Beware: Banking Customers in Pakistan Under Threat

Monday, Nov 19, 2012


Banking customers in Pakistan are facing a new threat.

Our sister publication, ProPakistani, has written in the past about phishing (pronounced "fishing") attacks: what they are and how they can be made ineffective.

Still, with the growing popularity of online banking, phishing attacks against customers of Pakistani banks have been on the rise recently.

Customers of all major banks are targeted by attackers who forge bank emails, pose as legitimate bank representatives and ask customers either to change their account passwords or to update their profiles and PINs.

By definition, phishing is the act of attempting to acquire user information such as usernames, passwords, credit card details or other private information by sending fake emails that impersonate legitimate businesses, such as banks, hosting companies and email service providers.

Pakistan, due to a lack of awareness and the absence of cyber law, is considered a haven for cyber criminals, attackers and spammers.

You might remember that a few days ago EconomyAge reported that the Burj Bank website had lost its data to hackers. Unfortunately, there has been no response from the State Bank to investigate Burj Bank's weak internal controls and protect the integrity of customers' data.

How Phishing Attacks Work:

Phishers are sending millions of emails to Pakistani internet users asking them to change the passwords of their online-banking accounts. The emails are sent from domain names that resemble a bank's, such as no-reply@xyzbank.com or no-reply@examplebankpk.com, so that they look like legitimate system-generated bank email.

Typically, when the user clicks a URL in the phishing email, they are taken to the attacker's website instead of the bank's real website; the fake site copies the look and feel of the bank's site.

Everything entered on this fake website is automatically sent to the attacker, who can then use your username and password to operate your internet-banking account at will.

Need for Awareness

Banks are sending mass emails to their users explaining what phishing attacks are and how not to respond to them. This helps in many ways, but banks probably need to do more. Perhaps the State Bank could take the initiative and run a mass-level user awareness campaign.

Message for General Users:

  • NEVER respond to any email that asks for your password, PIN code, security answer or any similar information that you would not want to share with anyone.
  • Immediately report any such email to your bank.
  • Register a complaint with the FIA.

Message for Banks!

  • With the increasing trend of mobile banking and net banking, banks should run comprehensive awareness campaigns to educate their customers about such phishing attacks.
  • Enhance your security and intelligence capabilities to detect and deal with such criminal activities.


One Comment

  1. Ray says:

    I’ve got a couple of things to say on this.
    1. Let’s first talk about Burj Bank. If I were in legal at Burj Bank, my first priority would be to sue your enterprise for, to say the least, libel. Primarily because you yourself claim the website has “reportedly” been hacked despite counter claims from Burj itself. I am quite surprised they haven’t yet ordered you to delete your previous posts on the captioned topic.. Now.. let’s see what you have.. you have, at most, a website mirror of burjbank or at least, datamined their website; in either case I’d rather not go into the matter of Burj Bank’s Internal Control Framework if I were you. The whole thing seems less plausible than it looks.. anyway..

    2. The onus of becoming a phishing attack victim resides completely with the customer. The flyers / ebanking application forms, the emails and service briefings by the bank’s representatives time and again explain to the customers that ‘Banks will never ask for your PIN / Password’, like banks never call customers to ask for their credit card numbers. The problem is neither the banks nor the regulator. The sheer lack of literacy and common sense (as evident) has culminated in this. Unfortunately, awareness campaigns can only do so much.. I can’t understand how a bank can ‘detect’ and ‘deal’ with such activities. Banks can’t discern between authenticated and unauthenticated transactions when proper passwords have been applied. Even when the customers come to them with a complaint, the most they could do is refer to law enforcement agencies. BCO and SBP’s regs don’t allow or empower banks to do anything more than that. They can do one thing though.. shut the service altogether. Please.. Banks are not Divine entities.. do a benchmark analysis before you recommend any organization to do something..

    One more thing.. which you have failed to cover in your post. The phishing emails need not come from a ‘lookalike’ bank email address. More advanced phishing attacks can come from “@hbl.com” or “@Bankalfalah.com” or “@mcb.com”.. they need not be lookalikes as it’s easy to send email with headers like this, but it is “impossible” to receive emails if the victim replies to them.

    Secondly, the link could look like http://www.hbl.com/internetservices/passwordreset but the hyperlink in the email could link to http://www.hbl.geocities.com/internetservices/passwordreset with an almost identical looking webpage.
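As an added example, not part of the article or of Ray's comment: a small Python check for the two signs discussed above, a sender domain that merely resembles the bank's ("How Phishing Attacks Work") and a link whose visible text names the bank while its href points to a different host (the comment's second point). The trusted domain and both sample messages are constructed for the example.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical bank domain for this example; a real check would hold the bank's actual ones.
TRUSTED_DOMAINS = {"examplebank.com.pk"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or of bare text like 'www.bank.com/path'; '' if not host-like."""
    value = value.strip()
    if " " in value or "." not in value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def is_trusted(host):
    # The domain itself or a real subdomain; 'examplebank.com.pk.evil.example' does not qualify.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def phishing_indicators(sender, html_body):
    """Return the reasons an email looks like bank phishing; an empty list means none found."""
    reasons = []
    sender_domain = parseaddr(sender)[1].rpartition("@")[2].lower()
    if not is_trusted(sender_domain):
        reasons.append(f"sender domain {sender_domain} is not a trusted bank domain")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:  # visible text names one host, href goes to another
            reasons.append(f"link text shows {shown} but points to {target}")
        elif not is_trusted(target):
            reasons.append(f"link points to untrusted host {target}")
    return reasons

# Constructed sample messages, not taken from any real campaign.
PHISH = ("no-reply@examplebank-pk.com", '<a href="http://www.examplebank.com.pk.reset-host.example/pin">www.examplebank.com.pk/pin</a>')
LEGIT = ("alerts@examplebank.com.pk", '<a href="https://online.examplebank.com.pk/login">online.examplebank.com.pk/login</a>')
```

The sender check is the weaker of the two, since a From header can be forged outright; the link check catches that case as well because the href has to lead somewhere the attacker controls.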