Uganda: Thugs Used Registered SIM Cards to Hack Into Banks, Says Source

A source in one of the two major telecom companies that fraudsters used to withdraw money and send after hacking an electronic financial provider system has confirmed that the SIM cards used met all registration standards.

The fraudsters allegedly hacked into Pegasus Technologies system, which is a third party provider, then digitally instructed the banks to transfer funds estimated to be Shs12.5b to telecommunication companies who in turn remitted the money to different SIM cards which were seeking payment across the country.

This prompted Stanbic Bank, Airtel and MTN to suspend their mobile money services.

"The SIM cards used are fully KYC (know your customer) complaint [and have] newly registered KYC compliant numbers," the source said.

KYC is the mandatory process of identifying and verifying the identity of the person or corporate at the time of opening an account.

The telecom companies are expected to hand over to the police all the mobile money accounts that were used to withdraw the funds to aid the investigations.

By press time yesterday, detectives were still holding a meeting on how to investigate the case.

Efforts to get a comment from the spokesperson of Criminal Investigations Directorate, Mr Charles Twiine, on the progress of the investigations, were futile. Our calls went unanswered.

The amount said to have been lost in this theft last week is more than the money that police recorded as stolen in similar offences last year.

Ugandans lost Shs11.4b in 2019 through cyber-crimes, Uganda Police Force records indicate.

However, only Shs58m was recovered.

A senior detective, who participating in the investigations of similar incidents that happened in 2018 and 2019, said it is very likely that the fraudsters used identities of unsuspected victims to register SIM cards as is in all cases he has investigated.

"When you talk to the owners of the identity cards and photographs in the system, you find that the mobile money numbers were registered without the consent of the owner," a senior detective said.

Beyonic Ltd Systems lost Shs2.6b in 2018 in similar manner, but the police were unable to find the people who withdrew the money, which was illegally sent to MTN and Airtel mobile money accounts. In the year, MTN lost Shs800m in a similar scam.

Last year, dfcu Bank lost Shs380m to fraudsters that hacked into their system while Centenary Bank lost Shs800m. In all cases, the genuine owners of the SIM cards were unaware of the fraud.

"In those cases, errant employees of financial institutions were suspected to have given access to criminals or installed self-replicating malware that creates a back door access to the system," the detective said.

Mr Emmanuel Chagara, an ethical hacker and chief executive officer of Milima Security, said organisations focus more on the technology but ignore the human resource.

"People who are not ethical, not trained and monitored will always be the biggest threat to the system," Mr Chagara said.

How to avoid theft

- Invest in 24-hour surveillance

- Ensure you have policies and clear responsibilities for staff

- Constantly invest in the latest technology as hackers also upgrade and update their software and skills. Using old computer devices and outdated software opens the company to technology breaches.

- Take action and not reaction.

SOURCE: THE MONITOR / Christine Kasemiire &  Andrew Bagala