Kenyan banks are racing to secure their systems against a new wave of cyber crime that has seen them lose hundreds of millions of shillings to fraudsters and eroded consumer confidence in technology-based banking services.
The Central Bank of Kenya’s latest supervision report indicates that commercial banks are losing an average of Sh100 million to fraudsters every month – signalling the level of threat in the industry and the amount of investment that needs to be made to keep customer deposits safe.
CBK’s fraud department data indicates that the incidence of banking fraud rose to three per cent of total financial transactions last year, from 0.5 per cent five years ago, helped by increased bandwidth that came with fibre connectivity and increased use of technology by banks.
The Central Bank says that although most criminals still use traditional methods of stealing cash through bank break-ins, use of fraudulent cheques or electronic fund transfer taps has pushed up computer-related fraud and compromised point of sale devices.
Concern over cyber security has been rising in recent months after a number of financial institutions reported illegal activities targeting their operations with millions of shillings at stake.
In the past six months, anti-banking-fraud experts have reported the copying of a bank’s website and its posting online to capture sensitive client information.
A foreign national has been caught withdrawing large amounts of money from a bank’s ATM hall and an international bank’s ATM has been hacked, resulting in loss of customers’ money.
Card theft, information skimming (insertion of electronic devices in ATM machines to capture customers’ personal data), compromised PINs, vandalism and cash trapping are top on the list of the most common forms of banking sector-related cybercrime.
Analysts reckon that the introduction of online payment portals for e-commerce could be the next frontier for cyber criminals.
“Hackers were originally kids trying to show off. But it is no longer about fame and showing off, it is about making money and harming the individual,” said Mwenesi Muasalia, the Country Manager at Symantec, an online security company.
The growing threat posed by this sophisticated breed of criminals has forced financial institutions to look into their processes afresh.
Though the amount of money lost to cyber criminals is big enough, bankers insist the real damage lies in increased operational costs, a build-up of bad debt, erosion of customer confidence and a steep drop in revenues as banks are forced to invest in new technology to protect customer information.
In the past two years, the banks have invested more than Sh20 billion in security solutions meant to safeguard their clients from cyber attacks mainly targeting new product lines such as online banking, card-related businesses and e-commerce channels.
Bankers say the increased number of ATM networks and use of credit cards in ordinary business transactions is posing the greatest challenge to securing their online operations.
Equity Bank, Kenya’s biggest financial institution by customer base, recently admitted that its on-line security needs had significantly increased and clinched a deal with a Belgian business partner for a card management system that speeds up transactions made at more than 3,000 points to curb fraud.
Banking sector insiders say the industry faced its most blatant attack in mid January.
A joint operation by a group of local banks succeeded in apprehending an individual who was using several cards to withdraw money from different customer accounts from ATMs in Nairobi.
Armed with more than 100 PIN numbers and debit cards, the man — identified as of Slavic origin — withdrew more than Sh140,000 from several accounts in a couple of minutes.
Although the case is still under investigation, bankers say the attack exposed a problem they have to deal with on an hourly basis.
“We cannot determine which bank accounts he attempted to access. This will be known once the investigations are complete,” said Adan Mohamed, the Regional Managing Director for East and West Africa at Barclays.
Online security analysts however insist that the more alarming threat remains in the large amounts of money lost through ATM and credit cards.
ITU, a global cyber security firm, says global revenues from cyber crime exceeded $100 billion in 2007, outpacing illegal trade in drugs for the first time. Much of this was fuelled by global card cartels.
Although many analysts say Kenya is not yet part of this global syndicate, there is increasing evidence that the country’s exposure has increased with the arrival of high speed internet mid last year.
“The exposure originates with the merchants, who do not check that names or signatures match. Customers are also not securing their PINs enough,” said Reshma Sookran, who heads Visa’s Fraud Control for sub-Saharan Africa.
Ms Sookran says there has been a marked shift in types of fraud that financial institutions face in Kenya.
Five years ago most incidents of fraud were related to lost or stolen cards with almost no counterfeiting.
But last year, the number of counterfeit cards rose significantly to become the most virulent threat.
A locally based international bank recently learned a hard lesson when its ATM was hacked into and a skimming or copying device used to capture customers’ personal information for use in card cloning.
The criminals use a skimming device placed at the mouth of the ATM card slot to capture details on the magnetic stripe on cards.
That device enables the criminals to capture the customers’ PIN numbers and card details that are then used to print counterfeit cards — also known as clones — that are commonly used in fraudulent cash withdrawals.
Legal experts blame the trend on ineffective laws.
Cybercrime is defined as offences against the confidentiality, integrity and availability of computer data and systems; computer-related offences; content-related offences; and copyright-related offences.
Although the Kenya Communications Amendment Act contains specific legislation against hacking and unlawful intrusion of computer systems, cyber security experts say the law has failed to define and capture the dynamic character of on-line crime.
“Most hackers use fake cyber identity and getting a hacker’s true identity for purposes of prosecution remains difficult,” said Cathy Mputhia, a lawyer.
Cybercrime often has an international dimension.
The setting-up of procedures for quick response to incidents, as well as requests for international cooperation, is vital.
Given the international nature of cybercrime, the harmonisation of national laws and techniques is vital in the fight against the crime.