There has been financial crime as long as there has been financial activity, so the banking sector faces a never-ending task in seeking to stay one step ahead of the criminals in preventing fraud.
The need for banking security in Africa is increasing in line with the growing proportion of the population that has access to banking services of any kind. The latest technology appears to have greatly reduced the incidence of credit card fraud but the boom in mobile and online banking is certain to provide more testing challenges for the continent’s banking security sector.
In an increasingly globalised world, Africa in general and South Africa in particular appear to be following global trends in financial fraud.
The latest developments in South Africa are not only important because it has the biggest economy and banking centre on the continent, but because financial criminal patterns in the country are soon replicated in the rest of Africa. In addition, more accurate and more detailed figures on fraud are available in South Africa than in many other countries on the continent.
The South African Banking Risk Information Centre (Sabric) is particularly important because it provides both detailed information on the nature of banking crime and advice on the best methods of tackling it, both for South Africa and for the wider continent.
Sabric and the banks it works with appear to be having some success as the value of credit card fraud in South Africa to the end of November stood at R263.8m ($38.7m), 36% lower than during the same period in 2009. Sabric chief executive, Kalyani Pillay commented: “The significant decrease in credit card fraud losses this year really presents good news for bank customers and the banks. Even more noteworthy is that the industry experienced this decrease despite the high volumes of financial activity in our sector during the country’s hosting of the FIFA 2010 World Cup.
“All signs are that the various industry measures to mitigate card fraud are beginning to bear desired results, and the banks, together with all our partners, will continue with efforts to ensure a safe banking environment for everyone.”
A particular area of concern is counterfeit card fraud, which most commonly takes place through skimming; when the data on the magnetic strip of customers’ cards is copied using handheld skimming devices and transferred to duplicate cards.
Pillay says: “Card skimming is one of the foremost card fraud challenges faced by the local banks currently because customer vulnerabilities are directly exploited by those that are responsible for card fraud.” It is traditionally carried out in retail outlets, when operators smuggle the cards briefly out of sight of customers.
Businesses that accept bank cards have an important role to play in tackling such fraud. The fraud control executive for Visa sub-Saharan Africa, Reshma Sookran, said: “We are telling the banks that up to 80% of fraud can be stopped at the merchant level. There is simply not enough education in the market.”
However, skimming devices are now often mounted on ATM machines by criminal gangs. Pillay says of South Africa: “Although the usage of ATM-mounted skimming devices is not yet prevalent in most parts of the country, this trend is definitely of concern and the banks are already deploying various inter-bank strategies to ensure that customers do not fall victim to it.”
The Central Bank of Nigeria is attempting to reduce ATM fraud by insisting that all cash machines must either be located in banks or operated by third party companies.
This appears to suggest that fraud was and is a particular problem at ATMs located off-site, in Nigeria at least. The new directive is obviously a great boost for independent ATM operators in Nigeria, such as Spark ATM Systems, and may help to increase confidence in the sector as a whole.
While banks continue to roll out more comprehensive ATM networks across the continent, customers in some countries are reluctant to use them because of numerous reports of fraud.
Despite the initial cost in terms of capital outlay, it can be worthwhile investing in ATM networks on the grounds of cost alone. More ATM machines means fewer in-branch customers and therefore fewer bank personnel, so it should be viable for banks to invest in ATM anti-fraud technology on economic grounds, as well as in order to protect their public image.
Banks and anti-fraud agencies across the continent all agree that customers are a vital link – perhaps the key link – in deterring and detecting banking fraud. As a result, Sabric issues guidelines for credit card users.
Chip and PIN
The industry finally seems to be getting on top of the fraudulent use of lost and stolen cards the value of which has fallen from R92.9m ($13.6m) to R37.2m ($5.5m) in South Africa over the past year.
The biggest factor in the rapid improvement here and elsewhere in Africa has been the introduction of chip and PIN technology, which requires credit and debit card holders to input a PIN (Personal Identification Number) when using their cards, which are also embedded with microchip technology. Other advances include the enhanced card system Prime 3, which is used by Barclays to provide real-time account access.
Pillay says: “The downward trend of card fraud types that require the physical presentation of the card, such as lost or stolen card fraud, and the apparent shift towards card fraud committed via the internet, mail orders and telephone, mirrors the global trends of countries that have migrated to chip and PIN technology.
“Our own roll out of chip and PIN is at a fairly advanced stage, and this explains the sudden change in tactics by the perpetrators of these crimes. As our forecast is that this trend will continue in the future, the current industry’s consideration and implementation of measures to prevent further losses are most welcome.”
The value of false-application and account-takeover fraud have also fallen dramatically in South Africa over the past year, by 91% and 71% respectively. Sabric believes that this is the result of improved internal security measures, including greater collaboration between the banks, the post office and courier companies contracted to deliver cards.
It is often argued that the introduction of anti-crime technology merely results in the adoption of new strategies by criminals. This is not always true, as the incidence of car crime almost always plummets when more sophisticated car alarms are installed, but it is often true in the banking sector.
If improved credit card technology reduces the ease of bank card fraud, then criminal networks will seek out new areas of opportunity.
Online banking accounts for a very small proportion of the overall banking sector in most African countries but is important in South Africa and a number of other key markets.
The Central Bank of Kenya, for instance, estimates that cyber criminals steal more than KSh100m ($1.2m) a month in Kenya alone and the scale of the problem is growing in most markets.
The most popular forms of online fraud are fake websites and key logging software. The former are websites that closely replicate genuine bank websites but which are controlled by criminal gangs, who use them to siphon off customers’ savings. The latter record keystrokes on a keyboard in order to gain user names, passwords and other data.
Customers can be more at risk from key logging software in internet cafés but can also be tricked into downloading the software at home. While banks constantly seek to upgrade their online anti-fraud systems and many police forces now have dedicated cyber crime units, customer vigilance is more important with online crime than with any other form of banking fraud. Advice on avoiding online banking fraud is given on p. 24.
A study by software company Avira in November concluded that 31% of customers in the US never used mobile or online banking because of the security risk, while a further 48.5% carried out some banking online but were concerned about the security risks. This demonstrates that banks still have a long way to go to convince customers and potential customers that online banking is relatively safe and secure.
This can partly be achieved through positive marketing campaigns and branding but improving security infrastructure and reducing fraud levels is also required.
An increasing proportion of African banks are employing external security specialists to improve their online security. At the end of November, Société Tunisienne de Banque awarded Vasco Data Security International of the US a contract to supply its Vacman Controller and Digipass 260 applications for its online operations.
The Digipass system generates one-time passwords for use by clients, while Vacman Controller is an authentication platform that combines one-time passwords, challenge response and e-signature on a single platform.
Mobile banking fraud is low
The biggest banking growth area at present is mobile banking. About 95% of mobile phone users on the continent have prepaid accounts and so can make payments by transferring airtime or even money between mobile phones.
A number of specialist banking services have been set up to make the most of mobile banking options, most notably M-Pesa in Kenya, which is owned by Safaricom and Vodafone. It has almost 10m customers, more than the entire conventional banking sector in Kenya combined.
Mobile banking is certainly a more secure method of transferring money than sending cash across long distances. However, in March last year, M-Pesa revealed that criminals had stolen about KSh21m ($0.3m) from users, although the company’s chief executive, Michael Joseph added: “Suspected or actual fraud stands at less than 0.006% of all recorded transactions, with a downward trend.”
Gangs are using fake text messages including codes to trick M-Pesa agents into giving them money. No further details on the nature of the fraud were provided, probably because of the fear of giving ideas to other criminals, but M-Pesa is working with the country’s regulatory authorities to tackle the crime.
The incidence of mobile and online banking fraud looks likely to rise as growing numbers of African customers make use of the new technology. Yet the breakthroughs that have been made in tackling bank card fraud suggest that solutions can be found and criminal operations deterred.
The battle against banking crime will never be won but it can be contained and constrained into a smaller space. The experiences of South Africa over the past couple of years suggest that greater cooperation between customers, banks and third parties is the key to success but this effort must be sustained and transferred to different platforms if levels of fraud are not to rebound.