India is moving towards a cashless economy with lots of fanfare and it is being trumpeted as big achievement by the Government and the Reserve Bank of India touted as one of the largest financial inclusion instruments. There are 31 crore Jan Dhan accounts across India. The Government uses these accounts for direct benefit transfer schemes and providing accident and life insurance. But unfortunately the system seems to be blissfully ignorant of the flaws accompanying a cashless system. As so many transactions going online across bank branches in India and as well as globally, the security of bank transactions are exposed to hackers operating from across the world. Now that the RBI is pushing for creating bank accounts for the underprivileged and ensuring more online transactions, Indian banks need to wake up to the threat posed by various operating software like the SWIFT platform and take steps in advance .
SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a cooperative owned by over 3,000 financial institutions across 200 countries in the world. The network is put to use by more than 11,000 banks worldwide that send more than 25 million messages per day on the platform to seek and validate transactions. Each bank is assigned an eight-character identification code and a SWIFT message can only be sent from one SWIFT terminal to another where authentication happens using smart-card technology. There have been four successive incidents of cyber attacks on banks in the transactions authorized via SWIFT over the past two years viz. (a) on the Ecuadorian Bank in January 2016, (b) on Vietnam’s Tien Phong Commercial Joint Stock Bank May 2016 and (c) on the Bangladesh Central Bank February 2017 and latest our own Punjab National Bank (PNB) scam unearthed in February 2018. The first three frauds were reportedly committed using the digital infrastructure of the banks and exploiting the weaknesses on the SWIFT network causing losses of over USD 100 million and the PNB scam alone costs nearly 2000 million USD. A report published by Infosec Institute on its website says the modus operandi of the hackers appeared to be similar. The hackers used fraudulent transactions to break into the bank’s systems in all the cases. However, what was typical is that in most cases alert employees of the bank could have identified these frauds by way of transactions after banking hours and beneficiaries located in different parts of the world but in connivance failed to do so.
In India, RBI Governor Raghuram Rajan had already warned that it is not only through processes and networks that cyber defences are broken open. He had gone on record to state that the apex bank had identified cyber security experts to head a subsidiary created specifically for the purpose of detecting fraud. But nothing seems to have been done and we are in the midst of a huge PNB scam now.
The PNB had probably one of the biggest scams in the history of banking, worth over Rs 11,300 crore. This should be an eye opener for the entire banking industry as it was a case of failure of technology systems and procedure. Two employees of PNB directly used international payment system SWIFT to raise overseas credit and bypassed the core banking system (CBS) which processes daily banking transactions and posts updates. In other words, this was possible as SWIFT was not online with CBS software Finacle and that enabled the fraud. However, in case of the PNB scam, question arises as to why the reconciliation between SWIFT and core banking transactions was not done on regular basis? There is no doubt that senior management is responsible risk compliance management and for this fraud. The reasons include a lack of oversight or connivance by the line managers or senior management, business pressures to meet unrealistic targets, lack of tools to identify frauds, software and staff collusion, which was at the bottom. When in Bangladesh, such a fraud had just taken place through SWIFT, why Indian banks did not wake up and why ( Lettr of Understanding) LoU was entered into the CBS of PNB only when the foreign bank branches claimed that money. In 2016, criminals managed to steal $101 million from Bangladesh Bank, whereby attackers circumvented a bank’s local security systems and gained access to the SWIFT network. Fraudulent messages were then used to initiate cash transfers. In the case of Bangladesh Bank, hackers used the tactic to transfer money out of its accounts at the New York Fed. Cyber criminals also used SWIFT to steal $6 million from a Russian bank last year. They also hacked City Union Bank’s systems and transferred nearly $2 million through three unauthorised remittances to lenders overseas via the SWIFT financial platform.
Indian banks became extremely vulnerable after a major data breach of 3.2 million credit and debit cards in 2016, one of the biggest attacks in India. A global ransomware attack hit India among several countries compelling RBI to make it mandatory for banks to update their ATM software and other systems.
Worldwide banking sector is coping with challenges of frauds India is way behind is in the preparedness of banks in fraud risk management. At present, when the credibility of technology was questioned, RBI said it has appointed working groups on Cyber security and will be soon coming up with similar frauds in the coming days. Unfortunately, such precautions are hardly taken or even looked into before a technology is put into operations.
Experts believe that after the recent PNB scam, financial institutions should focus on using newer and updated security technologies, such as certificate pinning, two-factor authentication and innovative sign in methods, by conducting transactions only on secure networks, monitoring bank accounts for suspicious activity and creating tough screen lock passwords.