Are bank frauds a technology lapse?

The hacking of the IT system of the Union Bank of India that occurred in July 2016 has been revealed to the public only now. The reasons for this abnormal delay are not readily known.

From the face of it, the attack was not just a daring misadventure by unknown miscreants. It was also a culpable goof-up by one or more bank employees, raising serious questions about the security drill and training in place at the institution. It throws up huge concerns about the quality of online security that banks in India provide to their customers.

The only redeeming feature of the unfortunate episode was that the bank ultimately did not lose any money because of some smart and quick action on its part, which denied payment to those who formed part of the conspiracy. The commendable response to a crisis may mitigate the failure of the security system. It does not however allay misgivings about future arrangements at the bank.

From the facts admitted to by Union Bank, the intrusion was not because of a lack or the failure of technology. It was the product of intruder ingenuity and the carelessness of one or more bank employees.

According to facts known till now, this was a triumph for the art of pure and simple phishing which, in simple terms, meant the generation by criminals of a deceptive and fraudulent mail addressed to the victim (either an individual or an organisation).

Everything on the mail would appear normal, as if it emanated from an authorised and trustworthy source, in this case, the RBI (@rbi.org.in). Union Bank was not a specific target, it was chosen at random. The mail in question sought some sensitive information (passwords, user names from the recipients (about 15 Union Bank employees). Three employees smelt a rat and promptly reported it to the bank’s IT department. At least one committed the supreme folly of opening the mail and facilitating entry of a malware carried by the bogus mail into the bank’s servers.

Thereafter it was a kill for the hackers, who transferred nearly $170 million to two Cambodian banks, and one bank each in Thailand, Taiwan and Australia. The modus operandus seen here had a lot of parallels to the heist reported by the Central Bank of Bangladesh in February 2016, when marauders gained access to the SWIFT (Society for a Worldwide Interbank Financial Telecommunication) code that regulates receipt and despatch of details on international bank transactions.

The fraud at the Union Bank was detected before the transfer could be made. This was possible due to the healthy bank practice of preparing a reconciliation statement at the end of each working day. The blunder committed by the fraudsters in deleting from that statement the six criminal transactions made earlier in the day was an utter giveaway.

Investigations revealed that there was no insider collusion, nor was there a technical glitch. This was basically an act of deceit perpetrated on unwary and possibly ill-trained bank employees. It is easy to blame the bank management. I wouldn’t do that.

It is the experience world over that no amount of education and training can help prevent such mishaps. It is difficult to find a single hard-working and devoted human worker who does not relax his vigil even for a second.

Mind you, banking is a stressful calling, and this accounts for the extreme vulnerability of banks. What was admirable was the ability of the senior management of Union Bank to react swiftly to a first class crisis. It is this capacity that should be built up assiduously by any organisation.

In this respect, VIP security and bank security have something in common. Both can fail in a moment due to lack of care and the extreme stress and fatigue of the arduous exercise of protection. It is ironical that, at the end of the day, technology takes a back seat to criminal skill.

The writer is a former CBI director, who is currently the adviser (security) at TCS Ltd

COMMENT NOW