Introduction
Millions of Kenyans have bank accounts that have been digitized in one way or another. This includes the ability to manage accounts from mobile phones through STK or smartphone apps, which eliminates the need to visit a local branch.
Digital banking, for all intents and purposes, is a good thing for both customers and financial organizations. However, while customers may hold digital banking credentials, many consumers in emerging markets such as Kenya are not active users of the digital channels, for reasons that include a lack of trust and confidence in the new channels.
The lack of trust in the channels has also been linked to a negative effect on the digital finance space, and this is even greater in spaces that lack robust consumer protection frameworks.
These issues have recently become apparent because some customers have not had the best experience using digital banking channels.
The majority of reported issues are centered around fraud. There is no denying that some customers receive multiple texts and calls from people impersonating bank staff. Some unfortunate customers have lost money through such attempts.
The outcome is that some customers with low income and those who are security-conscious will have little incentive to use any form of digital banking, perhaps because they do not understand it, or are unaware of attack vectors and how to overcome them.
Mzee Kenoti is a tea farmer with a sizeable farm from which he earns a considerable bonus every October. As the years have caught up with him, he has found it very hard to keep travelling to the nearest bank branch to withdraw his earnings for upkeep. One of his nephews suggested that he register for his bank’s app so that he could access his funds wherever and whenever he wished.
Being very old school, he trusted his nephew to set up everything for him, including setting his PIN to his year of birth. Everything went well until one day in October when, expecting to access his bonus, he found his account wiped clean. He accused the bank of having robbed him, yet the records showed the money had been withdrawn through his app. He said he had made no such transaction but could not explain it himself. Mzee Kenoti never connected the theft with the fact that his nephew knew his PIN and that they lived in the same compound. The fact that his PIN was not known to him alone had exposed him to the risk of theft.
Take another case, that of Georgina, who had gone to the Coast to buy a car. She was knowledgeable enough to know that she should not deal with the sellers in cash alone, but had to leave a digital trail of the money flowing from her account to the seller’s.
Once she had settled on the car to buy, she asked to make the transfer through Internet Banking. She went into a cyber café and logged in on one of the computers. Once she received her OTP, she keyed it in and completed the transfer. She hurriedly left the cyber café and went about finalizing her transfer documents and enjoying her new car.
Sometime later, she received a message that some money had been transferred from her account. She was confused because she hadn’t initiated that particular transaction and realizing that something was amiss, she called her bank.
What Georgina did not realize is that in her hurry to leave the cyber café she had not logged out of her browser, so her banking session was still open and active. All someone had to do was continue initiating transactions in the tab she had left open. Her small act of omission got her into real trouble.
Measures
The majority of banks have developed key security measures to guard customers against fraud cases, some of them socially engineered.
Some of the measures have since been rolled out to customers. The measures are often known to the majority of customers but are overlooked for one reason or another. The human link is the one most often exploited, because people neglect the simple steps that go a long way towards keeping them safe from fraudsters.
Some of the measures include banking apps that support fingerprint locking and unlocking. One of them is the Eazzy Banking App, which allows users to log in with their fingerprint, meaning they do not need to punch in a PIN code in compromising situations such as a crowded agency shop.
Additionally, the Eazzy Banking App now only completes transactions with a one-time password (OTP). This means that a code is sent to the mobile number registered against your bank account to authenticate the transaction, which is why it must never be shared. It therefore makes it impossible for a fraudster to transact even if they get access to your account information.
Social engineering is becoming the most prevalent strategy used by hackers today. With continually blossoming e-commerce activity on the web, customers adopting online banking services will become prime targets for such hackers.
As such, banks have a responsibility to contain this issue in order to sustain their competitive advantage. Most banks have security policies that manifest their strategy to counter hackers and yet social engineering attacks are rampant. Unsuspecting customers have, from time to time, lost their funds due to this scheme.
Lenders such as the aforementioned Equity say that customers will only be contacted from 0763000000.
Customers should also be vigilant on their end and learn to recognize official SMS sender names such as M-PESA, KCB, EQUITEL and EQUITY, to mention a few.
The Equitel platform also has some features that we first saw on M-PESA. It is akin to M-PESA’s Hakikisha, which tasks a customer to verify the recipient’s credentials before performing a transaction.
Customers should also be aware of normal safety practices, some of which are overlooked. For instance, your PIN must be memorized and never saved on your device as a contact or in an SMS. PINs must also be unique, not derived from your date of birth, and not one of the most commonly used options such as 1234 or 1111.
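The PIN advice above, and Mzee Kenoti’s year-of-birth PIN, can be turned into a policy check that a banking app could run before accepting a new PIN. This is an added illustration, not code from any bank or app named on the page; the denylist, the assumed 1900-to-current-year range for a birth year, and the day/month pattern test are the author’s own assumptions, extended beyond the two PINs the article names.

```python
from datetime import date

# Constructed denylist: the PINs the article calls out plus other frequent choices.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "2580", "4321"}


def is_year(pin: str) -> bool:
    """True if the PIN reads as a plausible year of birth (assumed range 1900..today)."""
    return 1900 <= int(pin) <= date.today().year


def is_calendar_date(pin: str) -> bool:
    """True if the PIN reads as DDMM or MMDD, the usual way a birthday becomes a PIN."""
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 31 and 1 <= b <= 12) or (1 <= a <= 12 and 1 <= b <= 31)


def is_sequence(pin: str) -> bool:
    """True for runs such as 1234, 4321, 3456 or 6543 (every step is +1 or every step is -1)."""
    diffs = {int(pin[i + 1]) - int(pin[i]) for i in range(len(pin) - 1)}
    return diffs in ({1}, {-1})


def pin_weaknesses(pin: str) -> list[str]:
    """Return every policy rule the PIN violates; an empty list means the PIN is acceptable."""
    if not (pin.isdigit() and len(pin) == 4):
        return ["must be exactly four digits"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("common PIN")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    if is_sequence(pin):
        problems.append("sequential digits")
    if is_year(pin):
        problems.append("looks like a year of birth")
    if is_calendar_date(pin):
        problems.append("looks like a day/month date")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs: a year of birth, the article's examples, and an acceptable one.
    for candidate in ("1950", "1234", "1111", "8396"):
        print(candidate, pin_weaknesses(candidate) or ["acceptable"])
```

The same rule set rejects both of the article’s examples and a year such as 1950, while letting an unpatterned PIN through.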
Customers sometimes receive messages alerting them that their lines have been suspended or blocked. The messages are a fraud, and must not be responded to in any way. Lenders such as Equity will not ask you to call to unblock your account.
On Equity’s EazzyNet internet banking, customers receive a One Time PIN (OTP) in order to transact successfully. The OTP is sent to the mobile number registered at the bank. This is how the bank ensures that the requested transaction is valid and comes from the authorized holder of the account.
Lastly, beware that you can only get Equitel SIM cards from select Equity Bank Agents or at the bank branches because some fraudsters who hawk the cards impersonate bank agents.
It should also be repeated that these measures are mostly straightforward, and must not be ignored.
Conclusion
The evolution in technology offers both opportunities and challenges to the financial sector.
However, cybercriminals are also becoming ingenious and creative in their attacks, especially as they exploit human emotions with social engineering tools.
To improve the cybersecurity stance of banks, new ways and tools need to be developed and deployed to fill the existing gaps created by these clever criminals and to counter the attacks they present.
A holistic approach towards cyber threats is needed to bring threat information to an operational level, which could help banks make better decisions quickly and effectively.
Of course, not all threats can be analyzed and prioritized at the same time, but by examining threat analytics retrospectively, banks could identify attack patterns and predict the likelihood of an attack before it happens, thus helping their customers to counter it.