© CABAR - Central Asian Bureau for Analytical Reporting

Internet banking in Tajikistan: a higher level of information security is needed

Despite the intensive growth of Internet banking in Tajikistan and its seeming stability, there are questions about the level of security of virtual banking services. There is a possibility that bank customers may encounter certain problems, says Shirin Atlasova, a graduate of the CABAR.asia School of Analytics.


Illustrative photo. Source: CABAR.asia

The legislation of the Republic of Tajikistan contains no regulations that govern in any way the secure storage and transfer of banks' electronic assets and their clients' data. This is confirmed by the absence of any requirements on these matters on the official website of the National Bank. In addition, the country's leading banks do not actually apply a user privacy and security policy, which many countries have adopted as a mandatory standard meant to confirm the transparency of organizations' actions under personal data law.

Instead of a public privacy and security policy, banks provide an offer (a contract between the legal entity and the customer), which in turn lacks provisions on the key network security factors affecting e-banking users.

Applications and websites of popular Tajik banks that only have a public offer: Bank Eskhata, Bank Arvand, Amonatbonk, Spitamen Bank, Orienbank (on the use of bank cards), The First Microfinance Bank, Humo, IBT, Dushanbe City Bank.

Only a few banks talk about guaranteeing customers’ information security.

Applications and websites of popular Tajik banks that have privacy policies: Halyk Bank (Halyk Bank in Tajikistan currently operates as part of IBT), FINCA Tajikistan, and Alif Bank.

Meanwhile, a Kaspersky Lab study states that banks in Central Asia are the main target of hacker attacks in the financial sector.

Kaspersky Lab stated this in studies conducted in both 2021 and 2022. For example, banks in the region are among the ten most vulnerable to malware attacks (malware being software used for unauthorized access to resources or stored data). It should be noted that this material mostly uses data from Russian information security (IS) organizations, because most IS services and research in the CIS region are provided by Russian industry leaders.

Rating of the Least Cyber-Secure Countries

Data credit to Kaspersky Lab

More detailed data on Tajikistan's vulnerability in the cybersecurity sector is provided by Comparitech, which also cites Kaspersky Lab. Tajikistan heads the list of 75 countries most vulnerable to malware and phishing attacks (the list opens with Tajikistan, Bangladesh and China).

A notable example of an attack on banks would be a botnet attack on banks in Kazakhstan.

DoS and DDoS attacks, which can also be called botnet attacks, are attacks that cause a "denial of service". Essentially, they are an attempt to cause harm by overloading a target system, such as a website or an application, so that it becomes inaccessible to normal end users. Typically, such attacks are carried out for extortion, or serve as cover for a larger attack on important servers. They can also be caused by unfair competition or by novice hackers fooling around, and they are used for political reasons as well; precedents include the hacker attacks during the war between Russia and Ukraine.

The tools of DoS and DDoS attacks are computers infected with viruses, for instance through pirated Windows software.

Use of pirated Windows software and Microsoft tools by users

Source: StatCounter Global Stats - Windows Version Market Share

The cause of banks' vulnerability to (D)DoS attacks may be weaknesses in the design of their own infrastructure, a vulnerable firewall, and/or inadequate filtering of traffic to their online services.

At the same time, amid all these vulnerabilities, the National Bank of Tajikistan is trying to control these processes in some way, relying on international security standards such as ISO/IEC 27001 (article on Wikipedia), with the banking security standard and COBIT treated as the baseline; however, these requirements are only recommendations.

These standards serve as guidelines that can be applied to any organization (and, generally speaking, in any industry) and help ensure the quality, control, and reliability of the organization's information systems, which is also one of the most important aspects of any modern business.

Another tool for controlling the security of e-banking systems is the App Store and Play Market standards for published applications, which impose their own requirements, including rules for handling user data and security.

According to those standards, security and privacy policies should be mandatory for all apps hosted on these platforms and available for users to read. But on the entry page they are often replaced by a user offer.

It would seem that these requirements should ensure safety, which is difficult to dispute, especially considering that there are almost no reports in the media about the technical shortcomings of organizations.

Reading through these offers, most of them protect, in the event of an incident, the legal rights of the company and its management rather than those of the clients.

It is hard to argue in favor of a bank legally ensuring the security of its users, if a leak does occur.

In considering the issues of e-banking security, we can cite the opinion of IS specialists at banks in Tajikistan, who argue that organizations cut spending on IS departments because these departments generate no financial income. Meanwhile, a complete IS management system consists of several subsystems, each requiring licenses for different types of software, and this demands financial resources.

It can be stated that a full-fledged Information Security Management System is absent from many banks in Tajikistan. For example, the author knows of one popular bank in Tajikistan that has no information security tools at all apart from antivirus software. In general, the issue of IS is not taken seriously in many companies in Tajikistan.

An additional problem is employees' lack of IS awareness, which is mentioned in the Kaspersky study. In the updated version of the study, the situation is not much different. According to Kaspersky, the majority (80%) of successful phishing and hacking attacks occur as a result of data leakage from within the company.

Information illiteracy of bank consumers

The information literacy of consumers of banking services is also at a low level. Incidents involving users of Dushanbe City Bank's electronic payment details are evidence of that. Recently, users in the Tajik segment of Facebook have repeatedly complained about phishing attempts.

There were cases of counterfeit e-payment checkout pages imitating Spitamen Bank and the Russian logistics company SDEK. The victims of these scams were owners of houses, cars, and other items put up for sale on the somon.tj platform. The amount of money lost and the number of victims are not known. A similar situation occurred with Dushanbe City customers, who lost money from their cards and wallets; bank employees commented on it as follows:

"Money is stolen from a card/wallet due to the customer's own inattention. The client tells the scammers either the CVV code or sends the code to enter the application. It happens very often that the relatives and friends of the clients themselves take advantage of the cardholder's inattention and also steal money from the card."

A second example is the phishing attack on users of Kazakhstani banks, in which SMS code confirmation served as a convenient tool for the hackers and which resulted in the theft of 2 million tenge (over $32,000).

A similar situation took place in Uzbekistan, where hackers managed to steal 2 million dollars from InfinBank and 700 thousand from AsakaBank customers, alongside DDoS attacks on other banks in the country.

How can this situation be resolved?

To protect sites and applications from attacks that try to exploit vulnerabilities or forge cross-site request traffic, the quality of firewall filtering can be improved by restricting logins to the bank's specific service area. This would at the very least reduce requests from infected hosts at unexpected IP addresses, i.e. from regions and countries where logins would not normally originate. But this requires dedicated specialists to study the characteristics of the traffic and build tailored protection.
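The region-restricted login filtering described above, shown as an added illustration that is not code from the article or from any bank named in it; the address blocks (RFC 5737 documentation ranges), the sample login events and the decision thresholds are constructed assumptions:

```python
import ipaddress
from collections import Counter

# Hypothetical service-region address blocks (constructed placeholders drawn
# from RFC 5737 documentation ranges; a real deployment would load the bank's
# own country/region allocations from its geo-IP source).
SERVICE_REGION_CIDRS = [
    ipaddress.ip_network("203.0.113.0/24"),   # stands in for a home ISP range
    ipaddress.ip_network("198.51.100.0/24"),  # stands in for a mobile carrier
]

# Constructed sample events: (timestamp, user, client IP, password correct?)
SAMPLE_LOGINS = [
    ("2023-05-01T08:01:12Z", "user01", "203.0.113.17", True),
    ("2023-05-01T08:02:40Z", "user02", "198.51.100.9", True),
    ("2023-05-01T08:03:05Z", "user01", "192.0.2.55", False),
    ("2023-05-01T08:03:07Z", "user01", "192.0.2.55", False),
    ("2023-05-01T08:03:09Z", "user01", "192.0.2.55", True),
]

def in_service_region(ip: str) -> bool:
    """True if the client address lies inside an allowlisted block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_REGION_CIDRS)

def classify_login(ip: str, password_ok: bool, prior_failures: int) -> str:
    """Return 'deny', 'allow', 'step_up' (extra verification) or 'block'.
    Out-of-region logins get extra verification rather than refusal (customers
    travel); a success after repeated failures from the same address is blocked."""
    if not password_ok:
        return "deny"
    if in_service_region(ip):
        return "allow"
    if prior_failures >= 2:
        return "block"
    return "step_up"

def review_logins(events):
    """Replay events in order, counting failures per (user, IP) pair."""
    failures = Counter()
    decisions = []
    for ts, user, ip, password_ok in events:
        decision = classify_login(ip, password_ok, failures[(user, ip)])
        if not password_ok:
            failures[(user, ip)] += 1
        decisions.append((ts, user, ip, decision))
    return decisions

if __name__ == "__main__":
    for row in review_logins(SAMPLE_LOGINS):
        print(*row)
```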

Formal, documented control of the processes of banking institutions by the government and the National Bank is necessary. There are already positive examples of such control by these institutions in Central Asian countries. Uzbekistan introduced such a system back in 2006. Similar documents were issued by the governments of Kazakhstan and Kyrgyzstan.

In private conversations, employees of the Ministry of Industry of Tajikistan told the author that they are working on the development of a document that could control the process of information security of both authorities and institutions, as well as individuals.

A National Bank regulation on information security should be developed that establishes minimum requirements for payment system operators and payment service providers. This document should have the following objectives:

to determine the necessary tasks to ensure the information security of information systems;

to clarify the requirements for operators, which are necessary to ensure information security during the input, exchange, processing, and storage of payment information in payment systems;

to prevent unauthorized changes, information leaks, and other negative impacts on payment information of operators of payment systems and payment services providers.

This document may be used to develop internal rules for information security, based on the peculiarities of payment systems.

Initiatives on the part of bank administrations and the allocation of funds for the development of information security structures should also be welcomed.

Banks have certain structures that are the most critical in terms of information security. The network can be segmented and the strictest IS measures applied specifically to those structures.

It is also necessary to work on increasing the competence level of bank employees. At the same time, it is important to launch long-term campaigns to improve the information literacy of consumers of banking services.
