By W.A. Wijewardena –
Irrational reaction of Homo sapiens
It seems that the genetic code of modern Homo sapiens is not different from that of other species. The latter is guided not by thinking but by instincts. Similarly, Homo sapiens is still embedded with the ‘gene of fear’ that compels it to ‘fight or flight’ when faced with fear-stricken situations. That emotion is necessary for safety and survival. But in the modern world, Homo sapiens who is called ‘man the wise’ does not have to resort to either course without subjecting the source of fear to a critical inquiry.
This irrational behaviour of Homo sapiens led psychologist Herbert Simon, a Nobel laureate in economics, to coin the term ‘bounded rationality’ to describe it. According to him, Homo sapiens is rational within the boundary of ‘information, time and brain power available’, no matter what improved education, counselling or mentoring he may have got.
Later, another Nobel laureate in economics, Daniel Kahneman, made a startling revelation about why we make appropriate judgments fast on some occasions and slow on others. He attributed it to ‘biases of intuition’. That is, we allow ourselves to be guided by our own over-confidence in beliefs, impressions and intuitive knowledge rather than rational thinking. We believe that we are correct even when we have made wrong judgments.
This deficiency of ours is being used by politicians, religious leaders, marketers and many more to herd and lead us. We do not think that we have been victims, but firmly believe that we have been correctly guided. This weakness of Homo sapiens has been the source of all financial manias, panics and crashes in the history, as documented by Economist Charles Kindleberger, in a book under the same title.
An isolated ATM skimming
The reaction of Sri Lankans last week when a few Automated Teller Machines or ATMs operated by a few commercial banks came under attack by some criminal elements was testimony to this irrational behaviour.
The modus operandi used by these elements, nicknamed as ATM skimming, is second only to a James Bond movie full of weird-looking, intelligence-gathering high-tech gadgets. To withdraw monies fraudulently from a customer’s account, one needs to have the details embedded in the ATM card and the customer’s personal identification number or PIN. To capture the former, they had stealthily fitted a card-reading electronic device to the ATM’s card slot. To learn of the PIN, a secret camera had been mounted just above the keyboard of selected ATMs. Then, monies had been withdrawn from the customers’ accounts by using a duplicate card cloned by embedding the information so copied.
They had used a long weekend to put their plan into action. That was to prevent banks from detecting the robbery because they are usually operate low key on holidays or during weekends. But the banks, having detected these unusual activities in time, had taken prompt action to limit the loss only to those transactions that had already been completed. Thus, a major cyber robbery of Sri Lanka’s banking system was averted.
Fake news to create a major banking crisis
Even before the news of the ATM robbery was out, Sri Lanka’s irrational minds appeared to have sprung into full action. WhatsApp and other social media communication networks were used by bigger unscrupulous characters to malign the banks concerned and create panic among bank customers.
I received a message purported to have been disseminated by a Sri Lankan living abroad claiming that all bank networks had been hacked, implying monies were being robbed. It had sourced its information to a leading TV channel which is said to have advised bank customers to check the balances in their bank accounts. Though it was obvious that the information in the message had been faked implicating this TV channel, there was no denial of it in the website of its home page. It added credence to the fake message, further fuelling its dissemination.
But a bigger damage was done by other Sri Lankans, either through mischief or compelled by genuine concerns, by re-forwarding this fake message wholesale to all others. It spread like wildfire among Sri Lankans living both in the country and outside, fanned by irresistible manic compulsions. The attack on ATMs had been isolated and it had been brought under control. Yet, the secondary attack orchestrated by the unscrupulous elements through fake news in social media, amplified by word of mouth, was to create a major banking crisis in the country.
LankaClear has no role
The fake news had also implicated LankaPay, a national payment network operated by Sri Lanka’s cheque clearing agency, LankaClear. The rumour had been that LankaPay had been used to rob money from customer accounts. The irrational minds to which both LankaPay and its product JustPay were aliens had believed the story that it was LankaPay which was responsible for the digital heist of bank accounts in the country.
A senior bank manager whom I met also expressed these sentiments to me. His concern was that the security system in the common use of ATMs by several banks, known as the Common ATM Switch or CAS and operated by LankaClear, had been breached, enabling the cyber robbers to rob customers’ money.
LankaClear was not responsible for the robbery in question because it was only a facilitator of the common use of ATMs by several banks. ATMs were still owned by banks which were responsible for their security and proper use by bank customers. On the other hand, the product of LankaPay – tagged JustPay – was a transaction between a customer and a merchant by directly debiting his account by using a mobile device. ATM cards did not come into the picture at all.
Banks have always been source for robbers
Throughout history, banks have been the most sought-after institution by robbers. That was because they were rich with stacks of currency notes and coins and robbers could have an easy getaway after robbing them. Hence, armed gangs often covering their faces with masks have raided banks to rob cash in their vaults at gun point. It was an action-filled spectacle to witness armed men storming into a bank branch, asking both customers and bank staff to lie face down and then freely pushing money into bags before making a getaway in speeding vehicles.
However, these incidents were kept under control by banks by stepping up their physical security alarm systems. As such, the incidence of bank hold-ups has been on the decline. Another reason for its decline has been the significant reduction in the potential gain due to a similar reduction in the currency content in a bank branch, a development due to fast and progressive digitisation of banks.
With that, a new type of bank robbery in the form of cyber attacks on banks began to take root in the system. The attackers were not armed with guns but with sophisticated equipment that could hack banks’ computer systems to transfer money from accounts to undisclosed destinations. They were carried out at two levels. One was at the banks’ head office level penetrating their main computer systems. The other was at the local level targeting cash dispensing machines also known as ATMs.
Compromising a bank’s computer system
At the head office level, a bank’s computer system is operated by numerous staff members who have been given passwords to have access to it. It is these passwords which hackers try to acquire. Hence, banks have introduced a strict password compliance guideline to their staff.
Despite these measures, simple human errors and negligence would open doors for hackers to acquire them easily. Against this human error, banks have protected themselves through firewalls that would block unauthorised entry, encryption of messages preventing viewers from reading them and regular update of software and ‘data use audits’ as a preventive measure.
Hence, it is very rare now that computer systems have been hacked and monies belonging to customers have been stolen. The risks to systems have been the introduction of malware temporarily disabling their operation. In Sri Lanka, such major attacks on banks’ computer systems have not been reported in the past few years.
Today, it is ATMs that come under attack by criminal elements to rob money from genuine customers.
In addition to ATM skimming, there are other ways of doing so. One frequently adopted method, known as ATM Jackpotting, involves in fitting ATMs with a duplicate computer operated remotely from an off-site. Similar to an endoscope that penetrates a human body to take pictures inside, the heart of the operating system of the ATM is penetrated and its operating system is captured.
For practical purposes, the bank concerned will receive the alert that the ATM is out of order. By the time the bank’s technical staff comes there to fix it, the remote operator would have drained it of all the cash, forcing the machine to cough it out at full speed. This would amount to a hold-up of a bank branch by criminal gangsters since it is bank’s money that is being stolen.
Removing ATMs by using forklifts
Another popular method is the removal of ATMs located in isolated places using forklifts and carrying them away to retrieve the currency inside them at leisure. This is exactly similar to how it was done in the Wild West in the 18th century.
There, the bank robbers will come behind the bank branch, blow up the wall partitioning the iron safe of the bank, pull it out by using actual horse power and whisk it away before the sheriff would make his presence in the crime scene. The safe is then cut in order to retrieve the stacks of currency notes and coins within. Hence, raiding of ATMs by criminal elements is a common occurrence in the world today.
Ghost or fake ATMs
To retrieve details of ATM cards and PINs, criminal elements had in the initial stage used some ingenious methods. They would buy a used ATM discarded by a bank and recondition it to look like a genuine ATM operated by a reputed bank.
Then, the ghost or fake ATM is set it in a public place to deceive unsuspecting customers. When a customer inserts his card into the slot of these ghost or fake ATMs and enters his PIN, the machine immediately captures the data in the card and PIN, having displayed an error message on the screen to send the customer away.
The information is then used to clone duplicate cards for use in subsequent operations. This has been made possible by the availability of a large number of discarded ATMs in the used ATM market.
Technology brings in risks too
Technology has definitely eased our life. But, it has also brought in new risks. Thus, the challenge of bankers today has been how to use technology, while keeping the risks at a minimum. For that, the three parties which have an interest in a safe financial system – customers, banks and regulators – should get together and form a common front to fight abusers of technology.
In this context, vigilance, due diligence and quick action are the buzz words of success.
Alert the customer in real time
On the banks’ side, there should be adequate safety measures within the bank to thwart cyber robbers who usually operate from unknown foreign countries.
There are instances where banks have been negligent in changing the password of the customer. In one instance, the password had been communicated to the customer via common email and the email had been intercepted by criminal elements operating from a foreign country. Before the customer had noted it, his whole account had been drained. While the bank should take responsibility for not passing the password in encrypted form to the customer, the issue involved in this case boils down to failure to alert and failure to exercise due diligence.
In this modern communication world, there are enough low-cost methods of alerting customers of transactions being done in their accounts on a real-time basis. One is the use of SMS services; another is the use of email communications. Of these two methods, the first is preferred since it does not require internet facilities for communication.
When a customer is alerted via SMS, he could immediately alert back the bank concerned about a possible compromise of his account. It could limit the loss to what has already taken place.
Due diligence should be rewarded
At the same time, bank officers should use due diligence when they observe unusual patterns of debits to customers’ accounts. Such due diligence exercised by a Sri Lankan bank when the payments system of Bangladesh Bank or BB was compromised by hackers had saved BB some $ 900 million. Hence, due diligence is a preventive measure and bank officers should be encouraged to use it by rewarding them appropriately. Thus, there is nothing better than the use of the costless ‘eyeball test’ involving vigilance for preventing cyberattacks on banks.
*W.A. Wijewardena, a former Deputy Governor of the Central Bank of Sri Lanka, can be reached at firstname.lastname@example.org