BANKING SECURITY - Will NIGERIA get it right?
Michael Nwadike spoke to a number of bankers to find out how they are combating the fraudster and what else needs doing.
In Nigeria, as the IT-savvy youths join the jobless army, they are also turning to vulnerable banks to "earn huge income" by hacking into their databases and selling customers' information for handsome fees in the booming online black market. The online fraudsters who buy the data use it to defraud unsuspecting bank customers after sending mails asking for passwords or tokens.
Data obtained from the Central Bank for 2012 showed the bank received and processed 6,274 complaints via e-mail on various financial crimes, particularly advance fee fraud. There were 4,527 cases of fraud and forgery involving N14.8bn ($92.45m) and $1.6m respectively.
The Central Bank also received and investigated four complaints against the commercial banks, and the issues were promptly reported to law enforcement agencies such as the Economic and Financial Crimes Commission (EFCC) for investigation.
Taiwo Otiti, general manager, IBM Africa, said these developments have prompted Visa and other global payment companies to raise the sophistication level of technology deployed in Nigeria. "The standard for Visa in Nigeria is the strictest in the whole payment system worldwide. Visa stipulated a very, very high standard for Nigeria. That is why the V-Pay standard came to be. The V-pay was originally meant for Nigeria because of its enhanced sophistication, but it was later deployed in other countries," he said during an interview at the IBM headquarters in Lagos.
Tim Akano, chief executive officer, New Horizons Nigeria, an IT-security and business solutions company, says banks are still vulnerable to hacking, nearly two years after migrating to chip and pin technology. He said banks remain in a very delicate condition, with a high possibility of losing huge sums to fraudsters, especially through the collusion of insiders.
Akano said it is the duty of banks and global payment companies to ensure data security and protect card holders from fraud, while achieving electronic payments that are safe, simple and secure.
Central Bank Deputy Director, Banking Supervision, Ibedu Onyebuchi, says that Nigerian banks have to wake up to the realities of cyber fraud and boost their IT formations in a way that hackers will not be able to penetrate, and when they do, their acts will be easily tracked and checked.
Onyebuchi spoke at the launch of United Bank for Africa (UBA) 24-hour online real-time Security Operations Centre (SOC) & Forensic Lab in Lagos. The facility assists the lender to monitor online transactions in all its branches both locally and internationally to check fraudulent transactions.
He said, "We cannot continue to roll out e-channels without securing the channels. Transactions have moved from the banking halls to the e-channels, therefore we must control all aspects of these channels, both internally and externally."
Phillips Oduoza, Group Managing Director, UBA, said the centre provides all round security monitoring for all electronic banking transactions in all the lender's networks in Nigeria and sub-Saharan Africa.
Access Bank, Unity Bank and FirstBank of Nigeria, among others, have adopted the Payment Card Industry Data Security Standard certification (PCIDSS). Otiti said although the PCIDSS does not guarantee a Visa or MasterCard standard, adoption by the banks is a way forward in securing their end users' transactions.
"For card issuance standards, personalisation standards including how a bank delivers the Personal Identification Number (PIN) to customers; how the cards are manufactured and stored is very important. There are various standards which come to bear which a bank has to conform to, including how staff handling the cards can separate their duties," Otiti explained.
Chip-based or magstrip?
The magstrip [magnetic strip], he said, is slightly different from the chip-based, with both setting their own standards. "The beauty of the chip-based is that no password is ever transmitted. In the magstripe, passwords are transmitted, making it very vulnerable because it can easily be cloned. But if the chip-based is cloned, only one transaction would be transmitted. Here, in every transaction, the keys are regenerated based on set standards," he explained.
But in magstrip transactions, the PIN is bundled into a message format and passed to Interswitch, MasterCard or Visa, to the issuing bank for confirmation of payment or rejection of transaction.
He said the beauty of these processes is that it is nearly impossible to have human intervention. "If you look at the card issuance processes, a lot of people are adapting straight to processes, using lots of workload tools, which are taken to the card management system, and secure approvals. We try to take away a lot of human intervention. Otherwise, when there is collusion, that's where we see a lot of fraud."
Such frauds, he said, may arise due to bank staff not following procedures in the personalisation of cards.
Otiti however said that there are several cases where bank staff can acquire a card legitimately but use it in perpetrating fraud.
This can be done by moving funds internally, from one account to another, from where an attached card could be used to remove the transferred money.
"We have seen syndicates work with internal staff of banks to do that. The easiest way is to get a normal card, open an account and get someone internally to transfer funds into the account. The funds are withdrawn mainly through the ATMs," he explained.
He added, "There is a certain level of security in banking software but it is not everything. It is the responsibility of the bank to secure its software, ensuring that nobody brings strange objects that can monitor or infiltrate the systems or passwords."
Otiti explained that in other cases, online fraudsters could compromise a customer's account by sending them a mail asking them to generate a token, "and you would be unwise to oblige them. Remember, each time you generate a token, the system in the bank waits for further instruction that would come either from the fraudster, or from you," he said.
Central Bank's roles
Aware of these dangers, the Central Bank decided to set up a five-year Information Technology (IT) Standards training for banks.
John Ayoh, Central Bank Director, Information Technology, said the exercise would help banks identify and adopt global IT standards that address industry problems. He said banks are expected to implement the plan on a continuous basis and in accordance with set time-lines with compliance audits billed to begin at the end of first quarter.
Dipo Fatokun, Central Bank Director, Banking Payment & Systems, said the introduction of chip and pin payment cards has led to a drastic drop in ATM card fraud. He said the Central Bank and other relevant institutions have been able to reduce card frauds considerably by instituting the ATM Fraud Prevention Group and the Nigeria Electronic Fraud Forum (NeFF). The groups are to enable banks to collaboratively share data on fraud attempts and proactively tackle them to reduce losses.
According to Fatokun, the Central Bank instructed banks to set and implement mandatory daily limits for ATM cash withdrawal, while other related transactions, including POS and Web purchases, should be subjected to stringent limits as agreed and documented between the banks and customers.
He said it is the responsibility of the banks to ensure that a trigger is automatically initiated when limits are exceeded.
According to him, the use of second-level authentication for internet transactions was compulsory for all payment cards, stressing that it was the responsibility of the issuer to ensure that transactions emanating from its web merchants are properly scrutinised, and operations were permitted only after the second level verification.
Fatokun said all card issuing banks should deploy fraud monitoring tools that have the capability to monitor the normal spending trends of a card holder as well as automatically stop abnormal transactions that are perceived to be fraudulent.
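The three controls Fatokun describes (a daily ATM limit with an automatic trigger, second-level authentication for web transactions, and monitoring against a card holder's normal spending) can be sketched as one screening function. This is an added example, not code from the Central Bank or any bank named in the article; the limit, threshold, field names, cards and amounts are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed values: the article gives no figures for limits or thresholds.
DAILY_ATM_LIMIT = 150_000   # naira per card per day
SIGMAS = 3.0                # distance above normal spend treated as abnormal
MIN_HISTORY = 5             # past transactions needed to build a baseline

def _ceiling(past):
    """Highest amount still considered normal for this spending history."""
    mu = mean(past)
    spread = max(pstdev(past), 0.1 * mu)  # floor so flat histories still work
    return mu + SIGMAS * spread

def screen(transactions, history):
    """Return one (decision, reason) tuple per transaction, in input order."""
    atm_today = defaultdict(int)          # (card, day) -> naira already dispensed
    results = []
    for tx in transactions:
        card, amount, channel = tx["card"], tx["amount"], tx["channel"]
        key = (card, tx["day"])
        past = history.get(card, [])
        if channel == "ATM" and atm_today[key] + amount > DAILY_ATM_LIMIT:
            results.append(("BLOCK", "daily ATM limit exceeded"))
        elif channel == "WEB" and not tx.get("second_factor", False):
            results.append(("BLOCK", "no second-level authentication"))
        elif len(past) >= MIN_HISTORY and amount > _ceiling(past):
            results.append(("BLOCK", "abnormal for this card holder"))
        else:
            if channel == "ATM":
                atm_today[key] += amount  # only dispensed cash counts
            results.append(("ALLOW", "ok"))
    return results

# Constructed sample data (hypothetical cards and amounts).
HISTORY = {
    "card-A": [5000, 7000, 6000, 5500, 6500, 8000],
    "card-B": [40000, 60000, 50000, 45000, 55000],
}
SAMPLE = [
    {"card": "card-B", "day": "2014-02-17", "channel": "ATM", "amount": 60000},
    {"card": "card-B", "day": "2014-02-17", "channel": "ATM", "amount": 60000},
    {"card": "card-B", "day": "2014-02-17", "channel": "ATM", "amount": 60000},
    {"card": "card-A", "day": "2014-02-17", "channel": "WEB", "amount": 6000},
    {"card": "card-A", "day": "2014-02-17", "channel": "WEB", "amount": 6000,
     "second_factor": True},
    {"card": "card-A", "day": "2014-02-17", "channel": "POS", "amount": 90000},
    {"card": "card-B", "day": "2014-02-18", "channel": "ATM", "amount": 60000},
]

if __name__ == "__main__":
    for tx, (decision, reason) in zip(SAMPLE, screen(SAMPLE, HISTORY)):
        print(tx["card"], tx["channel"], tx["amount"], decision, reason)
```

POS and web limits agreed between bank and customer would slot in beside the ATM check as further per-channel totals.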
Sanusi Lamido Sanusi, Central Bank Governor, said a $50m biometric solution introduced by the bank will be operational before the end of the first quarter. The facility is expected to boost Nigeria's image internationally, deal with money laundering and fraud at all levels of the financial system.
Analysts said that despite the above challenges, the Central Bank and banks, through innovation, are addressing the current threats through upcoming technologies, improving employee awareness, increasing budgets and devoting more resources to innovating security solutions.
Copyright IC Publications 2014. Provided by Syndigate.info, an Albawaba.com company
Date: Feb 17, 2014