Kapital Bank's Board member, Chief Risk Officer, Javid Mirzayev discusses the challenges posed by cyberattacks

As technology advances, it not only simplifies our lives but also brings modern challenges, such as cyberattacks. In recent times, complaints regarding cyberattacks on bank cards frequently grab the headlines. We often encounter complaints on social media about money being stolen from bank cards without the customers' knowledge. In this interview with Kapital Bank's Board member, Chief Risk Officer, Javid Mirzayev, we aim to inform people about the reasons behind theft, the protection of personal data, what to do when facing cyberattacks, and the responsibilities of both the bank and its customers.

One of the problems brought by modern technology is cyberattacks. Almost every day, there are reports in the press and on social media about people having money withdrawn from their cards without their knowledge. Why is this happening?

Unfortunately, fraud methods have become digital in today's world, and there are quite a few "professionals" in this field. The main reason for their success is often the ignorance of individuals. These cybercriminals find new methods every day. If we talk about real incidents, you have probably come across announcements under various titles such as "Click this link and get a gift", "Birthday special gift campaign", etc. In 2023, we identified and blocked 62 fraudulent sites created under the name of Kapital Bank on the internet. The number of fake pages we blocked on social networks such as "TikTok", "Facebook", "WhatsApp", "Telegram", "Instagram" is over 600. If you look carefully, you will see that the names in those links are misspelled by 1-2 letters, and fake logos are used. These advertisements should not be trusted at all. When a customer clicks on that link, even if they do not complete the transaction, their personal information is already stolen. Our customers should clearly know that news about any campaign can only be shared online through Kapital Bank's officially verified social media accounts (https://kbl.az/kbsml) and the Birbank and BirbankBiznes mobile applications (https://kbl.az/bbsml). Even other official pages provide such information by directly referring to the bank's official website. Campaigns are also promoted through traditional media channels and within our bank branches. This issue isn't unique to us; it's a challenge faced by all banks.

Who are the most common targets of fraudsters? How prevalent are customer information theft methods, and how can we protect ourselves from them?

Their primary targets are undoubtedly all of us. Considering that Kapital Bank has over 5 million customers, it means that 2-3 members of every family are our clients. Fraudsters are keenly aware of this fact, making Kapital Bank a frequent target for exploitation. The methods of fraud are so diverse that regardless of age, social status, or occupation, each of us can fall victim if we are not vigilant. For instance, during phone scams, the elderly are often more susceptible. Fraudsters call and impersonate bank employees, tricking customers into revealing sensitive information. It's essential for customers to understand that no legitimate bank employee would ever request the CVV code or the 3D Secure code sent via SMS.

Additionally, the use of unofficial mobile applications is a significant source of danger. Unofficially modified mobile applications, such as "WhatsApp+" or VPNs, expose the phone to cyberattacks, resulting in the theft of personal information without the owner's knowledge.

When shopping on online platforms, it is essential to use official, reliable sales channels. It is advisable to set limits on cards for purchases and avoid storing card information on websites.

Fake job advertisements or offers like "like this link and earn this amount" are currently widespread. It is crucial to note that all complaints from customers who have suffered losses are investigated. It has been revealed that in all cases where the stolen amount cannot be returned, the information was shared by the customer themselves. In most cases, individuals share their personal information without verifying the source's security, or it is stolen due to the reasons mentioned earlier. Once hackers obtain card information, they can intercept SMS messages sent for bank-issued OTP codes due to vulnerabilities in the system.

The techniques of fraud are indeed diverse, and we frequently see customers blaming the bank for their inability to safeguard personal data. What is the bank's responsibility in this regard?

Ensuring secure banking services and fighting against fraud have always been main concerns for Kapital Bank. The bank operates in accordance with existing regulations, regulatory requirements, and international standards. Kapital Bank has 54 control mechanisms in line with the ISO 27001 standard on data security. Additionally, a 24/7 monitoring mechanism is established for swift resolution of cybersecurity incidents. Our dedicated staff members monitor cyber threats all day long and intervene promptly in critical situations, ensuring the independent protection of customer data and immediate response to any issues. As a provider of transaction services, our bank undergoes annual PCI DSS (Payment Card Industry Data Security Standard) certification, ensuring the highest level of security for customer card data. As you know, all Kapital Bank cards are equipped with a 3D protection system. It is true that there are websites where customers are not asked for an SMS confirmation code during transactions. However, transactions on such sites are regularly monitored, and if they fall into the suspicious category, they are blocked. Overall, hundreds of such sources are blacklisted and suspended every day within the framework of cooperation with "Meta" and relevant government agencies. In 2023 alone, we received close to 4,000 fraud complaints. Approximately 2,000 cards were blocked by us, and this has been confirmed.

Mr. Javid, do you believe the methods used to inform customers about this issue are sufficient?

We are utilizing all available resources for informing our customers. Information related to this matter is regularly shared through our social media channels. We also collaborate with the Azerbaijan Banks Association to create informative videos. However, despite these efforts, it remains crucial for banks and customers to take collective steps to ensure security. We also urge our customers to exercise caution when using mobile applications that raise doubts about reliability, to refrain from sharing personal information, and not to disclose their card's CVV code (the 3-digit code on the card), the 3D verification OTP (one-time password) received via SMS, the protection code, or their identity card's FIN code to anyone. They should also not believe unprofessional videos and advertising texts purportedly representing banks. Moreover, it is unacceptable to click on fake web links, which have become a new trend among fraudsters, and to enter card information on these links, as well as to believe individuals promising easy gains on various social media platforms.

Javid bey, unfortunately, despite our best efforts, incidents of fraud can still occur. What happens next for both parties, the bank and the customers? And what should someone do if they become a victim of fraud?

When customers are faced with fraud, the first step for them is to immediately contact the bank. This can be done by visiting the nearest branch, contacting the bank's inquiry center, or reaching out through official social media channels or the mobile application. As a next step, the bank takes immediate action to block the card or the payment-instrument tokens (such as Apple Pay or Google Pay) associated with the fraudulent activity. Subsequently, the customer should confirm these actions with the bank and raise a claim stating that they did not authorize the transaction. The bank then acknowledges the claim and initiates an investigation following the directives of the Central Bank, the rules of international payment systems, and internal procedures. The outcome of the investigation is communicated to the customer, and depending on the case, they may be invited to the branch, asked to provide additional documents, or requested to submit relevant requests based on procedures.

In which cases is the stolen money returned to the customer?

The outcomes become evident after the investigation concludes. Initially, the bank investigates the transaction method. For instance, they examine whether it was conducted via a POS terminal, online shopping, ATM, mobile application, etc. Subsequently, they ascertain how the fraudsters obtained the information and the extent of their knowledge about the customer. Based on the investigation's findings, the bank encounters two scenarios.

In the first case, if it becomes apparent that the customer's personal data was provided to a third party by the customer themselves, and the fraudster possesses all the information, unfortunately, the bank's support mechanism is limited at that point.

In the second scenario, the opposite happens, where the fraud occurs despite the fraudster not having access to all of the customer's data. For instance, some information might have been compromised due to a virus on the phone, but the fraudster doesn't have access to the customer's 3D and OTP codes. In this case, the bank follows international security regulations and safeguards the customer's rights. Ultimately, if the suspicious transactions do not comply with payment system standards, or if the fraudsters do not have complete access to the customer's security information, the customer's money is returned. Each case undergoes thorough investigation, and this process typically concludes within approximately 45 working days. Looking at the statistics of fraudulent transactions on cards in 2023, out of nearly 4,000 complaints received, 70% were resolved in favor of the customers, while 30% were not resolved due to customers failing to secure their personal information.

Additionally, if we exclude the applications received by the bank, approximately 382,000 suspicious transactions were identified last year, with no authorization granted for their execution. As a result of contacting the customers, preventive measures were taken, preventing 72,000 individuals from falling victim to fraud without any theft occurring. This means that 72,000 individuals refrained from proceeding with the transaction after being informed by bank employees. Other customers confirmed that the transactions were indeed conducted by themselves. It's worth noting that both payment systems and the Central Bank, through the Bank Card Center, regulate procedures for handling all suspicious and erroneous transactions, and the bank implements appropriate actions in accordance with these procedures.

Thank you so much, Javid bey.

My pleasure. I sincerely hope this interview will be helpful for everyone.