Global Issues
Recent Increase in Internet Bank Fraud; A Result of Pure Negligence and Lack of Responsibility by Players in the Financial Sector -By Chuka Okoye
DISCLAIMER: THE CONTENTS AND INFORMATION DISCLOSED WITHIN THIS ARTICLE IS INTENDED TO INFORM CONSUMERS AND SERVICE PROVIDERS WITHIN THE BANKING AND OTHER RELATED FINANCIAL SECTOR. OPINION NIGERIA AS WELL AS THE AUTHOR TAKE NO RESPONSIBILITY FOR MISUSE OF ANY INFORMATION DISCLOSED WITHIN THIS ARTICLE.
Over the past few months, Nigeria has witnessed an increase in internet fraud, especially money related cases. This is almost getting to the point where owning a bank account in Nigeria is enough to make one a target.
Before now, we hear of cases where a fraudster calls its victim over the telephone, pretending to be working with the bank in an attempt to get the victim’s debit card details or even OTP, which is then used to make a onetime online purchase.
This “text-book” trick has worked for internet fraudsters for many years and still does. However, the likelihood for one to fall victim of such scam has dropped drastically in recent times, thanks to the efforts of the banks to sensitize its customers.
Unfortunately, internet fraud (just like every other aspect of our lives) has advanced in tactics and techniques to match measures put in place by its opponents (the banks), leaving one to wonder if it is safe at all to operate a bank account in Nigeria (or anywhere).
With over 18 years worth of experience in the ICT sector and as the founder/CEO of one of the notable players in the information technology industry, I have carried out an in-depth analysis on the situation of bank-related internet fraud in Nigeria.
In this article, I will be exposing some of the “lapses” that lead to the increase in bank fraud over the past few months.
As owners of one or two platforms that offer instant bill payment facilities in Nigeria, we have had to intervene in several internet fraud claims.
One interesting fact from my observation is that victims of internet fraudsters are not duly advised by their banks on the steps to take to resolve or apprehend the fraudsters. It is important to mention that sometimes, victims are directed to 3rd party or company where the money may have been expended.
It is understandable that there are risks which most financial institutions would want to avoid; however there should be defined processes for addressing this from the apex regulatory body.
In-order not to bore you with “stories of my life”, I am going to dive straight into the “how-come” and “what-then” questions of internet bank fraud;
Why the Internet?
The answer to this question is quite simple… most transactions on the internet are instant-value based and untraceable (in most cases).
The banking sector in Nigeria has done some great works in making transacting over the counter and their internet banking platforms (to an extent) secured. Unfortunately, same cannot be said about mobile banking and (most especially) card services.
It is very difficult for a fraudster to walk into a banking hall or ATM machine to make withdrawals from a victim’s account, knowing that banking halls and ATM machines are equipped with CCTV cameras.
With services that runs on the internet on the other hand (especially those that offer digital goods and instant value-based services), it is very easy for fraudsters to make purchases with stolen cards and bank identities without being noticed (or even a possibility of being traced in some cases).
How do they do it?
There are many tricks used by fraudsters to gain access to their victim’s money but am going to be shedding some light on the most damaging ones in this article;
Your Bank Account Number:
This may come as a surprise to you but there are actually web-based (API) services and technologies out-there (which I cannot disclose here for obvious security reasons), that can be used to access confidential details about your bank account, using nothing but your 10-digits NUBAN (account number). These services are not something accessible or usable by the public. They are usually available and accessible only to organizations that have met certain requirements.
The issue here is that the access credentials to these (API) services get compromised and becomes available to the fraudsters. In some cases, the fraudsters are or have insider accomplices in these organizations licensed to access those services.
The fraudster collects a bunch of target account numbers, then run them through some validation services to disclose the account holder’s phone number and account balance (in some cases).
Armed with this data, the fraudster then goes on an online store, initiates a transaction and opts to pay using bank account (which is already a popular service here in Nigeria). This will result in an OTP being sent to the account holder’s phone for transaction validation.
The fraudster then calls the victim pretending to be from the bank, asking for the code (OTP) received by SMS, convincing the victim that the code is urgently needed to stop a suspicious withdrawal from the victim’s account.
Once the victim makes this code available, the fraudster uses this to complete the online transaction, consumes the instant value provided by the online store, and then heads on to its next target.
Yahoo boys
Stolen or Compromised Card:
The portability of our debit/credit cards (or ATM cards as popularly called) also makes it so easy to forget or even misplaced without even knowing it.
I once misplaced mine and never even realized it until after two whole days (silly me).
A fraudster can easily pickup this card and use it to “wipe clean” your account before you can do anything about it.
I know what you are thinking… how can that be possible when the “criminal” doesn’t even know my PIN nor have my bank token. Well… “news-flash”… merely seeing or having an image from both sides of most debit/credit card is enough to access your money with it on most online payment gateways.
Here is the thing… every debit/credit card contains three set of information, which are actually the primary data needed to charge a card. These information include the Card Number (which is the 16-digit bold number printed on the front-side of your card), the Expiry Date (also printed on the front-side of your card) and finally, the CVV (card verification/value code which is a 3 or 4 digit number at the real-side of your card).
Anyone who has all three data can access your funds through your card without any further authorization (in most cases).
Your card PIN or Token only applies (in most cases) if the final payment processor is controlled by our local financial regulatory body.
Once a fraudster gains access to your card details, he/she can use it on online services that doesn’t require any form of second-level or third-level card validation to complete payments.
In most cases, the time it takes you to report or block your stolen card at your bank is more than enough for the fraudster to spend all the money on your account.
Instant Debit Cards:
We hear about instant food, instant delivery, etc., what most people don’t know is that we now have instant cards too.
Yes… some Nigerian banks now offer a service that allows you to walk-into a branch and have a debit card printed for you within minutes. Just hang on a second… I can walk into a bank branch, type in my account number in a machine and have a card produced and linked to my account, even without any paper-work. This sounds good right?
In a recent fraud incident, my organization was contacted to assist the investigations, it was discovered that the victims did not lose their cards or tricked to divulge personal information. And in a most peculiar case, the victim did not lose any item linked to the bank account.
Here is the thing, a fraudster can steal your phone or even hack your smart-phone to gain access to your SMS messages, then using just your 10-digit to produce an instant debit card on your behalf, giving him/her full and absolute control over your bank account.
What makes this the most dangerous trick is that the victim can never see it coming in most cases and once it happens, the victim stand very little chance against the fraudster, since being in possession of the debit card, PIN and SMS, he or she is now in total control over the victim’s money.
By the time the victim realize what has happened, the fraudster has spent all funds available in the victims bank account on websites and platforms that offers instant value/digital products like Airtime, online transfers, etc.
Why are the Banks to be blamed?
When one fall victim of online bank fraud, first line of action is usually to contact the bank. At this point, the bank may only be able to prevent future debit from your account. Recovering the stolen money is a “different ball game”, which may be impossible in most cases as the fraudsters only spend these stolen funds on non-reversible instant-value online products.
Before I start pointing fingers, let me use a simple diagram to give you a snappy peep into how online transactions works;
From the illustration above, you will notice we have 3 main players involved in every single transaction that take place online. Among these 3 players, only 2 have access to the payer’s card/account details before a debit takes place (which is the Payment Processor and the Bank).
This means that the regulatory authorities, banks and the payment processors (which can be collectively referred to as the financial sector) are responsible for authorizing as well as controlling card/account charges, and as such are to be blamed for all bank internet frauds.
It might interest you to know that before I decided to publish this article, I have reached out to many key players in the financial sector, advising them on loop-holes in the online payment and online banking workflow that can easily be exploited. I have also proposed some “simple changes” that can be made to cushion these but obviously, no one wants to take responsibilities of making those changes… after-all, they are not the once losing money to fraudsters. In-fact if anything, they are gaining from it.
In summary, the high rise in bank related internet fraud can be traced to negligence and lack of responsibility on the part of the key players in our financial sector.
Let me dive deeper into why each player is to be blamed so we get a clearer picture of it;
The Payment Processors:
During an online transaction, the payment processors are responsible for collecting payment details as well as initiating a charge through the bank. They stand between the seller (or merchants) and the banks, which means they have access to data from both parties.
Why my first blame falls on the payment processors is because they are in a good position to collect and analyze data from both sides, then decide whether to flag such transaction for further fraud checks or not. As complex as this may sound, I can tell you (as a developer with many years of experience) that this is something quite simple to do and doesn’t cost the payment processors much to implement.
If such fraud check systems are put in-place, many internet fraud cases would have been detected and prevented.
The Banks:
My blames on the banks comes from a completely different but related perspective. The banks control both the means of payment as well as debit authorization and as such, can play an important role in fraud prevention by offering better and more flexible account security.
The banks already succeeded to a very large extent in making their internet banking platforms secure and difficult to compromise. However, they failed to provide substantial level of automation in many areas that could have given their customers some level of control over what happens on their account.
Imagine if banks provide a facility within their already secure internet banking platforms that enables its customers perform instant operation like blocking/unblocking a card, deciding what channels can be used to access fund on a customer’s account, setting a panic PIN, controlling what payment gateways can charge a customer’s card, controlling hourly or daily card limits, etc.
If these features and advanced infrastructures were made available by the banks, it would have gone a long way to preventing online bank frauds by allowing the customer to decide and controlling where, when and how its account can be accessed at anytime.
The Regulatory Authorities:
The financial sector in Nigeria is a well regulated sector, thanks to authorities like CBN, SEC, etc. However, their role in the industries should just be to decide who gets licensed and who doesn’t.
My blame on the regulatory authorities is based on the fact that they are in a position to make policies that influence how every other player in the sector operate.
The regulatory authority can decide to set certain fraud prevention standards and technologies to be followed by all payment processors or even make certain facilities a standard to have by all banks in Nigeria.
What’s the way forward?
Though a major responsibility falls on the financial sectors, every one (consumers and service providers) still has a part to play in the fight against internet fraud.
As an account holder, you need to pay closer attention to activities on your account. Subscribe to SMS alert services on your accounts as this will keep you informed on every transaction on your account and also help you detect unauthorized charges quicker.
If you ever lose your mobile phone, quickly contact your network operator to have your line blocked so no one will be able to make use of it. Also change password to every important apps on the phone, especially your banking apps.
If you ever lose your debit or credit card, quickly contact your bank or the card issuer to have it blocked at once.
Most importantly, always use a PIN lock on your phone and set a SIM lock on your SIM cards as well. Doing this will mean no one can access your phone or SIM without your consent.
To the banks, look for innovative ways to make your customer’s account safer. Be more available and proactive when it comes to handling fraud related claims from customers.
To the payment processors, add smart features that will enable you detect fraudulent transactions, even before debit occurs. Consider requesting payer’s full name from your merchants, so system can compare it with that on the card or account being used for a transaction along with other techniques (which I can’t disclose here for security reasons) then decide whether to hold such transaction for further fraud review.
Conclusion
Internet fraud can be controlled or reduced to the barest minimum if all key players and participants in the financial sector make necessary changes to improve standards within the sector.
Chuka Okoye (CEO, Ynet Interactive Ltd)
