Friday, November 22, 2013

Why Nigerian Banks Will Keep Losing Money to e-Fraud

The recent loss of money recorded by the Central Bank of Nigeria (CBN)
has not only given researchers a case study but has shown that the
acclaimed tools and techniques currently used by Nigerian banks are
not sufficient. This is regardless of the source of the tool or
technique used. As technology growth is in parallel with the time it
is also essential for every organisation and nation to improve
It is not enough to get involved with the technology by purchasing
gadgets but it is paramount to keep abreast of all and sundry
regarding technology- that is, in this case- security.
The lack of awareness by users of Nigerian e-Banking system create a
rift in eliminating the cause of this problem, although some
experienced users protect themselves but the percentage is minimal
compared to the incidents reported.
In a paper published by me some months back, I did mention certain
causes of hacking in Africa. Most importantly is the growing use of
Many banks around the world are targeted and a lot have lost money to
e-Theft but the drastic incident recovery measure taken, give
investors confidence in these banks. This is a major problem for the
growing Nigerian economy. The protective measures have proven to be
insufficient, not good enough or irrelevant. What is the CBN doing to
ensure the security of customers?
During one of my research visits to Nigerian banks, I was astonished
to hear "we have that in place" when banks were undergoing attacks.
Sadly, you cannot impose help on those who really need help but do not
acknowledge they do.
If banks such as World Bank and Bank of America can look for research
students like me to have us use their organisations as case studies,
why will Nigerian banks think they have it all? Truth be told, we are
still a developing country and do not have it all. No nation or bank
does but it is important to know the loopholes and backdoors that
attract these hackers.
Following quite recent news in one of the Nigerian online media, it
was quite interesting to read about a Nigerian hacker. A young
Nigerian student who stole couple of thousands from a bank account to
purchase some petty items was an intriguing case to read. What was
most appalling however, was the knowledge that he had been arrested.
True he is a thief, but Microsoft for instance, regards these thieves
as assets.
They get these guys to break into their system, do not report them to
the authorities, in the end give them some stipend and little treat to
say "thank you for showing us how you do it; we will now block you all
from further entry and theft". Where is our sense of "quick-thinking"?
It is not always about behind bars but about what to do to stop
further problems of this nature.
What to look out for as a Bank customer
Strange how some e-Banking users have no clue about phishing attacks.
Phishing attacks have gone haywire and are more advanced than
previous. Do you know that phishing attacks now link you to a url that
is almost similar with your bank's url? The difference is obvious only
to those who take a critical look at it and more advanced users who
know about certificates. Some browsers have certificate validation
techniques and can alert you if the website certificate is invalid or
expired. Some users do not understand the importance of seeing the
padlock sign on a secure website, whether a bank or an e-Commerce
It is also important to have a basic idea of computing. There are
three types of computer attacks that work similar: Man-in-the-Browser,
Man-in-the-Computer, and Man-in-the-Middle attack. Every computer is
not safe, and banks need to highlight that to users who have signed up
for any form of e-Finance.
There may be a malware in your computer (a malware is a running
programme on your computer controlled by a spy somewhere monitoring
everything you do) that collects or modifies any information that goes
through your computer. When you think you are safe with your bank and
token (TAN generator), there may be someone somewhere spying on your
login, watching the bank, the algorithm used for the banking token and
compile the information which can take up to a year or two before you
become a victim of electronic fraud. Anti-virus is essential but more
is needed.
Do not bank on your mobile phone
Electronic transactions of any form and sort are well advisable not to
be done on a mobile phone at present. Researchers are still working to
get a more protective means of m-banking and are yet to full solve the
problem of e-banking using your computer. What customers do not know
is that the mobile phone has more spyware than your computer. It is
highly susceptible to malware and many mobile phone platforms are
under attack. The biggest insecure platform is the Android. Before you
carry out any sensitive transaction on your mobile phone, think again.
You may be a victim of e-Fraud if you are not careful. It doesn't
matter if you've got an anti-virus on your phone or you use the
banking application given by your bank; malware respects nothing when
it gets into your phone but breaks through everything and remember
there is always someone behind the scene watching what you do on your
What the Banks Do Not Know
Electronic token and other forms of protection on your network like
your VPN or your secure transaction channel or TAN generator from
third parties have been developed by these guys you fight against.
This is a huge reason why the banks in Nigeria will remain under the
control of hackers. Yes, yes, it has been developed in India, China,
the States etc, the point is, so long as it is not in-house (the
software behind the token), it will be under constant attack. This is
not to say in-house cyber security tools are not attacked but the
percentage is minimal compared to third party tools.
Time for the Right Investment by CBN
There are quite a number of Nigerian research students in Diaspora
working in areas of cyber security, network security and e-Banking
inclusive around the world. It is time to get in touch with students
in the US, Canada and the UK with great research proposal that are
willing to take on the case of Nigerian e-Banking security. It will
interest you to know that some Professors in this field who are none
Nigerians are willing to take their students on this challenging
research to develop a solution for Nigerian banks. It will cost less
than a quarter of how much is being lost every year to sponsor
research students in this area for the cause of Nigeria. Use the banks
as case studies, permit them to break through the system and give
their advice and assistance, keep up to date with the recent issues in
electronic banking, and let them organise awareness programmes for
bank employees, stakeholders and users. The result can be monitored
within a year and KPI drawn to ensure there is value for money. Now
this should be an open invitation to current research students in
these countries not for training of current employees but for
enthusiast. Only enthusiastic researchers can get the required result.
Some News for you from the UK
I opened one of my email accounts to find an email from NatWest (this
is a retail bank in the UK found on most of the high streets, they are
quite popular in the UK and can be ranked as one of the top banks
especially for mortgages). Below is a snapshot of the message and the
URL redirect.

All they require is your card details and password or pin, that's it!
They become second users of your bank account and can carry out
banking transactions even though the banking token is required; they
most likely have the algorithm or worse the TAN list for the old TAN

Recent News from Crime Watch, FBI
On the 28th of October this year, FBI published news based on research
in Cyber security. It was quite interesting to read about the recent
malware that is being spread via email. The target receives an email
with alleged customer complaints concerning an attachment. Upon
opening the attachment, a malware is downloaded and automatically
installed, it alerts you that all important files have been encrypted.
This malware is known as Crypto Locker Malware which cannot be
uninstalled without the private key. It is based upon the AES
encryption method. The hackers will then demand $300 to decrypt the
files and without the corresponding private key of the generated
public key from your computer through the downloaded malware, the
files remain encrypted. However, this key never leaves the control
server, putting it out of reach of everyone except the attacker. The
recommended solution is to clean hard drive and restore files from an
earlier backup.
ALERT!!!: Practise safe browsing and do not download email from
unknown and unverified sender.
One More Information on Security
At the ATMs, always shield your card as you slot it into the card
reader and always shield your PIN. Failure to do so can cause your
card being cloned and reused somewhere else, indirectly having more
than one unauthorised access to your card. Be security conscious!
• Umukoro is a cybersecurity researcher at University of Kent, UK

No comments:

Post a Comment