Wherever there is money, there is also a thief lurking about. In the old days, armed gangs targeted banks while the smaller fry limited themselves to burglary and pickpocketing. Now, in the digital age, organised cyber criminals are helping themselves to vast fortunes. Richard Seymour analyses the current level of bank security in Africa and the efforts that are being made to beat the crook.
The issue of a bank’s security was once relatively straightforward. If someone wanted to steal money from a bank they had to turn up in person and do it. Vaults with thick doors, alarm systems and armed guards made this difficult and dangerous.
Today, a bank’s security depends on so many factors, many of them not under its direct control, but all of which serve to strengthen or undermine the trust their customers, along with their money, invest in them. Modern technology has made it easier for us to access money and move it around the world instantly. By means of mobile phones, farmers in areas barely connected by roads can complete transactions with customers hundreds of miles away. But just as this has afforded opportunities for business to flourish in places it could not have done before, it has given organised crime many more ways to furnish itself with ill-gotten gains.
Only the trade in illegal drugs is larger in scale than financial fraud. So not only do law enforcement agencies have the problem of staying ahead in a technological arms race with criminal organisations, the global nature of the problem makes it that much more difficult to come to grips with. Those wishing to combat this type of crime, which is estimated to generate more revenue than illegal drugs, need to realise they are not dealing with small-time crooks sending out bogus emails but highly organised networks.
Criminal gangs recruit talent, have development budgets, systems of distribution and even customer care in terms of support and training. A monthly subscription or a one-off fee will even buy you an analytics service which, accessed via an online dashboard, allows the fraudster to track how much money is being generated, provides tools to control infected devices, information on which browsers are most susceptible and who is using them, or which mobile phone platforms are giving the greatest returns. All very valuable information which itself can be on-sold.
Fraud as service!
This ‘Fraud as a Service’ is proving very difficult to stop. Fraudsters tend to be based in Eastern Europe where the laws on such issues are too out of date to be effective. Instead, the end users are sought by law enforcers, but they are then faced with the problem of tracking them to foreign countries whose governments may not be particularly willing or even able to help.
Mobile banking is proving to be extremely popular in Africa, especially in rural areas. It is also a relatively weaker link in defending against fraud. Phishing is where an apparently legitimate email or text message purporting to be from a trusted organisation asks you to input personal details, download a file or else just click on a link. The smaller screen sizes on a mobile make scrutinising addresses more difficult. And the fact that phones tend to be left on and receive messages instantly means that they are vulnerable to being ‘spammed’ in the first few hours of a scam before they are successfully blocked.
Even mobile devices such as in-car satellite navigation systems, which carry important personal information about us, can be hacked, which is something that very few people have even considered. When it comes to dealing with this threat to their business, banks and other financial institutions are finding themselves fighting multiple fires that keep burning out and igniting elsewhere.
Their own defences against fraud can only go so far. If members of the public are naively surrendering their personal details to criminals or else having them stolen because they have not taken sufficient measures to protect them, then criminals can negotiate security protocols just as easily as a bona fide customer.
Eternal vigilance the watchword
Plans suggested to bolster financial fraud security are manifold and can only be as strong as each individual element. Members of the public, banks, credit card companies and the government each have a key role to play.
The general public can take simple, common sense measures to secure their personal details. These range from destroying bank statements before disposing of them to keeping web browsers up to date.
The banks themselves must conduct rigorous risk assessment studies by a dedicated fraud risk assessment team. This is a daunting task but one that is essential, for not only does vulnerability to fraud lose a business money, it damages the trust its customers must have in its ability to protect them, which may be far more costly in the long term.
A physical inspection of the site will be necessary, according to advice meted out by PricewaterhouseCoopers, and so too would be a thorough examination of the computer systems in use. Scrutiny of existing policies will also be completed, plus awareness raising among the staff.
This last link in the chain should not be underestimated. There have been many cases of staff members either planted or coerced by criminal gangs to pass on sensitive customer information.
In January, Postbank, which is state-owned and part of the South African post office, fell prey to cyber fraud that saw criminals get away with $6.7m. The gang accessed a bank employee’s computer and used it to transfer money, using stolen login details, from customer accounts into their own. The employee, among other gang members, was later charged by police and sentenced to a long prison term. This came after the bank had spent $2m on fraud detection systems. The Postbank cyber attack was relatively amateurish and the perpetrators were caught. Approximately $8bn is lost to credit card fraud annually. The introduction of chip and pin security is helping turn the tide, but fraudsters are becoming more adept at finding ever more innovative ways to make cardholders simply hand their pin numbers over.
Chip and pin is still recognised, however, as an effective means of combating fraud and African banks are in the process of rolling it out to their customers. Among the latest to do so is Ecobank Rwanda who, in line with the Ecobank Group’s policy across the 33 countries it operates in, is offering the technology to its customers so they may carry out financial transactions more securely.
Ecobank Zambia’s managing director, Charity Lumpa, while extolling the technology’s virtues, was keen to remind customers that they must be vigilant when using the new cards. In the hi-tech fight against fraud, looking over one’s shoulder is still a powerful counter measure.
Barclay’s Bank earlier this year launched internet banking services in Africa. Among the offerings to its customers is an SMS service which alerts customers whenever their account is accessed. The bank, just like any other, is walking the fine line between making banking more accessible and convenient for its customers while at the same time making it more difficult for criminals to take what is not theirs.
Measures, such as restricting the amount of money available per day from an ATM, is a blow to the criminals, but also inconvenient to law-abiding customers.
Governments need to step up
Another important pillar in the fight against bank fraud is government. Sadly, many governments in Africa have been slow to recognise the danger and act. The situation across the continent inevitably varies. At one end of the scale we have Zambia. New laws in that country mean that hackers face up to 25 years in jail. This is a step in the right direction, but there is as yet no technology or organisation in place to detect cyber crime when it happens.
Nigeria has paid a price for its inertia. For years, the Nigerian government failed to pass laws to prevent cybercrime. Driven by the Central Bank of Nigeria (CBN), the West African country is moving towards an electronic, cashless economy. This is all well and good, but its sheer lack of oversight has, analysts have warned, alerted the world’s cyber criminals to the opportunities that lay in wait. Many of the worst attacks against a bank’s security remain unpunishable by law in Nigeria.
Stealing a march on Nigeria is Uganda, which, two years ago, passed a series of laws which helped to secure that country’s economy against cybercrime. The Electronic Transactions Act, Electronic Signatures Act and Computer Misuse Act are designed to protect Ugandan consumers who are conducting more and more business online.
Laws without the ability to detect crimes are toothless but in this regard too Uganda has made serious efforts to stay ahead of the criminals. A new Computer Emergency Response Team (CERT) has been established to monitor online transactions for suspicious patterns of behaviour. To this end, the team have acquired the latest technology and know-how. Key to pursuing and prosecuting cyber criminals is a move by the East African Community (EAC) of Kenya, Uganda, Burundi, Tanzania and Rwanda to coordinate their cybercrime laws and make it possible to prosecute offenders anywhere in the EAC. Since many computer users do not keep their systems up to date, security may be found in a culture change in how we use them.
Cloud computing is being looked to as a more secure way of conducting our digital lives. In the past, our programmes, files and data lived on our computer hard drives and few of us protected them well. Today, however, our hard drives are becoming increasingly redundant as the programmes we use, our files and photos, our private documents and personal data are stored online using cloud computing services like Google Drive, Microsoft’s Skydrive and storage solution Dropbox. The level of security employed by such services are considerable and computer viruses should not, in theory, be an issue. Organised criminals have turned their attention to such services but they will have to work a lot harder to gain access to our data.
Old-fashioned bank thefts
Old-fashioned bank robberies are still common, however, across the continent, although in some countries their dynamics are changing. Reliable figures are not often easy to come by as banks, understandably, prefer to underplay losses and their vulnerability to attacks. However, the most recent government statistics in South Africa show a decrease in armed bank robberies of nearly 60% in the financial year ending in 2011 over the previous 12 months.
There has, though, been a dramatic increase in the numbers of ATM bombings. These attacks, and armed robberies, where they still occur, are committed by highly organised and ruthless gangs. Moreover, they are well equipped with military-grade weapons and explosives, which suggests the involvement of existing or former members of the armed forces or the mining industry.
So it seems that measures taken to protect banks have pushed robbers toward the softer targets of ATMs. Geography is also playing a part as successful efforts by police forces in one area force criminals to migrate to others.
This at least shows that law enforcement methods in South Africa are proving effective. Among these measures are laws allowing, for the first time, photos of suspects to be published, which police say have led directly to arrests. But since 2007, a dedicated Crime Line, which empowers members of the public to anonymously tip off police, has seen 3,000 arrests, among them bank robbers. And billions of rand have been spent on recruiting police officers, magistrates and judges. Since banks instruct their employees to not resist robberies, for the sake of their and their customers’ safety, armed robbers tend to be more concerned with their ability to get away quickly. Therefore, bank branches that are located on congested streets or have restricted access by car are safer than those near motorways, for instance. Indeed, anything that slows down a robber’s getaway and gives more time for the police to respond, will make a difference.
The situation elsewhere is grimmer, however. Whereas banks in other parts of the world face closure because of the global financial crisis, banks in Nigeria did close down, sometimes for weeks on end, because of the spiralling incidence of robberies. In 2011, 30 bank employees and members of the public were murdered in the course of bank raids.
Underinvestment and reports of hapless policing mean that bank robbers have little to fear and appear to be able to come and go as they please.
Securing money is an age-old problem and technology can aid the fight against old-fashioned or modern methods of trying to steal it. The latest technology is a brave new world of opportunity for governments, business and the public, but also for criminals who now need to be viewed by a business as a competitor.