Regulator raises alarm over Christmas hacking of saccos

Cyber thieves are increasingly using malware to steal banking credentials from unsuspecting consumers when they log on to their bank accounts via their mobile phones.

In a security circular issued on Monday, Sasra acting CEO David Sandagi said fresh intelligence shows a majority of breaches occur during the late evening and early night hours of a long weekend or holiday.

The regulator warned saccos that the three upcoming long weekends and holiday windows—Jamhuri Day (December 12–14), Christmas (December 25–28) and New Year (January 1–3)—pose heightened danger.

"Periodic analysis and intelligence monitoring of the trends of cyber-threats and security breaches in the regulated sacco subsector shows that a majority of the cybersecurity breaches and attacks mostly occur during the long-week end public holidays," said Mr Sandagi in the circular seen by the Business Daily.

"The trends equally show that these breaches and attacks are predominantly perpetrated during the last 12 hours before the commencement of the long-weekend public holidays and during the late evening and early night hours of any of the long-weekends and/or the public holidays."

Sasra noted that digital channels, notably mobile banking, are the most targeted entry points for fraudsters.

Mr Sandagi said saccos using ATMs, mobile money platforms, web-based applications and internet banking services face elevated risks, especially during off-peak periods when cyber attackers exploit slower response times and relaxed oversight.

Cybercriminals are riding on mobile phones to hack into consumer bank accounts with malware—a software designed to gain unauthorised access to a computer system.

The malware typically gets onto a phone when a user clicks on a text message from an unknown source or taps an advertisement on a website. Once installed, it often lies dormant until the user opens a banking app.

Read: How big borrowers pressure saccos for unsecured loans

The malware then creates a customised overlay on the authentic banking app. This allows criminals to follow a user's movements on the phone and eventually grab credentials for the account.

This type of mobile phone malware is gaining ground as more consumers use banking apps and financial firms are rolling out a wider array of mobile services.

Hackers stole a record Sh1.59 billion from Kenyan banks last year in an attack that highlights the risk of cyber heists in the wake of heavy investment in tech and mobile banking.

Half of thefts were through mobile banking, with cyber thieves stealing Sh810.68 million last year from Sh182.41 million in 2023, a jump of 344 percent.

The saccos regulator has now directed cooperatives to "heighten, intensify and strengthen" round-the-clock monitoring of their management information systems, digital banking services, and all ICT infrastructure that supports member transactions.

In addition to external threats, Sasra has warned of rising insider risks and directed saccos to tighten internal controls to prevent employees from colluding with outsiders to defraud institutions.

Mr Sandagi has asked saccos to pay attention to activities involving digital access to Front Office Service Activity (Fosa) accounts and requests to link members' accounts with their mobile numbers.

Saccos have also been directed to focus on linkages between mobile numbers and mobile money wallets or settlement accounts, as well as unusual transfers flowing in from third-party financial institutions into sacco pay bill or mobile wallet accounts.

Mr Sandagi has directed saccos and their third-party vendors to deploy round-the-clock cybersecurity monitoring tools and ensure technical teams are on standby to identify and respond to intrusions in real time.

The 2022 Sasra report revealed that the Sacco Societies Fraud Investigations Unit, which investigates fraud in the sacco sector, handled cases involving Sh232.5 million in the past two years.

Of this amount, Sh118.1 million was stolen, while Sh114.4 million was at risk of being lost.

The report indicated that most of the fraud occurred through collusion between staff and outsiders who exploited weaknesses in mobile and internet banking services.

"The internal technical staff working within saccos' ICT and credit departments have been noted to be the greatest collaborators in perpetuation of fraudulent activities, and thus Saccos are called upon to constantly review the adequacy of the internal controls in their ICT and credit functions," said Sasra in the 2022 report.

In 2021, the financial sector stability report disclosed that saccos had lost Sh106 million in 17 months to March 2021 on the back of increased use of digital channels.

The 2021 report asked saccos to tighten their IT security, review contracts with third parties and even consider tapping cyber security insurance.

→ [email protected]