'Cybercriminals are creating new ways of hacking'
The Business Standard talked to cybersecurity expert Professor BM Mainul Hossain at the Institute of Information Technology of Dhaka University on the latest arrest of hackers and the overall cybersecurity situation in Bangladesh.
The Rapid Action Battalion (RAB) on Sunday busted a ring that hacked into the server of Computer Network Systems and scammed Tk1.20 crore through fake money receipts. The software firm is affiliated with the Bangladesh Road Transport Authority (BRTA).
At the end of 2022, the same ring hacked the Dhaka Electric Supply Company Limited website and scammed around Tk1.50 crore by faking money transaction accounts.
Members of the law enforcement agency launched drives and arrested six members of the ring, including ringleader and computer engineer Sharear Islam, from Dhaka and Gazipur last week.
We have seen incidents of hacking and phishing in the country before. Do you see anything new in the latest hacking of BRTA and DESCO's payment gateways?
There is a new dimension in the BRTA hacking incident. The hackers usually take the money away. But we have seen a different picture in this case. According to newspapers, the hackers provided the service to the customers and gave the customers fake receipts. This is a serious issue.
I would say both BRTA and DESCO are just victims. Cybercriminals or hackers always search for vulnerable websites and launch attacks on websites which have security loopholes. If hackers want, they can target 50 more websites because the security measures are very weak on many websites.
BRTA has been carrying out the job with the help of a third-party vendor. The latest incident means that cybercriminals are becoming sophisticated and they are creating new ways of hacking.
The hackers have hacked the payment gateway of BRTA and the hackers have been successful in showing that the money has been paid without the payment of money.
In general, when the transaction is completed in banks, then the software shows that the payment is done. But in this case, the hackers bypassed the process of the transaction in the bank. The hackers took the money from the clients but they might have kept the money in their accounts or somewhere else.
What kind of initiatives should the government take now to minimise cyber-attacks or hacking?
You know, in many offices, the job is done by different software firms on behalf of the government agency. Whenever the government buys services from a third party, the government will have to ask vendors to make sure that adequate security measures have been taken. If not, the government will have to make them take proper security measures.
Security can be breached at any time but the firms will have to take preventive measures. There are differences between software and quality software. For quality software, security is a major concern. We will have to be updated as the criminals are becoming more and more skilled.
You can never tell that you have made 100% secure software but you have to take the security measures. If you make a house and keep a window broken, a thief may enter the house. You will make the house in such a way that a thief cannot enter it. You will have to make software in the same way. You will have to plug up the holes so that criminals cannot enter. In the case of software development, the developer company will have to keep in mind how the software can be attacked and at what places, especially the payment processing software and services.
To control cybercriminals, the law enforcement agency as well as software firms will have to invest in security measures for their software. At the same time, we will have to be aware [of the current threats and risks]. We will have to create manpower to counter the cybercriminals now.
In a public meeting in 2021, State Minister for ICT Zunaid Ahmed Palak said Bangladesh will be turned into a cyber security service providers' hub. Is it possible to make Bangladesh a cyber security service hub?
Everything is possible. But only vision will not do. You will need plans, preparation and execution of the plan. We cannot sit idle with a plan or vision. Are we providing training to people, or are we setting up training centres?
We need to implement the plans. Some work is visible but we have to put more emphasis on the issue because these things are becoming more and more important. We have to invest more in security measures and we will have to focus more on the security issues.
For the time being, we do not have that many cybersecurity experts in the country. A few universities have courses on cyber security. There is no scope for depending only on the universities. We will have to set up a separate training centre to create cybersecurity experts. We do not have a single world-class cybersecurity research centre in the country. We should have more than one. The government should take more initiative on that.
All government agencies in the country have a separate IT department so it is mandatory for us to have cybersecurity experts in the offices. Otherwise, how will they handle the security issues if they do not have any security experts?