Complacence, stinginess driving up cyber attacks

Sometime in September, Gertrude Njambi received an urgent phone call from a panicky woman claiming to be an employee of her bank.

The “banker” called Ms Njambi by her three names and read out her identity card and bank account numbers.

“She told me that the bank had detected that someone had tried to move money from my account and that they would have to freeze it,” she recalls.

“She then added that the only way out was for me to reset my PIN, which sounded quite plausible.”

Ms Njambi was told to provide her current PIN, something she did without batting an eyelid.

It was only minutes later that she realized she had been a victim of fraud when she received a bank text message informing her she had withdrawn Sh20,000.

And she is not alone. A man who refused to be named had a similar experience where he lost Sh30,000 while his colleague had to hop onto a boda boda to withdraw Sh15,000 to attain the daily withdrawal cap avoid losing more.

As Kenya embraces modern technology, hackers are having the time of their lives conning individuals and companies.

Nairobi City County has rolled out an e-parking application where motorists pay for parking with their phones while matatu fares will soon be paid using cards.

A Kenya Cyber Security Report 2014 released in June shows that Kenya is losing Sh5 billion every year to cyber fraud. And some Sh2.1 billion was spirited out of financial institutions alone last year.

Technology experts say the problem lies in the fact that Kenyan companies are complacent in embracing solutions offered by new and complex technologies.

“If you invest Sh5 million in a technology, invest another Sh5 million to ensure it’s safe and secure,” says Mr William Makatiani, the managing director of Serianu Ltd, the authors of the report.

Mr Sidiki Traore, who lecturers on cyber crime at Distance Education for Africa (DeAfrica), concurs.

“In some instances like the upcoming cashless payment of matatu fares, people are rushing to embrace technology before they are ready,” he argues.

“Companies need to create an ecosystem of cyber security where they can defend themselves against cyber attacks, destroy those attacks and clean up the systems.”

Mr Makatiani also warns that Kenyans could be left exposed when the cashless matatu fare system is implemented next month owing to lack of proper planning.

“I shudder when I see technology being marketed before it is piloted and security measures put in place. The cashless system could be attacked on two areas: where the money is kept or at the individual level.”

“The only reason you don’t hear safety concerns being raised is because no company risks losing huge amounts of money. It’s the common mwananchi who will.”

In recent months, Safaricom has been fighting attempts by Equity Bank to roll out its own money transfer service that works by superimposing an ultra-thin SIM card on the main SIM, which the telco argues poses a security threat.

With the financial sector in Kenya booming, Kenyan banks can afford to install and use the latest technology being used in banks in more developed economies. Therein, Mr Makatiani notes, lies part of the problem.

“Kenyan companies that were using Ms Excel 10 to 16 years ago have bought the latest version of Oracle, that is being used by American contemporaries. These firms did not mature with the technology like those in the US that have grown systematically to the latest version.”

Serious attacks on Kenyan systems came from Germany and locally. Hackers in eastern Europe release scanning devices that profile the most vulnerable systems in the world, which then become targets.

The report cites insider threats, telecom threats, social media, online and mobile banking, mobile money fraud and cyber espionage as the main issues of 2013.