R.B
JF-Expert Member
- May 10, 2012
- 6,296
- 2,573
With mobile money services gaining ground in Africa and with recent developments in the sector exhibiting breaches, experts are wary of safety in the systems and the transactions passing through them
Many African economies are on the verge of going cashless and many Africans are currently changing their financial cultures to embrace electronic transactions, which proponents believe will reduce the amount of cash in circulation, improve transparency, grow customer base for businesspeople and most importantly check financial crimes.
However, recent reports say cybercriminals have also changed their strategies and now combine traditional banking malware with server-hosted scripts to automate online bank fraud, fuelling fears among users and potential customers.
Antivirus firm McAfee and online banking security vendor Guardian Analytics this week published a joint report that fraudsters were now capable of using sophisticated fraud automation techniques that can bypass two-factor authentication.
In their popular contrivance, the fraudsters used to employ online banking malwares known as Zeus and SpyEye to perform the man-in-the-browser (MitB) attacks, which injects forms or pop-ups into online banking websites when they are accessed from infected computers, and collect financial details and log-in credentials from victims for subsequent fraudulent activities.
But the report says the attackers now combine malware-based web injection with server-hosted scripts in order to piggyback on active online banking sessions and initiate fraudulent transfers in real time.
The malware works with specific online banking websites and automate the entire fraud process, making it possible to read account balances and transfer predefined sums to money mules - intermediaries - the selection of which is also done automatically by querying a constantly updated database of money mule accounts.
While the programme allows criminals to bypass the two-factor authorisation systems operated by banks for security purposes, it also intercepts the authentication process and captures the one-time password generated by the victim's bank-issued hardware token and uses it to perform the fraud in the background. During this time, the user is shown a "please wait" message on the screen.
[h=3]SIM Cards Fraud[/h] SIM swap is one of current wiles used in the SIM graft, which is a technique employed by fraudsters to defraud unsuspecting internet banking users. After obtaining the victim's banking details and other personal information through phishing scams, the fraudsters then call the network operator posing as the customer and request a SIM swap which will cancel the customer's SIM connection and the fraudsters will have access to the customer's cellphone line. This will in turn enable the fraudsters to receive the customer's one time internet banking password and allow them perform fraudulent internet banking transactions.
The Nigerian Communications Commission, NCC, arrested 14 people this week for selling preregistered SIM cards in bulk, which is another means for fraudsters to get details of future users of those cards.
The Ghanaian police busted three SIM card fraud gangs in a week and have opened investigations while intensifying the search for others.
Vodacom in South Africa warned its customers last week on the SIM card fraud while Tigo in Tanzania said it was tightening security around its Tigo Pesa mobile money service following recurrent fraudulent transactions.
While the financial institutions and telecommunication firms are securing their systems, with the authorities setting up dissuasion, customers and potential users of the mobile money services need to be cautious and play safe not to fall in the hands of the digital rogues.
