SBP Wants All Banks to Undergo Massive Cybersecurity Audit
The State Bank of Pakistan (SBP) has ordered all banks operating in Pakistan to carry out a thorough cybersecurity audit of their systems, including their patching procedures, in order to prevent further security incidents.
“Failure to comply with the…instructions will lead to penal action by SBP including but not limited to the suspension of non-compliant digital payment products and services of the banks/MFBs (Microfinance Banks),” the SBP stressed in an official communication it sent to the banks on November 28.
SBP has strictly instructed the banks under its jurisdiction to protect their customers, including reimbursing customers who lose funds in a cybersecurity incident. “In case of a financial loss to customers due to such incidents, the bank/MFB shall compensate them within two business days. Banks/MFBs (Microfinance Banks) shall immediately carry out extensive vulnerability assessment and penetration testing to identify potential weaknesses in their Alternate Delivery Channels (ADCs) and payment systems including but not limited to card systems, RTGS (Real-time gross settlement systems), SWIFT (international wire transfers code), internet and mobile banking and agent-based and branchless banking etc,” explained SBP.
SBP issued these strict orders in the wake of a cyber attack against Pakistan’s banking system just a month earlier. The bank heist amounted to a total of Pakistani Rupee 2.6 million (around US$19,368), after which Pakistani banks decided to temporarily halt the processing of international transactions made with debit and credit cards.
By March 31, 2019, the banks are required to submit their audited vulnerability assessment to the PDS (Payment Systems Department), while the audit of their payment schemes must be in the hands of the PDS by the end of 2019.
Like the rest of the world, the State Bank of Pakistan is pushing for a complete migration from old magnetic stripe debit/credit cards to more secure chip-based EMV (Europay, Mastercard, Visa) cards by June 30, 2019. This will help defeat card-cloning schemes that rely on card skimmers.
As a defence against unauthorized transactions, SBP asked the banks to enable free SMS and email notifications for customers every time a transaction is made on their accounts. This way, suspicious withdrawals are logged and fraudulent transactions are easier to detect.

Historically, criminals could create counterfeit cards simply by copying card details from discarded sales receipts. In today’s electronic world, the authorization terminal also reads additional data held on the card’s magnetic stripe, and simple hand-held devices now let criminals “skim” that stripe and capture all the information needed to produce a fraudulent card.
Such skimming devices are not sold covertly; they are openly available from retail websites with little regulation. Once in possession of a customer’s card, a criminal can run it through this easily concealed device and, within seconds, capture and store the magnetic stripe data. Skimming usually occurs in businesses where the normal transaction requires the cardholder to hand over the card, such as a restaurant.
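The per-transaction alerting that SBP asked banks to enable is easy to sketch in code. The following is an added example, not SBP's or any bank's own implementation: every transaction produces the customer notification, and each one is also compared against the account's recent history so that a suspicious withdrawal (a country change shortly after a domestic transaction, a large amount, or several withdrawals in quick succession) is flagged for review. The thresholds, the account references and the sample transactions are all constructed for the example and are not taken from the SBP circular.

```python
"""Per-transaction customer notification plus simple fraud flags.

Added example (not SBP's or any bank's code). Thresholds and the sample
transactions below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Transaction:
    account: str    # masked card / account reference
    amount: float   # amount in PKR (assumed currency)
    country: str    # ISO country code of the acquiring terminal
    channel: str    # "ATM", "POS", "internet", ...
    when: datetime


# Assumed policy thresholds; a real bank would tune these per product.
LARGE_AMOUNT_PKR = 100_000.0
TRAVEL_WINDOW = timedelta(hours=2)     # two countries within this window is suspect
BURST_WINDOW = timedelta(minutes=10)   # window for counting rapid withdrawals
BURST_COUNT = 3                        # this many within BURST_WINDOW is suspect


def build_notification(tx: Transaction) -> str:
    """Text of the SMS/email alert sent to the customer for every transaction."""
    return (f"{tx.when:%Y-%m-%d %H:%M} {tx.channel} debit of PKR {tx.amount:,.2f} "
            f"in {tx.country} on account {tx.account}. Not you? Call your bank.")


def flag_reasons(history: List[Transaction], tx: Transaction) -> List[str]:
    """Return the reasons a transaction looks suspicious given the account's prior ones."""
    reasons: List[str] = []
    if tx.amount >= LARGE_AMOUNT_PKR:
        reasons.append("large amount")
    # Any earlier transaction in a different country inside the travel window.
    recent = [h for h in history if timedelta(0) <= tx.when - h.when <= TRAVEL_WINDOW]
    if any(h.country != tx.country for h in recent):
        reasons.append("country change within travel window")
    # Count this transaction plus the earlier ones inside the burst window.
    burst = [h for h in history if timedelta(0) <= tx.when - h.when <= BURST_WINDOW]
    if len(burst) + 1 >= BURST_COUNT:
        reasons.append("rapid succession")
    return reasons


def process(transactions: List[Transaction]) -> List[Tuple[str, List[str]]]:
    """Handle transactions in time order: one notification each, plus any flags."""
    history: Dict[str, List[Transaction]] = {}
    results: List[Tuple[str, List[str]]] = []
    for tx in sorted(transactions, key=lambda t: t.when):
        prior = history.setdefault(tx.account, [])
        results.append((build_notification(tx), flag_reasons(prior, tx)))
        prior.append(tx)
    return results


# Constructed sample: a domestic purchase, then ATM withdrawals abroad 40 minutes
# later, two of them in quick succession, and an unrelated account's small payment.
T0 = datetime(2018, 11, 28, 9, 0)
SAMPLE = [
    Transaction("****1234", 3_500.0, "PK", "POS", T0),
    Transaction("****1234", 45_000.0, "AE", "ATM", T0 + timedelta(minutes=40)),
    Transaction("****1234", 45_000.0, "AE", "ATM", T0 + timedelta(minutes=44)),
    Transaction("****1234", 120_000.0, "AE", "ATM", T0 + timedelta(minutes=47)),
    Transaction("****9876", 800.0, "PK", "internet", T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    for message, reasons in process(SAMPLE):
        print(("ALERT " if reasons else "      ") + message, reasons)
```

Every transaction still reaches the customer, which is the point of the SBP instruction: the customer is the one party who knows immediately whether a debit was theirs. The flags only prioritise which alerts the bank's own fraud team should look at first.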