Probashi smart card fraud: BMET finds solution in shifting server

The mobile app, operated by a private agency, is seemingly involved with the recent round of frauds. According to sources, a total of 20 smart card applications through the Amiprobashi app were rejected initially, but were approved later between 27 December and 4 January. 

The BMET formed a six-member committee to look into the incident on 10 January, while the committee reported back on 7 February.

According to the report, the 20 cards were approved by the BMET’s additional director general. The bureau's director (employment) and additional director general (employment) have the authority to approve the rejected applications through due verification. 

Two separate internet protocol (IP) addresses were used to approve 19 of the 20 cards through android handset, while the remaining one received approval through the additional director general’s computer. There was a scope to avail his system account and password as these were saved in his computer.

A responsible source of the BMET said the additional DG was on vacation during the period and additional DG (training) Ashraful Islam was in charge. 

However, Ashraful Islam claimed before the investigation committee that he cleared no rejected applications during the period. He mentioned that there is an instance of hacking in the Amiprobashi mobile app’s server.

The app’s chief technical officer told the investigation committee that none of the app officials has the scope to do such things, except for the users of the server system. 

Contacted, BMET Director General Saleh Ahmed Mujaffor refused to make any comment officially. 

According to a BMET source, among the 20 compromised cards, seven were issued in favour of recruiting agency Bangladesh Export Corporation (RL-803) on 2 January and one on 3 January. Besides, seven cards were issued in favour of Saad International Limited (RL-1068) on 1 January and five on 3 January.

Shamim Mahmud Patwary, managing director of Saad International, said they always maintain the rules in the application process and there are no allegations against them. 

He further said that the recent smart cards were cleared through due application. He has no idea about the irregularities as none from the BMET contacted him in this regard. 

When contacted, the other recruiting agency did not provide any comment over the frauds. 

The investigation committee comprised representatives from the expatriate's welfare ministry, the Amiprobashi app and the Bangladesh Computer Council (BCC) of the information and communication technology (ICT) division.

They did not blame anyone for the frauds, but mentioned that the Amiprobashi system does not have any one-time password (OTP) verification or automatic session out system. Taking advantage of the technical flaws, the hackers accessed the system using the additional DG’s account and got the cards approved.

Against such a backdrop, the BMET has taken an initiative to shift the server from its headquarters to the BCC custody. Individuals concerned said it is too tough to ensure safety to the server since it is operated through a much older version of software management. Hence, the fraudulent activities do not stop and the associated individuals do not get exposed. 

One third of the server has already been shifted to the BCC custody, while the remaining portion is expected to be completed by this month.

Once everything is settled, the issuance of fraud cards will stop and the fraudsters will be identified easily thanks to the latest technology, said two responsible BCC officials. 

Alif Overseas (RL-847) got a total of 24 smart cards issued on 31 December. The BMET officials sensed the issue while verifying documents in the third week of January as they did not find any input in the server against the cards.

The issue was reported in writing to the director general on 28 January, but no action was taken immediately to cancel the cards, according to a source. 

However, Saleh Ahmed Mojaffar sent a letter to the deputy commissioner (city cyber crime investigation) of Dhaka Metropolitan Police (DMP) on 5 February, requesting an investigation into the 24 cards. The letter described the incident as unwarranted and embarrassing and sought action as per the law. 

Alif Overseas owner Monirul Haque is now abroad for treatment. His son Akib Jabed told Prothom Alo that they have no capacity to hack the BTME server and that they did not even apply for the 24 cards. He suspected that someone associated with the BMET might have done this. 

On the condition of anonymity, a senior official of the BMET said the cyber police have been asked to investigate not only the 24 cards, but also the entire system of fraud. Also, the BCC was asked to look into the server one and a half months ago and submit their findings. 

AFM Al Kibria, the DMP deputy commissioner, said the letter is yet to reach his office. They will consider the issue once the letter is received at the office. 

Tasneem Siddiqui, founding chair of the Refugee and Migratory Movements Research Unit, said the workers might be deceived if they are sent abroad without proper verification. 

“It is a good initiative that the BMET took note of the issue and is going to take action. The agencies involved with the frauds should be investigated and booked. Besides, it needs to introduce developed technologies in BMET management and ensure its security as an important site,” she added.