Scenes of hooded gunmen raiding banks or grabbing cash from counters or vaults are no longer commonplace as they used to be as criminals become smarter. With the press of a button, your cash could be gone in a second.
Today bank robbers are largely employees or former employees who know how the system works and in most cases collude with outsiders – making the work of the Banking Fraud Investigations Unit (BFIU) tedious.
The thieves only need to be armed with a few personal details to gain access to billions of bank coffers with a few strokes of their laptop keys while sipping coffee or whiling away the time in some dingy prison cell.
Picture this: on a routine morning on April 5, 2013, Nelson Kipkemei, a senior bank manager with Diamond Trust Bank, was conducting staff training for some of the lender’s tellers on using the Western Union Money Transfer Service.
Then at around 10am, he was informed of a problem with his digital certificate - the online ‘passport’ that allows users exchange information securely - and left his computer for two hours as a technician resolved the issue.
The following Monday, Mr Kipkemei was summoned by senior management.
Over that weekend, more than Sh7.2 million had been syphoned from the bank’s Western Union Money Transfer system through two computer terminals - one of them his.
The funds were stolen through 21 transactions and the money channelled to Russia.
His password and user identification had been used to access the system. CCTV footage further showed him and the technician at his terminal at the time when the Western Union System was accessed using his credentials.
This is just one of the numerous cases that have seen commercial banks lose billions of shillings through cyber-attacks. As more consumers turn to the Internet and mobile devices to access banking services, lenders have ramped up their digital investment.
Last year, Kenyan banks are estimated to have lost more than Sh21 billion to cybercriminals.
The figure is believed to be much higher since many cases are not reported for fear of reputational damage.
Earlier this year, National Bank of Kenya was hit by a cyber-attack that claimed Sh28 million through mobile applications although the firm later reported that customers’ funds had not been affected.
According to the Central Bank of Kenya (CBK), local banks continue with the pattern of high investment and development in key ICT infrastructure acquired in recent years.
“Banks are reviewing their business and digitising some processes that were traditionally manual such as personal loan application and disbursements and know-your-customer documentation,” explained CBK in part.
“These digital innovations have enabled banks to reach out to more customers and offer them services more efficiently.”
Effects of this shift on the traditional business model are already being felt, with employees being the biggest losers.
Kenyan banks last year collectively cut support staff by 27 per cent while the number of clerical and secretarial staff fell by 11 per cent.
Efficiency has also been enhanced, with one employee today serving more than 1,544 customers up from 1,222 in 2016.
As a result, lenders have been able to improve the pay of their staff with salaries and wages as a ratio of income, increasing to 18.6 per cent last year, up from 16.9 per cent the previous year.
However, despite this improved efficiency in business operations, technology is yet to help lenders overcome the challenge of insider fraud.
External attacks from hackers are reducing due to improved features or firewalls and encryption systems used by many corporate organisations.
Some of the more sophisticated firewall applications today use components of artificial intelligence to predict and counter external threats.
This has greatly reduced cases of external hacks that were prevalent in the past.
Technology has, however, made it easier for bank employees in collusion with outsiders to carry out a mix of both traditional and high-tech fraud.
The Directorate of Criminal Investigations (DCI) last week asked banks’ financial technologies and Saccos to step up background checks on employees as it emerged majority of cyber fraud investigations point to insiders.
The DCI, boss George Kinoti, revealed that four employees of Kenya Commercial Bank embezzled Sh72.6 million in small transactions in payments to fake companies.
The four used 37 fake companies that would generate demand for payment that they would then settle through card transactions.
The money would then be channelled to several other bank accounts, withdrawn and shared among the four.
The cases have also seen customers’ funds targeted, with one case involving Peter Sungu, a branch manager with Diamond Trust Bank who has been charged with stealing Sh25 million from customers’ fixed accounts.
In yet another case, a relationship officer with Family Bank Abel Onyango withdrew Sh1.5 million from customers’ accounts through swapping their SIM cards without their knowledge.
Experts now warn that banks and their customers will continue losing money through cybercrime unless they make sweeping changes in their approach to cybersecurity.
“Cybersecurity used to be about protection; being able to identify anomalies and how to respond to them,” explained Dr Bright Gomeli, head of cybersecurity at Internet Solutions.
“This is, however, a more active approach whereas the industry today demands companies to be more proactive. This means identifying anomalies even before they occur, monitoring existing vulnerabilities and using this planning to make recovery faster.”
The latest cybersecurity report released earlier this year by consultancy Serianu indicates although 85 per cent of respondents have felt the impact of cybercrime either through system downtimes or loss of funds, almost half lack policies to govern the use of cloud services.
The report also found that criminals are exploiting loopholes created by company system administrators who have access to crucial systems but are unmonitored.
“These accounts are found in every networked device, database, application, server and social media account and as such are a lucrative target for attackers,” said Serianu in the study.
“More often, privileged accounts go unmonitored and unreported and therefore unsecured. We anticipate that in 2018, abuse of privileged accounts will worsen.”
CBK last year released new guidelines for banks meant to promote a coordinated approach and standards for the industry to combat cybersecurity. The 14-page guidance note makes several recommendations that, if adopted, could see the prevalence of cybercrimes in the banking sector reduce considerably. The guidelines have, however, exposed other systemic weaknesses within the sector that might slow down the development of an industry-wide standard against cybersecurity.
“The CBK guidelines recommend companies hire chief information security officers (CISOs) as part of their C-suite,” explained Gameli. “The problem is that few people understand the roles and designation of a CISO.”
This is both a result of companies being oblivious of their information security needs as well as the learning curriculum in universities and colleges falling behind industry demands.
“Companies need to clearly define in their organogram where the CISO fits and who they report to,” explained Gameli. This is important because decisions entailing cybersecurity should ideally be made at the board level alongside other strategic decisions that affect the whole company.
Having the CISO at the board level also ensures that resources meant for fighting cybercrime are used prudently and with optimum results.
“Many times, companies over-spend on cybersecurity resources without getting the value they expected and you find someone procuring a data loss prevention solution for Sh10 million, for example, when you can spend Sh3 million) on another solution that does the exact same thing or even better,” explained Gameli. Competition to automate and digitise services is also making banks rush to adopt solutions and imitate each other, exposing them to vulnerabilities.
“Applications that used to take 10 months to create today take six months because once one bank sees their competitor implement a solution they rush to copy paste,” he said.
This is often done without proper vulnerability assessments or quality assurance tests, leaving loopholes for cybercriminals to exploit.
The hackers are believed to prefer cash transfers. This happens when the hacker masquerading as a customer instructs the bank to wire funds from his account to another bank by filling Real Time Gross Settlement forms.