09 Mar 2018
On June 27, 2017, the website of the Department of Passport, Nepal, was hacked by a group of Turkish hackers. For the next 12 hours, the website flashed a ransom note from the hackers, which gave an ultimatum to the Nepali government to either meet their demands or risk disclosure of sensitive information to the general public. The government did not give in to the threat; the hack itself resulted in no real damage, but the event was the biggest high-profile cyber attack of the year.
This hack was not the first in Nepal, and it definitely will not be the last. A recent report published by ThreatNix, a site that specialises in cyber research, stated that last year alone, there were 756 cases where websites bearing the suffix ‘.np’ were hacked and defaced. Out of the 756 hits, 332 were commercial sites (.com.np), 160 were government sites (.gov.np), 133 were educational-institution sites (.edu.np) and 123 were sites belonging to registered organisations (.org.np).
But despite the high occurrence of cybercriminal incidents in the country, most organisations and individuals are still not cognizant of cybersecurity threats. According to experts, the reason people still disregard the issue is that most cyber hacks do not usually inflict financial damage. But it is still crucial that Nepalis, who are becoming increasingly reliant on technology, start taking cybersecurity seriously.
When it comes to cybercrime, a majority of institutions that have found themselves in the crosshairs of cybercriminals are those from the banking and financial institutions (BFIs) sector. Over the years, there have been numerous instances in which hackers have made attempts to breach many banking systems. For instance, last October, the vulnerabilities in the Nepali banking system were exposed when hackers managed to break into NIC Asia’s SWIFT servers. SWIFT (which stands for Society for Worldwide Interbank Financial Telecommunication) is a worldwide network that provides BFIs with a secure medium for exchanging information regarding their financial transactions. As reported by The Kathmandu Post, NIC Asia’s SWIFT hackers had gained access to the bank’s servers—by issuing several fake instructions—and had directed funds worth Rs 460 million to various overseas accounts in six countries, including the US, the UK and Japan. Fortunately, the bank has since been able to gradually recover the majority of the stolen funds.
Cybersecurity experts say that if BFIs do not adopt preventive measures quickly, the estimated Rs 2,400 billion of deposits in the country’s BFIs can all be at risk.
Apart from the large-scale threat of criminals hacking into bank systems, another vulnerable BFI asset that has been repeatedly exploited is the ATM. In these hacks, criminals steal data from banks’ clients and use that data to withdraw cash from ATMs. “There are hackers who come to Nepal with the sole purpose of stealing cash from ATMs here,” says Saroj Lamichhane, Chief Operating Officer at Rigo Technology. “Nepal’s ATMs make for an easy target for these foreign hackers, because our systems aren’t as sophisticated as those abroad, and are quite easy to break into.” In 2017 alone, the Nepal Police arrested four Moldovans on charges of stealing funds from ATMs by acquiring user information. In another case, the police arrested eight Nepalis for illegally withdrawing cash from ATMs and Point of Sale (POS) machines by forging debit and credit cards.
It’s not just BFIs that are at risk from cyber criminals; governmental and non-financial corporate institutions are not safe either. Most of these institutions make use of networks and servers to store valuable information, and there is an ever-present risk that those networks can be breached. For government institutions, the danger is that in case of a breach, criminals can gain access to important public data from their servers, such as Voter IDs and citizenship information—as was the case with the hacking of the Department of Passport’s website. For corporate houses, there is a risk that hackers can easily plant malware and other similar applications that can affect corporations’ entire network and operations. Furthermore, a breach could also negatively affect a business’s reputation in the market.
As for individuals, not only are their financial accounts at risk of being breached by cyber criminals, but their social media accounts are vulnerable too. Digital-identity thefts and phishing are becoming increasingly common (for more details, see box story), along with psychological harassment, abuse and blackmailing by cybercriminals.
Why aren’t Nepali institutions more cybersecure?
For a country that is becoming increasingly reliant on technology, Nepal hasn’t paid much attention to securing its digital sphere. “That’s largely because most Nepali institutions use a bottom-up approach when it comes to IT governance and security,” says Lamichhane. In the bottom-up approach, the IT department has to take the initiative to come up with plans for erecting barriers against any potential breach and take the necessary steps to discourage hackers. Such plans have to then be presented to the top-level management personnel for their approval. The plans can only be implemented once they have been approved by management. “Institutions in developed countries, on the other hand, use a top-down approach, wherein the top-level management takes the initiative regarding security,” says Lamichhane. In fact, in most international institutions top-level management takes the lead in setting up policies and budgets, after which they ask their IT department to implement and ensure security. “Companies like Sony and Apple spend millions of dollars to inoculate themselves from a breach. For these companies, cybersecurity is a huge priority,” says Nabin KC, Information Security Advisor at Biz Server IT Pvt. Ltd.
Cybersecurity is also rather neglected in Nepal because securing cyber networks often comes with a hefty price tag, and many companies do not have the resources; or those who do, don’t really regard it as a worthwhile investment.
Thus, due to the lack of initiatives and financial resources, cybersecurity has become an afterthought for most Nepali institutions; there is little importance given to building proper firewalls that ensure security against hackers.
The Nepal government came up with the Electronic Transactions Act of 2008 to ensure that institutions and individuals were protected from cybercrimes. This act contains several policies and provisions that list out penalties and possible repercussions for cyber criminals. For example, gaining unauthorised access to any information system or computer network can lead to a punishment of Rs 200,000, or a three-year prison sentence or both. Similarly, anyone convicted of committing ATM fraud can be liable to a fine of Rs 100,000, or a two-year prison sentence or both.
However, some of the laws are difficult to implement. First, indicting cybercriminals from another country can become an onerous task, owing to jurisdiction limits. The laws and policies that are applicable in this country may not be applicable in others. “How do we convict a hacker who resides in a different country? How do we make the law-enforcement agencies of that country comply with ours? Cyber cases can devolve into lengthy legal processes, which differ with each country,” explains Lamichhane.
The second difficulty in indicting cybercriminals has to do with quantifying the damages caused by them. Most legal officials have to first assign a monetary value to those damages in order to determine the punitive action to be taken against the hackers. For instance, when a hacker infiltrates a company’s servers and successfully plants dangerous malware, it’s hard to define the impact in numerical terms. That said, quantifying the damage caused is relatively easier when the monetary damage suffered by an institution is discernible. For example, when a hacker illegally transfers funds from a bank, the damage suffered by the bank equals the amount that has been stolen.
The biggest flaw, however, in Nepali cyber laws has to be the fact that all the laws and policies in place are reactive, rather than preventive, measures. Most of these laws deal with mitigating the damages of a cyber attack. So far, there are few to no policies that deter hackers from committing any crime. It’s up to individual institutions to take their own steps. One solution would be for the government to make it mandatory for institutions to take precautionary measures (such as erecting secure firewalls).
Of course, there are several government agencies, such as the Nepal Telecommunications Authority (NTA), that are working towards preventing such incidents from happening. “We have always pushed for the implementation of better laws and policies regarding the setting up of secure networks,” says Ananda Raj Khanal, Senior Director at NTA. “In 2017, we drafted a framework to establish a national Computer Emergency Response Team (CERT) to exclusively focus on such cyber incidents.” The NTA has also worked with UNICEF to protect children, who are the most vulnerable to the harmful effects of the internet, including harassment and abuse.
What can be done?
At the individual level, it is up to the people to be more vigilant when it comes to their private information. There are many who feel that they do not possess sensitive information. But if you were to ask them to reveal such information, they would demur. This goes to show that there is a fear among most people of becoming a cybercrime victim, even if they do not readily admit it. But anyone can implement a diverse range of measures to become more secure. (For more, see box story.)
As for systemic security, one advantage that a developing country like Nepal has is that its online network systems (to do with banking and information) still have not reached the level of sophistication developed nations have. For most developed nations, adopting more cybersecurity measures was a slow, step-by-step process of trial and error. It was only after having gone through this painstaking process that these countries have now been able to guarantee the level of advanced security they can provide. Nepal need not, however, reinvent the wheel: it can adopt best practices now used in the West and promulgate cyber policies that have worked abroad.
Some tips for keeping you safe from cyber attacks:
- In public places, whenever you attempt to enter your PIN code (phones and most importantly ATMs), make a habit of using one hand to enter the code and the other for shielding your input.
- If you have to throw away copies of legal papers, remember to shred them to pieces first.
- Think twice before inserting pen drives from untrusted sources into your laptops, and be even more cautious with an organisation’s computers.
- Always memorise your passcodes, and try to avoid writing them down in obvious places.
- Always use genuine operating systems, and regularly update the software’s built-in defender and firewall to the latest version.
- Never leave your phones and laptops unattended.
- Always make sure the connection is encrypted when entering any personal information on a website.
- Always enable SMS and email notifications for your banking activities and social media account logins.
- Never use free public Wi-Fi networks to access your private information for activities like e-banking.
- Always download software from the official websites, and never do so from third-party websites.
Phishing and identity theft
Phishing and identity theft are two of the most common cybercrimes. They involve the manipulating or deceiving of a person in order to gain access to their personal information, and are commonly used by cybercriminals to hack into a system or database.
In phishing, an attacker attempts to gain sensitive information of an individual or an organisation. Attackers attempt phishing by pretending to be a reputable entity or a person. It is commonly done through emails and various other communication mediums. The objective of such emails is to send malicious links and attachments, which, if clicked on by the victims, can provide sensitive information, like login credentials and account information. The reason such attacks are gaining steam is that it is far easier to trick a person into clicking on a malware-laden attachment than it is to breach a computer’s defense mechanisms and firewalls. Hackers often phish by perusing public sources of information of an individual through various social networking sites like Facebook, Twitter and LinkedIn.
Identity theft is the illegal use of an individual’s personal information in a social-profile attack or for financial gain. In this type of crime, a person’s private information, financial history and other private details are used by a criminal in order to defame a person or make use of their financial accounts—by withdrawing money from user accounts or making purchases without the person’s permission.
“Identity theft happens usually after phishing, once hackers have gathered all the necessary information about a person. Identity thieves mostly riffle through a victim’s bank and card statements, loan and tax information,” says Himal Ojha, Digital Forensics Expert and Cyber Security Consultant at NTA and Nepal Police. Unattended phones and laptops are some other mediums through which hackers can gain easy access to an individual’s social accounts and private details.