The vulnerabilities of Nepal’s banking system came to the fore on the night of August 31, 2019, when five Chinese nationals were arrested in the capital, who were on ATM hacking spree in different places in Kathmandu. The hackers had come to Nepal on August 20 and had planned to return on September 2; their sole intention to come to Nepal was to carry out the heist of millions of rupees. (This is not the first time that hackers have stolen cash from Nepal’s ATMs.)
This clearly shows the failure in providing cyber-security of banks, the same banks who claim to have made huge profits annually. Despite the banks’ assertions that they have appropriate measures at place against every kind of cyber-attacks, growing cases of hacking and thefts from ATMs raise huge questions on the robustness of the security systems of the banks in Nepal. 
The history of cash theft from ATMs is long, given the development of card banking and e-banking system in the country. On March 2017, two Bulgarians were arrested from Pokhara for an ATM heist; and on April 2017, four Moldovans from Thamel and a Russian from Durbarmarg were arrested for similar charges. In the past seven years, 24 people have been arrested, 18 of whom were foreigners, charged of ATM theft. The remaining were Nepalis assisting the foreigners.
Nepal is extremely vulnerable to cyber-attacks and encounters a number of malware attacks daily. Nepal has also become a target of cybercriminals and being exploited by them and state-sponsored hackers. The current cyber-attack resulted in a financial loss for Nepal and almost thirty other countries. Despite the growth in such attacks, Nepal has not been active in research and development, intelligence gathering, and learning about new threats and preparation to counter them.
The hackers caused malware attack on the Nepal Electronic Payment Systems (NEPS), an interface that allows the transaction of money deposited in a bank by using cards issued by other member banks. The malware allowed Chinese hackers to steal cash from the vaults of ATMs. The malware apparently gave ATMs the instruction to emit cash before the request to withdraw cash could reach the member banks. The heist confirms weak system and its vulnerability to phishing software and malware.
A total of Rs 16.87 million was looted in the cyber-attack which
happened between 11:00 am
and 4:30 pm on Saturday. Hackers also withdrew INR 12.4 million from various ATMs in India. The hackers injected malware into NEPS, a shared card switching system of 17 banks, to drain the cash out. The hackers, according to police, had used electronic cards of at least six banks—NIC Asia, Siddhartha, Janata, Global IME, Prabhu, and Sunrise — and used them at ATMs of three banks—Nabil, Nepal Investment, and Nepal SBI — to illegally withdraw money in Nepal. The cash machines vomited limitless amount of cash as the hackers used cloned debit cards at least 700 times to withdraw the cash.
The US Federal Bureau of Investigations had warned of possible attacks worldwide and had urged banks to review how they handle their security. The attacks would compromise banks or payment card processors with malware, giving the hackers access to the network and customer card details and enable the cash machines to vomit cash.
Just as the FBI had said, the cybercrime gangs seemed to have removed many of the fraud controls of the banks using phishing techniques, such as ridding of the maximum ATM withdrawal amount, or any limits on the number of transactions per day, maximizing how much they could steal. The arrested Chinese had numerous cards, a proof that they must have created fraudulent copies of legitimate cards and could also have altered the account balances and security measures to make an unlimited amount of money available at the time of the transactions.
Not just the cash, the cybercriminals, who could access the servers must have gotten all the personal information of individual depositors. The information was, hopefully, of no use to those on the cash-out rampage, but would be of use for other criminals and is hence a national security concern. Ironically, the government, on various occasions of such an attack, seems unprepared to abort a catastrophe anytime.
On the largest heist that took place on Saturday, had the bank staffers not noticed the incident and informed authorities on time, the hackers would have emptied many more ATMs and fled the country.
During the police interrogation, the arrestees said that the mastermind, also a Chinese National, was in Spain and had deployed them to Kathmandu, and they were deployed on contracts. One of the arrested includes a French national of Chinese origin. Some Nepali nationals were arrested for allegedly giving foreign currency to the hackers in exchange for the looted money. The money changers based in Thamel have been charged with being accomplices in the heist. After the arrests, the officials from the Chinese Embassy in Kathmandu met the police and asked for a fair and thorough investigation.
On the first week of May this year, security agencies confirmed the involvement of Chinese hackers in hacking more than 200 government websites. The hackers were working for China Communication Service International (CCSI) affiliated to Huawei, a Chinese company that provides information and communications technology (ICT) infrastructure and smart devices globally. When the police raided the CCSI office, the hackers were reported to have fled. Sources claim that the company has the capacity to launch a cyber-attack capable of damaging strategic sectors of Nepal. Ironically, CCSI has been awarded the Nepal Telecom contracts for 4G expansion and laying of 555 km of optical fiber in the country.
Increased access to the internet and technological advances is correlated with improvement in cyber-security in countries with developing economies, and lower levels of technological development lack well-trained experts and necessary education on cyber-security issues. The global cybersecurity index 2017 has ranked Nepal at 94th position with a score of 0.275 worldwide.
As Nepal lacks advanced forensic measures to find out how and from where the hacking of banks’ digital information system was conducted, it would be a difficult task to get the details of the heist out. The police also face a language barrier in the recent hack as the hackers only speak Chinese. Nepal Rastra Bank, in coordination with NEPS, has processed to hire forensic experts from abroad to do the job. The government, now, should take the necessary steps to improve cyber-security. Banking institutions need to make increased investments in making its IT system secure. Nepal’s Central Bank had directed Nepali banks to switch to microchips-equipped cards, which are safer than the ones with magnetic strips; a few banking institutions have not yet made the changes. Nepal Rastra Bank said the recent scam was successful because of the use of magnetic strip cards, and banks and financial institutions should replace such cards with chip-based cards within three months.
Cybersecurity is important. Banking institutions in Nepal tend to lack tough implementation of cyber-security controls, have compromised budgets, and the use of third-party vendors increase vulnerabilities and insecurity, as the hacking is often committed from abroad. Cybercriminal based in Spain committed the fraud remotely without being on the radar of Nepal’s security services. Nepal Government should, therefore, consider comprehensive national cybersecurity policies to support continued growth in technological sophistication, access, and security.
The government needs to set up a mechanism to thoroughly screen foreign companies, especially IT related, which sets up operational bases in Nepal. The nature of business they indulge in, their manner of functioning, and the equipment they use should all come under scrutiny to rule out the possibility of their involvement in any activities detrimental to Nepal’s security. This will also help in doing away with the general perception that Nepal has lax IT security norms and that one can get away by duping the system. Capacity building in cyber sector is thus of utmost relevance.
Author: Milan Karki
 NEPS was established by a group of Nepali banks to process cash withdrawal requests. It basically carries a message sent by issuers of electronic cards to member banks, whose cards are used for cash withdrawals. ATMs emit cash only after approval from member banks.
 Almost all of the ATM cash-out operations launched so far have been done so on weekends, often just after financial institutions begin closing for business on Saturday.
 The Global Cybersecurity Index is a survey that measures the commitment of Member States to cybersecurity in order to raise awareness.