Cybercrimes and alleged unethical hacking are happening in Sri Lanka and worldwide.
A global example is the breach of the production systems of Dropbox's cloud storage service for its Dropbox Sign eSignature platform, in which hackers gained access to authentication tokens, Multi-Factor Authentication (MFA) keys, hashed passwords, and customer information.
In a local example, Dialog Axiata has issued a notice concerning specific WhatsApp groups and social media accounts claiming to represent the Dialog Axiata Group, which are engaged in the unauthorised use of its brand and the circulation of false information.
In a similar vein, Sri Lanka Podujana Peramuna (SLPP) breakaway independent MP Gamini Waleboda has raised concerns about serious scams involving unauthorised transfers of money from State bank accounts to multiple other accounts, with account holders not receiving any notice.
The Sunday Morning spoke to Waleboda, who said people had reported that money from their current and savings accounts had been transferred to several different accounts in a single day without the account holder having been notified.
“Ten Buddhist monks and two to three civilians from the Ratnapura District personally complained to me about the scam. We have discovered that the transactions had reportedly been carried out through bank accounts in State sector banks,” he said.
After the victims registered complaints with the Police, the Police commenced inquiries with the relevant banks, and through these banks those involved in the scam had been identified.
Prompt investigation needed
One individual involved in the scam is reportedly a youth from the Embilipitiya area in the Ratnapura District. He had claimed to have an institution which trained people to trade on the internet in order to earn money.
According to Waleboda, scammers had directed the victims to provide relevant details so that they could transfer funds. Once the transfer had been completed, the scammers had moved the money to many accounts simultaneously.
Furthermore, he revealed in Parliament that he had notified the Ministry of Finance, Economic Stabilisation, and National Policies; the Telecommunications Regulatory Commission; and Parliament itself about the issue, emphasising that the matter must now be investigated and addressed promptly.
Crucial information, such as bank account details, had sometimes been shared without the holder’s knowledge, even in shops where people had given their mobile phones for repairs, contributing to such scams, Waleboda noted.
“Everyone who does internet transactions must be aware and take precautionary measures not to disclose their passwords. Usually, victims of such scams claim they have not divulged any information, yet scams have happened. But if we probe deeply, they must have revealed some information to others on the internet or on websites without their knowledge,” he highlighted.
The Central Bank of Sri Lanka (CBSL) still needed to control and regulate the country’s financial market, Waleboda highlighted in Parliament.
A source from the CBSL revealed that its Governor had inquired about this matter with a few banks, only to be met by the banks’ denial of any such phenomenon. As the CBSL had already received several complaints, the source disclosed that the relevant department of the Central Bank was looking into the issue.
A source from a State bank said that, for a while, they had been receiving complaints from account holders who reported phone calls from callers claiming to be sending them money along with a One-Time Password (OTP). The source noted that once victims shared the OTP, amounts ranging from small to staggering had been transferred out of their accounts. This appears to have happened to many people, and bank branches have received many complaints from account holders.
The Ministry of Technology is actively implementing the National Digital Strategy and fostering technological development within the country. Given this context, it becomes essential for the ministry to prioritise the establishment and enhancement of robust online banking services.
The digital strategy includes Digital Financial Services (DFS), where one of the targets for 2025 is to increase the volume of digital transactions by 50%. The strategy also notes that it is crucial to educate individuals about the benefits of DFS, such as opening bank accounts, saving money, and using online banking and e-commerce services.
Solid online banking capabilities are therefore directly tied to the strategy’s broader goals of advancing digital infrastructure and promoting financial inclusion.
A source from the Ministry of Technology said that the ministry had to coordinate, obtain clearance, and verify the information with the CBSL and the Sri Lanka Computer Emergency Readiness Team (SLCERT) in order to comment on the issues concerning the scam related to the banking sector.
Safety measures
Speaking to The Sunday Morning, independent cybersecurity consultant and privacy advocate Asela Waidyalankara said that the reasons for such scams in the country’s banking sector were simple.
“The banking sector attracts the highest amount of cybercrime globally, because that’s where most transactions in terms of people’s money and commerce occur. Therefore, banking and financial apps have become desirable targets for cybercriminals both locally and globally,” he said.
Commenting on safety measures in banking apps, Waidyalankara noted that the apps, by their regulated environment, were subject to higher data security and cybersecurity compliance standards by entities such as the CBSL, which ensured that these apps were safer than most.
“However, one must be conscious of other cybersecurity dangers that a person may be subject to; for example, if a person clicks on a phishing link, their entire device may become compromised. Thus, the security of an app is a more minor issue. Therefore, it is always encouraged to follow cybersecurity best practices and avoid downloading or clicking on questionable or unsafe links,” he asserted.
Outlining possible solutions to avoid such issues in future, Waidyalankara said: “Awareness is the best weapon when it comes to such issues. However, the bank is also responsible for taking the necessary steps to ensure additional safeguards for their customers, especially older people.”
By way of example, he pointed out that in Singapore, authorities had now impressed upon banks and financial institutions to assume more responsibility for fraud activities, even floating the idea that they should face fines, which was an extreme measure. However, banks and other financial institutions must be encouraged to focus on cybersecurity awareness, he further pointed out.
Waidyalankara also advised consumers to enhance the security of their online banking accounts and transactions: “Exercise extreme caution when carrying out financial transactions via smartphones or apps. I encourage the public to have a separate email address linked to their banking accounts, separate from their regular email, as an additional layer of security. Also, be mindful of the apps you install on your device and only install apps from the official app stores.”
OTP and parcel scams
Speaking to The Sunday Morning, SLCERT Senior Information Security Engineer Charuka Damunupola said that the particular case that MP Waleboda had brought up in Parliament had not been reported to SLCERT.
“A lot of financial scams are reported to us. We receive reports of ordinary people sharing OTPs without knowing. After that, people try to access their online bank accounts and try to carry out unauthorised transactions – those are the most common incidents reported,” he added.
Damunupola pointed out that the scams came in different formats: “For example, the parcel scam, where you receive an SMS with the link and people click the link to get the parcel returned to their address. It goes to the website given in the message, which is a fake website and it asks for credit card details for a postage fee. Many people have fallen for that and given their credit card details, through which the scammers have managed to access their accounts and carry out transactions. Most cases are related to the parcel scam. That and the OTP scam are the two main things that are reported to us.”
CBSL stance
CBSL Governor Dr. Nandalal Weerasinghe said that a similar incident had first been reported in the last week of February by a bank to the Financial Sector Computer Security Incident Response Team (FinCSIRT), an institutional arrangement among banks, including the CBSL, which responds to cybersecurity incidents.
He said that FinCSIRT had taken steps to remove the website, which was sent as a link to customers.
Another similar incident had been reported in April, and FinCSIRT had again swiftly taken measures to remove the website. He added that an informational alert had also been issued to make the public aware of this scam.
“The CBSL requested information from all Licensed Banks (LBs) with respect to the incident, similar to the scam identified and cyber security threats in the banking sector. As a response, a few incidents have been reported. These incidents have occurred after the customer clicked on an unknown link sent by an unverified merchant or person and the customers have shared their bank account details or OTP.
“Most incidents that have happened are due to the sharing of the OTP, mostly over the telephone, directly by the customer with the attacker despite continuous requests made by banks and the CBSL not to share personal information, OTP, etc. used to perform transactions through digital payment channels, including mobile payment apps,” Weerasinghe elaborated.
He noted that banks had increased their customer awareness measures in relation to banking activities. Accordingly, he said that banks were informing customers through text, email, social media, and official websites not to share sensitive information with anyone.
“Banks are also on alert to identify suspicious transactions through their fraud detection systems and complaints received via call centres and other online communication platforms. They are engaging with third-party experts in this field to detect any potential fraud that could happen,” he stated.
Security measures
Regarding security measures, Weerasinghe said that for mobile payment apps, the CBSL had issued Guidelines on Minimum Compliance Standard for Payment Related Mobile Applications in 2020.
Accordingly, it is compulsory for all Payment Service Providers (PSPs) which are financial institutions providing payment services using mobile applications to submit a compliance report certifying compliance with the guidelines before the commercial launch of the application.
He noted that these PSPs had to conduct an audit through an independent third-party auditor before launching any mobile payment app, that each PSP had to provide an annual compliance report to the CBSL, and that only the mobile payment apps that met the requirements were allowed to operate.
“Additionally, the CBSL issued a Regulatory Framework on Technology Risk Management and Resilience for all banks in 2021 to strengthen technology risk management. Further, the CBSL has already instructed PSPs to introduce a transaction-based OTP if the accounts of other financial institutions are linked to mobile apps for payments or funds transfers if the amount is equal to or exceeds Rs. 10,000. However, the attacker remotely controls the mobile device of the victim,” Weerasinghe elaborated.
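The pattern described earlier in the article, funds leaving a victim’s account for many different beneficiaries in a single day, is exactly what the bank-side fraud detection systems mentioned by the Governor are meant to catch, and the Rs. 10,000 transaction-based OTP threshold he cites is one control layered beneath it. The following is an added illustration, not code from the CBSL, any bank or the newspaper, of how both checks look in practice: a velocity rule that flags an account sending to more than a set number of distinct beneficiaries inside a time window, and a policy check that no transfer at or above the threshold went through without a transaction-bound OTP. The account identifiers, timestamps and amounts are constructed sample data; the window size and beneficiary limit are assumed tuning parameters, not values taken from any regulation. Note that in the scam scenario the OTP was validated because the victim shared it, so the OTP rule alone passes those transfers; the velocity rule is the layer that still fires.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threshold quoted in the article: a transaction-based OTP applies at or above Rs. 10,000.
OTP_THRESHOLD_LKR = 10_000


@dataclass(frozen=True)
class Transfer:
    account: str        # debited customer account (constructed identifier)
    ts: datetime        # time the transfer was initiated
    amount: int         # amount in LKR
    beneficiary: str    # credited account (constructed identifier)
    otp_verified: bool  # whether a transaction-bound OTP was validated for this transfer


def requires_transaction_otp(amount: int, threshold: int = OTP_THRESHOLD_LKR) -> bool:
    """Policy check: transfers at or above the threshold must carry a transaction OTP."""
    return amount >= threshold


def missing_otp_violations(transfers):
    """Transfers that should have been OTP-bound but were processed without one."""
    return [t for t in transfers if requires_transaction_otp(t.amount) and not t.otp_verified]


def fan_out_alerts(transfers, window=timedelta(hours=1), max_beneficiaries=3):
    """Velocity rule: flag an account that pays more than `max_beneficiaries` distinct
    beneficiaries within any sliding window of length `window`.

    A shared OTP makes each individual transfer look legitimate, so this rule looks at
    the shape of the activity across transfers rather than at any single one.
    """
    by_account = defaultdict(list)
    for t in transfers:
        by_account[t.account].append(t)

    alerts = []
    for account, items in by_account.items():
        items.sort(key=lambda t: t.ts)
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it fits within `window` of items[end].
            while items[end].ts - items[start].ts > window:
                start += 1
            in_window = items[start:end + 1]
            distinct = {t.beneficiary for t in in_window}
            if len(distinct) > max_beneficiaries:
                alerts.append({
                    "account": account,
                    "window_start": in_window[0].ts,
                    "window_end": in_window[-1].ts,
                    "distinct_beneficiaries": len(distinct),
                    "total_amount": sum(t.amount for t in in_window),
                })
                break  # one alert per account is enough to trigger a review
    return alerts


# Constructed sample data (not real accounts or transactions).
_T0 = datetime(2024, 5, 12, 10, 0)
SAMPLE_TRANSFERS = [
    # Scam pattern: victim shared the OTP, so the OTP was validated; funds fan out quickly.
    Transfer("ACC-VICTIM-1", _T0, 15_000, "BEN-A", True),
    Transfer("ACC-VICTIM-1", _T0 + timedelta(minutes=3), 12_000, "BEN-B", True),
    Transfer("ACC-VICTIM-1", _T0 + timedelta(minutes=5), 9_000, "BEN-C", False),  # below threshold
    Transfer("ACC-VICTIM-1", _T0 + timedelta(minutes=8), 20_000, "BEN-D", True),
    # Ordinary activity: two payments hours apart, OTP used where required.
    Transfer("ACC-NORMAL-2", _T0 + timedelta(hours=1), 4_000, "BEN-X", False),
    Transfer("ACC-NORMAL-2", _T0 + timedelta(hours=4), 50_000, "BEN-Y", True),
    # Policy violation: above-threshold transfer processed without an OTP.
    Transfer("ACC-NORMAL-3", _T0 + timedelta(hours=2), 25_000, "BEN-Z", False),
]


if __name__ == "__main__":
    for alert in fan_out_alerts(SAMPLE_TRANSFERS):
        print("FAN-OUT ALERT:", alert)
    for v in missing_otp_violations(SAMPLE_TRANSFERS):
        print("OTP POLICY VIOLATION:", v)
```

Run on the constructed data, the velocity rule raises a single alert for the victim account (four beneficiaries, Rs. 56,000, within eight minutes) and stays silent for the ordinary account, while the policy check surfaces only the Rs. 25,000 transfer that went out without an OTP. The two rules are independent on purpose: the first catches what the OTP cannot once the OTP has been handed over, the second confirms the threshold control is actually being enforced.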
Weerasinghe also addressed the frequency of updates and testing of the security measures in the banking systems to ensure effectiveness: “All banks conduct periodic Vulnerability Assessments and Penetration Tests (VAPT) on their Information and Communication Technology (ICT) ecosystems. Further, all mobile payment apps are subject to an annual security review against the CBSL guidelines.
“PSPs have to upgrade apps, do necessary security updates throughout the year, and report the same to the CBSL as per compliance requirements of the guidelines. In addition, the PSP Board of Directors can request an independent third-party auditor to review such upgrades whenever it deems necessary.”
Further, Weerasinghe said that all banks were expected to report IT security incidents to FinCSIRT, established by LankaPay Ltd. with the patronage of the CBSL, which analyses the incidents and sends alerts to all financial institutions, along with remedial measures.
“FinCSIRT supports all Sri Lankan financial sector stakeholders to build information security resiliency against rapidly-advancing information security threats by building a collaborative platform for all members in the Sri Lankan financial sector to work together and share threat intelligence,” he added.
Customer awareness
Weerasinghe also spoke about the awareness provided by the banking sector to customers to enhance their understanding of safe online banking habits: “All banks engage in customer awareness activities in different ways, such as sending periodic SMS alerts to remind them not to share OTPs and any other confidential data, including the text ‘do not share the OTP with anyone’ with every OTP sent to customers, and inform of scams and security measures via their official websites, etc.,” he said.
“Customers can also call the respective financial institution’s call centre 24/7 and get clarifications on any suspicious matters before engaging in them,” he highlighted.
The CBSL also conducts customer awareness programmes via various print and electronic media platforms, including social media and SMS, to increase customer awareness on the risks of OTP sharing and safe digital payment practices.
Weerasinghe said that financial institutions would continue to carry out awareness campaigns to improve customers’ knowledge of safe digital payments and mobile payment app practices.
“It is essential that the users of online payment systems and apps strictly adhere to the safety measures informed by banks and the CBSL in order to protect themselves from cyber threats. Under no circumstance should an account holder share his personal information, OTP, etc. with another party to perform a financial transaction,” Weerasinghe concluded.