Rising cybercrime gives banks sleepless nights


Increased adoption of technology by financial services providers such as banks has raised the country’s cyber-attack risk, exposing the providers to the loss of customers’ deposits and savings to online fraudsters.

Kenyan banks are increasingly investing in mobile and digital products as an efficient and cost-effective way of reaching customers and growing market share.

This is largely buoyed by rising Internet penetration as well as growing acceptance of mobile- and app-based products, which have in turn become a target for cyber criminals.

“Cyber criminality follows broadband and Internet penetration. As we become more online, these risks and threats start manifesting themselves,” Johannesburg-based Samresh Ramjith, a cybersecurity partner with consultancy EY, said in a past interview.

“One of the clearest statistics is that this market isn’t slowing down from a cybercrime perspective. This is growing year-on-year by close to double-digit.”


The Directorate of Criminal Investigations (DCI)’s Economic Crimes Unit on January 30 issued warrants of arrest for 130 people it suspected had engaged in banking fraud between June last year and January this year.

“The suspects are wanted in connection with electronic fraud by hacking into banks’ systems,” said the notice in local dailies.

Central Bank of Kenya governor Patrick Njoroge had on January 29 told a press conference in Nairobi that cases of ICT-related fraud have been on the rise in recent years, calling on banks to tighten their systems.

“Cybercrime is one of the risks targeting the financial sector which is expected to increase in sophistication and frequency,” the CBK said in its 2017 annual report published last August.

“Mitigation of such risks is important for business continuity as well as promoting the development of sound financial systems and risk management frameworks.”

The Kenya Bankers Association (KBA), the industry lobby, says customers need to be vigilant when transacting online to mitigate the risk of their accounts being hacked. With internet access increasingly becoming a necessity in meeting places such as hotels and restaurants, KBA warns that customers should be sure the Wi-Fi connection is secure before they transact online.

Banks and other financial services providers usually advise clients to have a complex password – a combination of letters, numbers and special characters – and to avoid using the same password for all their electronic accounts. But that is not all.

“You need to reset your passwords frequently, at least once a month especially on your banking systems,” said Nuru Mugambi, the director for communications and public affairs at KBA.

“Customers should also use bank-provided web links to log into internet banking and ensure the site is HTTPS certified.”

Banks, the primary target for hackers, had up to November 30, 2017, to adopt cybersecurity regulations developed by the CBK.

The lenders, as a minimum requirement, have been ordered to formulate policy, strategy and a framework to fight the crime.

“Cybercriminals are also getting more aggressive. In the financial sector, it poses a serious challenge since banks are reservoirs of confidential customer information. It takes various forms including high-tech crimes, data breaches, and phishing websites,” KCB Group says in its latest integrated report for the period ending December 2017.

“We are doubling down on our risk management in addition to investing more in sophisticated software to prevent cyber-attacks. In addition, we have deployed more resources including more personnel to analyse our cyber security and perform risk assessments.”

With the growing popularity of mobile loans, cyber criminals are also targeting micro-lending apps on smartphones. Stand-alone mobile loan apps such as San Francisco-headquartered Branch International, Tala Kenya and Opera Group-owned OKash say the threat of fraud using stolen identity data such as a Personal Identification Number is rising by the day, prompting the use of advanced verification features before advancing loans.

Mobile loan fraudsters are apparently taking advantage of the apps’ soft automated inquiries and their use of algorithms to underwrite borrowers to try to access funds.

OKash last August upgraded its loan application process, requiring borrowers to take a picture of their face and national ID.

“This allows us to verify that the applicant is who they say they are. This also helps to mitigate risk and attempts of fraud,” OKash says.

Branch, a Silicon Valley start-up, says it has invested in a “highly trained” loan review staff to assess and analyse suspicious borrowers as well as “sophisticated machine learning models” to target and block fraudulent applications.

“We have dedicated machine learning models targeted towards preventing fraud attacks,” Branch general manager for East Africa Dan Karuga said. “Although we have a simple sign-up process of just four questions, technology has helped us mitigate identity theft within the system.”