Printer Friendly

Cybercrime - New cyber attacks threaten African banks.

Summary: African banks need to educate the next generation of security personnel to combat increasingly sophisticated cyber criminals.

Cybercriminals are increasingly targeting African banks and their customers, both with traditional cyber attacks and more sophisticated modern techniques, in an attempt to extort sensitive information and funds. From data loss, identity theft, malicious software to phishing, financial institutions have many areas to defend from resourceful hackers.

Attempts have been made to bolster cybersecurity across the continent, but as these criminals become more experienced, further work has to be done to contain this very real threat.

High-profile heists

South Africa's Postbank became a cybercrime victim in 2012, after hackers stole around $6.7m from the state-owned bank. Using stolen login details from a Postbank call centre agent and bank teller, thieves transferred funds into many different bank accounts and made major cash withdrawals from ATMs, after increasing withdrawal limits. At the time, this cybertheft raised a number of pertinent questions, such as how did this act occur over three days without alerting any Postbank officials?

The timing of this attack was also a cause for concern, as Postbank had spent almost $2m in 2009 upgrading its fraud detection systems. Even after this investment in cybersecurity, a senior IT and banking security expert told South Africa's Sunday Times that "The Postbank network and security systems are shocking and in desperate need of an overhaul. This [theft] was always going to be a very real possibility."

African banks face other less-direct impacts from failing to prepare their defences against hackers. Credit rating agency Standard & Poor's announced they will take into consideration cybersecurity when grading banks, with those failing this assessment potentially seeing a ratings cut.

Legislative support

Attempts have been made by a number of African countries to further criminalise cyber crimes through national legislation. South Africa's heavily criticised Cybercrimes and Cybersecurity Bill 2015 highlights the issues around achieving progress in this contentious area, with opponents of the Bill saying that it contains features that would limit freedom of expression, access to information and the right to privacy. "It will be important to ensure that any cybersecurity bill that is implemented supports the constitution and businesses that rely on creating content on the internet," said Harry Grobbelaar, Managing Director South Africa, MWR InfoSecurity. "Law enforcement should also be granted the appropriate level of authority to act when necessary -- something that is not necessarily that simple in our modern society."

Greater cooperation is needed between law enforcement agencies and banks if this insidious behaviour is to be limited and its perpetrators prosecuted. The South African Banking Risk Information Centre (SABRIC) is one such organisation that works to reduce bank-related crime through public-private partnerships. Formed by four major banks, SABRIC's approach could be used as a template for other African banks that want to create meaningful dialogue around cybersecurity issues.

At present, low levels of funding are hindering successful investigations and prosecutions of cybercriminals, but if inter-bank and police communication is more open and their experiences of cybercrime, both successful and unsuccessful, shared, then there is every chance that more high-profile attacks can be detected and stopped. Efforts by African governments to create cybercrime legislation should be made in collaboration with banks, to ensure that a comprehensive framework is established.

New threats

Cybercriminals are continually finding new ways to circumvent bank's security systems. The increasing appearance of cyber robberies with employee involvement is causing African banks major concern, especially as their staff become more mobile. Nigeria's Economic and Financial Crimes Commission (EFCC) revealed in January 2014 that they had seen evidence that allegedly showed insiders at several banks working directly with cybercrime suspects, with the EFCC cautioning five banks in Nigeria due to these security lapses.

Most banks are aware of the importance of securing both digital and physical property, but with the increasing number of cyber attacks that involve complicit bank personnel, increased training and checks should be given to bank staff at all levels. "The human assets are what I would consider to be the most important, as this is how real cyber attacks happen. Sometimes banks only look at physical assets," according to Sharon Knowles of Cape Town-based cyber security firm Da Vinci Forensics.

Smartphone users targeted

Hackers, from organised criminal operations to lone specialists, have seen the growth in smartphone adoption to be the perfect opportunity to steal from a whole new market. A not-insignificant proportion of new smartphone users are inexperienced when dealing with fake emails and texts purportedly from their bank. "People still click on phishing links and believe the emails regarding bank rewards. Malware is then installed on the phone and when the unsuspecting person clicks and enters their banking details, funds are taken," says Knowles. There are unfortunately few safeguards in place to prevent attacks through this platform in this way, mainly because it requires smartphone owners themselves to discern whether the communication is legitimate or not.

There may be many awareness programmes teaching Africans about internet safety, but even as the education around cyber attacks improves, so do the attempts by hackers to make their emails and websites look more authentic, to trick visitors into entering their information.

Although the vast majority of phishing messages are deleted within seconds, it only takes a very small number of recipients to open them to provide hackers with substantial income, due to the enormous amount transferred each year. In 2013 South Africa alone accounted for 5% of the total phishing attacks globally, highlighting the unique threat posed across the continent.

Whilst cyber security software and products have their place in defending against threats, highly trained staff are a vital component to any well rounded protection strategy. These employees can continually review cyber safety policies and quickly respond to any system breaches.

"In Africa there is a significant shortage of skilled security personnel, requiring the banks to make do with what is available, potentially to their disadvantage," adds Grobbelaar. By setting industry practices and funding graduate programmes focusing on cybersecurity, African banks are uniquely positioned to create the next generation of information security specialists.

South Africa's Postbank became a cybercrime victim in 2012, after hackers stole around $6.7m from the state-owned bank.


[c] Copyright IC Publications 2016 Provided by SyndiGate Media Inc. ( ).
COPYRIGHT 2016 SyndiGate Media Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2016 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Publication:African Banker
Geographic Code:6SOUT
Date:Mar 31, 2016
Previous Article:Stephen Olabisi Onasanya GMD/CEO, First Bank of Nigeria Limited.
Next Article:MasterCard - Will MasterCard get the credit for backing blended finance?

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters