Devastating Cyberattack Shakes Up Pakistan’s Financial Sector

Pakistan has a pretty solid financial services sector. According to the World Bank in 2005, Pakistan’s banking sector has undergone a series of significant reforms that have shifted the industry from the public sector to the private sector.

The reforms benefitted from a climate of broader macroeconomic stabilization, and featured major bank restructuring, stronger regulations, and improvements in transparency. Better transparency definitely should work well with more regulations.

More than thirteen years have passed since that report. Inevitably there have been ups and downs in their economy like in most other large countries, and they weren’t as affected by the 2008 recession as the United States, Canada, and western Europe were. Imperfect but stable relations with India and their connections to the rest of the Asian market probably helped.

But just like every other major international banking sector, their financial data has become increasingly digitized. The digitization is great for convenience and efficiency, but it has made their banking industry increasingly vulnerable to cyberattack.

The Changing Financial Climate

According to PakCERT’s Qazi Misbah, 22 banks in the country were subject to a catastrophic cyberattack on October 27th of this year. 19,864 accounts with client banking data were hit, with some victims saying that funds were stolen. Amongst the many targets was the former Chief Scientist of Khan Research Laboratories, who says that Rs3 million disappeared from his bank account.

Bank auditor Chief Hermond Javed Bhatti has a better view of the big picture, noting that “the general public is slowly losing faith in the banking sector, and with data breaches like these, coupled with the introduction of federal taxes on banking transactions and the latest money laundering cases, more and more customers are turning away from the formal banking sector to the informal sector in a bid to distance themselves from conspiracy.”

MCB Bank tried to reassure customers with a public statement:

“In wake of a recent incident of cyber crime related to fraudulent bank transactions due to the data breach, MCB Bank would like to assure its valued customers that the customers’ data is completely safe. Not a single customer has been affected in the incident report publicized in media. Furthermore, the Bank reaffirms to remain vigilant and assure the integrity of its systems.”

Allied Bank made a similar statement:

“Allied Bank would like to assure its valued customers that Bank’s systems and customers’ data are absolutely secured and they can enjoy banking services both domestically as well as internationally with ease. The Bank has already heavily invested in the past years on security and resilience of its systems to make them robust and reliable for safe and secure banking across all the channels. Allied Bank is continuously engaged with the top of the line consulting firms for regular testing of its banking systems and infrastructure in line with best international practices.”

So basically, they’re saying that things are generally fine, they’re being extra careful, and Allied Bank customers should let them know if they’re going to use their bank card in countries outside of Pakistan.

Meanwhile some banks have suspended international payments on their cards. Simultaneously, Habib Bank Limited, Standard Chartered Pakistan, Summit Bank, Meezan Bank, and Sindh Bank want their customers to proceed as usual with their banking activities.

Taking Stock of Banking Security

Whatever the truth is, stock markets react to people’s emotions, whether or not the mood correlates with reality. According to Topline Securities, many shares in Pakistani financial companies were sold on November 6th.

So, what’s going on? There aren’t a lot of publicly known details as of yet, but the cyberattack probably involves the use of malicious card skimming devices attached to ATMs. The Director of the Federal Investigation Agency says that this is all part of a large criminal operation. “We have caught many gangs, presented them in court and recovered part of the looted money… we are trying to work proactively on the issue and stop bank pilferage.”

A lot of security improvements should probably be made to Pakistan’s banking technology. One thing I wonder about is if there are human-monitored cameras on all ATMs. That sort of measure alone may have prevented the criminals from successfully attaching card skimming devices. The State Bank of Pakistan says that the new but temporary restrictions apply only to cross-border transactions. That seems to suggest that they believe the cyberattack is foreign rather than domestic in origin.

If little is publicly known yet and we’re getting some contradictory information, Pakistan’s financial sector may be trying to downplay the severity of the attack for obvious reasons. Either way, sometimes there’s a positive side to incidents. But only if mistakes lead to lessons being learned.
