KENYA: How hackers steal your money from hapless banks
VICTOR AMADALA
A young man walks into a bank, opens an account and obtains an Automated Teller Machine (ATM) card for only Sh500. Minutes later, he sells all those banking credentials to a fraudster for a few thousand shillings.
In another bank, a hacker has identified people in the IT department of a financial institution and used them to install gadgets that relay key information to external servers for months. One Saturday afternoon, when the bank staff are away, the hackers strike the bank, making away with hundreds of millions of shillings in a matter of hours.
The money is then sent to many M-Pesa super agents across the country who walk to the bank and withdraw it. The hackers then go round in cars collecting their loot and paying off the agents.
In one such case, hackers installed a computer in a well-known bank and transferred Sh150 million between Saturday, 5pm, and Sunday noon. Months later, no one has been arrested.
Last month, one of the country's five biggest banks lost Sh200 million to hackers on a weekend.
According to industry sources, fewer than 10 of the country's 47 banks have a relatively secure core banking system. “The sad part is that some of the people running these banks have no clue of IT issues, are not interested and take too long to respond to the attacks,” said a senior industry player.
On Wednesday, the Central Bank of Kenya and card payments solution provider Visa held a cyber security workshop in a Nairobi hotel, where it was disclosed that ignorant customers and rogue bank officers collude with hackers to aid ATM cash-outs.
Hackers target mainly young and new bank account holders. They ride on details of ignorant account holders to find easy entry into banks and safe passage for money siphoned off.
The details and scale of losses from this sophisticated fraud, involving bank customers, rogue employees and hackers, are closely guarded secrets in the banking sector as institutions work extra hard and spend more to build solid buffers. Some are even willing to pay an arm and a leg to conceal this truth.
Banking insiders who spoke to the Star in confidence due to the sensitivity of the matter said most accounts involved are initially owned by young people aged 20-26 years, presumably in universities or other tertiary institutions.
“At least seven out of 10 bank accounts flagged belong to customers with an average age of 23 years and have balances of less than Sh1000. Most ATM cards used normally have zero transitory history and are never reported as lost,” a senior cyber security officer at a multinational lender said.
Experts say most students are hippy, ignorant and in need of quick funds regardless of the source, hence easy targets for cyber criminals, some of whom were their schoolmates.
They either don’t know, or don’t care, about the consequences of providing their banking details. It gets worse when rogue bankers join this web. “There is an urgent need for cyber security sensitisation among customers, especially now that most lenders are going digital,” another Information Technology head at a fast-growing local bank said.
Survey
On Friday, the Star asked random students at the University of Nairobi and the neighbouring Kenya Methodist University town campus whether they would sell their bank details for Sh100,000.
Out of the 20 students sampled, 14 said they would promptly do so while four would refuse but did not give reasons. Only two were aware of the risks involved, saying it is a crime.
The simple survey showed that male students are more likely to collaborate with cyber criminals than their female counterparts, with only three of the 12 male students sampled saying they would decline the offer.
“That is gold presented on a silver platter. I don’t remember when I last deposited Sh100,000 in my account. It can help me sort a few problems,” Kibe, a second year UoN student, said.
His friend Roberto said he would willingly give his national ID as a bonus and take even Sh50,000.
“It is simple to sign up for another bank account, thanks to technology. Internet and my phone are all I need to open 10 accounts in different banks. Selling some for such a fortune is not madness,” he said.
Juliet and her friend Irene, both first years at the same institution, would decline the offer. Lawrence termed the trade criminal and extremely risky.
Bernard and Shix, third year students at KEMU, were hesitant to sell their banking details, citing security reasons but would give out their ATM cards as they no longer use them.
“Is this a trap? You know it is no longer safe to have this kind of conversation in these streets. Kamatakamata Friday (Friday arrests) is real. I won’t give out my bank account details. Maybe ATM card. I use banking apps anyway,” Shix said as her friend nodded in agreement.
On Friday, the Assets Recovery Agency asked a court to freeze the accounts of a university student who fraudulently transferred Sh41 million from I&M Bank to himself.
Timothy Kang’arua of Jomo Kenyatta University of Agriculture and Technology (JKUAT) is said to have devised an intricate scheme to defraud the bank using the bank's login credentials for the Safaricom web portal.
Detective Jackson Nzau told the court that the suspect and accomplices fraudulently transferred the money from I&M’s Party Paybill Number 517822 to other persons and later to himself in November 2017.
The deposits and withdrawals were made in tranches below Sh1 million to evade the Central Bank of Kenya's reporting threshold. Any withdrawal beyond Sh1 million must be reported, and the account holder must declare the source of the money.
Back to the drawing board
During Wednesday's CBK and Visa cyber security workshop, it was revealed that ignorant customers and rogue bank officers collude with hackers to aid ATM cash-outs.
Bevan Smith, head of risk, Visa sub-Saharan Africa, said hackers looking for an easy way into bank systems are having a field day using genuine cards. “Ignorant customers, especially young ones, have become easy targets. A hacker needs a slight security blunder to loot. It is even much easier when genuine customers provide the way and are cleared by rogue employees in the financial sector,” Smith said.
His sentiments were echoed by Andrew Henwood, CEO of Foregenix, who discussed ATM cash-outs in detail.
Henwood said that although most banks in Kenya have tough security buffers to counter cyber-attacks, they continue to lose millions of shillings daily, thanks to some ‘silly’ and deliberate mistakes perpetrated by customers and employees.
“Although digital innovations are aiding efficiency in the financial sector, hackers are getting smarter and are now using genuine bank details provided by customers and employees knowingly or unknowingly,” he said, adding that most hackers attack local banks at odd hours, on weekends and on the eves of big holidays like Easter and Christmas, when bank employees are relaxed and customers transact carelessly.
Nita Omanga, risk director, Visa sub-Saharan Africa, disclosed that most ATM cash-outs targeting banks in Kenya are perpetrated in countries where Kenyans travel less. They include Bosnia, Romania, Vietnam, South Korea and Russia.
She asked banks to work with service providers to tighten security to protect customers’ deposits by, for instance, setting transaction limits per 10 minutes.
“Visa has a system where it agrees with banks on transaction limits per 10 minutes. If a card transacts more than the limit set, it is flagged and the account suspended,” Omanga said.
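As an added example, and not code from the article, Visa or CBK, the following Python sketch shows what two of the monitoring rules described in this piece look like from a bank's transaction-monitoring side: a per-card limit on the number and value of transactions within a sliding 10-minute window, where a card that trips the limit is suspended and its later transactions blocked (the per-10-minute limit Omanga describes), and a same-day check for transactions that each sit below the Sh1 million reporting threshold mentioned in the Kang’arua case but together add up to more. The limit values, card and account identifiers and the transactions themselves are all constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Txn:
    card: Optional[str]   # constructed card identifier; None for non-card transfers
    account: str          # constructed account identifier
    ts: datetime          # time the transaction was authorised
    amount: int           # amount in Kenyan shillings


def _t(card, account, hhmm, amount, day="2017-11-04"):
    return Txn(card, account, datetime.fromisoformat(f"{day}T{hhmm}:00"), amount)


# Constructed sample: one Saturday's transactions (not real data).
SAMPLE_TXNS = [
    _t("card-A", "acct-A", "17:00", 10_000),
    _t("card-A", "acct-A", "17:03", 20_000),
    _t("card-B", "acct-B", "17:00", 40_000),
    _t("card-B", "acct-B", "17:02", 40_000),
    _t("card-B", "acct-B", "17:04", 40_000),     # pushes the 10-minute total past the limit
    _t("card-B", "acct-B", "17:06", 40_000),     # arrives after the card is suspended
    _t("card-C", "acct-C", "17:00", 30_000),
    _t("card-C", "acct-C", "17:05", 30_000),
    _t("card-C", "acct-C", "17:20", 30_000),     # earlier two have aged out of the window
    _t(None, "acct-X", "09:00", 900_000),        # three same-day tranches, each under Sh1m
    _t(None, "acct-X", "11:30", 950_000),
    _t(None, "acct-X", "15:45", 800_000),
    _t(None, "acct-Y", "10:00", 1_200_000),      # over the threshold, so reported normally
]

WINDOW = timedelta(minutes=10)
REPORTING_THRESHOLD = 1_000_000  # Sh1 million, the CBK reporting threshold cited in the article


def velocity_alerts(txns, window=WINDOW, max_count=3, max_amount=100_000):
    """Sliding-window velocity check per card (hypothetical limits: at most
    max_count transactions or Sh max_amount in total per window). A card that
    trips a limit is suspended and its later transactions are blocked.
    Returns (alerts, suspended_cards)."""
    recent = defaultdict(deque)   # per card: transactions still inside the window
    suspended = set()
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        if t.card is None:
            continue              # not a card transaction; card limits do not apply
        if t.card in suspended:
            alerts.append((t.card, t.ts.isoformat(), "blocked: card suspended"))
            continue
        q = recent[t.card]
        q.append(t)
        while t.ts - q[0].ts > window:   # drop entries older than the window
            q.popleft()
        count, total = len(q), sum(x.amount for x in q)
        if count > max_count or total > max_amount:
            suspended.add(t.card)
            alerts.append((t.card, t.ts.isoformat(),
                           f"velocity limit exceeded: {count} txns, Sh{total:,} in {window}"))
    return alerts, suspended


def structuring_alerts(txns, threshold=REPORTING_THRESHOLD, min_txns=2):
    """Flag accounts whose same-day transactions each stay below the reporting
    threshold but together reach it. Returns (account, day, count, total) tuples."""
    by_day = defaultdict(list)
    for t in txns:
        by_day[(t.account, t.ts.date())].append(t)
    alerts = []
    for (account, day), group in sorted(by_day.items()):
        total = sum(t.amount for t in group)
        if (len(group) >= min_txns
                and all(t.amount < threshold for t in group)
                and total >= threshold):
            alerts.append((account, day.isoformat(), len(group), total))
    return alerts


if __name__ == "__main__":
    alerts, suspended = velocity_alerts(SAMPLE_TXNS)
    for a in alerts:
        print("velocity", *a)
    print("suspended cards:", sorted(suspended))
    for a in structuring_alerts(SAMPLE_TXNS):
        print("structuring", *a)
```

On the sample, card-B is suspended at its third withdrawal (Sh120,000 inside 10 minutes) and its fourth is blocked, card-C is not flagged because its first two withdrawals have aged out of the window by the third, and acct-X is reported for three tranches totalling Sh2.65 million while acct-Y's single Sh1.2 million transaction is left to the ordinary reporting rule.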
CBK’s Eunice Koiyani said the regulator had witnessed poor cyber security hygiene in its investigations and asked banks to handle their reports with extra care.
“Cyber security audit reports are gold to hackers. They expose soft underbellies for attack and assist the hackers to strategise. That classified information must be protected,” Koiyani said.
Her sentiments were echoed the following day by Bright Gameli, a cyber security expert and head of IT at the Internet Solution Kenya.
Gameli, who is also an ethical hacker, told a cyber security seminar organised by the Kenya Bankers Association (KBA) on Thursday that hackers can easily access banks' cyber security reports due to poor handling and security checks.
“Most banks in Kenya have naked information floating online. Banking staff don’t know how to secure their emails, while some institutions allow strangers like cleaners to access key rooms unchecked,” Gameli said.
He warned financial institutions against giving key transaction credentials to risky employees who can be easily compromised by criminals.
“It is extremely risky to entrust transaction credentials to employees planning to exit the company, however good they are. Banks have made this mistake and paid dearly for it,” Gameli said.
Integrated Payment Services Ltd (IPSL) chief executive Agnes Gathaiya asked banks to become more vigilant and update their systems to remove ‘middlemen’ in virtual transactions.
She said that whereas Pesalink is supposed to aid seamless person-to-person transactions, a study conducted on 30 banks in the country revealed that in 25 of them a human hand is still at the centre of such transactions, leaving them easily susceptible to interception and fraud.
“We need consolidated effort from depositors, banks and third party vendors to limit cyber crimes. There is no one stop fix all for this scourge,” Gathaiya said.
IPSL is a fully-owned subsidiary of Kenya Bankers Association (KBA), and can handle person-to-person transfers from as low as Sh10 to a high of Sh999,999.
In September 2017, the system fended off a hacking attempt into its real-time gross settlement channel.
It had transacted Sh81 billion as at August last year since its launch in February 2017.
Hackers are becoming more sophisticated as technology evolves, and financial institutions are increasingly under threat.
A 2017 cyber security study by Serianu, an information technology services and business consulting firm, revealed that Kenya is losing at least $210 million (Sh21 billion) of the $394 million (Sh39.4 billion) lost across East Africa, most of it from banks.
The study ranked banks top in cyber attacks, indicating that the motives for data breaches are increasingly financial. Other sectors include government and mobile money.
The study noted that attacks targeting Kenyan banks range from insider threats to spear phishing and ransomware.
“Banks are getting hit through their web applications, internet and mobile banking platforms. While the attack vectors may differ, the execution of the attacks is often the same. It is paramount that local banks invest in mechanisms to anticipate, detect, recover and contain cyber crime,” the report said.
In March last year, technology firm Microsoft warned Kenya to prepare for a massive explosion of cyber crime, a month after the National Bank of Kenya confirmed that fraudsters had gotten away with Sh29 million in what was suspected to be a hacking incident.
According to director of Cloud strategy at Microsoft Rudiger Dorn, cyber crime cost the global economy Sh600 trillion in 2017, up from Sh300 trillion in 2016.
“We are likely to see an increase in phishing, where hackers obtain account details of employees or individuals through credit cards and banking details to commit a cyber crime,” Dorn said.
Another report, released by technology firm Cisco, showed that more than half of such cyber-attacks result in financial damages of more than $500,000 (Sh50.55 million) annually in Kenya, including, but not limited to, lost revenue, customers, opportunities and out-of-pocket costs.
Regulations
In July 2017, CBK introduced cyber security policy guidelines aimed at helping banks deal with cyber crime and prepare for emerging threats.
Banks are required to compile and file an annual report with the regulator detailing how they plan to curb cyber security threats.
Last year, the regulator widened the scope to mobile money transfer networks, which are required to notify CBK within 24 hours of any cyber security incident.
“The guidelines set the minimum standards that PSPs should adopt to develop effective cyber security governance and risk management frameworks in order to maintain a sound, secure and efficient National Payment System,” CBK said in a circular.