Fraudster causes stir with historic credit card theft

The arrest and indictment of the trio sent alarm bells ringing on the local scene where security concerns have been rising since last month’s landing of broadband Internet.

Internet security experts warned that the Kenyan economy could suffer massive losses if firms with sensitive data such as banks do not act to build the right defences against illegal entry into vital data banks.

“If we do not do something about on-line security, key sectors of the economy such as financial services will suffer huge losses,” said Salim Idd, a local security analyst.

“The coming of the fibres means we are getting more exposed to international hackers who are more sophisticated and can access sensitive information.”

Industry statistics indicate that 60 per cent of local banks are classified as high risk targets of identity theft and cyber-crime because they do not have adequate security safeguards against on-line fraudsters.

Hackers are technology experts who use their skills to gain illegal access to data banks of other organizations for information they use to commit crime or to transact unauthorized business.

Typically, a hacker would be a proficient programmer or engineer with sufficient technical skills to identify weaknesses in an internet security system.

Unknown to most Kenyans, who are only beginning to adopt internet-based business solutions, ICT security experts say the level of exposure to cyber crime is so high that only a complete overhaul of systems currently in use will save businesses from potential ruin.

Mobile banking
The list of business solutions at risk includes credit cards, mobile banking, mobile phone-based money transfers, automated stock trading, and debit cards used in automated teller machines.

Cyber crime carries heavy financial and legal implications for affected consumers and banks, who risk becoming part of a digital black market that has been thriving around the world since the advent of the internet.

Kenya has been spared most of the attacks because of its relatively slow internet speeds, a shield it is now losing with the landing of high speed fibre optic links. It is estimated that broadband connections will increase the country’s exposure to cyber crime ten-fold.

That level of threat exposes banks and other financial institutions to loss of millions of shillings to both local and international fraudsters.

The value of credit card transactions in Kenya has risen steadily in the past six years to Sh40 billion but the issuers have been losing an average of Sh50 million to fraudsters annually, according to the Kenya Credit and Debit Card Association.

“Credit card related crime is expected to soar as Kenya joins other nations online. The challenge is to develop secure websites and enhance the level of awareness on how these attacks can take place,” said Liko Agosta, a local developer who is grappling with how to create secure payment systems for Kenyans who want to shop online.

“It is not a matter of if you will be hit, but when,” he said.

Legal experts warned that financial institutions should prepare for a steep rise in lawsuits over money lost to cyber criminals in the digital black market.

“Consumers must realise that many credit card operators and banks have terms and conditions that shield them from such legal actions. The burden will fall on the aggrieved consumers to prove that the bank or credit card issuer was negligent in its security measures,” said Anne Kinuhe, a lawyer with the African Legal Network.

Mr Gonzalez, a resident of Miami, Florida, was indicted for conspiracy to engage in wire fraud, using a sophisticated hacking technique called an “SQL injection attack,”.

The technique exploits computer networks by finding a way around their firewalls to steal credit and debit card information.

Among the corporate victims named in the indictment are Heartland Payment Systems, a New Jersey-based card payment processor; 7-Eleven Inc., a Texas-based nationwide convenience store chain; and Hannaford Brothers Co. Inc., a Maine-based supermarket chain.

The indictment, which details the largest alleged credit and debit card data breach ever charged in US, alleges that beginning October 2006, Mr Gonzalez and his co-conspirators researched the credit and debit card systems used by their victims; devised a sophisticated attack to penetrate their networks and steal credit and debit card data; and then sent that data to computer servers they operated in California, Illinois, Latvia, the Netherlands and Ukraine.

The indictment also alleges Mr Gonzalez and his co-conspirators also used sophisticated hacker techniques to cover their tracks and to avoid detection by anti-virus software used by their victims.

If convicted, Mr Gonzalez faces up to 20 years in prison on the wire fraud conspiracy charge and an additional five years in prison on the conspiracy charge, as well as a fine of $250,000 for each charge.

Similar precedents exist in the Kenyan market, exposing the rich potential for a surge in card related crimes once enhanced internet connectivity is realised.

In 2002, five Nigerians and a Kenyan were investigated for their role in a Sh1 billion fraud involving credit cards.

Kenyan banking fraud experts linked the six suspects to a Nigerian alleged to be a key figure in an international syndicate.

The seized Kenyan was a cashier at the Grand Regency Hotel, Nairobi, just one among dozens of hotel workers sought by the police for allegedly being agents of the gang who used a technology known as “skimming” that copied details off credit cards hotel visitors.

Once skimmed, the details were used to make fake cards which were then sold to customers around the world who used them to fund exorbitant shopping sprees that only stopped once banks or the original owner noticed a large amount of unusual activity.

“In such cases, it can be hard to get the bank to understand what happened. Right now, it’s not clear cut, and the burden of proof lies with the customer,” said Ms Kiunuhe.
In what is known as the digital black market, such credit card swaps are big business.
In 2005, an organization called the Shadowcrew would buy and sell millions of credit card numbers, identity numbers, and other identification documents for typically less than Sh700 a piece.

New changes
Shadowcrew consisted of more than 4,000 members worldwide, ran a worldwide marketplace in which 1.5 million credit card numbers, 18 million email accounts, and scores of identification documents, from passports to driver’s licences were offered to the highest bidder.

But security analysts say one of the major objectives of online attackers is to gain access to “Personally Identifiable Information” (PII).

The internet will instigate new changes in the way attacks are made, according to the “Emerging Cyber Threats report for 2009” from the Georgia Tech Information Security Centre.

Hackers will ride on messages sent through popular mediums such as Facebook from one friend to another that include a link to a YouTube video of interest to the recipient.

Once the recipient clicks on the link supposedly sent by their friend, they see a prompt to install the latest version of Flash Player in order to watch the video clip.

The user clicks to install the update, but actually installs a piece of malware on the machine, effectively involving the computer in a botnet — a malicious internet attack — said the report.

“The email lures, the enticements and the personalization of malware attacks are getting much better. Social engineering attacks on social networks are beginning to explode and will only get worse,” said Ryan Naraine, a Security Evangelist at Kaspersky Lab.