Kathmandu, Sept 2, 2019: On Saturday night, Zhu Lianang was arrested at a Nabil Bank ATM booth in Durbar Marg while trying to withdraw cash. Acting on a tip-off, the Kathmandu Metropolitan Police Circle caught Zhu, a Chinese national, in the act of withdrawing thousands in cash from the ATM using cloned debit cards.
Upon interrogation, Zhu named four others—Lin Jianmeng, Luo Jialei, Zhu Liangang, Qiu-Yunqing and Chen Bin Bin, all Chinese citizens—as complicit in the hacking spree.
“According to their passports, they landed in Nepal on August 30 and were planning to return on September 2, which shows that their sole intention was to steal cash,” said DSP Hobindra Bogati, spokesperson at the Metropolitan Police Circle.
Police have confiscated Rs12.60 million and around $10,000 along with 132 forged VISA debit cards, 17 authentic VISA cards, six mobile phones, a laptop and a data card.
Police believe that Zhu and his accomplices used both real and cloned bank cards in a coordinated ATM cash-out attack, in which hackers breach a bank or payment processor’s systems and then use bank cards to withdraw millions in a short amount of time.
According to Laxmi Prapanna Niroula, spokesperson for the Nepal Rastra Bank, the accused hacked the Nepal Electronic Payment Systems (NEPS), an interface that allows the transaction of money deposited in a bank by using cards issued by other member banks. NEPS has incorporated 11 commercial banks, including Prabhu Bank, Sunrise Bank, Machhapuchchhre Bank, Janata Bank, Siddhartha Bank, Citizens Bank, NIC Asia Bank, Prime Bank, Nepal Bangladesh Bank and Global IME Bank. Seven development banks are also members of NEPS.
The failure of banks, especially the central Nepal Rastra Bank, to upgrade their digital security measures has meant that Nepal is increasingly becoming a target for hackers from around the world. In addition to cash-out attacks, weak systems are vulnerable to conventional attacks using phishing software and malware, and physical methods like ATM jackpotting.
Nepal Rastra Bank, through its 2015-16 monetary policy, had directed Nepali banks to switch to cards equipped with microchips, as they are safer than ones with magnetic strips. Although most banks have complied with the central bank’s regulation, a few have yet to use the advanced system on the cards they have already issued, according to Nepal Rastra Bank officials.
Records show that a total of Rs34.5 million was withdrawn illegally in the past two days, including INR10.5 million from India, according to Bam Bahadur Mishra, executive director and chief of the Payment Systems Department at Nepal Rastra Bank. The hackers used debit cards at least 700 times to withdraw money from ATMs.
This is not the first time that hackers have stolen cash from Nepali ATMs. In March 2017, two Bulgarians were arrested for illegally withdrawing money from ATMs in Pokhara. In April 2017, police arrested four Moldovans from Thamel on charges of hacking ATM cards and stealing money. That same day, a Russian national was arrested while stealing money from a Nepal Investment Bank ATM in Durbar Marg.
“Hackers are always in search of countries with weak security systems all over the world,” said Deputy Inspector General Niraj Shahi of the Central Investigation Bureau. “Security systems should be upgraded periodically, or such cases could happen again in the future.”
According to data provided by the Central Investigation Bureau, in the last seven years, police have altogether arrested 24 people, 18 of whom were foreigners.
“Nepalis have mostly been found assisting foreign hackers,” said Superintendent Dipak Regmi, spokesperson for the bureau.
While depositors’ money was not affected by Saturday’s attack, the exact amount of money looted has yet to be ascertained, said Anil Sharma, executive director of the Nepal Bankers’ Association.
“Forensic experts are required to find out the main defects underlying the banking system that allowed the hackers to carry out their attack,” said Sharma.
Following the incident, a number of banks on Sunday issued a circular advising their customers and staff not to use their debit cards at ATMs operated by other banks. “Citing possible risks, we have sent a caution notice to customers,” said an official from Shangri-la Development Bank on condition of anonymity.
Meanwhile, Nepal Rastra Bank has formed a committee to investigate the attack. A task force will be led by Mishra and will include officials from Nepal Rastra Bank’s information technology department and bank supervision department, the Nepal Bankers’ Association and NEPS, according to central bank officials.
“Those arrested will be taken to court and kept in judicial custody,” said DSP Bogati. “If convicted, they could serve up to five years behind bars, including having to pay a cash penalty equal to the amount they robbed.”