This is a continuation of the countdown of the top 5 high-tech frauds in 2013. Click here to read part 1.
This is the story of a reckless IT manager and a Ugx 1bn (US $ 400,000) fraud at Bank A, located in Dodoma, Tanzania.
We uncovered the fraud during a white-box penetration test of the bank’s core banking application, after noticing weak controls over the management of the bank’s database. The bank’s core banking application had been supplied by a vendor, who insisted on having a service level agreement (SLA). Under the agreement, the bank would call the vendor for on-going maintenance support, major reviews or changes to the system.
It was during the review of the change management process that we noticed a script that had been sent from the vendor to the bank’s Head of IT, with instructions to run it on the live database! The bad thing was that the IT manager followed the vendor representative’s instructions and indeed ran the script on the bank’s live system. That is how we ended up referring to the Head of IT for this bank as one from hell. NO IT manager worth their salt would run any script on the live database without first testing its impact in a test environment or sandbox.
Here is the damage the script did to the bank’s system.
The fraud involved steganography manipulation of the bank’s client data. Weak controls and monitoring over core banking application access enabled some IT staff (the Head of IT and the database administrator), in collusion with an external party, to exploit a backdoor and install an unapproved program on the bank’s SQL server.
The program was timed to make changes to the live client accounts between 1 pm and 2 pm (the time branch managers would be out for lunch, so transactions were reviewed less closely around that time).
The fraud involved replacing the personal details (photo and signature) of the genuine clients with the photo and signature of the fraudsters on the specified accounts. The parameters would reset back to the original after 2 pm, making the fraud difficult to trace. The impact of the fraud on the bank was catastrophic. The entire core banking application was taken offline for more than 2 days, attracting the central bank’s attention.
With that discovery, our task was to determine who did what, where, when, how and why concerning the incident, and to provide recommendations to fix the same. A forensic investigation approach was used. We were able to assign blame by identifying the right suspects and the extent of their involvement.
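As an added illustration (not code from the original post, the bank or the vendor): a defender’s check for the pattern described above, where client identity fields are altered during a window and restored afterwards. It assumes periodic snapshots of the client photo and signature fields are compared against a baseline captured under dual control; all account data and timestamps here are constructed.

```python
import hashlib
from datetime import datetime


def fingerprint(photo: bytes, signature: bytes) -> str:
    """Length-prefixed SHA-256 over the identity fields, so a swapped photo
    or signature (or a shift of bytes between them) changes the digest."""
    h = hashlib.sha256()
    for field in (photo, signature):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def detect_transient_changes(baseline, snapshots):
    """baseline: {account: (photo, signature)} captured under dual control.
    snapshots: list of (datetime, {account: (photo, signature)}) taken
    periodically during the day. Returns one finding per account whose
    identity fields diverged from the baseline in any snapshot; 'reverted'
    is True when a later snapshot matched the baseline again, which is the
    change-then-restore pattern that end-of-day checks alone would miss."""
    base = {acct: fingerprint(*fields) for acct, fields in baseline.items()}
    findings = {}
    for ts, rows in snapshots:
        for acct, expected in base.items():
            # A missing record counts as a change too (None never equals a digest).
            current = fingerprint(*rows[acct]) if acct in rows else None
            if current != expected and acct not in findings:
                findings[acct] = {"account": acct, "first_seen": ts, "reverted": False}
            elif current == expected and acct in findings:
                findings[acct]["reverted"] = True
    return sorted(findings.values(), key=lambda f: f["account"])


# Constructed sample data (not real bank records): short byte strings stand in
# for the stored photo and signature images.
BASELINE = {
    "ACC-1001": (b"photo-alice", b"sig-alice"),
    "ACC-1002": (b"photo-bob", b"sig-bob"),
    "ACC-1003": (b"photo-carol", b"sig-carol"),
}
SNAPSHOTS = [
    (datetime(2013, 6, 3, 12, 30), dict(BASELINE)),                       # before the window
    (datetime(2013, 6, 3, 13, 30), {**BASELINE,
                                    "ACC-1002": (b"photo-x", b"sig-x")}),  # inside the window
    (datetime(2013, 6, 3, 14, 30), dict(BASELINE)),                       # restored after 2 pm
]

if __name__ == "__main__":
    for f in detect_transient_changes(BASELINE, SNAPSHOTS):
        print(f"{f['account']}: identity fields changed at {f['first_seen']:%H:%M}, reverted={f['reverted']}")
```

Snapshots need only hold digests once taken, so the comparison can run from a separate, read-only monitoring account rather than from the same privileged sa credential the fraud abused.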
The key learning points from this case for the Board are numerous. A series of issues went wrong in full view of the Bank’s board.
Because the post is a senior one, the board had been involved in recruiting the IT Manager. However, the person recruited had no technical skills; we found that his juniors were far smarter than he was. Contrary to the requirement for dual control over the sa “super administrator” password, the Head of IT shared the key with his junior. This made it difficult to decide whom to blame following the fraud. In the end, the Head of IT was severely punished for negligence of duty.
Lesson: The Board should invite an independent technical specialist to assist whenever technical matters concerning IT or risk are to be discussed – e.g. recruitment of the Head of IT, Risk Manager or any executive-level senior person; review of the terms of reference and final reports for technical assignments, e.g. penetration testing; a post-implementation review of the core banking system to ensure no back doors are left; etc.
Poor management of the service level agreement (SLA) – due to poor risk management processes and systems for critical issue escalation. Over US $ 180,000 worth of fixes that the bank had paid the vendor for had not been delivered. The Board kept posting the agenda item as non-critical!
If the bank had not engaged a competent team of forensic experts, it would have lost twice: lose the money, and take no action against staff.
Lesson: The Board should support management and invest in forensic tools so that any fraud case can be investigated thoroughly, ensuring that staff know that if they misbehave, they will be caught. This is a deterrence measure.
Don’t just do ICT security reviews – do pen tests, and attempt to exploit any reported vulnerability. And when it comes to ICT security, trust no one.
Mustapha B Mugisa, CFE. All rights reserved. 2014.