Insider threats - Privileged users corrupt systems for various reasons, among them to defraud the company by stealing crucial data, to take revenge on those perceived as enemies and to blackmail others.
VoIP PBX fraud - The popularity of Internet telephony has led many private box exchange (PBX) systems to have Internet connectivity, unlike before. As a result, PBX fraud has been on the rise, with hackers gaining access and making free calls, and the real owners of the equipment receiving the bills.
Social media - Social media has been misused as a platform where individuals post defamatory statements, spread hate speech, cyber-bully others and post obscene images.
Online and mobile banking - The popularity of online and mobile banking has seen some financial institutions introducing vulnerable web and mobile applications. Some financial institutions have inadequate online security for their web applications and lack strong encryption, making them susceptible to phishing.
Mobile fraud - The popularity of mobile money in East Africa has made it attractive to criminals. Fraudsters are getting innovative every day, identifying loopholes in software used by mobile network operators to defraud users of their hard-earned money.
Cyber espionage - Cyber espionage involves the stealing of secrets stored in digital formats or on computers and IT networks. Cyber criminals, sponsored either by states or by individuals, are using sophisticated gadgets to gain access to networks and steal information.
In 2012, British hacker Gary McKinnon won a 10-year legal battle against his extradition to the United States to face charges of causing damage worth $800,000 to military computers.
Though Mr McKinnon was released on humanitarian grounds after medical reports revealed he was likely to kill himself if extradited, he did admit guilt. If convicted of the crime, Mr McKinnon would have faced 60 years in prison.
Information and communications technology experts are now warning that Kenya and other East African countries are threatened with cyber crimes as the use of the Internet becomes part and parcel of the growing middle class. Worse, the threat will be both national and international.
As a result, the ICT experts are asking East African countries to take cyber crime seriously and invest time and money in formulating laws, acquiring modern security equipment and training more personnel to effectively tackle cyber security. A new report on cyber security conducted by IT company Serianu exposes the major threats the region faces as the number of East Africans with access to the Internet continues to grow.
Though the report focused on Kenya, security experts involved in the survey say the same challenges apply to other East African countries.
“From the data we have gathered in the region, cyber crime is highest in Kenya, given the size of its economy and technological advancement. However, other East African countries like Tanzania and Uganda are also recording increase in cyber crime. The increased threat is partly due to the number of devices used and the number of people accessing the Internet,” said William Makatiani, the managing director of Serianu Ltd.
Though seen as a developed world’s problem, cyber crime is fast becoming a major problem in East Africa, costing economies millions of dollars in revenue loss, even threatening national cohesion of some countries.
Sample this: Kenya’s Cabinet Secretary for Information Fred Matiang’i estimates that the country lost nearly Ksh2 billion ($22.56 million) to cyber crime, with close to 1,000 Kenyans falling victim to Internet fraud on a daily basis. Uganda’s 2012-2013 annual Police Crime and Traffic Report says the country recorded a 149 per cent increase in economic crimes, with mobile money and automated teller machine (ATM) fraud blamed for the loss of about Ush1.5 billion ($575,373 million). Tanzania lost about Tsh1.3 billion ($782,419) last year, according to statistics from the Bank of Tanzania.
Social media threat
At the national level, the report cites the misuse of social media as one of the biggest threats in the region, with the potential to compromise both social cohesion and regional security. Social media, for example, has been blamed for fuelling tribal and religious animosity in parts of East Africa.
The National Steering Committee on Media Monitoring in Kenya has on numerous occasions called for tougher penalties against bloggers found guilty of posting hate messages on the Internet. The committee accuses some bloggers of trying to divide the country along tribal and religious lines.
Terrorist groups like Al Qaeda and Al Shabaab are also using YouTube, Facebook and Twitter to spread terror and war propaganda against East African countries that have contributed soldiers to the African Union Mission in Somalia (Amisom). The militants have also used the Internet not only to recruit young men to fight their battles but also claim responsibility for terror attacks on innocent civilians in the region.
“We have seen an increase in the posting of defamatory statements, hate speech, cyber bullying and obscene images on social media. This will continue being a major problem going forward,” said Mr Makatiani.
Using cell phones
Apart from the social media problem, the region will record more cases of mobile money fraud, as more and more people conduct transactions using cell phones, the study said. “The continued popularity of mobile money in the region has attracted criminals who are now targeting this new money transfer channel,” said the Kenya Cyber Security Report, 2014.
The study noted that increased mobile money fraud is not restricted to Kenya only but extends to other East African countries. “Fraudsters are working hard to find loopholes in new controls implemented by merchants, banks and consumers using mobile money technology,” said Mr Makatiani.
Online and mobile banking syndicates have also become rampant, thanks to many financial institutions in the region introducing vulnerable web and mobile applications. In Kenya, for example, out of the 33 online banking portals sampled, only two had adequate security deployed on their web applications.
“The majority of the web applications reviewed lack strong encryption and are susceptible to phishing attacks,” says the Cyber Security Report.
Phishing is used by fraudsters to acquire sensitive client information, mainly usernames, passwords and credit card details. To win their victim’s trust, the fraudsters masquerade as a trustworthy entity in electronic communication. The information acquired is then used to access the victim’s financial account.
Tyrus Muya, head of information security and risk at Cellulant Group Kenya, said an increase in financial fraud was recorded in 2013, affecting a majority of banks in the region. The common methods used, Mr Muya said, were ATM skimming, mobile banking fraud, credit card theft and insider collusion.
“All these contributed to high financial loss while at the same time getting attention from industry regulators that more needs to be done,” he added.
Government institutions have also not been spared. Criminals have managed to hack government websites and Twitter accounts at will. In Kenya, for example, those that have fallen prey to hacking include the Ministry of Transport, the Central Bank, Kenya Police and the Kenya Defence Forces.
Another cyber crime the region needs to take cognisance of is VoIP (voice over internet protocol) PBX (private box exchange) fraud. The increasing popularity of Internet telephony services has led to the majority of PBXs used in the region having Internet connectivity, unlike in the past. As a result, hackers continue to target organisations using the technology.
“This type of fraud has been around globally for the past 10 to 20 years. However, over the past few years, there appears to be a concerted focus on attacking businesses within Kenya,” says the report.
PBX hacking involves a third party making international calls at the expense of a business entity. This is made possible after hackers gain unauthorised access to an organisation’s PBX phone system.
“Companies have been left with huge telephone bills, since the hackers make numerous international calls to different parts of the world,” said Janson Kimeu, an IT expert. Mr Kimeu said many big companies in Kenya have fallen victim to VoIP PBX fraud, forcing them to incur costs they never budgeted for. The syndicates, he said, operate both locally and internationally.
Insider threats
The threats mentioned aside, the report cites insider cyber crime as the biggest challenge facing companies and organisations at the local level. Many companies continue to incur heavy losses due to insider fraud conducted by employees who are well aware of the operations of the organisation.
“In 2013, insider threats had a high incidence of deliberate malicious activity by current employees. Privileged users probed systems for unauthorised access, co-opted other users’ access privileges, and attacked systems for a variety of reasons including revenge, competitive advantage and blackmail,” says the report.
Kenya’s Banking Fraud Investigations Department reported that $17.52 million was stolen from customers’ accounts between April 2012 and April 2013 through schemes hatched by employees. The report warns that insider threat will continue being a major setback as models used by businesses continue to evolve as a result of increased mobility among workers, a growing mix of users with different aspirations, and geographically diverse business offices.
What are governments in the region doing to arrest the problem?
According to Joseph Mathenge, a senior manager, information and security at Equity Bank, steps are already being taken to counter cyber criminals, with governments in East Africa establishing special units to fight the crime.
Mr Mathenge said that Tanzania, for example, has formed a task force comprising members from Bank of Tanzania, Tanzania Communication Regulatory Authority, Financial Intelligence Unit, Tanzania Bankers Association and the Police Force’s Cyber Crime Unit. The team is working on strategies to effectively fight cyber crime.
Kenya, he said, is crafting tough cyber laws. “The draft Cyber Crime and Computer Related Offences Bill 2014 will address offences against confidentiality, integrity and availability of computer data and systems. It also seeks to curb cyber stalking, hate speech and identity-related crimes,” Mr Mathenge added.
Technology budgets
He said companies are also increasing their technology budgets, buying more security tools to help strengthen cyber security. “These tools range from the traditional firewall and antivirus solutions to advanced end point protection,” Mr Mathenge said.
All told, the region needs to prepare well to ensure individuals with ideas like those of McKinnon do not access its IT systems. Paula Kigen, a research associate director, Centre for Informatics Research and Innovation (Ciri), warned that the region is likely to see more information security threats, which will result in heavy losses not only to organisations but also to national economies.
“There is a growing population of tech-savvy youth who are not gainfully employed and are seeking to make a quick buck, live lavishly and drive the latest cars. As they discover the vulnerabilities in our information systems and see ways of making money, we are likely to see more information security threats and bigger losses for organisations and the economy,” said Ms Kigen.