The TikTok Trap: How Pakistani Bank Employees are Live-Streaming the Keys to the Vault

Executive Summary

This article highlights the carelessness of bank employees in Pakistan who record TikTok videos in their workplaces, exposing working desks, documents lying on them, and computer screens, including sensitive customer details. Not only are they leaking restricted data, but they are also advertising themselves as untrained vulnerable target. In this article, I have shared some such cases.

Introduction

Considering what I have witnessed Pakistani bank employees uploading on TikTok, I can assume that hacking a Pakistani bank using TikTok is not far from reality. I believe that corporate training for Pakistani bank employees does not exist, and their compliance with security protocols is largely limited to paperwork.

Rules For Thee, Not For Me — A Personal Experience

I remember last time going to a bank to pay out a challan. While standing at the counter, I had to attend a call. The cashier inside told me to move the phone away from the counter, as I could not use it standing there. Which, I believe, was reasonable-they were concerned about someone recording the procedure or capturing the vault entrance, etc.

But boy oh boy, was I shocked to see the biggest "rules for thee, not for me" moment?

The same bank employees are uploading videos featuring:

• Their working bench
• Computer screens
• The documents lying on the bench
• Customer's Personally Identifiable Information
• Their emails
• The (outdated) software they use
• and behold, THEIR EMPLOYEE LOGIN CREDENTIALS

All of this, publicly available — on TikTok — just a search away.

What I Witnessed

I was randomly scrolling TikTok one day, and I suddenly stumbled upon this lady flexing the currency straps. The environment suggested it was a banking establishment, and the lady had "banker" in her captions, too. It was recorded during her office hours, which featured her desk and the stuff available on it. I got curious and explored her profile.

And I was shocked! She had zero regard for the privacy of the data and the sensitivity of the institute where she works.

For instance, while making an unfunny joke, she casually uploaded her email address, her branch address, an email of the senior, and that they use an inactivated or unofficial (likely pirated) version of Outlook.

 

Now it depends upon the creativity of the attacker to figure out how they can exploit this knowledge. And I wish that it were an isolated incident, but unfortunately, it was not. I came across several similar cases.

Then comes this user who recorded how aesthetically built her office is, but unintentionally revealed that her bank uses an inactivated (likely pirated) version of Windows:

And things got worse when they started involving Personally Identifiable Information (PII) of banking customers. This lady clearly exposes the identification document of a female customer.

This guy is posting the complete bank database picture

Or look at this genius, who inevitably videographed a diary where they write sensitive data, including accounts and ID Card numbers:

This guy even captured a document classified as Restricted

I am sure Lt. Col. Wing Commander will not be too pleased to find out his sensitive documents leaked while an employee was flexing his keyboard on TikTok.

There is even a worse case of an employee logging in to her bank employee portal account on a TikTok video. I am not featuring that one, but the purpose of telling is that things are that bad.

Gravity of the situation

The image of a hacker as someone hunched over a terminal, exploiting zero-days and writing shellcode, is increasingly outdated. Modern threat actors are pragmatic — they go where the resistance is least. And increasingly, that means going through people, not systems.

A Splunk research reveals that:

• 90% of data breach incidents target the human element to gain access to sensitive business information.
• 98% of cyberattacks rely on social engineering.

Neglecting such a consistent and dangerous threat these days is a literal call to disaster. While I don't mind someone showing off their shoes on TikTok, but please let it not include my sensitive financial information.

How could this be exploited?

Even if the videos do not contain enough information to compromise a bank, they still present a naive person with system access, which is very tempting to hackers, who can later bribe or fool them to facilitate the breach. Insider threats are the most efficient and sophisticated threats an organization can face — tough to detect, most effective.

Intent of Writing

I have written this blog as part of research in Threat intelligence. All the information shared above is solely for educational and awareness purposes. I highly discourage misusing the provided information for illegal conduct.

Bottom Line

While Pakistani banks are spending large sums of money on marketing, overlooking critical factors like security greatly undermines the integrity of a financial institution. Security shouldn't be treated as a formality to be met or a checklist to be ticked; it should be taken seriously. They should consider reviewing employee activities on shift as a security measure to combat insider threats and initial access brokers.