While on an official trip to Israel last month, Mr Stanley Wanjiku needed to do some urgent business back in Kenya through his mobile money transfer service, only to find his PIN blocked.
In seconds, a message popped up asking him to call his bank's service centre through a certain number. He tried several times to have his PIN reset through a WhatsApp call to no avail. Getting anxious, he sought assistance through an SMS.
“I wrote them (bank’s call centre) an SMS via the same number (the number given to him) giving my (bank) account number and my phone number only,” Mr Wanjiku, the MCA for Ikinu in Kiambu County, told the Nation.
A regret came the following day saying the bank was unable to reset his mobile money transfer interface via WhatsApp. He was advised to call using one of the lines registered with the bank but by then he was resigned to doing the business upon his return. He received the shock of his life when he tried to withdraw money from his mobile wallet upon arrival at JKIA on July 5, only to find he could not access the service.
Enquiries at a phone shop in the airport showed his line had been replaced on July 3, a day after he shared his information with the bank. He had travelled to Israel on June 26, according to immigration stamps on his passport.
“We also learnt that Sh40,000 had been withdrawn from my account. I do not know how my mobile money PIN was regenerated and issued to strangers. I am at a loss how they identified themselves,” the former banker said.
Mr Wanjiku was to discover the extent of the theft with time as, in all, Sh1.9 million was withdrawn from his mobile money and two bank accounts, one of which was not linked to his mobile phone between July 3 and 4.
Besides the mobile wallet withdrawal, Sh339,000 was withdrawn from his bank account and Sh1.5 million, which was transferred to other banks, from a joint account. He later learnt that his PIN for the accounts had also been replaced and regenerated. The Nation has seen certified bank statements confirming the transactions.
The case was reported at Central Police Station where he was issued with an OB number 34/12/7/18. On July 8, he wrote a complaint to the Directorate of Criminal Investigations, the Central Bank of Kenya, his bank, and his mobile banking service provider.
The letters were stamped as received on July 9. The institutions declined to comment on the matter citing customer confidentiality, saying the matter was still under investigations.
Mr Wanjiku’s case could be a tip in the iceberg of cybercrime perpetuated through identity theft.
SIM swapping, as in the case of Mr Wanjiku, is the latest vice through which customers are losing their savings in banks and mobile wallets.
“Sim swapping has become a big problem especially in Nigeria since 2016. It started picking up in Kenya in the last half of last year,” said Mr William Makatiani, the CEO of Serianu, a cybersecurity consulting firm.
According to estimates, banks and telcos could be losing up between Sh15 billion and Sh20 billion annually through fraud. A Central Bank official recently told directors of savings and credit societies that the amount lost through cybercrime in 2016 was in the range of Sh600 million.
To guard against the threat, the financial sector in Kenya spent Sh21.2 billion last year on systems to combat the vice.
Since Mr Wanjiku’s story came to light, more people have come out to complain about their mobile phone lines being swapped without their knowledge, in what appears to be an elaborate scheme by fraudsters targeting mobile banking platforms.
On Monday, a Mr Sammy, through his twitter handle @Sammy_ynwa, said his line was targeted by fraudsters who were in the process of replacing it without his knowledge.
According to him, he received a message from his mobile services provider informing him that his request for SIM swap had been approved, so could he confirm his PUK?
He later got a message that his phone was being swapped and his line went dead. He immediately called the telco and was informed that his line had been blocked. The telco informed him that the matter had been forwarded to its support team.
Mr Ndinya John from Mombasa, through his handle @jndinya, said someone kept beeping him three weeks ago. He did not make much of it until his phone lost network.
On contacting the mobile service provider, he found out the SIM had been replaced. There were three other cases including one where a victim apparently borrowed Sh9,600 through different online money lenders.
Mr Martin Luther, a cybercrimes expert, said the intrusion starts when scammer gets subscriber details through social engineering.
He said scamming that is not related to a mobile phone line, however, can only happen with collusion from service providers, who establish the subscriber’s personal details, which include the mobile phone.
“Banks use static data, and its editing must be done with the approval of someone in the bank following a customer request,” Mr Luther, a former forensic auditor with a commercial bank, said.
To avert such cases, Mr Luther advised people to guard their personal data. Banks and mobile phone companies, he added, should tighten requirements for SIM card replacement, including requiring the subscribers be physically present.