Editorial
Banks must invest more in digital security
The recent breaches show that not enough has been done to increase security.

The recent string of ATM breaches in Nepal shows how vulnerable our banking sector is. For an industry that survives on people trusting it enough to deposit their money in it, the highly profitable sector has been woefully close-fisted when it comes to securing their charge from digital attack and theft. What else could explain the rise in the number of attacks, that too from a diverse set of foreign nationals? Banks and financial institutions must invest more to secure the money in their care, and Nepal Rastra Bank must enforce its policies and regulations on security in a more stringent manner.
The recent attack by Chinese nationals on a Nabil Bank ATM on Durbar Marg was thankfully foiled by the police, who were acting on a tip-off. Had the police not been tipped off, or had they not acted swiftly upon it, the four thieves would have gotten away with at least Rs12.60 million and around $10,000, if not more. The thieves apparently used a device to connect to the ATM and sever its connection to the core banking software, allowing them to bypass network security and withdraw all the money stored in that particular ATM. That the foreign nationals thought Nepal would be an easy target is worrisome. But what is even more worrying is that this is just the latest of numerous attacks that Nepal’s ATM and digital banking systems have suffered in the past few years.
Data from the Central Investigation Bureau shows that the Nepal Police have arrested 18 foreigners and six Nepalis for breaking into ATM systems in the past seven years alone. The arrested included people from Bulgaria, Moldova, Russia and China. And in 2017, on the day of Laxmi Puja, unidentified criminals—thought to have been operating from abroad—hacked into NIC Asia Bank’s SWIFT interbank fund transfer system. They got away with almost Rs460 million, making it the largest heist in Nepal’s history. It seems that foreign hackers and thieves are finding digital security in Nepali banking especially easy to breach. And this is not a positive development.
Nepal Rastra Bank says that it has been pushing measures and regulation to beef up security. But, obviously, it has not done enough to enforce such regulations. In the case of the NIC Asia heist in 2017, IT staff were found to have been given remote access to secure servers, and employees were found to be using the sensitive, secure interbank computers to send and receive personal emails. Moreover, even though Nepal Rastra Bank’s Monetary Policy 2015-16 had directed banks to switch all card systems to the more secure microchip-based equipment by mid-October that year, many banks are still, in 2019, using and accepting the old magnetic strip-based cards. Nepal Rastra Bank needs to strictly enforce the directives it passes, especially on security matters, and punish appropriately those violating banks and financial institutions. Banks and financial institutions, too, have to take more responsibility in securing the funds entrusted to their care—both physically and digitally. They cannot continue to earn high profits without investing some of that back into security.