Digital security remains an illusion in Bangladesh’s banking system
Cyber fraud is not inevitable, but it will continue unless Bangladesh rethinks its financial security architecture
In the last week of August, a fraud syndicate siphoned Tk27 lakh from the credit cards of 54 Standard Chartered Bank customers. Each time, Tk50,000 was withdrawn and transferred into MFS (mobile financial services) wallets, then immediately cashed out.
Several customers later described on social media how they had received OTPs on their phones but had not shared them with anyone, had not logged into suspicious websites, and had not installed unverified apps. Yet within seconds, their money was gone.
Though expected, it's commendable that Standard Chartered Bangladesh refunded its credit card customers who lost money in a series of fraudulent incidents.
The situation is not limited to private banks or MFS platforms. In 2016, the Central Bank itself fell victim to the infamous SWIFT heist. Hackers patiently exploited weak systems, tricked employees with phishing emails, and sent fraudulent instructions through SWIFT that led to $101 million being diverted. Of this, $81 million was stolen through the Philippines, some of which was later frozen by court orders abroad, but a significant portion remains unrecovered.
That breach did not just cost money; it revealed how even the country's most powerful financial institution could be compromised by outdated security and inadequate training. If the central bank were so vulnerable, the exposure of ordinary commercial banks and MFS operators is even easier to imagine.
The uniformity of the fraud raises serious questions. Why did the bank not flag these identical transactions? How could dozens of high-value withdrawals occur so quickly without triggering alarms? If the systems are truly "safest and most secure", why was a core feature suspended at all?
Proper security is never about slogans. No system in the world can be labelled as 'most secure'. Encryption can be strong but never unbeatable; even widely used algorithms face theoretical risks from advances like quantum computing. The wise approach is to admit vulnerabilities, disclose what went wrong, and show what new defences are being built.
It is possible that in this case, attackers used SIM swap techniques, SS7 interception, or real-time malware to capture OTPs. But this raises another crucial question: how did hackers obtain the phone numbers of these cardholders specifically? Were they leaked in bulk, harvested from an insider, or gathered from third-party vendors? And what were the common patterns among the victims — same telecom operators, same card type, same merchant history, or even similar transaction behaviour?
These are the investigative questions regulators and the bank must urgently address. Without clear answers, speculation will grow, and public trust will erode further.
Unfortunately, in Bangladesh, it has become a common practice to blame customers whenever cybercrime occurs. Victims are told they must have shared their OTPs or lacked technical knowledge. But the Central Bank heist began with phishing emails targeting employees, not clients. It proved that even trained staff can fall victim. The lesson should be clear: people are always the weakest link, and systems must be designed to anticipate human error, not punish it afterwards.
MFS providers also share liability. Despite serving tens of millions of people, their apps do not yet offer secondary questions or layered verification for high-value transactions. Many still do not display the recipient's full name during "send money" flows, forcing customers to approve transfers without being able to check them. Fraudsters exploit these gaps, while ordinary users are blamed for falling victim. If MFS companies want to lead financial inclusion, they must also lead in security design and user awareness.
Why not make minimum security education mandatory, delivered through gamified tutorials inside apps? Why not freeze or flag suspicious accounts at the NID level, preventing fraudsters from opening and closing disposable wallets overnight?
Meanwhile, ordinary citizens face extraordinary obstacles in legitimate banking. When someone sends foreign currency from abroad, whether for daily expenses, medical treatment, or work purposes, recipients are often forced to submit piles of documents, endure delays, and accept lower exchange rates. Yet at the same time, fraud syndicates move millions of taka through disposable MFS accounts in minutes. The contradiction is stark: the system is rigid and punitive for honest users, yet inexplicably lenient for criminals.
The lesson is clear. Cyber fraud is not inevitable, but it will continue unless Bangladesh rethinks its financial security architecture. Banks must update their fraud detection pipelines using the latest cases as training data, not just old patterns. MFS apps must add layered verification, display full recipient identities, and freeze suspicious accounts linked to fraudulent NIDs. Regulators must enforce transparency, publish aggregated fraud statistics, and hold institutions accountable. A Digital Finance Protection Act should be introduced to ensure victims are not unfairly blamed for systemic flaws.
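The pattern described earlier, dozens of cards each sending the same Tk50,000 to MFS wallets within minutes, is exactly what a simple velocity rule in a fraud detection pipeline should catch. The following is an added illustration, not code from the bank or from the article, using constructed sample transactions; the field layout, thresholds and window length are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from itertools import groupby

# Constructed sample card transactions (not real customer data). Fields:
# (txn_id, timestamp, card_id, amount_tk, channel, destination)
T0 = datetime(2025, 8, 25, 2, 0)
SAMPLE_TXNS = [
    ("t1", T0 + timedelta(minutes=0),  "card-01", 50_000, "mfs", "wallet-a1"),
    ("t2", T0 + timedelta(minutes=3),  "card-02", 50_000, "mfs", "wallet-a2"),
    ("t3", T0 + timedelta(minutes=5),  "card-03", 50_000, "mfs", "wallet-a3"),
    ("t4", T0 + timedelta(minutes=9),  "card-04", 50_000, "mfs", "wallet-a4"),
    ("t5", T0 + timedelta(minutes=14), "card-05", 50_000, "mfs", "wallet-a5"),
    ("t6", T0 + timedelta(minutes=40), "card-06", 1_200,  "pos", "grocery-shop"),
    # two isolated transfers hours later: same amount, but not a cluster
    ("t7", T0 + timedelta(hours=6),    "card-07", 50_000, "mfs", "wallet-b1"),
    ("t8", T0 + timedelta(hours=6, minutes=30), "card-08", 50_000, "mfs", "wallet-b2"),
]


def flag_coordinated_transfers(txns, min_amount=50_000, min_cards=4,
                               window=timedelta(hours=1)):
    """Flag clusters of transfers that share the same amount and channel and
    originate from at least `min_cards` distinct cards inside a sliding time
    window. Returns {(amount, channel): set(txn_ids)} for each cluster found.
    Thresholds are illustrative assumptions, not a bank's real tuning."""
    flagged = {}
    # keep only high-value rows, ordered so each (amount, channel) group is
    # contiguous and time-sorted within the group
    eligible = sorted((t for t in txns if t[3] >= min_amount),
                      key=lambda t: (t[3], t[4], t[1]))
    for key, group in groupby(eligible, key=lambda t: (t[3], t[4])):
        rows = list(group)
        start = 0
        for end in range(len(rows)):
            # shrink the window from the left until it spans at most `window`
            while rows[end][1] - rows[start][1] > window:
                start += 1
            in_window = rows[start:end + 1]
            if len({r[2] for r in in_window}) >= min_cards:
                flagged.setdefault(key, set()).update(r[0] for r in in_window)
    return flagged


if __name__ == "__main__":
    for (amount, channel), ids in flag_coordinated_transfers(SAMPLE_TXNS).items():
        print(f"ALERT: {len(ids)} cards sent Tk{amount:,} via {channel}: {sorted(ids)}")
```

On the sample data the five transfers in the first fourteen minutes are flagged as one cluster, while the two isolated Tk50,000 transfers six hours later are not; in a real pipeline the alert would hold the transfers pending review rather than only print.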
Hackers are patient and relentless. They do not care how old a bank is, how decorated its executives are, or how skilled its security personnel claim to be. They do not care whether a system employs the best-trained experts or not. They only need one weakness, and they will exploit it fully.
As Julian Assange, the founder of WikiLeaks, once remarked, "If something is online, there is always a way to attack it." That truth cannot be avoided — but it can be prepared for. Banks and regulators must finally accept that no system is unbreakable, that no encryption is beyond challenge, and that only constant vigilance and adaptation can restore the trust that banking was meant to protect.
Mohammad Jafrin Hossain is a recent postgraduate in Cybersecurity with a specialisation in Artificial Intelligence from Florida International University.
Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views and opinions of The Business Standard.
