The Internet whizkid – computer fraud in a bank in Kenya

XY, a financial institution, suffered a loss of US $504,000 in fraudulent transactions. The culprit was the bank's own system administrator, and the fraud ran in two stages.

First, he obtained the super administrator ("sa") password through social engineering. The "sa" password is required to access the live banking application database, and the Head of ICT and the Managing Director (MD) hold it under dual control, each keeping one part. The system administrator accessed the Head of ICT's notebook and got part 1 of the password. He then tricked the MD into letting him update the MD's computer with a recent patch, contrary to the normal procedure under which an external firm provides such maintenance under a service level agreement (SLA). In the process, he got part 2 of the "sa" password.

With the complete password in hand, he did the following:

(a) accessed the live banking application database (running on SQL) and inserted fictitious client identities by manipulating genuine client accounts, then replicated transactions across the manipulated accounts;

(b) manually inserted fraudulent transactions into the live banking database and syndicated withdrawals using the fake client identities;

(c) created fictitious users in the database and assigned them different roles (transaction creation and approval), so that he could post a fictitious transaction and then supervise and approve it himself until it was cashed over the counter;

(d) made fictitious loan disbursements and altered loans already disbursed to clients.

While doing this 'backend' manipulation of genuine client accounts, he went downtown in Nairobi and recruited street criminals, whose photographs and signatures he inserted over the genuine ones. He then created a Trojan horse: a scheduled script that, at a defined time between 12:45 pm and 2:00 pm, overlaid the fraudulent client identities on the genuine ones so that the fraudsters could withdraw the money over the counter, and afterwards reverted the accounts to the genuine identities. On 22 April 2013 the Trojan ran, affecting all the bank's branches throughout Nairobi and five (5) other branches in the country outside Nairobi.

How it was discovered:

On 22 April 2013 at around 3 pm, about an hour after the fraud, a manager at one of the bank branches reported a series of abnormal withdrawals on known client accounts, with specific ID numbers being affected. He immediately reported to the MD, who called in the bank's senior management team (SMT), composed of the Head of ICT and the operations manager. The IT manager confirmed that (a) client account names had been altered on those accounts; (b) the clients' unique identification, i.e. photos and signatures, had been fictitiously altered, such that some accounts with male names had female photos on them; and (c) some transactions had been copied from one account and duplicated on others. Over US $504,000 had been withdrawn at several bank branches within the space of one hour. The team reported that the banking application had been taken offline while investigations continued; in the meantime, the bank operated on a manual system.

Countermeasure

The bank implemented real-time notifications of any change to, or access to, the live database of the core banking platform.
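The three patterns in this case are all visible in the database itself: identity fields on a client record changed and then restored within a short window, a withdrawal posted on that account while the swapped identity was in place, and a transaction created and approved by the same user. The following is an added example, not the bank's implementation or the author's code, showing how a change-audit trigger plus a few detection queries would surface each of them. It is constructed around SQLite so it runs offline; the `session_ctx` table is an assumption standing in for the database server's own session-user function (for example SUSER_SNAME() on SQL Server), and all account numbers, user names and timestamps are made up. One caveat a practitioner would add: a trigger and audit table live in the same database that "sa" controls, so the notifications must be shipped to a system that "sa" cannot silence and read by someone other than the password holders, otherwise the attacker in this case could simply have dropped the trigger first.

```python
"""Audit trigger and detection queries for the identity-swap fraud pattern.

Added example (not the page's or the bank's code). SQLite stands in for the
core banking database; `session_ctx` is an assumed stand-in for the server's
session-user function. All sample data below is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE session_ctx (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE client (
    account_no TEXT PRIMARY KEY,
    name       TEXT NOT NULL,
    id_number  TEXT NOT NULL,
    photo_hash TEXT NOT NULL,
    sig_hash   TEXT NOT NULL);
CREATE TABLE client_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    account_no TEXT NOT NULL,
    old_id     TEXT NOT NULL, new_id    TEXT NOT NULL,
    old_photo  TEXT NOT NULL, new_photo TEXT NOT NULL,
    db_user    TEXT NOT NULL,
    changed_at TEXT NOT NULL);
CREATE TABLE txn (
    txn_id      INTEGER PRIMARY KEY AUTOINCREMENT,
    account_no  TEXT NOT NULL,
    amount      REAL NOT NULL,
    created_by  TEXT NOT NULL,
    approved_by TEXT,
    posted_at   TEXT NOT NULL);
-- Fires for every update of an identity field, whoever makes it, so a direct
-- "sa" session bypassing the application is recorded like any other change.
CREATE TRIGGER client_identity_audit
AFTER UPDATE OF name, id_number, photo_hash, sig_hash ON client
BEGIN
    INSERT INTO client_audit (account_no, old_id, new_id, old_photo, new_photo, db_user, changed_at)
    VALUES (OLD.account_no, OLD.id_number, NEW.id_number, OLD.photo_hash, NEW.photo_hash,
            (SELECT value FROM session_ctx WHERE key = 'db_user'),
            (SELECT value FROM session_ctx WHERE key = 'now'));
END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_session(conn, db_user, now):
    """Assumed stand-in for the server's session user and clock."""
    conn.executemany("INSERT OR REPLACE INTO session_ctx VALUES (?, ?)",
                     [("db_user", db_user), ("now", now)])


def swap_and_revert(conn, window_minutes=120):
    """Accounts whose ID number was changed and then restored within the window."""
    return conn.execute("""
        SELECT a.account_no, a.db_user, a.changed_at, b.changed_at
        FROM client_audit a JOIN client_audit b
          ON b.account_no = a.account_no AND b.audit_id > a.audit_id
         AND b.old_id = a.new_id AND b.new_id = a.old_id AND a.new_id <> a.old_id
        WHERE (julianday(b.changed_at) - julianday(a.changed_at)) * 1440 <= ?
    """, (window_minutes,)).fetchall()


def sod_violations(conn):
    """Transactions created and approved by the same user (separation of duties)."""
    return conn.execute("""
        SELECT txn_id, account_no, amount, created_by FROM txn
        WHERE approved_by IS NOT NULL AND approved_by = created_by
    """).fetchall()


def withdrawals_under_swapped_identity(conn, window_minutes=120):
    """Transactions posted on an account while its identity was swapped."""
    rows = []
    for account_no, _user, start, end in swap_and_revert(conn, window_minutes):
        rows += conn.execute("""
            SELECT txn_id, account_no, amount FROM txn
            WHERE account_no = ? AND posted_at BETWEEN ? AND ?
        """, (account_no, start, end)).fetchall()
    return rows


def simulate(conn):
    """Constructed activity: one legitimate re-KYC and withdrawal, one fraud."""
    conn.executemany("INSERT INTO client VALUES (?, ?, ?, ?, ?)", [
        ("ACC1", "John Doe", "ID-001", "photo-genuine-1", "sig-genuine-1"),
        ("ACC2", "Mary Ann", "ID-002", "photo-genuine-2", "sig-genuine-2")])
    set_session(conn, "branch_ops", "2013-04-22 09:00:00")
    conn.execute("UPDATE client SET photo_hash = 'photo-genuine-2b' WHERE account_no = 'ACC2'")
    conn.execute("INSERT INTO txn (account_no, amount, created_by, approved_by, posted_at) "
                 "VALUES ('ACC2', 200.0, 'teller1', 'supervisor1', '2013-04-22 09:30:00')")
    # Fraud: "sa" overlays a stranger's identity at 12:45, a fictitious user
    # posts and approves the withdrawal, and the genuine identity returns at 14:00.
    set_session(conn, "sa", "2013-04-22 12:45:00")
    conn.execute("UPDATE client SET name = 'Jane Roe', id_number = 'ID-999', "
                 "photo_hash = 'photo-fraud', sig_hash = 'sig-fraud' WHERE account_no = 'ACC1'")
    conn.execute("INSERT INTO txn (account_no, amount, created_by, approved_by, posted_at) "
                 "VALUES ('ACC1', 500.0, 'u_fake1', 'u_fake1', '2013-04-22 13:10:00')")
    set_session(conn, "sa", "2013-04-22 14:00:00")
    conn.execute("UPDATE client SET name = 'John Doe', id_number = 'ID-001', "
                 "photo_hash = 'photo-genuine-1', sig_hash = 'sig-genuine-1' WHERE account_no = 'ACC1'")
    conn.commit()


if __name__ == "__main__":
    db = open_db()
    simulate(db)
    print("swap-and-revert:", swap_and_revert(db))
    print("same user created and approved:", sod_violations(db))
    print("withdrawals under swapped identity:", withdrawals_under_swapped_identity(db))
```

The legitimate photo update on ACC2 lands in the audit table but is not flagged, because its ID number did not change and nothing was reverted; the fraud on ACC1 is flagged by all three queries. In a real deployment the queries would run continuously against the audit table, or the trigger would raise the alert directly, rather than after the fact.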


About Mustapha Mugisa

Mustapha B. Mugisa is one of those rare individuals who delivers unparalleled value-based consulting to professionals and corporate entities that demand excellence. As an alumnus of EY and the current President of the Association of Certified Fraud Examiners (ACFE) Uganda Chapter, Mustapha brings a wealth of experience and expertise to every engagement.
