An online banking fraud refers to any illicit activity completed on a financial institution’s web application or mobile apps for money management, bank transfers, instant payments, and money lending.
Speaking with Daily Trust, an ICT expert, Chief Martin Nwoga, said fraudsters target weak gaps in technology deploy by banks and other financial institutions and they (fraudsters) exploit such gaps.
Another expert, Engr Muizz Oyewole said the breach of security in banking system comes in many forms. Some, he said, are due to vulnerabilities in the banking system security architecture from application to network, banking staff, third party integrations and so on. Many others, he added, are due to negligence or carelessness by the bank customers.
Other experts said online banking frauds are now multidimensional and they are today perpetrated via malware, social engineering, and fast cash-out techniques. It includes two macro-categories: Account Takeover (ATO) or Automatic Transfer System (ATS).
Cybersecurity experts at Cleafy Intelligence Network said an Account Takeover (ATO) happens every time a cybercriminal takes over an online account to steal information or money. The most common targeted online accounts are bank accounts, social media profiles, and email addresses.
The first step cyber criminals take in accessing a person’s account is stealing personal credentials or login information. Criminals can use social engineering techniques or install malware on the victim’s device to do so. Advanced fraud attacks sometimes involve both of them.
Social engineering techniques include all those activities aimed at tricking customers through psychological manipulation into giving access to personal information or committing security mistakes that let fraudsters accomplish their breach.
Phishing, smishing, and vishing are the most common examples of social engineering attacks, and they are pretty simple to implement. Cybercriminals can spread infectious malware on the victim’s devices via clickable links contained in an email (phishing) or an SMS (smishing) that could look 100% legitimate. Often these links direct the victim towards downloading apps directly from the official marketplaces, such as Google Play Store, making it harder for users to realise the potential danger in advance. Once the malicious app is downloaded and installed, the hidden malware gains complete access to the victim’s device, giving the fraudsters the door they need to perform ATO.
Fraudsters can also trick customers directly via voice calls (vishing) and convince them to perform a straightforward illicit activity without the need to spread any malware.
SIM Swap is another way to do ATO based purely on social engineering: it is a fraudulent activity that allows cybercriminals to transfer the victim’s phone number to another SIM. The illegal transfer of the phone number is carried out by impersonating the victim and tricking the mobile provider’s operators into releasing a new SIM card for the same phone number.
Automatic Transfer System (ATS)
Over the last years, the continuous improvement of fraud prevention solutions has made ATO attacks more difficult to complete. That’s why fraudsters are developing new ways to perpetrate fraud without the need to take over the victims’ accounts. These new techniques are engineered to automate illegal activities and complete them in the fastest possible way.
Unlike Account Takeover, attacks through the Automatic Transfer System don’t require taking over the victims’ accounts. The fraud occurs while the user actively operates on the target application by tampering with the genuine operation without the user noticing it.
Nwoga and Oyewole speak
Addressing these issues, Oyewole said, there is need for a holistic approach involving cooperation among key players including regulators in the financial and technology industries.
Oyewole, who is the founder and chief technical officer of Madjatek Pro Technology Limited, Lagos, however, said no matter how secure a banking system is, if there is vulnerability from the network service or any other provider then that weak point is enough to compromise the entire system.
But Nwoga said there is a difference between hacking a secure system and exploiting gaps in internet touch points.
“There is a difference between financial fraud and bank fraud. This response is with regards to bank fraud”, he said.
According to him, in a great number of bank fraud cases, an internal staff of the bank is involved in committing the fraud.
Nwoga who also a transformation and delivery expert, said: “In the first case, customer accounts that are dormant and little-used are targeted by the internal staff who then connives to transfer the funds to conspirators. When the customer tries to access the funds many weeks or months later, the funds have disappeared. In other cases, high net worth accounts (large deposit volumes) are targeted. The pattern of deposit and debit are analysed and in the most opportune time for the fraudster, the transfer is done and the bank staff drops out of sight.”
In the case of exploit systems, he said, it requires access to customer SIM or phone. The fraudster he explains, uses a USSD channel to remotely commit the fraud. “This could be by stealing the phone, cloning the SIM/phone, or identify theft. There are so many uncontrolled “financial systems” popping over the web that are not regulated by CBN. These are used as recipient of the funds transfer. The recipient account is then closed and there is little legal recourse by the victim”, he revealed.
He also said a targeted individual could have man-in-the-middle exploits on their devices. This is when, he said, username and passwords and other confidential information are recorded and transmitted to the fraudster. This information, he added, is used for identity theft and customer accounts are completely drained.
He also said there are cases of bank hacks. “This is usually an exploit of the security of the bank’s internet facing systems. An example of such an attack is a DNS (denial of service) attack. The bank URL or link is no longer available to the public. This could go on for days and the bank is blackmailed if it is a criminal attack. There is also a Domain Name exploit where the customer is sent to a spoof (fake) site and their details captured as part of identify theft. Sometimes the customer is sent to a pornography site causing great damage to the bank’s reputation”, he said.
On what banks and bank customers should do, Oyewole said banks should have a dedicated cybersecurity unit, employ experts to manage the unit and commit good budget to the operations of that department. This unit, he said, must include technology, financial and legal experts who have undergone extensive training in cybersecurity.
“The cybersecurity unit of the bank will take care of all necessary steps from orientation to policies and implementation. The unit should be mandated to implement AI-driven security architecture and be on top of their game. That is why experts need to be hired”, he said.
Also, he added, banks need to provide a 24/7 active multi-channel fraud tracking, reporting and de-escalating system.
These channels, he explained, should be as seamless and user-friendly as possible to allow customers get quick relief in the event of a potential breach. “Imagine a customer just got robbed and his wallet containing his banking instruments in the hand of fraudsters, he should be able to use the closest possible means to report deactivation of his banking credentials. I am aware some USSD codes exist for this but I have personally witnessed at least two occasions where a friend who lost his debit card attempted to dial these codes to deactivate access to his bank account but failed. Also call to customer care service ended up being frustrating. Some of those who experienced this ended up losing funds in their account to fraudsters which could have been prevented. AI-driven solutions could have helped here but I won’t want to go too technical with this discourse”.
He said further: “Like I stated earlier, there is need for synergy among the agencies. Cybersecurity team and fraud preventation/monitoring team of the relevant regulators and agencies need to work together with operators to adopt a unifying approach. This should be highly enforced. Also, the national assembly needs to come up with legislation that helps fast track recovery of stolen funds. The existing laws make the process very cumbersome and a lot of people end up loosing hope. National identity also has a big role to play here. The NIMC has a long way to go together with NCC and NITDA. We have data but highly unstructured and collection points are still inadequate. We are making too little insights from even the available data. At the international scene we should target driving up our National Security Index to help create confidence required for foreign stakeholders to step in and collaborate. But with a determined mindset and the required effrontery we can do wonders within few years”.