for Development and Research in Banking Technology (IDRBT) for exchanging information among banks and generating quick responses to cyber incidents has been stipulated by the central bank. In recent months, with the SMAC format (social, mobile, analytics and cloud) driving innovation in the banking sector, the security imperative is even more compelling with regard to preventing data theft and checking financial fraud. The recent spate of cyber attacks have been turning highly sophisticated and the missive to banks now is on using specialised analytical techniques and exploiting vulnerabilities that had hitherto gone unnoticed. The wake-up call, though, has been the heist in the Bangladeshi central bank. In February 2016, cyberthieves had issued instructions to transfer $951 million out of Bangladesh Bank’s account at the New York Federal Reserve. While most were declined, an amount of $81 million was transferred to a bank in the Philippines, never to be traced again. The theft sent shock waves through the global banking community, both for the amount of money that was swindled and how the heist leveraged the Society for Worldwide Interbank Financial Telecommunication (Swift) system, the backbone of international finance. Gottfried Leibbrandt, chief executive of Belgium-based Swift, had termed the Bangladesh cyberattack “a watershed” for the banking industry. Watch Video: What's making news Among the RBI’s initiatives, alongside the IDRBT — which is primarily a banking research institute established in 1996 by the RBI — the central bank has also established a new institution, the Reserve Bank Information Technology (ReBIT) Pvt Ltd, as its wholly owned subsidiary, for stepping up focus on cyber security and for building cutting edge capabilities for supervising financial technology usage in the sector. The RBI, as highlighted by Deputy Governor R Gandhi at an IDRBT event in Hyderabad on July 19, has also constituted a working group on financial technology, “to fully understand the new paradigm of Fintech and to chart out the best way of using it”. Apart from the issue of cyber security, for which the IDRBT platform is to be leveraged, Gandhi pointed to the use of new technologies such as cloud-based computing, block chain processing and virtualisation of IT systems that hold potential for the future. The focus of these initiatives would be to ensure safe, trackable and secure digital currency, distributed ledger-keeping and homogenous IT systems — all of which is likely to translate into better customer service. Alongside this, the RBI has also petitioned the government and state-owned banks on the dangers of money muling, specifically with reference to a number of newly opened accounts under the NDA government’s flagship Pradhan Mantri Jan-Dhan Yojana (PMJDY) that could be particularly vulnerable. Money muling is a term used to describe innocent victims who are duped by fraudsters into laundering illegal money via their bank accounts. Fraudsters typically contact customers via emails, chat rooms, job websites or blogs, and convince them to receive money into their bank accounts, in exchange of some commissions. Illegal money is deposited into the money mule’s account, who is then directed to transfer the money to typically another money mule’s account — starting off a chain that ultimately results in the money getting transferred to the ultimate beneficiary’s account. When such frauds are reported, the money mule becomes the target of police investigation. The looming danger, as has been cited by the RBI, is the increasing number of idle Jan-Dhan accounts. As of May-end 2016, 22.29 crore accounts had been opened, with the total deposits amounting to Rs 39,251 crore. Tech innovation also heightening cyber risks According to consulting firm Deloitte’s April 2016 report: Cyber Security, De-Risking India’s Banking Industry, the business and technology innovations that financial services companies are adopting for growth, innovation, and cost optimisation, are in turn presenting heightened levels of cyber risks. These innovations, according to the report, have introduced new vulnerabilities and complexities into the financial services technology ecosystem. The continued adoption of alternate channels such as ATMs, kiosks, internet, mobile, cloud, and social media technologies have increased opportunities for attackers, as also the increasing trend towards outsourcing, offshoring, and third-party contracting, which may have further diluted institutional control over IT systems and access points. The modus operandi includes: Account Takeovers Cyber criminals have demonstrated their ability to exploit online financial and market systems that interface with the internet, such as the Automated Clearing House (ACH) systems, card payments, and market trades. Payment Systems Fraudulent monetary transfers and counterfeiting of stored value cards are the most common result of exploits against financial institutions, payment processors, and merchants. ATM Skimming: ATM skimming a common global cyber crime, whereby a criminal affixes a skimmer to the outside or inside of an ATM to collect card numbers and personal identification number (PIN) codes. Point of Sale Terminals Point of Sale (POS) terminals have been a primary target for cyber criminals engaging in credit card fraud and have resulted in the compromise of millions of credit and debit cards across the globe. Mobile Banking Exploitation With more mobile devices being introduced into personal, business, or government networks, they have been increasingly targeted for stealing Personally identifiable information (PII). Cyber criminals have successfully demonstrated man-in-the-middle attacks against mobile phones using malwares.
