Tag Archives | banks

How to Minimize the Effect of the Dollar Crisis on You

For over a month now we have been witnessing a dollar shortage in Lebanon, which has caused two parallel markets to be established for the currency. The first market is the one regulated by the central bank, where financial institutions are supposed to deal at the ~1,500L.L rate, while the other is controlled by money changers, where the rate changes from day to day and follows the supply and demand principle. And as banks decrease their supply of dollars to the market, their clients feel obliged to turn to money changers, who have been imposing a rate as high as 1,750 or sometimes 1,800L.L (20% difference).

This has unfortunately impacted a lot of people, since most of us earn our salaries in LBP but pay for goods and services that are priced in USD. And the 20% variation in the exchange rate has translated into an increase in the price of goods. So if I am holding Lebanese lira and want to buy a $10 item, it now costs me 18,000L.L instead of 15,000L.L in case a bank refuses my exchange transaction and I opt to do it at some money changer. A real example is the price of mobile recharge cards, whose prices have significantly increased in case you want to pay in Lebanese lira.

To avoid this effect of price inflation on me, I personally have been using digital channels to settle my payments using my credit card (i.e. dealing directly with the financial institutions at the ~1,500L.L rate) whenever I have the option to do so.

This is applicable to mobile recharge cards and bill settlement, internet subscription renewal, and money transfers.

Mobile recharge cards & bill settlement

For touch lines you should first create a user on their website and then you can either recharge a prepaid line here or settle your bill here.

Alfa users also need to create an account on Alfa’s website and they can recharge a prepaid line here or settle their bills here.

On the other hand, a lot of ATMs around the country give you the capability of purchasing mobile recharge vouchers when using your card, and you will of course be charged in dollars at the official exchange rate.

Internet subscription renewal

Likewise, the most popular ISPs offer renewing or recharging your internet account online. To my knowledge, Cyberia, IDM, TerraNet, Sodetel, WISE, and MOBI, all offer the service.

Ogero

Ogero actually sets its prices in Lebanese lira, but I’m including it here because I find it more convenient to pay my bill online than physically going to one of their central offices, or to one of their payment partners (like OMT for example) that impose a 2,000L.L extra charge for every settled bill.

To settle your bill online, create an account here and then link your landline to it by inputting your number and your initial subscription date, which you can find on any old bill you have.

Money transfers

Last time I tried to transfer dollars outside Lebanon through one of the money transfer companies, the agent didn’t accept the money unless it was in the currency. However, Western Union recently launched a service that allows you to transfer money online using your credit card. I personally haven’t tried it yet, but you sign up to it here, and you are required to verify your identity by taking your ID card to one of the BoB Finance branches in town before starting to use the service.

Other services

Many service providers provide online services that are either not much advertised or that people simply don’t know about. If you are subscribed with CableVision for example, you can pay online here instead of going through your dealer. And the same applies to beIN here. So always inquire with any solution provider about such possible payment options that can make your life easier.

The above all works as long as banks provide their clients with a reasonable amount of dollars to settle their credit cards. So in sum, try as much as you can to perform your exchange operations at regulated institutions until we hopefully make it out of this crisis!


Touch is Into The Money Lending Business Now?

To all those who run out of credit before their line cycle is over, Touch recently added a new service to its prepaid Magic lines called “Advance Credit” allowing their subscribers to get an advance credit amount once their balance falls below $1, and it of course gets paid back once they recharge their line.

It all sounds nice until you know the rate at which the advance amount should be paid… A screenshot on Facebook shows that for a $3 advance, $4.2 gets deducted once the subscriber has enough credit again. That’s a whopping 40% in interest and it sounds more like usury to me…

Even banks are not that rude with their offerings… With such rate this must be Touch’s most profitable service right now! But then again, no matter how awful you think their tactic is, you wouldn’t expect less from a company operating in a monopolized industry.


Overnight millionaire – Amer Hazimeh

The guy is barely 30 years old and yet managed to steal more than 45 million dollars by borrowing money from banks that trusted him and convincing people to invest their money with him in gold and stocks.


No, our banks are still vulnerable to cyber attacks

Remember when it was revealed back in August that many Lebanese banks had been targeted by a malware called “Gauss”? I bet people are starting to forget about the matter and there’s really nothing wrong about that. I mean you can’t expect people to keep talking about the issue forever, but what’s really worrying is when regulators disregard the threat this malware is still posing to the information systems at our banks.

On September 15th, an article was published in The Daily Star aiming to assure everyone that Lebanese banks are safe and no one will be able to break into their systems because of the “preventive measures” they’re taking. What measures you may ask? Updating their antivirus programs.

Lebanese banks have upgraded their software security systems to block any virus designed to spy on transactions and operations, the Central Bank and IT experts said Thursday.

Jonny Torbey, the head of the IT department at Credit Libanais, said Lebanese banks have developed a security system to prevent any outside party from penetrating their computers regardless of how strong the virus. Read more here

I don’t claim to be a security professional, but I work in the IT sector, and if you also have some basic knowledge in IT and Information Security, you’ll know that updating programs and virus definitions is not sufficient to protect yourself from cyber attacks. Even the biggest organizations in the world are not immune to attacks, but the difference is in how these organizations react when facing such issues, and that can only be done with proper policies, standards, processes, and systems in place.

A group of independent security professionals wrote this reply to let people know why these actions are insufficient and I decided to publish it here for you guys to read.

Lebanese banks upgrading anti-virus systems: Isn’t it business as usual? Are they truly willing to fight back?

First and foremost, the authors are speaking as Lebanese banking customers who happen to be subject matter experts!

Some of us have had first-hand experience reacting to the Gauss Malware in Lebanese banks, and we have taken notice of the Central Bank memorandum released to the IT Departments of all Lebanese banks as well as last week’s related press release.

We can quite understand the need for such communication. It was surely aimed at re-increasing the level of confidence in Lebanese banks in the media and reassuring the general public, who are mostly illiterate in the works of Gauss.

However, knowing how lethal and stealthy the Gauss malware is, we are afraid that such an analysis, if considered sufficient and left unchallenged, is hurting the Lebanese banking sector’s reputation rather than increasing confidence in it.

Indeed, the quoted explanations might be misleading and give the impression that the Lebanese Central Bank might not have fully understood the dynamics of the Gauss malware, especially that the latter targets customers’ workstations rather than the banks’ Information Systems.

The reported solution consisting of upgrading the anti-virus systems alone will not prevent future sophisticated malware from targeting the Lebanese banking sector again! More dangerously it might encourage more lethal and frequent hacking and cyber-espionage…

Gauss falls into the category of highly advanced cyber-espionage attacks, more commonly known as Advanced Persistent Threats (APT), and is far from being a playground for script-kiddies.
By only conveying simplistic views about Gauss, the banking sector might not be showing enough readiness to fight back.

Moreover, when it comes to the Lebanese banking sector’s intrinsic sensitivity, it is quite shocking to read “Other bankers confidently say that they are not concerned about any virus because they insist that they have nothing to hide.”

Is the Lebanese Central Bank enforcing security standards as it should? Is it emphasizing more on implementing policies and procedures? Is there enough security awareness preached and are banks investing enough in this area?

Regulatory authorities should really focus more on pushing Lebanese Banks to become ISO 27001 certified with a clear Information Security Management System (ISMS).

Such a continuous improvement lifecycle will concretely increase Lebanese Banks’ reputation when it comes to operational risk management.

Apparently, much more work needs to be done there, and it’s not that great to hear about these attacks targeting the same assets once again. We sincerely hope this will trigger some sort of a more serious action! An information security program must exist, and must be based on a well-established strategy with measured deliverables, and clear accountability for all the involved parties.

As too much time has elapsed between the Gauss info disclosure from Kaspersky and the “public” reaction from the Lebanese Central Bank, one could legitimately look for an officially appointed crisis management spokesperson. Such a speaker would rely on a Computer Security Incident Response Team (CSIRT) and/or relevant structure in order to protect the sector and the public from unverified media delivery and from misleading information.

It’s not a shame to admit our shortcomings as long as we are determined to work on eliminating them and reassuring the customers in parallel about all sorts of required actions taken to contain and eradicate this malware from the internal workspace.

Remember, big worldwide financial and non-financial companies got compromised too. Even the most sophisticated information security organizations’ operations got hacked as well, but with proper ISMS in place, they were able to stand on their feet and react quickly and expertly.

Remember the Confidentiality, Integrity, Availability (CIA) triad? It’s a great model, but we prefer CIAA instead – Last “A=Accountability” is what matters everywhere used…

To end on a lighter note, we all recall that Lebanese applause when the plane lands safely in Beirut airport but isn’t it business as usual to have a successful landing? The same applies to bankers “continuously updating their antivirus systems”: Isn’t it business as usual?

Sustainable security can only happen with a process enhancement security program!


A new malware targets Lebanese Bank customers!

Kaspersky Labs recently discovered a new malware called “Gauss” with a module that aims to capture login credentials for Lebanese bank accounts. The targeted banks included Bank of Beirut, EBLF, Blom Bank, Byblos Bank, Fransabank, and Credit Libanais.

The article suggests the malware has been created by the US and Israeli governments and was not intended to steal money from client accounts, but rather to trace the source of funding to certain individuals (Hezbollah members I suppose).

The spyware, dubbed Gauss after a name found in one of its main files, also has a module that targets bank accounts in order to capture login credentials. The malware targets accounts at several banks in Lebanon, including the Bank of Beirut, EBLF, BlomBank, ByblosBank, FransaBank and Credit Libanais. It also targets customers of Citibank and PayPal.

The researchers don’t know if the attackers used the bank component in Gauss simply to spy on account transactions, or to steal money from targets. But given that the malware was almost certainly created by nation-state actors, its goal is likely not to steal for economic gain, but rather for counterintelligence purposes. Its aim, for instance, might be to monitor and trace the source of funding going to individuals or groups, or to sabotage political or other efforts by draining money from their accounts.

Still, that doesn’t seem like the only purpose for that malware, since the people at Kaspersky are still working to crack the larger part of its code and identify what it is responsible for.

Make sure to read the very interesting and worrying report from Wired.com here.

I know protecting your network from a nation-state-created malware is quite hard, but I hope Lebanese banks are now taking the necessary measures to protect themselves from such attacks and eventually safeguard our information.

 Thank you Ibrahim Lahoud
