Financial institutions in Nigeria have been identified as being increasingly at risk of cyber attacks due to a steady increase in financial inclusion across the country, which is generating large amounts of sensitive data and billions of naira in financial assets.
Nigerian banks have lost approximately N165 billion to electronic fraud and cyber crime between 2000 and 2014, creating several concerns on security, as policy makers reiterate the drive for cashless policy.
In 2014 alone, the actual loss value reported by Nigerian banks was put at N6.21 billion by the Nigeria Interbank Settlement System Plc (NIBBS).
“It is no longer a question of if it will happen, but when it is going to happen. The (Bank) executives need to be told that it is real (and looming), so they will be taking a very big risk if it happens and causes significant damage (due to inadequate preparation),” says David Isiavwe, president of the Information Security Society of Africa- Nigeria (ISSAN).
Control Risks, a leading business risk consultancy in a white paper released yesterday on cyber threats to the Nigerian financial sector, stated: “the global landscape of cyber threats is constantly evolving, and Nigeria is no exception to this. Malicious actors are using an increasingly diverse and sophisticated range of techniques against Nigeria’s financial sector.”
Tom Griffin, managing director, Control Risks Nigeria says, “Ultimately, until organisations are able to utilise high quality strategic intelligence to proactively identify the methods in which they are most likely to be targeted, their defences will always be playing catch up against the attackers.”
Nigeria has made rapid progress in implementing sector-wide controls to improve the sector’s defences against cyber attacks.
These include the Bank Verification Number (BVN), the Cyber Crimes Act, and various regulatory standards that have provided a solid foundation for financial institutions to develop their internal cyber security capabilities.
However, analysts still sound a note of caution.
“Regardless, the threat continues to evolve and various actors will look to bypass these improved defences. Existing assessments of the threats facing the sector have failed to offer a framework through which to understand and ultimately tackle these threats. Instead, they have focused on out-dated stereotypes, such as fraud and corruption, while neglecting to address the strategic cyber threat landscape and the way it is likely to develop and challenge Nigerian financial institutions in the future,” says Control Risks in its assessment.
The threat of a big cyber scam on vulnerable African financial institutions cannot be overstated.
Standard Bank Group Ltd., Africa’s biggest bank by assets, said this week it lost as much as 300 million rand ($19 million) to organised fraud in Japan.
The bank has “been the victim of a sophisticated, coordinated fraud incident,” the Johannesburg-based lender said in a statement on Monday.
“This involved the withdrawal of cash using a small number of fictitious cards at various ATMs in Japan. The target of the fraud has been Standard Bank and there has been no financial loss for customers.”
Jayan Perera, cyber security expert at Control Risks says it is increasingly cheaper for potential hackers to purchase malware and deploy to attack banks.
According to him, for as little as N25,000, malware programs can be bought and used in targeting either a bank or its customers, resulting in losses if inadequate security measures have not been put in place.
“We haven’t seen massive attacks happen, but we know that there are growing capabilities and (plausible) intent to carry out these attacks,” says Perera.
This comes on the heels of an announcement last week by international financial messaging service, SWIFT which requested that clients share information on attacks on the system to help prevent hacking, after criminals used SWIFT messages to steal $81 million from the Bangladesh central bank.
Emphasis in Nigeria, however, seems to be more tilted towards customer losses, whereas, experts are of the opinion that the banks should themselves be more protected.
“On November 11 2014, a scam mail was sent purporting to come from CBN with a target to harvest card and online transaction credentials of several banks customers on a single phishing site (a clone of CBN page). It took an informed customer’s complaint to expose the attack. Unlike several other cases that take between 24 to 48 hours to shut down, this phishing site was brought down in less than 2 hours but the number of customers who may have lost funds is yet to be known,” reads a part of the 2014 report of the Nigerian Electronic Fraud Forum.
In the year 2014, a report by NIBSS showed that ATM machines were the major victims of fraudulent activities in terms of volume as it experienced the highest number of fraudulent transactions. However, Internet banking accounted for a loss of about N3.2 billion to fraudulent transactions in terms of value.
BusinessDay