Below is a countdown of the cyber frauds that proved fraudsters are always a step ahead of the good guys. Unfortunately many top honchos still live in self-denial. Average leaders place blame, exceptional leaders take it.
When it comes to fixing the fraud problem, exceptional leaders will have to confront the problem head on through acknowledging it and addressing it in unconventional way. Before we consider the fraud strategies that work in Uganda, let’s do a countdown of the top five frauds that happened in 2013.
| Fraud case highlights |
| · Kshs 15.6 million lost in an internet banking scam
· Dynamic IP addresses traced to Nigeria, Cameroon, India and Belgium
· Money wired to another bank in Kenya, and then withdrawn
· No KYC done on the account to which money was transferred and withdrawn, and account opening file no where to be seen
· Customer sued bank to have his money back, citing weaknesses in the bank’s ICT systems. He urgued, bank owes duty to keep his deposits safe. And that he used his on-line token, username and password as advised only to find his money lost. Bank was challenged to prove customer negligence in the loss. |
Fraud Case #5: The compromised Internet banking platform
This took place in a bank in East Africa’s capital, Nairobi, Kenya.
Bank Ya Sente Ltd (BYS) provides financial services to the middle and high-end market using several delivery channels, including internet banking where customers access and transact online via the URL https://xxx/xxx/servlet/xxxServlet [link disabled to hide identity].
Since the bank started offering Internet banking in 2008, there had been no reported case of a major fraud. BYS’s internet banking product had been considered very secure, fully transactional, internet-based banking platform that enables customers to transact with the bank wherever and whenever it suits them as long as they have a stable internet connection.
Background to the case
In early 2013 one of BYS’s customer account was reported to have been hacked into and an estimated Kshs. 15.6 million stolen from the customer’s bank account. Customer xx who opened the account on [xxx], opted for internet banking platform on 12th November 2010. After signing for Internet banking on the bank’s application, he was given a unique customer ID and asked to log into the system to generate the password. He was informed of the confidentiality of these details at the time of picking them from the bank.
Usually, after opening a bank account and opting to use BYS’s Internet banking, the customer is given a user ID and token from the bank (over the counter) and then they are required to visit https://xxxxx /SelfServicexxxx/ to register their token in order to be activate to use Internet banking. In effect, the bank or any of its staff does not get to know about the customer’s password.
On 15th November 2010, based on the bank’s server logs, the genuine customer started using the username and password. There was no problem for a period until 2013
The fraud
On 12th February 2013, the customer (Account #xxx), reported to the bank that he was unable to access his account via the on-line banking platform using his usual username and password. He asked the bank to reset the password. He was given a form to fill and advised it will take about two days. In the meantime, he was advised to use the banking hall. A day later, he went to the bank to withdraw money, and found his bank account empty.
All the money had been withdrawn.
He immediately notified the bank which disabled the customer’s on-line banking until this matter was resolved.
The bank’s ICT security and internal audit team retrieved the server logs of all transactions (on-line and off-line) on the customer’s account and noticed intense activity between 18th January to 11th February 2013, from dynamic internet protocol (IP) addresses pointing to Nigeria, Cameroon, India and Belgium. They noted that the fraudsters wired the money to an account in an international bank based in Kenya. On contacting the bank, they were informed that particular account was closed. Upon further review, they noted four transactions on the account, after which it was closed. It was surprising how the money was cleared and then paid out. Preliminary findings noted absence of know your customer rules in the opening of the account to which the money was wired and withdrawn. The account had been opened just for that purpose and closed. All these pointed to a sophisticated cybercrime team.
After notifying the bank, the victim (customer) reported a case of theft at Police. He claimed the bank owes him a duty of protecting the money on his account in the bank, and that failure by the bank to prevent the fraudsters from withdrawing the money from the account was due to weaknesses in ICT security at the bank. He wanted the bank to put his money back on his account asap.
It is that action that caused the bank to smell a rat. Many questions came to mind:
What if the customer revealed his username and password to the fraudsters and they shared the money.
What if the customer was involved in the whole fraud, and now is claiming for a refund.
But what explains the unrecognized IP addresses from abroad. If we refund the customer’s money, how will the bank protect itself from similar claims and losses in future? How did the fraudsters withdraw the money?
Was there involvement with some staff in the bank where the money was wired and then withdrawn? If the fraudsters withdrew it in Kenya, how
And that is how the need for a forensic investigation came up. They wanted to:
· Understand how the customer’s credentials were taken over by the fraudsters. Provide evidence to explain whether the customer shared his own credentials or they hacked into their computer and or on-line banking account, who and how did they do it.
· Why did the bank’s controls fail to detect the transfer, even when it was a high volume transaction
· Understand how the money was cleared; and withdrawn at the other bank
· Identify the person/ persons behind the mask IPs that were logged at the bank server while transacting on the client’s account during the time the client claims they had stolen the credentials
· Where possible, provide all explanations relating to the fraud incident, including determining who did what, where, when and how relating to the fraud. The bank wanted to know at what point was the genuine customer’s password taken over to start transacting on it by the fraudsters.
Information on how the investigation was done and the findings is classified. However, we can visit and share with you our experiences so that you strengthen your own on-line banking practices. And that is the intention of this article –empowering you to fix your loopholes.
Lessons
There is no system that is bullet proof. All systems can be compromised. You need a team of professionals who know what they are doing to make it costly for fraudsters to steal i.e. make sure that the cost of breaking into your system by the fraudsters is higher than the benefits.
This particular bank had been doing penetration testing every quarter! And we discovered that instead of real pen test, they were doing IT audits – a mere exercise of benchmarking their processes and systems against best-practices without exploiting any identified weakness. This meant that the findings remained in theory. Going forward, you need to keep rotating the team which does your ICT security assurances.
Happy 2014.
Copyright Mustapha Barnabas Mugisa, 2014. All rights reserved. You are free to share for educational purposes with appropriate attribution.
