
Bykea managed to dodge a bullet, but will everyone else be as lucky?

The Bykea hacking incident has raised some serious data security issues across the nation

By Nisma Riaz and Daniyal Ahmad


Early on Tuesday last week, one of the leading lights of Pakistan’s startup ecosystem became the centre of an embarrassing but seemingly harmless hacking incident.

At 12:01 PM, several Bykea users received a pop-up notification from the application.

Hackers had breached a third party application and sent two obscene and abusive messages to users as a nationwide app notification. The incident ignited a firestorm of jokes and mockery on social media, with rival companies joining in on the fun. Bykea quickly bounced back from the attack by the end of the day, and affirmed that no personal data was leaked.

But this was not a joke. It was a not so pleasant trip down memory lane for both users and tech companies alike. However, the incident did show that Bykea had learned from the mistakes of those before them, by only having an ancillary part of their business affected. Had they stored sensitive user data on their app’s domain and had that been compromised, the incident would’ve been a lot more serious. But what about other companies? Have they learned their lessons too? And will they be as lucky when hackers strike again?

Let’s start with what happened at Bykea last Tuesday.

Grazed by the bullet

We were eager to know what transpired at Bykea, so we contacted Rafiq Malik, Bykea’s Chief Operating Officer. He divulged that Bykea’s app was not hacked, but a third party tool that they used to send push notifications to their users had been compromised.

Rafay Baloch, an ethical hacker, helped us decipher this enigma. He said that Bykea was using a tool called OneSignal that provides push notification services to mobile apps. He said that a security faux pas caused an Application Programming Interface (API) Key to be leaked in production and the attacker used it to send notifications. He likened an API Key to a password for applications that provides authentication to users requesting service. He said it was like entrusting a duplicate set of keys to your house to someone.

This could have been a debacle if the attacker had access to any critical tools of Bykea’s app. Baloch cautioned us that Bykea does not store debit/credit card details and those are kept with a merchant processor, which is an entity that facilitates card transactions and other payment-related services. He said that Bykea is not compliant with the Payment Card Industry Data Security Standard (PCI DSS), which is a set of security requirements for card transactions.

Malik corroborated this and said that sensitive customer information is not stored with Bykea, but with local banks, so the hack did not affect their security.

However, one is not so lucky all the time.

Ghosts of cyber security past

The panic that ensued after the recent incident with Bykea has resurfaced some traumatic memories in the industry, reminding us of the misfortunes from the past. Listing all the times a tech company has been dangerously compromised might be out of the scope of this article, however, we can go over a few cases to demonstrate that cyber security is nothing less than a joke for Pakistani tech companies.

Back in 2018, ride-hailing service Careem experienced a significant cyber-security breach that resulted in the compromise of personal data of several customers and drivers. Approximately 14 million customers and 558,000 drivers across 13 countries were active on the Careem platform during this time. Even though it was assured that passwords and credit card information remained uncompromised, the stolen data consisted of customers’ names, email addresses, phone numbers, and trip history details, such as pick-up and drop-off locations, which raised serious privacy and safety concerns.

Similarly, Careem’s direct competitor Uber was the victim of a similar hacking incident in 2016. According to a Bloomberg report dated November 22, 2017, hackers had stolen the personal information of 57 million customers and drivers from Uber Technologies Inc., and this significant breach was concealed by the company for over a year. In response, Uber removed its chief security officer and one of his deputies from their positions due to their involvement in covering up the hack, which also involved making a $100,000 payment to the attackers. During the October 2016 attack, compromised data from approximately 50 million Uber riders worldwide included their names, email addresses, and phone numbers.

According to a previous investigation conducted by Profit, it was confirmed that unethical practices, such as blackmail and hacking, are prevalent in the industry. Notable examples include Zameen.com and Pakwheels.com, two highly popular Pakistani startups. Both companies were targeted by a group of bounty hunters posing as ethical hackers. Subsequently, both startups experienced security breaches not long after the ‘warnings’ they had received. In the case of Zameen.com, a real estate portal, the hackers went as far as publicly disclosing sensitive user data, including names, passwords, email addresses, and phone numbers. As a result, the Federal Investigation Agency’s cybercrime wing, the National Response Center for Cyber Crime (NR3C), took action and apprehended several members of the group involved in 2016.

This issue is not limited to private sector companies but also affects public sector enterprises. In an extremely embarrassing turn of events, Pakistan’s largest data centre, operated by the Federal Board of Revenue (FBR), was targeted in a cyberattack that resulted in the shutdown of all official tax machinery websites. Adding insult to injury, Pakistan Revenue Automation Limited, the body responsible for data protection, was also compromised around the same time.

Earlier this year, in January, Pakistan’s National Power Transmission Company (NTDC) systems were allegedly hacked. But should it be that easy for a country’s power transmission system to get hacked? The answer is no! These events don’t just call for better security but also urge for important law and policy changes to enable a better secure tech ecosystem.

What if lightning strikes twice, or strikes you?

How would you feel if you received obscenities from an app you trust? That’s the shocking ordeal that Bykea’s users endured, when they saw abhorrent messages emerge on their screens.

Fakhra Haq, an IT expert, told Profit that this was a severe breach that could have disastrous consequences. “Firebase code hacks are especially treacherous because they can access and manipulate the database, plunder user data, or disrupt the functioning of the application. Internal leaks can also result in the exposure of sensitive data, intellectual property theft, or compromise the security of the system,” Haq said.

Haq advised that data security is not something companies can overlook, as it affects not only their reputation and operations, but also their customers’ security. “Unauthorised access, hacking, or leaking internal information and code is illegal and unethical. Companies and developers should implement robust security measures, such as access controls, encryption, and regular security audits, to shield their systems and data from such incidents.”

Bykea’s hack may not have imperilled customer safety, but it certainly undermined customer trust. The hack raised many questions about how safe Bykea’s data is and how dreadful it could have been. Haq said that such incidents have intangible consequences as well. “Users and customers affected by internal leaks or code hacks often feel betrayed and concerned about the safety of their personal information. They expect companies to prioritise the security and privacy of their data and may lose trust in the affected organisation. Users may also be nervous about potential misuse of their data, such as identity theft or unauthorised access to their accounts.”

Skeletons in our tech closet?

Trusting app developers to value one’s security as much as they themselves do is a mistake many people make. You are using a mobile app that stores your personal data: your name, address, phone number, bank details, and location. And your data is vulnerable to cyber attacks.

This is not a hypothetical scenario. This is a reality for many users of mobile apps that contain sensitive information. And this reality is horrifying. Profit spoke to a cyber security expert, who wishes to remain anonymous. They exposed the truth about data breaches. “Many mobile apps have blatant vulnerabilities that hackers exploit every few months. The main reason for this is that security is an afterthought. The software is not designed with safety and security in mind, but the task of making the app more secure comes later, and that entails a hefty price.”

They continued, “Some companies have been admonished repeatedly about fortifying their security, but they have no incentive to do so. They shrug off the warnings and claim that the vulnerabilities are features, not flaws. They only consider how the app can be utilised and not how it can be exploited or abused, so it’s a flaw in the development process.” Why are these companies so negligent about security? The expert elucidated that, “Investing in security is exorbitant. It is not facile or economical but it is indispensable and the repercussions can be calamitous and costly.”

“Security is all about tradeoffs,” they elaborated, “Investing in greater security often impairs the application’s performance, usability, operating costs and functionality. To eschew making these changes, companies skimp on their software and staffing, and on following SOPs.”

Our source also highlighted the dearth of proficient professionals in cyber security. “There is a dire need for training. We are severely deficient in well-trained professionals in the field. Many cyber security experts or those who purport to be experts are not trained to be IT and cyber security experts, but emanate from unrelated fields.”

According to the same source, there is a grave lack of awareness and tech-literacy in the country. Everyone from developers to policy makers and auditors to the workforce and the users is oblivious to the risks involved in dealing with sensitive information that can imperil lives.

“People enter very personal information in these apps, having no clue who can access it and how it can be misused. And when the users are reckless and not asking the right questions, companies can easily turn a blind eye to the issue.”

The expert suggested that the government should play a more proactive role in regulating data security and privacy issues. “Data security and privacy issues will never get resolved unless the government holds feet to fire. When laws that penalise such negligence are enforced, there will be a decline in data and privacy violations. Currently, there is no legal requirement for tech companies to keep data safe, so data security is not a priority for them.”

However, despite the dire need for better policies, the Personal Data Protection Bill of 2021 was not cleared by the Ministry of Information and Technology and a similar 2023 bill awaits approval. Tech companies have no incentive or obligation to comply with crucial safety measures when there are no laws constraining them to do so.

Altruistic and ethical values, thus far, have failed to convince companies into being more responsible but incidents, such as the recent one, serve as reminders for companies to take their cyber security seriously.

It is not only dangerous and costly but also extremely embarrassing for such events to occur, as it reflects upon the carelessness of not just tech companies, but policy makers, law enforcers and auditors, as well.

These events don’t just call for a better sanctity of data, but also urge for some important law and policy changes to enable a better and secure tech ecosystem.

What can companies do to ensure better security?

Baloch asserts that there are ingenious strategies that can be employed to avoid such catastrophes and protect both the reputation of tech companies and user data. “At a strategic level, a foolproof process should be established to prevent any code from being moved to production without approval from the security team.

On a tactical level, it should be ensured that automated security scanning tools are integrated into the CI/CD pipeline to detect security misconfigurations such as hardcoded keys. Additionally, companies should consider rotating API keys,” Baloch revealed when asked to provide practical solutions to data security challenges.
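One way to implement the “hardcoded keys” check Baloch describes, as an added example that is not Bykea’s, OneSignal’s or any vendor’s code: a small scanner a CI job can run on every commit, which flags assignments of high-entropy literals to credential-looking names and fails the build. The variable-name list, the entropy threshold and the sample settings snippet (including the OneSignal-style key value) are all constructed for illustration.

```python
"""Minimal hardcoded-credential check of the kind a CI job can run on every
commit. Constructed example, not Bykea's or OneSignal's code."""
import math
import re
import sys
from collections import Counter

# Variable names that suggest a credential (constructed list; extend per project).
SECRET_NAME = re.compile(r"api[_-]?key|secret|token|password|rest[_-]?key", re.I)
# name = "value", name: 'value', NAME=value; the literal must be 16+ key-like chars.
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z0-9_.-]+)\s*[:=]\s*["']?(?P<value>[A-Za-z0-9_\-+/=.]{16,})["']?"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character. Random API keys sit around 4-5; 'xxxx' placeholders at 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def redact(value: str) -> str:
    """Show just enough to locate the literal; the scanner's own log must not leak it."""
    return value[:4] + "..." + value[-2:]


def scan_text(text: str, path: str = "<input>", min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per line that assigns a high-entropy literal to a secret-like name."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = ASSIGNMENT.search(stripped)
        if not m or not SECRET_NAME.search(m.group("name")):
            continue  # not an assignment, or the name does not look like a credential
        value = m.group("value")
        entropy = shannon_entropy(value)
        if entropy < min_entropy:
            continue  # placeholders such as "xxxxxxxx" stay below the bar
        findings.append({
            "path": path,
            "line": lineno,
            "name": m.group("name"),
            "entropy": round(entropy, 2),
            "redacted": redact(value),
        })
    return findings


# Constructed settings snippet; none of these values are real credentials.
SAMPLE = """\
# the app id is public; the REST key is the one that lets anyone push notifications
ONESIGNAL_APP_ID = "11111111-2222-3333-4444-555555555555"
ONESIGNAL_REST_API_KEY = "NjA3ZjQ5ZmEtOGIxZi00YzJkLWJlNzYtZjE4YzYyYjQ5ZDNl"
sms_api_token: "xxxxxxxxxxxxxxxxxxxxxxxx"
ONESIGNAL_REST_API_KEY_FROM_ENV = os.environ["ONESIGNAL_REST_API_KEY"]
"""


def main(paths: list[str]) -> int:
    """Scan the given files (or the constructed sample) and fail the build on any finding."""
    findings = []
    if paths:
        for p in paths:
            with open(p, encoding="utf-8", errors="replace") as fh:
                findings += scan_text(fh.read(), p)
    else:
        findings = scan_text(SAMPLE, "sample")
    for f in findings:
        print(f"{f['path']}:{f['line']}: {f['name']} = {f['redacted']} (entropy {f['entropy']})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Only the line that embeds the REST key is reported; the public app id, the all-x placeholder and the value read from the environment pass, which is the shape a pipeline gate needs so that moving keys out of source is the path of least resistance.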

Bykea was an unfortunate victim of this incident due to the actions of a third-party vendor. However, this does not diminish the threat of internal vulnerabilities that many companies face. Baloch elaborated on this by stating that “Insider threats are one of the most significant challenges in cybersecurity.

The best practices to avoid such issues include implementing the principle of least privilege, where individuals only have access to the minimum amount of resources required to perform their duties. Organisations should also have a robust offboarding process, including revoking access when employees leave. Additionally, user behaviour analytics can be used to identify suspicious users.”

Our cybersecurity expert asserts that common ride-hailing, food delivery, medical services, and dating apps should all have intrusion detection and prevention systems in place to ensure secure storage of user data. “Every security system used should undergo a risk analysis to identify potential attacks and asset types to determine which areas and tools are critical.

This assessment allows companies to rank their application’s tools from high to low risk in terms of value and impact if compromised and invest in security accordingly,” they explained.

The incident with Bykea attracted a lot of attention, but fortunately, no serious damage was done other than harm to their reputation. However, we must take this incident as a wake-up call because Firebase hacks and internal leaks are not uncommon and can pose more severe privacy, security, and safety concerns.

All sources in this article agreed that a policy shift and government involvement are necessary for ensuring data integrity in the country.

By Zain Naeem

In order to study any crisis, it is important to note what happened leading up to the crisis, what was done while the crisis was going on, and what steps were taken in its aftermath to prevent it from happening again. In a market like Pakistan, where capital market participants look to control and exploit the system in their favour, it is important that a regulatory body like the SECP protects the interests of smaller investors, who typically enter the market with their life savings and expect that, when they do invest, the SECP will protect them from the sharks present in the system. The stock market crash of 2000 shows that the SECP was not well-equipped and did not have capable enough staff to foresee the coming crisis.

In addition to that, they did nothing substantial or material while the crisis was going on and put in no considerable guardrails once the crisis ended to prevent another one from happening. Their lack of action and inability meant that the smaller investors lost their life savings in the market and later lost confidence in the market which would take years to recover.

Priming the charge

The first crash that can be considered a case against the SECP took place on the 30th of May 2000. The period leading up to the crisis, according to the SECP’s own findings, saw massive trading in which speculators took huge positions in certain scrips. Brokers and speculators started to use these holdings as collateral in banks, raise additional funds and speculate further by increasing their holdings. As the speculators were able to corner the market to an extent, they started to raise the prices, which meant their holdings were gaining value and they could borrow more as their collateral was rising in value as well. Banks and the Karachi Stock Exchange had little guidance or processes in place for the risk management they needed. They were using archaic measures, which meant that as long as the collateral was sustaining its value and could cover future losses, they kept lending more.

Speculators always look to favour a company which they feel is ripe for manipulation, and in this regard Adamjee Insurance (AICL) and Bank of Punjab (BOP) saw their trading volumes and prices skyrocket in a way that could not be explained by the fundamentals. Whenever speculators look to corner a certain share, they also look to create hype around it. The human mind is wired in a manner where it starts to see patterns where there aren’t any and attempts to rationalize everything. As the small investors started to see higher volumes and prices, they rationalized it, believing in rumors of a positive development which would be announced soon. This is termed dehan, or the trend being seen. Based on this dehan, small investors started to pour their own savings into the same companies expecting to make a profit. The speculators feed on this market sentiment and capitalize on it by actively perpetuating such rumors in the market.

In terms of the buying being carried out, speculators were able to leverage their buying by utilizing the process of carry over trade. This is a mechanism in which a financier will put up the funds for the shares while the speculator promises to pay back the financier with interest at a later date once they are able to sell their shares at a profit. In local lingo it is termed as badla. At one point, the carry over trade of AICL was more than its net free float available in the market, which means that a majority of its actual value was made up of essentially nothing; pure speculation.

While all this was going on, SECP was not expected to intervene and take any corrective measures. Rather any such steps were carried out on an ad-hoc basis by banks or the Karachi Stock Exchange. In fact, the SECP has been found sleeping at the wheel more times than it would like to remember.

This judgment can be made based on the fact that within 10 years of its establishment, SECP saw 3 different crises in the Karachi Stock Exchange and it failed to provide the framework and infrastructure to deal with these. The result was the destruction of trust of the investing community as small investors always bore the burden of the loss while the big market players got to reap the benefits.

Detonation

As the market was heating up, the KSE decided to put additional risk management tools by raising the margin requirements against the collateral taken out which had to be funded by the speculators and in turn the financiers. This was done in conjunction with a downgrade in the risk profile of the stocks which meant that the pledged stocks had lower collateral value than before and needed to be reinforced before additional trading could be carried out. This was a knee jerk reaction and a solution of the last resort which the Karachi Stock Exchange had the power to do.

The SECP had given powers to the KSE and the banks to set their own risk management systems on a case-by-case basis. This was a measure to protect the markets from a meltdown and from a default taking place. Even though it was a step taken in line with its risk management controls, at its core the measure taken by the KSE proved to be disastrous. As liquidity in the market dried up, the markets began to fall, leading to a death spiral. As more liquidity was taken away from the market and used to back margin financing needs, prices kept falling, which required additional funding, leading to a vicious spiral and the inevitable stock market crash of 2000. The crash caused a settlement crisis and markets had to be closed at the end of May and the start of June, culminating in the default of one broker in Karachi and the suspension of four brokers in Lahore.

The aftermath

Following the crash, investor confidence had taken a serious hit as the steady fall of the market and its subsequent temporary closure hurt investor sentiment. Measures were then taken to discourage such activity from taking place again. Exposure limits of brokers were increased to make sure their risk management could be brought in line with the volumes the market was trading. Additionally, net capital balance was used to determine how much brokers could hold in terms of their trading capacity while settlement period was decreased from 5 days to 3 days to minimize the risk of settlement default and short selling was limited to a smaller operating window.

Until then, all exchanges had been operating on their own rules and regulations. Up until 2000, the SECP had no division carrying out surveillance and monitoring, but one was set up following the crash. Lastly, an investor complaint cell was set up to address any queries and complaints of clients, but it seems this was a step taken far too late, as the investors had little interest once they had lost their money.

SECP failings leading to the crisis

It is clear and evident by the reaction to the crisis at the SECP that more could have been done and should have been done. The fact that KSE had to take action, when they saw the market overheating to such an extent, shows that SECP did little to nothing to protect the markets from themselves. As there was no formal monitoring wing at the SECP, they had no mechanism in place to see how the market was overheating on a daily basis.

KSE was only able to take extreme measures when it was too late, that too in a haphazard manner. A monitoring wing at the SECP, being setup before the crisis hit, could have taken notice of the trading activity taking place in the market. The volumes and prices of the scrips are recorded on a daily basis, quoted and published. The first red flag should have been the jump in volumes which had taken place and the value of trading which was seen on a daily basis.

The acceleration of the crisis was perpetuated by the fact that most of the volume seen in the market was in a few companies, which should have been noted as well. The constant rise in prices and volume without any change in the economic fundamentals of the companies should also have been noticed, as the rise could not have been justified. If that had been done, trading activity could have been brought into check. This could have acted as a release valve, taking away the pressure being built up in the system by the artificial rally. By addressing the narrative around the price rise, the rumors that fuelled the dehan could also have been addressed, which would have helped investors see the economic reality of the rise and sell their shares once the rumor was debunked as baseless.

Capital markets around the world are set up in order to allow companies and financial institutions to raise funds and capital while allowing investors to invest in the products they see fit. They provide a marketplace where buyers and sellers are matched and function as the middlemen in the process. As their function is to maximize profit and utility, the task of regulation falls to a quasi-government organization. Its job is to ascertain that markets perform in an efficient manner while making sure that the investing community is protected and shielded from predatory and unfair practices. The Securities and Exchange Commission of Pakistan (SECP) was set up as a licensing, monitoring and regulating body in 1999, tasked to facilitate the corporate sector and the capital markets of the country. Effective enforcement of regulations would have ensured that markets performed smoothly and efficiently for the benefit of the community and the country as a whole. The case of the SECP has actually been the opposite, where it has looked to interfere as little as possible. The SECP has made the necessary regulations and put them into place but has not always looked to monitor and enforce the laws and regulations it has formulated. This reactionary rather than proactive approach means that by the time the SECP steps in, investors have already lost their money or hold shares which are virtually worthless. Even after the blame has been placed and the culprit has been identified, the actions taken are no more than a slap on the wrist. Lastly, the steps taken to protect the market are not effective enough, and the participants in the market are again able to find loopholes in the laws to take advantage, starting the manipulation cycle over.

Lack of action in crisis mode

The measures that could have been put in place before the crisis perhaps could not have been foreseen earlier, and the SECP can be given the benefit of the doubt in that case, as it was a young and immature body at that point. This cannot be said for the reaction of the SECP once the crisis had taken place. Once there was a likelihood of a default, the SECP could have contacted the KSE in order to determine the value of clients who stood to lose in the situation and protect the clients from a loss on their investment. This could have been carried out by developing a fund or a protection mechanism, which would have meant that even if a broker had defaulted, the investors could have recouped part of their losses, dampening the damage.

The overheating in the market was not caused by smaller investors and they should not have been punished when the whole system came tumbling down. This was a failure for the SECP as it sat on the sidelines and let the KSE take the corrective measures they saw fit. None of the measures being taken by the KSE were scrutinized or independently studied and they were given total control of the situation. The board of the KSE, with such sweeping authority and power became self-serving, looking after its interests and members of the board, while investors were left to fend for themselves.

Insufficient accountability

Following the crash, the SECP introduced procedural and regulatory changes in the system but dropped the ball yet again when it came to punishing those responsible for the debacle. Their approach was only to put in measures which could make sure that a market crash like the one seen in 2000 could never take place again. The parties who were the culprits of the crash, namely the financiers and speculators, were allowed to escape with little to no punishment being dealt out. A brokerage house being run by a market expert with more than 30 years of experience will find ways to circumvent laws and regulations. The SECP was never built to be flexible and quick in its responses to the ever-changing corporate sector, and that shows in its inability to provide helpful feedback during the crisis. The role of the regulatory body is to be the voice for the powerless in the market and to make sure they are protected, but the SECP showed that it was not up to the task.

The primary reason for the crisis taking place was the badla market which was used to perpetuate and damage the market. In the aftermath of the crisis, the SECP did not take any substantive action against it, leaving the stock market vulnerable to other similar episodes of volatility and mayhem.
