Syria – After it was disabled… two experts evaluate the security and legal risks of “Sham Cash”

Syria News, 18 March 2026 (last updated)

W6nnews.com (Watan) – Publication date: 2026-03-17 21:45:00

The cessation of the “Sham Cash” application last week sparked widespread controversy and questions among the Syrian public, especially since the Syrian government has adopted it as an official means of disbursing salaries since May 2025.

The services of the “Sham Cash” application returned later, through the launch of a new update to the application, after it was announced on March 8 that its services had been temporarily halted due to a technical problem with the “domain” service providers.

At that time, technical activist Anas Ayoun Al-Aswad claimed responsibility for disabling the application, citing as the reason proving to the Syrian government that the application was not qualified to be a primary source of financial transactions in Syria.

“Sham Cash” explained that the defect that occurred was not the result of any hack or security problem as was reported, but rather occurred due to systematic and repeated reporting of the “Sham Cash domain” by a group of people, which led the hosting service provider to temporarily stop the “domain” in accordance with its policies. It confirmed that all user accounts are completely safe and sound, that there has been no hacking or data leakage, and that all “servers” and databases are operating normally.

The technical activist, for his part, said on Facebook that the application ignores the problems of users and those affected by some of its services and freezes their accounts, and that all branches outside the city of Idlib do not address the problems.

Gaps at several levels

After the application was disabled, questions were raised about its security, and about the impact of malfunctions, disruption and hacking campaigns on subscribers’ accounts.
Technical expert Nidal Faour told Enab Baladi that the success of a technical activist or “hacker” in disrupting a financial application of this size indicates the presence of vulnerabilities at several levels.

System engineering: In professional financial applications, the “application interface” is separated from the “databases” and from the “identity server.” Complete disruption often means that there is a single point of failure, meaning that the attacker was able to access the nerve center of the system, which reflects a weakness in the design of the “firewalls” and encryption systems.

However, if the disruption results from the server being flooded with requests, this means that the application lacks advanced cloud protection services, which are essential tools for any application that deals with financial flows.

“Fragile” application

Disabling the application generated a wave of controversy and criticism, which described the application as “fragile” and not worthy of being an approved entity for disbursing salaries and financial transfers.

According to the technical expert, these criticisms are not just emotional opinions. Technically, this may mean that the “API” (Application Programming Interface), which is usually responsible for linking the front end with the back end of the application, is not adequately protected against “Code Injection”, which is a professional method of hacking, or bypassing permissions (Broken Access Control), which can be accessed by the hacker.

Moving to a new domain… security risks

After the disruption to which the application was exposed, it moved to a new domain under the name “shamcash[.]sy”. This transition was not just a technical change. Rather, technical experts described it as carrying security risks related to the way the official “servers” are managed in Syria, and the application’s connections to mysterious development companies.
In this context, technical expert Nidal Faour explained that the rapid transition to the “shamcash.sy” domain after the deactivation carries serious technical connotations, the most important of which are:

• Connection to the official infrastructure: relying on a domain that ends with “.sy” means that the “servers” are managed locally, or are subject to the authority of the official service provider. This move may be an attempt to escape from external attacks, but it places user data in a “closed” environment that may lack global security updates.
• The complete absence of service: This reminds the Syrian people of the “Takamul” application, during the period of the previous regime, which was crashing due to excessive pressure on the “servers.” The application was not built through professional efforts, but rather is a “white-label” version of ready-made software that contains known vulnerabilities (zero-day vulnerabilities), which facilitates the task of any technical activist in targeting it.
• Confusion in transferring domains indicates the absence of a “disaster recovery” protocol. In solid companies, the domain is not changed suddenly, but rather alternative “servers” (Redundancy) are activated automatically without the user being aware.

Faour concluded by proposing a set of steps that would save the application from a technical standpoint, which are:

• An external security audit (Third-party Security Audit): contracting with independent cyber security companies to conduct a comprehensive “penetration test”.
• End-to-End Encryption: to ensure that even if the “server” is hacked, the user’s data remains unreadable ciphertext.
• Technical transparency: issuing a statement explaining the nature of the vulnerability that was exploited and the measures taken to close it, instead of a policy of silence or non-technical justifications.
• Activating two-factor authentication (2FA): as a last line of defense for the user to protect his account even if the platform is exposed to an attack.

He said that the “Sham Cash” incident is a warning bell that “digital transformation” does not only mean launching software applications, but rather building digital fortresses capable of withstanding attacks, especially when it comes to people’s money and savings.

Legally… How is disabling the application read?

The controversy did not only raise the aspect of the security of the application and the protection of depositors’ accounts and their balances, but also touched on the legal position, which generated several questions about the law’s protection of user accounts on “Sham Cash,” and how the legal procedures require it to protect its users’ accounts.

The controversy surrounding the “Sham Cash” application is mainly related to the issue of the legal status and the entity operating the application. The basic principle of any digital financial service or electronic wallet is that it is considered a financial activity subject to the supervision of the monetary authority in the country, and this is often under the supervision of the Central Bank or the Payments Regulatory Authority, according to the legal expert and specialist in the field of human rights and international criminal law, Al-Muatasem Al-Kilani.

Therefore, providing money transfer services or managing digital wallets requires the presence of a legally defined and registered legal person who bears civil responsibility. If the ownership of the application or the entity operating it remains officially unclear, according to Al-Kilani, this creates a legal problem related to the principle of determining legal responsibility, because the user cannot determine the party to whom he can legally resort in the event of financial or technical damage.
Al-Kilani considered that this ambiguity places the application in a legal gray area, especially if it is widely used in financial transactions related to citizens.

From the perspective of administrative law, the legal expert believes that the adoption of a specific financial application by a governmental or semi-governmental entity for payments or transfers imposes a legal obligation on that entity to ensure legal and financial security for users. Once this means becomes part of the financial system approved for official transactions, this assumes the existence of a clear legal framework that regulates its work, defines the rights of users and the duties of the operating entity, and sets out mechanisms for financial and technical oversight and auditing.

He explained that in the absence of these elements, it can be said that there is a defect in the principle of administrative transparency and in the principle of protecting citizens’ private money, because individuals may find themselves forced to use a financial system that does not have legal guarantees.

According to Al-Kilani, the matter raises serious questions about the level of cybersecurity and the technical structure on which the application is based, as applications that manage financial operations must be subject to strict standards in the field of data protection and digital systems, because any defect in this system may lead to hacking of personal data or manipulation of financial balances.

Technical reports that dealt with the application indicated concerns related to data protection mechanisms and the management of sensitive information, which becomes doubly important when the application relates to money transfers or the storage of users’ financial data.
Al-Kilani said, “If we hypothetically assume a complete hack of the application or the loss of users’ funds as a result of a technical glitch or electronic attack, then the legal responsibility in this case must fall on the entity operating the financial service, as it is responsible for managing the system and ensuring its technical integrity,” as he put it.

He explained this by saying that in regulated financial systems, financial institutions usually bear civil liability for damages to customers as a result of negligence or weak technical protection, and they may be obligated to compensate those affected.

However, the problem in the case of an application such as “Sham Cash” lies in the difficulty of accurately determining the responsible party if the ownership or legal structure of the application is not clear, which may create a legal vacuum that makes the process of claiming compensation more complex for users.

Elements of the success of any digital financial system

The legal expert concludes that the issue is not only related to the existence of an application for financial transfers, but rather to the extent of clarity of the legal and regulatory framework within which it operates, as the success of any digital financial system depends on the availability of three basic elements:

• Identifying the legally responsible party.
• The system being subject to clear financial and regulatory oversight.
• Providing sufficient legal and technical guarantees to protect users’ money and data.

In the absence of these elements, the legal concerns about the application remain justified from a purely legal point of view.

They must be attributed to the rules of the contractual relationship

Some users of the application suffer from sudden freezing or deactivation of accounts, which forces them to go to a branch and deal with the malfunction, which may last for days.
As for user complaints about poor services or sudden freezing of accounts, Al-Kilani believes that the issue must be subject to the rules of the contractual relationship between the user and the service provider.

In his opinion, the terms of use of the service are usually required to be clear and announced, and any action such as freezing the account must be based on a legitimate legal reason, such as suspicion of fraud or violation of the terms of use. In all cases, the user must be given the right to appeal the decision, and there must be a clear legal mechanism for recovering funds or settling disputes.

If there is no regulatory body or clear system for handling complaints, this puts the user in a state of legal weakness because he does not have an effective means of defending his financial rights, Al-Kilani concluded.

Through the “Sham Cash” application

In mid-April 2025, the Syrian Ministry of Finance decided to deposit all salaries of workers in the public sector through the “Sham Cash” application, provided that it is approved as an official means of disbursing salaries, starting in early May 2025.

The circular issued by the Minister of Finance, Muhammad Yusser Barneyah, was directed to all management accountants in public agencies of an administrative nature, and financial managers in agencies of an economic nature, requesting the issuance of disbursement orders for salaries, wages, and compensation of workers, to be deposited in the “Sham Cash” account opened with the Central Bank of Syria.


Source – Enab Baladi