Kenya Commercial Bank survives an $18m cyber attack

KCB Group claims to have stopped an $18m (ksh2 bn) attempted fraud on its banking system in 2020.
The bank Thursday made public the attempted fraud without giving details on whether the attack was from foreign hackers or local techies.
In 2016, Kenya Commercial Bank allayed fears of data breach in one of their banking systems.
In a statement posted on the bank’s Facebook Page on Friday 21st October 2016, the lender dismissed the claims acknowledging that they were aware of the data breach allegations but an investigation revealed malicious misinformation as the cause of the concern from customers.
There were allegations of data infringement made in an online news report based on claims by a Burundian hacker named Chris Irakoze.
Mr Irakoze, said that KCB may have suffered a massive data breach as a file with the details of more than 500,000 customers detailing their names and phone numbers had appeared online. The alleged data breach had first been reported Irakoze through a tweet in September.
“The alleged customer data breach has been found to be false,” read the statement.
The statement further stated, “We wish to assure all our customers that our platforms and data are highly secured. KCB Group systems including the mobile App have been extensively tested and validated by our internal and the best external data security experts. Multiple layers of encryption, private keys and unique authentication are among the key embedded data security features that safeguard our mobile app. There is no breach to our systems.”
Kenya’s highly digitized economy, linked with mobile money through telcos and banks, has made the country a target for cybercrime and online fraudsters, with lenders losing hundreds of millions of shillings annually.
“In 2020, the Group successfully prevented a theft of Sh2 billion ($18m), in attempted fraud, thanks to our robust cybersecurity systems,” said KCB without giving details of arrest or legal action over the heist.
The bank made the revelation through its sustainability report, which says it prevented 3,624 other cyberattacks and managed to stop 663 attempted fraud cases.
Increased use of mobile and Internet banking have exposed bank customers to cybercrime, especially fraud and phishing attacks
Mobile money transactions in Kenya jumped 52 percent to Sh3.26 trillion in the six months to June, Central Bank of Kenya data show.
Cases where links are widely circulated promising free airtime, money and other products have been used in phishing attacks to collect personal data and use it to siphon cash.
Phishing happens where criminals send out legitimate-looking e-mails from trustworthy websites requesting personal and financial details from unsuspecting people.
They direct you to counterfeit web pages that look identical to the companies’ sites in order to fool you into submitting personal or financial data and passwords.
The scammer will then steal your identity and can access your account and transfer money to their accounts or make online purchases.
KCB says the decision by the Office of the Attorney-General requiring companies to update their beneficial ownership e-register has helped them track payments in real time and flag suspicious transactions.
Banks are also facing cyberattacks targeting weak points in servers, especially as lenders operate remotely from home or transition systems.
The Communications Authority of Kenya said there were 35.1 million cybersecurity incidents detected July to September 2020, an increase of 152.9 per cent as compared to the previous similar period.
The authority said the increase in cyber threats can be attributed to the move to working remotely and increased uptake of e-commerce in response to the Covid-19 pandemic.
Most banks do not reveal the level of fraud and cyberattacks unless the cases land in court.
NIC and CBA, which merged to form NCBA a year ago, came under attack.
Antony Mwangi Ngige, 23, and Ann Wambui Nyoike, 21 — two second-year students at Jomo Kenyatta University of Agriculture and Technology (JKUAT) — were recently charged with stealing ksh25 million from the bank through hacking.
They are also said to have attempted to steal an additional ksh190.7 million from the NCBA Bank.
Eight Kenyans arrested in Rwanda for hacking Equity Bank were handed eight-year jail terms and fined ksh5.6 million.