Cyber Insecurity in Pakistan

Journalist Alamzeb Khan discusses recent security breaches in Pakistan that have affected millions of people and accounts.

On 26th October, almost all Pakistani television channels (followed by print and web media) were flooded with the breaking news saying that Pakistan is encountering a new layer of cybercrime scam affecting all commercial banks (more than 20 different banks having thousands of branches in country and abroad). The news in detailelaborated that some 20 thousand credit/debit cards of customers have been compromised during the last week of October with a reported loss of Rs 2.7 million. This flow of news stirred the nation as according to State Bank of Pakistan at present (last quarter 2018) there are 18,778,525 debit cards (excluding hundreds of thousands of credit cards and other ATM cards) being under usage in the country. Consequently, scores of the banks moved a step ahead and blocked myriads of international transactions through credit-debit cards. Some even temporary halted disbursement of cash via ATM machines to save their customers from any mishap.

To double check this stormy news I visited PakCERT (Pakistan’s Computer Emergency Response Team) website. PakCERT is a business concern dealing with ICT solutions in Pakistanwhich revealed that on October 26, 2018, hackers posted over 9,000 debit cards on the dark web for sale at a price ranging from $100 to $160 per card. The data was placed in two different formats. First, with a text-based credit/debit card details, like name, phone number, card number, address and even expiry of the card to facilitate the illegal purchases. The second format was skimmed stuff making it easy for someone to scan details of the cards at a compromised ATM machine.

However, on the following day, media flashed more news saying that the storm is over (probably to avoid panic). But the consequent day (31st October) brought an aftershock saying that some 12,000 more cards were uploaded on the dark web including 11,000 cards from Pakistan.

Sensing this paradoxical scenario, I decided to unfold the issue as in recent years Pakistan has faced similar incidents of cyberspace scams (among which the recent one was the worst ever) that remained active for some time and then faded away unchecked and unresolved.

Some Recent Scams

Last December, a private bank confirmed that hundreds of its bank accounts were hacked through ATM (Automatic Teller Machine) cards. The bank official later confirmed to the media that Rs 10 million had been stolen from 559 of its accounts. A couple of similar incidents were followed until FIA (Federal Investigation Agency) started a comprehensive action and arrested several foreigners for allegedly stealing data from banks with skimming devises at ATM facilities. This kind of stealing and skimming devices was a new phenomenon in Pakistan and all those arrested were foreigners. However, after a gap of eleven months, when the recent cyber scam is hovering, scores of such incidents related to ATM machines were reported. Accordingly, during last two months scores of local hackers involved in ATM hacking were arrested from different parts of the country including the federal capital. In other words, this ATM scam not confined to foreigners but local hackers in different cities have access to the same misdemeanour.

Apart from other such scams, there was one major scam in recent times. In April 2018 a ride-hailing company Careem (having operations in 13 countries in over 90 cities) announced that data of its 14 million customers and drivers was stolen in a cyber attack. However, officials of the company revealed that they have seen no evidence of fraud or misuse related to the issue. But it was a major blow for the leading online transport company in the country as most its customers quit using the app and the service to avoid any mishap to their personal data on their cell phones.

The Issue

Sensing the issue followed by contradictory news, I approached CEO PakCert Qazi Muhammad Musbahuddin and asked him if the crises is over or still looming. He replied, “At present I can’t comment on the issue as all the relevant sector or working on the issue”. He added said that no further information will be shared on this regard until complete investigation of the issue. However, soon after the issue was raised on 26th of October, Mr Qazi told Pakistan leading Television channel Dawn TV “No doubt the problem is there however we are working to assess that either bank database is compromised or another kind of security breach occurred.”

Now the question is, if government departments are working on it, no one knows about it particularly the worried customers. For example all cards (ATM, Debit, Credit Cards etc) are bank generated.

Meanwhile, most of the customers have no or little information about the digital complexities and if stuck with any technical issue find themselves in hot waters. For instance, a local customer from the provincial capital Khyber Pakhtunkhwa Province Peshawar, Adnan Afridi told me that during last week of October 70 thousand Pakistani rupees were stolen from his account but now he doesn’t know how and where to complain about it.

Commenting on the issue of Adnan Afridi and other such mishaps, Iftikhar Firdus, Bureau Chief Express Tribune Peshawar, who also has expertise on the issue, said that cyber crimeshave many types and the one related to the recent scam comes in the category of financial cyber crime. In the said case, usually hackers enter via coding in the dark net. And the problem is most of the time such entries remain untraced. In Pakistan, they are also using other tactics like calling from unknown numbers, using pressure tactics to get pin codes, etc. International hackers are even faster. On the contrary, Pakistan has little or no preparation to counter such threats, and most of the banks here have no counter mechanism. Accordingly, recent reports say that a sufficient number of customers are flexing their muscles to go for analogue transactions.

Challenge at Present

If the issue of cyber scam was something to be worried a couple of yearsago, it seems to be really alarming now. Most of the activitiesonce tackled traditionally (manually) in Pakistan are now transforming into digital and the online amphitheatre. The phenomenon like e-commerce, e-health, e-Tag and online banking, etc., which were once aliens to our economic structure are now the lifeline of the system. It’s obvious that a major part of Pakistani community is now dependent on cyberspace.

Meanwhile, most of the government functions suchas hospitals, sensitive defence offices, election commission of Pakistan, Civil Aviation System, NADRA (National Database and Registration Authority), National Assembly, Senate, Emergency Services, and even nuclear arsenals containing sensitive information are on the digital front.

However,this improvement on the national cyber world also brought with itself cyber security and cyber threat. Recent reports say Pakistan is one of the few leading countries being constantly under threat by foreign cyber offenders. Cyber security threats with recent threats to the banking sector and other relevant enterprises are hard to be avoided.

Comparison

No doubt cyber crimes and cyber insecurity are global issues, and the digital system is vulnerable to cyber attacks throughout the world. However, most of the countries respond to the issue in a smarter way, particularly in developing countries. There are various international fora for the purpose of having a quick response with highly professional staff comprising Computer Security and Incident Response Team (CSRIT), Forum for Response and Security Team (FIRST), etc. Most countries have such security watchdogs like US-CERT, CNCERT, AUS-CERT,JAPCERT, SING-CERT, etc.

Talking on the issue, a senior level official in Islamabad from United Bank Limited explained on condition of anonymity that unfortunately Pakistan’s public and private systems are neither fully automated nor fully secured. He added that unlike developed countries (US, UK, China, etc.), Pakistan don’t possess dedicated cyber warfare units and, as a result, we are more vulnerable events like the recent one as compared to developed countries.

He also gestured to another misfortune that, unlike developed countries, Pakistan don’t have international cyber space treaties with online portals such as Google or Facebook resulting in further vulnerability when any cyber space scam appears.

Government Response

Talking to a media outlet, Assistant Director FIA Cyber Crime Cell Abdul Wajid Khan Safi has said that there are some alarming reports over the issues. He added that the rapid increase have many reasons like the recent boom of social media (making people’s personnel information vulnerable), lack of awareness, and most probably the involvement of international hackers. This is whythere are some 1600 complaints registered in his covered area during last 10 months. However, FIA Cyber Crime Cell is actively addressing such complaints. He added that, on one hand, there are strict penalties being promulgatedin the laws and at the same times scores of arrests have been made in the recent past. According to Cyber Crime Law, if proven guilty, there is a 3 to 7 month imprisonment and Rs 10 million fine.

No doubt government is taking some action to fix the issue and in recent days some arrest were also made by FIA Cyber Crime Cell. In one recent incident, FIA Cyber Crime Wing arrested two hackers stealing Rs 500,000 from a private person. The gang was involved in stealing money from random banks. In another incident at Faisalabad city of Punjab province, a seven-member gang was arrested where data of about 300 customers were recovered from the gang.

However, as the magnitude of the offence is concerned, it’s not a matter of few arrests, but needing a comprehensive strategy by different concerned departments of the public and private sector.

Despite the above-mentioned steps, as magnitude of the threat is concerned, the government is still thousands of miles behind and little effort has been done to tackle the issues. There seems to be no concrete security policy or any guidelines for the public. A few months back, the Senate Standing Committee on Defence tabled a seven point agenda to improve cyber security in the country. The seven points also emphasises having a joint Asian Strategy in collaboration with neighbour states for countering these threats. But these efforts have gone unnoticed and no implementation appeared on board.

Recommendations:

Assessing the overall situation followed by talks with expertsis a prime concern. Pakistan should evolve a comprehensive cyber space strategy and implement it in letter and spirit. No doubt some progress has been made by FIA Cyber Wing, but it needs to be further expedited. PAKCERT offices should be further equipped with contemporary innovations and, if needed, its branches should be open in different units/provinces of the country.

Most of the banks have made sufficient investments for security purposes, but they need more attention and investment to strengthen their firewalls, use of anti-virus protection on their computers, and encrypted websites.

As precautions by the customers are concerned, a legal expert and lawyer at Islamabad Salahuddin Khan said that, apart from banks and other government and private organizations, the customers should adopt some precautionary measures. They should avoid sharing personnel information like CNIC number, account number, pin code, credit/debit card numbers and other such information which are the primary source for most of the hackers.

Mr Khan added, that if a person is still trapped, he or she should immediately contact Cyber Crime Cell (particularly NRC3 wing) to have the complaint either written or online.

Other experts also have the same opinion and are of the view that encrypted and anti-virus software should be updated on home computers and cell phones.

Moreover, the government should go for immediate agreements and treaties with international online portals. Experts say in presence of such agreements almost 90 percent of such cyber issues can be solved.

Continued awareness among the public with liaisons among security intuitions (FIA Cyber Crime Wing, PAKCERT, etc)will help the public bring further strength to cyber security. Adding Cyber Space and Cyber Security as a subject in the syllabus at the university level would no doubt be helpful for a safe and secure cyberspace in the country.

References

State Bank of Pakistan Quarter Analyses/Report: http://www.sbp.org.pk/psd/pdf/2018/PS-Q1FY18.pdf

PakCert report on Intelligence threat:

http://www.pakcert.org/img/PakCERT%20Threat%20Intelligence%20Report%20-%20web.pdf

Dawn (Pakistan’s most reliable and leading English paper) Report: RS 10 million from 559 bank accounts in ATM Fraud: https://www.dawn.com/news/1374623

Data of 14 million customers of Careem Stolen:

https://www.cnbc.com/2018/04/23/careem-says-data-of-14-million-drivers-and-riders-stolen-in-cyberattack.html