What you need to know about ethical hackers in Nepal
The country’s cyber security is not the strongest. And with everything going digital—from national identity cards to driving licenses—if we are not careful, we could invite in a lot of risks.
In August last year, Nepal Police arrested five Chinese nationals for ATM fraud. Zhu Lianang and four others were apprehended for using cloned debit cards to breach multiple banks’ processing systems and withdraw cash from 68 ATMs.
Police confiscated Rs12.60 million and around $10,000 along with 132 forged VISA debit cards, 17 authentic VISA cards, six mobile phones, a laptop and a data card from them.
According to police, Zhu and his accomplices had hacked the Nepal Electronic Payment Systems (NEPS), an interface that allows the transaction of money deposited in a bank by using cards issued by other member banks.
Banks falling prey to hackers isn’t new to Nepal. In November 2017, NIC Asia Bank suffered an attack in which the attackers issued fraudulent money transfers via the SWIFT interbank messaging service.
The bank said that attackers initiated $4.4 million in fraudulent money transfers from its accounts to accounts in six other countries, including the United States, the United Kingdom, Japan and Singapore.
Both incidents have shed light on how weak Nepal’s cyber security is. They have also forced banks and other big corporations to hire cyber-security experts to ensure that if and when such things happen, they have the right person to deal with the issue. The people they have been hiring are ethical hackers.
The failure of banks, especially the central Nepal Rastra Bank, to upgrade their digital security measures has meant that Nepal is increasingly becoming a target for hackers from around the world. But it’s not just banks that are in danger. In addition to cash-out attacks, weak systems are vulnerable to conventional attacks using phishing software and malware, and physical methods like ATM jackpotting.
What is ethical hacking?
Ethical hacking can be defined as the practice of bypassing system security to identify potential data breaches and threats in a network.
“It happens after the company that owns the system or network allows cyber security experts to test the system’s defences,” says Samir Gautam, an independent security analyst. “Unlike malicious hacking, this process is planned, approved, and more importantly, legal.”
Gautam says that ethical hackers aim to check the company’s system or network for weak points. “That way we get to know if the system can be exploited or not,” he says.
The purpose of ethical hacking, according to experts, is to improve the security of the network or systems by fixing the vulnerabilities found during testing.
What is an ethical hacker’s job?
“We use the same methods that a hacker uses. We try to find out what is wrong and how it can be solved,” says Shailendra Basnet, founder of IT Training Nepal, a computer institute based in Kathmandu. “An ethical hacker’s job is to improve the security and defend the system from attacks by malicious users.”
Gautam says that Nepali organisations started to hire security experts around 2014. But the need for them intensified after the NIC Asia incident in 2017. Prior to this, hacking was never considered a big threat because there was no actual incident where any organisation lost money.
“It’s about quantitative assessment rather than qualitative when it comes to big corporations in Nepal. That makes Nepal quite prone to international hacking. But things are getting better. Banks are more vigilant as they don’t want to leak money as well as their client’s information. But we need to do more,” says Gautam.
By more, Gautam means companies need to regularly update the software they use and to hire and retain qualified staff members.
“It’s small things like these that are the reason that can stop cyber hacking. Nepal has just begun to go digital. Our details are going online more than they used to, which is why ethical hacking is important. It keeps us on our toes and keeps us safe,” says Gautam.
To ensure that cyber security is taken seriously, various hacking events and conferences have also started taking place in Nepal. One such conference is Threat Con, organised by the security analysis company ThreatNix, which has been taking place annually since 2018.
“The aim is to talk about the importance of cyber security and how we can prepare ourselves right now,” says Abiral Shrestha, security analyst at ThreatNix.
Shrestha says that these events expose Nepali companies to the risks that they might have to face in the future. He says that Nepal is currently in a delicate situation, with everything going digital, from national identity cards to driving licenses, and if the country is not careful, it could invite in a lot of risks related to data security.
Who provides such services in Nepal?
Gautam shares that there are various companies in Nepal which offer ethical hacking services. Laba Nepal, Vairav Technology and Cryptogen have been in operation for nearly a decade. “These companies give an individual the skills required to become an ethical hacker. They provide them the knowledge of programming, networking skills and a general understanding of databases. If I were a company, I would hire two of these companies—one would hack and the other would try to block the hack. That is how you could create a safe cyberspace,” says Gautam.
Colleges, after seeing a rise in demand for courses which deal with cyber security, are also adding courses on the topic, says Shrestha, who was interested in computer security from a young age, and thus completed his bachelor’s degree in Computer Networking and Cyber Security from Islington College.
“It’s great that colleges are offering courses like these. There is a huge demand for skilled people in the security sector in Nepal and this is just the start,” says Shrestha.
Gautam feels it’s a booming market which can be both a good thing and a bad thing. But for now, he hopes all organisations keep up with what is happening and invest in better software and systems.
“We need to invest in three things—people, process and technology,” says Gautam. “When we do that, we can say that we are prepared.”