The Central Bank of Kenya (CBK) has warned banks and other financial institutions in Kenya of impending cyber attacks as cybercrime in the industry proliferates.
The CBK wants the lenders to enhance the degree of security in their IT infrastructure to curb the vice.
Reports indicate a rise in using ICT (Information and Communications Technology) among various financial institutions throughout the country.
As a result, the level of ICT-related fraud campaigns has increased by a great deal in the past few years.
It is for this reason that the regulator wants to streamline activities and protect lenders from cyber fraud.
The industry regulator has introduced several measures that banks in Kenya must comply with.
The rules were brought about by findings from the Banking Fraud Investigations Unit indicating security issues in mobile, computer and internet banking systems.
The other point noted is that criminals can gain unauthorized access to the systems used by the various financial institutions.
By uploading malware or spyware, they can access very crucial information that can be used to siphon funds from the banks.
The vice occurs not only in Kenya but across the globe, with attackers siphoning funds from individual accounts in bits.
And by the time the fraud is detected, quite a considerable quantity of funds will have been lost.
Apart from siphoning the funds in bits, the final phase includes withdrawing large amounts then disappearing—leaving no traces to indicate what has transpired.
The disappearance will involve clearing logs in the databases to ensure there are no leads.
And in the event that there are, the tracking process becomes very complicated and tiresome for investigators.
For this reason, the CBK categorically states that it is crucial for effective controls to be put in place when dealing with computer-based transactions.
The CBK advises lenders to review their cybersecurity measures frequently based on their risk exposure. Of course, banks that have ventured into more areas and are involved in more activities may be faced with relatively higher risks than their counterparts.
Now based on the risk analysis, appropriate measures will be put in place to ensure smooth transactions for the customers who use the various banks for different purposes.
Apart from being the regulator of the industry, the central bank serves other purposes.
The other activities include acting as a lender of last resort, implementing monetary policies, controlling inflation, and printing and distributing fiat currency, among others.
Under the new rules brought forward by the central bank, there most likely will be a need to hire more IT personnel to serve in various capacities within the banks.
Kenya has a medium ranking on the United Nations Development Programme’s Human Development Index.
Some areas in the country may lack the required staff and expertise within the population, which therefore results in imported labor from other nations.
What’s more, this is likely to come at a cost, as the needs of these personnel ought to be met adequately.
Since they are from other developed countries and have gained years of experience with the resources available to them in those nations, their paychecks may surpass those of their local counterparts serving in similar capacities.
Some stakeholders in the industry have termed the new requirements long overdue, as they were to be put in place perhaps years ago.
Also, the decision works to the benefit of the banks themselves.
Others noted the fact that banks have opened up online platforms that are meant to streamline activities and minimize long bank queues.
This, consequently, makes them a target for cyber attacks.
In an earlier instance last summer, the Central Bank of Kenya issued a notice to employees warning them of the same.
The notice stated that they should be extra vigilant, as criminals had infiltrated the institution’s system.
In the notice, the CBK stated that the hackers were not only targeting the bank itself, but also other vital government installations that cater to the needs of the financial sector.
The notice warned the employees to take the obvious measures to stay safe.
The practices included tips on how to evade phishing campaigns, adopting methods such as avoiding clicking on links carelessly from unknown parties, making sure the employees don’t download files casually, etc.
However, some of these hacks are conducted by insiders.
Mostly, those who are aware of the technical structure of an institution can manipulate systems to their advantage.
For example, employees who create databases and systems for banks can easily obtain crucial information from third parties that can facilitate theft of funds from within.
What’s more, they can remove logs, effectively erasing any traces that could implicate them in the end. In doing so, the hackers can then engage in similar fraud cases in multiple institutions.
The issuance of credit and debit cards by the various companies puts the cardholder at risk as well.
Third parties with ill intentions can use the information to the disadvantage of the cardholder.
Once a third party has obtained the card number, the expiration date and the card verification value (CVV), then they can siphon funds from the card based on their experience.
Now, most people in Kenya do not use their cards for online purposes but rather just casual withdrawals.
For this reason, some banks have indeed disabled the cards they issue for online transactions.
In such a scenario, the cardholder will have to liaise with the bank for it to be enabled. As a result, cards from such banks cannot be used for online fraud purposes.
Then there is the issue of enhancing security on cards: measures such as sending a code to the telephone number or email address of the cardholder will prevent third parties from using the card.
In other cases, those who can obtain the digital numbers on the magnetic strip of the card, along with the card number, CVV and the expiration date, can forge the card to have similar privileges.
Another way in which attacks can occur is through mobile apps created for smartphones.
However, other banks have gone through the process of comparing every single detail to ascertain that it is indeed the legitimate owner who can access the funds through digital platforms.
It is therefore up to the individual banks to determine what works best for them based on the platforms they use.
Further, case studies and research will assist them to stay safe and protect their customers at large.