It is a hackers’ paradise out there as Kenyans bare their all online

On a chilly Friday evening in August last year, Hughes Okinda walked into an ATM to withdraw some money before he could travel to his rural home. He walked into an ATM lobby along Kimathi Street, checked his account balance, and, to his surprise, realised he was Sh13 million rich.

“I was expecting something between 13,000 and 15,000, and so I was shocked,” he told DN2 this week. “I thought the machine was faulty and so I ejected the card and inserted it into the next machine. It showed that I had the same balance.”

Okinda, 33, said he decided to withdraw Sh10,000, which he was sure was his, and report the rest of the windfall to the bank as soon as he could.

“A few minutes later, I decided not to travel to Siaya because the meeting I was to attend the following day there had been postponed. On my way home in Pipeline, I kept asking myself a lot of questions. I was tempted to withdraw that money. I even wondered whether God had answered my prayer for riches so soon, openly and directly.

At around mid-day the following day, a Saturday, he travelled to the CBD and, again, decided to check his bank balance.

“It read zero!” he said. “I did not have a single cent in my account. I had moved from being a virtual millionaire the evening before, to a virtual pauper just a few hours later! They had even taken the few shillings I had left lying there.”

He had to wait until the following Monday to lodge a formal complaint with his bank, which reimbursed him his money.

SALAMI ATTACK

What Okinda did not know at that point was that his account had been used as a channel for one of Kenya’s banking fraud syndicates, run by a group of cyber-criminals who work in close collaboration with banking staff. His experience was just one of the millions — yes, millions — of others that occur in Kenya annually, with most of them going unnoticed.

The Communication Authority of Kenya estimates that there were 5.4 million cyber-attacks recorded last year alone in Kenya. That is almost three times the number recorded in 2013.  Despite the high number, though, CAK believes that a high number of cases are never reported, especially those involving banks.

More than half of the attacks recorded last year involved financial crimes or targeted information infrastructure like the computer systems of government agencies, companies and individuals.

The Directorate of Criminal Investigation’s Banking Fraud Investigation Department (BFID) indicates that fraud led to the loss of Sh700 million by financial institutions last year. It is not clear how much individual account holders lost in 2014 because most of the fraud goes unnoticed, but an IT and business consulting firm, Serianu, puts the estimated loss at Sh2.2 billion.

“In 2013 alone, bank customers lost Sh1.7 billion through fraudulent schemes involving their employees,” states Serianu in a report.

Another study released late last year by Ernest and Young ranked Kenya high among countries surveyed on cases of business fraud and bribery in the private industry.

Tyrus Kamau Muya, a cybersecurity consultant, says such fraud has been “going on unnoticed for some time” in Kenya.

“People have lost lots of money through this crime because sometimes they do not take it seriously. When you lose something like Sh100 from your account, chances are you will not notice or may not report it because it isn’t that much,” he says.

Cyber-criminals who target banks always deduct little amounts of money from numerous accounts and may channel them to dormant accounts which are most of the time not monitored by the banks. This form of fraud is done through a Salami Attack, also known as Salami Slicing or Penny Shaving. It is accomplished through an automated computer programme which steals money repeatedly in extremely small quantities, usually by taking advantage of rounding off to the nearest cent in financial transactions.

“It takes an extremely keen bank to notice that things like these are happening. The most common way cyber-criminals steal from people’s accounts in Kenya is by tampering with accounts. They collaborate with bank employees who give them details of account holders. Once they have all your details, they can get whatever amount of money they want from it,” says Muya.

GUARDING CYBERSPACE

What happened to Okinda, then, was just a tiny drop in the ocean as the fraudsters “could develop a software that automatically deducts money from the account holders whose information they have”.

“Most of the time, each account loses very little money. The software then channels the raised amount and ‘hides’ it in dormant or less active accounts, the criminals then those accounts to transfer the money to their own.”

Cybercrime, says Muya, is a serious problem in Kenya that needs to be treated with as much importance as other forms of criminal activity. A senior police officer who works at the Directorate of Criminal Investigation’s cybercrime investigation unit says the biggest contributor to the rise of such fraud is the growth in the number of people interested in studying cybercrime.

“Institutions and banks have an ever-growing need to employ people who guard their cyberspace. They need people to protect their information and prevent them from hackers. As these kinds of jobs arise, many youth take the training. When they lack jobs, they start using their knowledge to do commit such crime,” he said.

The National Police Service developed the Cybercrime Investigation Unit following the rise in the number of criminal activity over the Internet. The unit is made up of two sections; the Cellular Forensics and the Computer/Disc Forensics. All officers attached to it have undergone training in digital forensics. They also must undergo training every six months because, according to the senior officer we talked to, “technology is very dynamic, and so what is hi-tech today, is junk tomorrow”.

“Our other problem is that officers who have undergone the intense training usually leave for other companies, especially the banks, and they are on high demand because of their experience. The police unit is therefore left understaffed,” the officer, who did not want to be named, said.

Kenya is listed as one of the countries most likely to face cyber-threats because victims and most consumers are ignorant of technology.

“People are not aware of the risks of doing something on their cyber-spaces. They release too much information on social media and this is an area we still do not have strong legislation to guard,” he said.

Another challenge faced by the Cybercrime Investigation Unit is that individuals and corporates who fall victim of frauds and other forms of crimes involving the Net are hesitant to release information that is necessary for investigators.

Some banks would rather pay the victims of fraud than “get exposed in the media”. They would rather not report these cases, and when they do they become too careful in a bid to “protect the institution’s image”.

In Kenya, perpetrators of computer fraud and criminal hacks are rarely found or arrested because only a few police officers have the capacity to do so. Information Cabinet Secretary Fred Matiang’i says there is need for the country to have more experienced security professionals to counter cyber threats.

FORENSIC TOOLS

“We have to take action to impart our information security professionals with more advanced skills to counter threats and vulnerabilities,” he says. According to his ministry, Kenya ranks fourth in Africa in cybercrime, after Algeria, Egypt and South Africa.

The government plans to establish a Computer Incident Response Coordination Centre, which will offer advice on cybersecurity matters nationally.

The Ministry of Information, on its website, admits that efforts to arrest and prosecute suspects are being hampered by lack of effective laws and the methods used by cyber-criminals as technology keeps changing too quickly.

Currently, cybercrime prosecution is done under the provisions of the Kenya Information and Communication Act. Also, Kenya still relies on the Central Depositories Act and the Penal Code, among other frameworks that are not clear, to police the Internet.

In some cases, police officers still rely on physical evidence to arrest cyber-criminals, which does not make much sense in the digital age when crime leaves no physical traces.

If passed, the Cybercrime and Computer Related Crimes Bill of 2013, which was an initiative of the Office of the Director of Public Prosecutions, will help law enforcement agencies with the necessary legal and forensic tools to tackle cybercrime.

“A person found to be in offence of unauthorised access to computer data attracts a fine of not less than Sh1 million, or a three-year jail term. A corporation attracts a fine not exceeding Sh50 million,” the draft law says in part.

Apart from drafting the Bill, the government has announced plans to host all government websites in a central place to curb hacking. The idea followed the recent attacks on online platforms, including the Kenya Defence Forces’ and Deputy President William Ruto’s Twitter accounts.

A member of the hacker group Anonymous, who infiltrated the accounts and used them to post offensive messages, claimed to have also defaced the Immigration and Registration of Persons, and National Environment Trust Fund websites, as well as the Integrated Financial Management Information System.

The problem of cybercrime is, however, not exclusive to Kenya. The United States’ FBI and the State Department recently announced a record Sh300 million reward for information leading to the arrest of a Russian accused of executing a sophisticated computer heist that siphoned more than Sh100 billion from American bank accounts.

Mr Evgeniy Bogachev was already on the FBI’s cybercrime ‘Most Wanted’ list, and the Sh300 million bounty is the highest ever for an alleged cyber-criminal.

The 31-year-old fugitive, whom authorities say used the online monikers “Lucky 12345” and “Slavik”, is alleged to have deployed a malicious Salami software known as Game-Over Zeus, which is designed to steal bank account numbers and passwords.

COMMON CYBERCRIMES

Kenya’s six main classes of online crime 

1.  Hacking: This is a type of crime where a person’s computer is broken into so that his/her personal or sensitive information can be accessed. In this case the criminal uses a variety of software to enter a person’s computer and the person may not be aware that his/her computer is being accessed from a remote location.

2.  Theft: Occurs when a person violates the Copyright Act of 2001 and downloads music, movies, games and software on the Internet.

3.  Cyber stalking: This is a kind of online harassment where the victim is subjected to a barrage of online messages and e-mails. Typically, these stalkers know their victims and instead of resorting to offline stalking, they use the Internet to harass.

4.  Identity theft: This has become a major problem as more people use the Internet for cash transactions and banking services. A criminal accesses data about a person’s bank account, credit cards, social media, debit card and other sensitive information to siphon money or to buy things online in the victim’s name.

5.  Malicious software: These are Internet-based software or programs that are used to disrupt a network. The software is used to gain access to a system to steal sensitive information or data, or cause damage to software present in the system.

6.  Child pornography and abuse: This is a type of cybercrime where criminals recruit minors via chat rooms on various social media networks for the purpose of child pornography.