Saturday’s cash-out attacks on various ATMs in Kathmandu have exposed significant security vulnerabilities in the Nepali banking system, including a failure to conduct periodic security audits, comply with the latest technology and invest adequately in digital security, according to security analysts.

Zhu Lianang, a Chinese citizen, was arrested on Saturday night from a Nabil Bank ATM booth in Durbar Marg while attempting to withdraw cash. Zhu named four other Chinese nationals who were involved in stealing cash from ATMs by using cloned debit cards to breach processing systems.

“The incident was an outcome of weak digital security in the banking business, which calls for adequate investment in both technology and human resources by banks,” said Hempal Shrestha, member of the Federation of Computer Associations Nepal. “Although the central bank has made it mandatory for banks to conduct information security audits, many banks have not been allocating an adequate budget for a proper audit.”

Despite banks making record profits year after year, investment in digital security is minimal, said former bankers. In the last fiscal year, commercial banks made a net profit of over Rs60 billion in total, with almost all of them posting net profits of more than Rs1 billion each, according to the Nepal Rastra Bank.

Banks also need to invest in both technical and non-technical human resource, all of whom need to be trained on preventive security measures.

“As non-technical officers are responsible for conveying security codes, they too need to be trained to check possible loopholes in the system,” said Shrestha.

Most banks still consider building up security systems as an unrewarding and unnecessary expense, which is what leads to attacks like these, said Prajwal Shrestha, an IT lecturer at Kathmandu University School of Management.

“It is the negligence of banks that has provided ample room for hackers to steal cash from ATMs,” he said. “As advancements in technology are major challenges in modern banking, banks need to increase investment to secure their systems, apart from just tackling the leakage of pin codes.”

Advancements in technology have also meant that hackers are using increasingly sophisticated methods to gain access to gateways in banking software and to access customer information. A sector as vulnerable as banking needs to constantly stay up-to-date with technology, according to analysts.

Although most banks have transitioned to debit and credit cards with microchips, there are still a few banks that still use magnetic strips in their cards, which poses a vulnerability, said Sashin Joshi, former chief executive officer of Nabil Bank.

“Banks fail to follow security protocols for Swift and governance risk compliance systems for the Nepal Electronic Payment Systems (NEPS). These banks face problems,” said Joshi, who has worked as an executive at a number of banks. “There should also be management oversight and an independent audit system as part of NEPS.

Swift is a messaging network used by banks for money transfers while NEPS is a local interface that allows transactions of money deposited in one bank using cards issued by other member banks.

Former central bank officials also pointed to the variety of software that banks use as a hindrance in monitoring.

“Had there been uniformity in the software used by banks, it would have made vigilance easier,” said Dipendra Bahadur Chhetri, former governor of Nepal Rastra Bank.

Presently, Nepali banks are different types of software, such as Finacle, Temenos T24 and different editions of Pumori Plus, in their operations.

“If the same software is used in all banks, it could minimise the number of loopholes that take place in switching to a new system while carrying out transactions between different banks,” said Chhetri. However, using the same software could also expose all banks to the same vulnerabilities, putting everyone at risk if a hacker finds one loophole.

Gyanendra Dhungana, president of the Nepal Bankers’ Association, admitted that there was a need to improve security but that threats were persistent, due to rapid changes in technology worldwide. Dhungana said they were looking forward to guidance from Nepal Rastra Bank. 

***

What do you think?

Dear reader, we’d like to hear from you. We regularly publish letters to the editor on contemporary issues or direct responses to something the Post has recently published. Please send your letters to [email protected] with "Letter to the Editor" in the subject line. Please include your name, location, and a contact address so one of our editors can reach out to you.