By Ogor Umukoro
The recent loss of money recorded by the Central Bank of Nigeria (CBN) has not only given researchers a case study but has shown that the acclaimed tools and techniques currently used by Nigerian banks are not sufficient, regardless of where the tool or technique came from. As technology grows with time, every organisation and nation must improve alongside it. It is not enough to engage with technology by purchasing gadgets; it is paramount to keep abreast of everything about it, in this case security.
The lack of awareness among users of the Nigerian e-Banking system creates a rift in eliminating the cause of this problem; although some experienced users protect themselves, their percentage is minimal compared to the incidents reported.
In a paper I published some months ago, I mentioned certain causes of hacking in Africa, most importantly the growing use of technology. Many banks around the world are targeted and many have lost money to e-Theft, but the drastic incident recovery measures they take give investors confidence in those banks. This is a major problem for the growing Nigerian economy: the protective measures have proven insufficient, not good enough or irrelevant. What is the CBN doing to ensure the security of customers?
During one of my research visits to Nigerian banks, I was astonished to hear “we have that in place” while the banks were undergoing attacks. Sadly, you cannot impose help on those who really need it but do not acknowledge that they do. If banks such as the World Bank and Bank of America can look for research students like me and let us use their organisations as case studies, why would Nigerian banks think they have it all? Truth be told, we are still a developing country and do not have it all. No nation or bank does, but it is important to know the loopholes and backdoors that attract these hackers.
Following quite recent news in one of the Nigerian online media outlets, it was interesting to read about a Nigerian hacker: a young Nigerian student who stole a couple of thousand from a bank account to purchase some petty items. What was most appalling, however, was learning that he had been arrested. True, he is a thief, but Microsoft, for instance, regards such thieves as assets. They get these people to break into their systems, do not report them to the authorities, and in the end give them a stipend and a small treat to say “thank you for showing us how you do it; we will now block you all from further entry and theft”. Where is our sense of quick thinking? It is not always about putting people behind bars but about what to do to stop further problems of this nature.
What to look out for as a Bank customer
It is strange how some e-Banking users have no clue about phishing attacks. Phishing attacks have gone haywire and are more advanced than before. Do you know that phishing attacks now link you to a URL that is almost identical to your bank’s URL? The difference is obvious only to those who take a critical look at it and to more advanced users who know about certificates. Some browsers have certificate validation techniques and can alert you if the website certificate is invalid or expired. Some users do not understand the importance of seeing the padlock sign on a secure website, whether a bank or an e-Commerce website.
It is also important to have a basic idea of computing. There are three types of computer attacks that work similarly: Man-in-the-Browser, Man-in-the-Computer and Man-in-the-Middle. No computer is safe, and banks need to highlight that to users who have signed up for any form of e-Finance. There may be malware on your computer (malware is a running programme on your computer, controlled by a spy somewhere who monitors everything you do) that collects or modifies any information that passes through your computer. When you think you are safe with your bank and token (TAN generator), there may be someone somewhere spying on your login, watching the bank and the algorithm used for the banking token and compiling the information, which can take up to a year or two before you become a victim of electronic fraud. Anti-virus is essential but more is needed.
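As an added illustration of the point above (example code, not part of the original article): a small Python check that accepts a link as the bank only when the scheme is https and the hostname exactly matches an allowlisted host, and otherwise reports which lookalike trick the address uses. The bank domain `bank.example` and the sample links are constructed placeholders, not a real bank's hosts.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a placeholder bank domain (not a real bank's hosts).
LEGIT_HOSTS = {"bank.example", "www.bank.example", "online.bank.example"}
BRAND = "bank"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_bank_link(url: str) -> tuple:
    """Classify a link that claims to lead to the bank.

    Returns ("ok", why) only for https plus an exact allowlisted hostname;
    anything that merely resembles the bank's address is ("suspicious", why).
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname in link"
    if parts.username is not None:
        # "https://bank.example@evil.test/" shows the bank before '@' but connects to evil.test
        return "suspicious", f"user info before '@' hides the real host {host}"
    if host in LEGIT_HOSTS:
        if parts.scheme != "https":
            return "suspicious", "real host but plain http, no padlock"
        return "ok", f"exact match on {host}"
    for legit in LEGIT_HOSTS:
        if host.startswith(legit + "."):
            # "bank.example.secure-login.test": the real name is only a subdomain label
            return "suspicious", f"{legit} used as subdomain of another domain"
        if edit_distance(host, legit) <= 2:
            return "suspicious", f"typo-squat of {legit}"
    if BRAND in host:
        return "suspicious", f"brand name embedded in unrelated host {host}"
    return "suspicious", f"unrelated host {host}"

def triage(urls):
    """Run the check over a batch of links, returning {url: (verdict, reason)}."""
    return {u: check_bank_link(u) for u in urls}
```

The check deliberately never "guesses" that a near-match is fine: a browser padlock only proves a certificate for the host actually connected to, so the hostname must be the bank's, character for character.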
Do not bank on your mobile phone
At present it is advisable not to carry out electronic transactions of any form on a mobile phone. Researchers are still working on more protective means of m-banking and have yet to fully solve the problem of e-banking on your computer. What customers do not know is that the mobile phone carries more spyware than your computer. It is highly susceptible to malware, and many mobile phone platforms are under attack. The biggest insecure platform is Android. Before you carry out any sensitive transaction on your mobile phone, think again; you may be a victim of e-Fraud if you are not careful. It doesn’t matter if you’ve got an anti-virus on your phone or you use the banking application given by your bank; malware respects nothing once it gets into your phone but breaks through everything, and remember there is always someone behind the scenes watching what you do on your phone.
What the Banks Do Not Know
Electronic tokens and other forms of protection on your network, like your VPN, your secure transaction channel or a TAN generator from third parties, have been developed by the very people you fight against. This is a huge reason why the banks in Nigeria will remain under the control of hackers. Yes, yes, it has been developed in India, China, the States etc.; the point is, so long as it is not in-house (the software behind the token), it will be under constant attack. This is not to say in-house cyber security tools are not attacked, but the percentage is minimal compared to third-party tools.
Time for the Right Investment by CBN
There are quite a number of Nigerian research students in the Diaspora working in areas of cyber security, network security and e-Banking around the world. It is time to get in touch with students in the US, Canada and the UK who have strong research proposals and are willing to take on the case of Nigerian e-Banking security. It will interest you to know that some Professors in this field who are not Nigerians are willing to take their students on this challenging research to develop a solution for Nigerian banks. It will cost less than a quarter of what is lost every year to sponsor research students in this area for the cause of Nigeria. Use the banks as case studies, permit them to break through the system and give their advice and assistance, keep up to date with recent issues in electronic banking, and let them organise awareness programmes for bank employees, stakeholders and users. The results can be monitored within a year and KPIs drawn up to ensure there is value for money. This should be an open invitation to current research students in these countries, not for training of current employees but for enthusiasts. Only enthusiastic researchers can get the required result.
Some News for you from the UK
I opened one of my email accounts to find an email from NatWest (a retail bank in the UK found on most high streets; they are quite popular in the UK and can be ranked as one of the top banks, especially for mortgages). Below is a snapshot of the message and the URL redirect.
All they require is your card details and password or PIN, that’s it! They become second users of your bank account and can carry out banking transactions even though the banking token is required; they most likely have the algorithm or, worse, the TAN list for the old TAN method.
Recent News from Crime Watch, FBI
On the 28th of October this year, the FBI published news based on research in cyber security. It was quite interesting to read about the recent malware being spread via email. The target receives an email with alleged customer complaints concerning an attachment. Upon opening the attachment, malware is downloaded and automatically installed, and it alerts you that all important files have been encrypted. This malware is known as the CryptoLocker malware, which cannot be uninstalled without the private key. It is based upon the AES encryption method. The hackers then demand $300 to decrypt the files, and without the private key corresponding to the public key generated on your computer by the downloaded malware, the files remain encrypted. However, this key never leaves the control server, putting it out of reach of everyone except the attacker. The recommended solution is to clean the hard drive and restore files from an earlier backup.
ALERT!!!: Practise safe browsing and do not download email attachments from unknown and unverified senders.
One More Note on Security
At the ATM, always shield your card as you slot it into the card reader, and always shield your PIN. Failure to do so can result in your card being cloned and reused somewhere else, giving someone else unauthorised access to your card. Be security conscious!
• Umukoro is a cybersecurity researcher at the University of Kent, UK
Article originally appeared on Thisday