Cyber Security and Banking Sector
Islamabad/Rawalpindi, November 11, 2018
Digital dangers
By Dr. Vaqar Ahmed and Prof. Siraj Ahmed Shaikh
Some recent cyber attacks have rung alarm
bells for the modern economy and digital banking
The recent cyber attacks on Pakistani
financial institutions are of great concern
to people. A bank suffered
abnormal transactions valued at over Rs2.5
million on the morning of October 27, 2018.
During the process of detection and recovery,
the international payment card and domestic
ATM cash withdrawal services were disrupted
at the bank. Moreover, there were concerns that a further
US$6 million worth of payments had allegedly
been carried out.
After this incident there have been more
revelations — of up to nine banks withdrawing
international debit card facility. This is in line
with reports that Pakistani card details have
become available in online underground
markets; such markets have become a norm as
part of the “dark web”, the essentially
unregulated parts of the Internet that have
emerged over the years to allow a black
economy to thrive and be marketised.
The scale of potential disruption from cyber
attacks on banking services is not to be
underestimated given the increasing reliance on
online banking — everything, from ATMs to e-
commerce.
A distributed denial of service (DDoS) attack
on the RBS Group in the UK three years ago
left millions of customers without access to
their account for nearly an hour.
A DDoS attack is a complex and coordinated
cyber attack that serves to undermine digitally
connected systems, reflecting a high-tech
form of crime that is purposeful, resourceful
and timed for maximum effect. This year’s
Global Risk Report places cyber attacks in the
top five global risks, behind only extreme
weather events and natural disasters. The
Report by the World Economic Forum (WEF)
said:
“Most attacks on critical and strategic systems
have not succeeded — but the combination of
isolated successes with a growing list of
attempted attacks suggests that risks are
increasing. And the world’s increasing
interconnectedness and pace heightens our
vulnerability to attacks that cause not only
isolated and temporary disruptions, but radical
and irreversible systemic shocks.”
Banks and financial institutions are acute targets
given their critical role in entire
national ecosystems. A recent Brookings report
on cyber risks and financial stability alludes to
this argument on how financial markets can
propagate and amplify such shocks, potentially
leading to financial crises. One argues this is a
sobering moment for the cyber security
community interested in Pakistani financial
institutions, as there is potential for a domino effect
exposing vulnerabilities in the technical
foundations of the banking sector of the
country.
There has been an encouraging growth of online
payment platforms in Pakistan. A large part of
this is attributable to growth of business to
consumer e-commerce. This of course was also
helped by expanding internet access, branchless
banking, improvements in 3G/4G services
beyond first-tier cities, and a rising youth
population which is educated and tech-savvy.
Consumers are gradually moving from the
largely used cash-on-delivery mode to online
payment options. This shift is rather slow owing
to businesses themselves being reluctant to
invest in development costs (including putting
in place online security related measures) of
online payment options.
To help the businesses and consumers find
greater confidence in online payment options,
the central bank has allowed third party service
providers to provide payment gateways in
Pakistan. Examples now include
Easypay and Fonepay. These are also
providing the facility to allow payments through
mobile wallet accounts such as EasyPaisa and
JazzCash.
The central bank is also keen to promote use of
information technology to support growth of
small and medium enterprises. This among
other ways can be achieved through the
development of web-based market places which
encourage e-commerce. There have been efforts
now to promote innovation challenge funds
which can support SME financing through
technology.
In 2017, while foreseeing a foreign exchange
crunch and looming pressures on the value of
Pakistani rupee vis-à-vis other major currencies,
the then government allowed remittances by
workers abroad through m-wallets. This step,
apart from increasing dollar inflows, was also
aimed at boosting financial inclusion and reducing
the cost and time taken to transfer remittances
back home.
While the above mentioned is indeed
encouraging, unfortunately the recent cyber
attack incident could invite further regulation by
the central bank which could increase the
transactions cost of businesses and consumers.
The regulatory environment is already stifling
the market players with oversight activities
ranging from monitoring of payment gateway
data, assessment of gateway trends, random
checks on the degree of safety, onsite
inspections, and offsite supervision. We
understand from industry experts that a key
reason for PayPal not coming in the country is
excessive banking sector regulation.
But the cyber attack incident and stifling
regulation in turn also have macroeconomic
implications. Successive governments in
Pakistan have tried to promote greater
formalisation of the economy, i.e. helping those
operating in informal sector to formalise and
become eligible to access scheduled finance and
insurance facilities. This effort has been
challenged as Pakistan remains a cash-based
economy. Only about 15 per cent of Pakistan’s
adult population has an active bank account.
The natural disadvantage of this is that once
people start to save too much in cash, this
hinders the creation of money which in turn can
be transformed into credit. This of course also
has implications for future investment in the
country.
As the central bank moves towards its ambition
of allowing a separate category i.e. ‘Digital
Banks’ to come into the market, it is equally
important to have a greater understanding of: a)
what to regulate and how; and b) how to allow a
more ‘connected consumer’ the confidence to
participate in electronic transactions in a secure
manner. This is important as the banking sector
and telecom industry wish to promote mobile-
commerce through almost 140 million
subscribers out of which approximately 40
million are 3G/4G users. These numbers are set
to rise as the turnover of smart phones in the
country continues to be on the uptick.
The experts associated with FinTechs —
startups which aim to use technology to provide
innovative financial services — also inform of
issues beyond an unfavourable regulatory
environment and are particularly concerned
about lack of systems that bring about greater
data security, threats to intellectual property,
difficulty of licensing, weak access to license
holders and uncertain tax regime.
All of these problems get accentuated by the
weak redressal provided to those who are
already victims of cyber-attacks in Pakistan.
More reliable online security mechanisms could
also promote greater collaborations between the
scheduled banking sector and FinTechs.
However, it is the public sector which will have
to share the costs of putting in place relatively
more reliable security systems.
In responding to cyber attacks, which
potentially target an entire sector as such,
coordination across agencies, affected
institutions, law enforcement and international
actors is a key to the required solution. While
global in nature, this has to be led nationally in
response to incidents. Indeed, the quality of a
state’s capacity to respond to cyber attacks is
rapidly being recognised as an important
element of global competitiveness. Such
coordination could then be broken down to a
number of steps.
First, ensure the first line of defence is
invoked. This includes traditional measures of
incident response to curtail the impact of the
attack and prevent propagation across connected
networks. The security industry has established
a set of standards around immediate measures
to disable and de-escalate such situations.
Secondly, for banking in particular, ensure that
the client base and the wider public are
reassured to avoid panic and confusion. This
also has the secondary, but equally important,
effect of calming stock markets and investors
against any unwarranted reactions.
Finally, forensic audits and legal instruments
are to be deployed to coordinate collection of evidence
and coordinate with domestic and international
actors to help detect attackers. Some of this may
even require diplomatic support and longer-
term measures for transnational coordination.
This has been recognised by world leaders as a
necessary measure to avoid the risk of crippling
economies.
The authors are associated with Coventry
University, UK and Sustainable Development
Policy Institute, Pakistan respectively.
http://tns.thenews.com.pk/digital-dangers/#.W-e08dUzbcc