Alarmed by the $101 million cyber heist at the Bangladesh Bank (BB), commercial banks of the country are planning a complete overhaul of their banking security systems to fend off a faceless army of digital intruders. Senior officials of commercial banks have held meetings with BB after the heist and reached a consensus on the issue. Many of the banks have already started contacting global security firms like Ernst & Young, Price Waterhouse Coopers, American Express and RSA to make their banking security systems fool-proof. Besides, officials from all the commercial banks will also meet today at the Bangladesh Computer Council (BCC) to discuss security issues with foreign cyber security experts, sources said.
However, senior officials admitted to The Independent that the biggest threats may come from within their own banks. After the incident at BB, where hackers successfully installed malware on the central bank’s system, the commercial banks fear that even after boosting their network security, they could remain vulnerable because of their employees.
Several officials from the IT departments of the commercial banks said that a growing number of employees were unwittingly exposing valuable information to hackers or leaving digital clues that made a breach possible.
Talking to The Independent, Mashrur Arefin, Additional Managing Director of City Bank Limited, said the security systems of commercial banks of the country are extremely vulnerable.
“The security breach could happen from anywhere. Even if we upgrade our current banking security system and ensure the highest level of protection online, the breach could happen if an employee unintentionally leaves the bank susceptible to hackers by falling prey to ‘spear-phishing’ attempts,” he said. Spear-phishing means targeting a specific employee in order to gain access to a company’s information. To do this, an email that appears to come from inside the company or another trusted source is sent to the targeted person. The email typically also contains details that appear to come from that trusted source, so that the message looks legitimate.
The target will be requested to click a link, which leads to a bogus website in order to get them to enter in their sensitive information. Sometimes, just clicking the link is enough to install malware on the target’s machine, allowing the attacker to take control of the computer and continue their scheme.
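The two indicators described above (a sender that only looks internal, and a link whose visible text does not match where it actually points) can be checked mechanically on inbound mail. The following is an added example, not code from the article or from any bank named in it; the trusted domain, the look-alike domain and the message itself are constructed placeholders.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed internal domain of the bank (placeholder, not a real institution).
TRUSTED_DOMAIN = "examplebank.example"

# Constructed sample: display name looks like the internal helpdesk, but the
# address and the link target use a look-alike domain ("1" instead of "l").
SAMPLE_MESSAGE = """\
From: "IT Helpdesk" <helpdesk@examp1ebank.example>
To: teller@examplebank.example
Subject: Password expiry notice
Content-Type: text/html

<p>Please confirm your credentials at
<a href="http://examp1ebank.example/login">https://examplebank.example/login</a></p>
"""

def domain_of(addr):
    """Return the lower-cased domain part of an address header, or ''."""
    m = re.search(r"@([\w.-]+)", str(addr or ""))
    return m.group(1).lower() if m else ""

def is_lookalike(domain, trusted):
    """True when domain differs from trusted by exactly one character edit."""
    if domain == trusted or abs(len(domain) - len(trusted)) > 1:
        return False
    i = j = edits = 0
    while i < len(domain) and j < len(trusted):
        if domain[i] == trusted[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip one character on the longer side (insertion/deletion) or both (substitution).
        i += len(domain) >= len(trusted)
        j += len(trusted) >= len(domain)
    return edits + (len(domain) - i) + (len(trusted) - j) == 1

def analyze(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = domain_of(msg["From"])
    if is_lookalike(sender, TRUSTED_DOMAIN):
        findings.append(f"sender domain {sender} looks like {TRUSTED_DOMAIN}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown = urlparse(text.strip()).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown and shown != actual:
            findings.append(f"link text shows {shown} but points to {actual}")
    return findings
```

Run `analyze(SAMPLE_MESSAGE)` to see both findings; a message from the real domain with matching link text produces an empty list.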
Arefin explained that spear-phishing often starts with the attacker gathering information from company websites that list contact details for individual employees. “Sometimes, it could come from a pen drive that an employee might unknowingly use in one of the bank’s computers and put the system at risk,” he remarked.
To boost their defenses, he said, many large banks across the world are banning workers from using portable devices such as USB drives, warning them to be careful about what they post on social media and even discouraging workers from posting ‘out-of-office’ replies on their emails.
“At this point, we don’t know where the security threat could come from,” he said.
The City Bank AMD said that they have already contacted Visa, Mastercard and American Express authorities to discuss the current security solutions. “We are also in talks with Ernst & Young to be our consultant for a thorough security check of our banking security,” he said.
Tarique Barkatullah, Director of National Data Center of Bangladesh, told The Independent that in 2014, the Information and Communication Ministry had appointed Ernst & Young to conduct a complete security audit of the National Data Center before expanding its capacity.
“We make sure that our National Data Center is protected from all possible hacking options and have a dedicated network manager to check for any security breach on a regular basis,” he said. Commercial banks still don’t do a thorough security audit, which leaves them vulnerable to many forms of attack, from spear-phishing to firewall breaches, commented Barkatullah, who holds the position of Joint Secretary General of the Chief Technology Officers (CTO) Forum, a platform for CTOs of the country.
He said that most systems operated by the banks were designed before hacks of this scale became commonplace. But, in the aftermath of the BB heist, unless commercial banks emphasize security as much as ease of use, attacks like this will keep happening.
“The real vulnerability is that a critical internal infrastructure like the computer that processes SWIFT is connected to the same machines that people use to read unvetted outside email and browse the web,” said Barkatullah, adding that there’s no business in the world that can secure a system like this.
It is to be noted that SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication. It is a messaging network that financial institutions use to securely transmit information and payment instructions through a standardized system of codes. In a round of robberies disclosed last year, a group dubbed the Carbanak gang hacked into a number of banks around the world, seized control of computers that access SWIFT, then ordered fraudulent transfers.
They siphoned money through SWIFT after observing how bank employees crafted their messages, so that they could follow the correct protocols. The current investigation suspects that the hackers were able to install malware on BB computers that dealt with SWIFT.
Subhankar Saha, Executive Director of Bangladesh Bank, yesterday told The Independent that in the wake of the cyber attack, the BB has changed its payment order mechanism and no longer relies only on SWIFT. The BB would now use verbal confirmation along with the existing SWIFT service.
Saha also said that the BB is working with the Belgium-based SWIFT authorities to make the service more secure. Asked whether the ongoing investigation had discovered the involvement of any central bank employee in the heist, the BB official said there was no such indication so far. Meanwhile, a BB source confirmed that the Silicon Valley-based FireEye, which has investigated some of the biggest cyber thefts on record, was brought in by World Informatix, a smaller firm that is advising Bangladesh Bank on the investigation. When asked about FireEye’s involvement, Saha said he was not aware of any such involvement. He also said that BB has recovered some of the stolen money and is working with anti-money laundering authorities in the Philippines in an attempt to recover the rest.
Editor : M. Shamsur Rahman
Published by the Editor on behalf of Independent Publications Limited at Media Printers, 446/H, Tejgaon I/A, Dhaka-1215.
Editorial, News & Commercial Offices : Beximco Media Complex, 149-150 Tejgaon I/A, Dhaka-1208, Bangladesh. GPO Box No. 934, Dhaka-1000.