Financial institutions and challenges of cyber crime
New voices may have been added to the global campaign against the growing threat of cyber crimes on financial institutions, even as experts have prescribed the adoption of an asset-based approach as a foil to the menace.
According to experts, in a report from the Global Trade Review (GTR), the traditional all-in-one Information Technology (IT) approach is no longer working and financial institutions should instead build IT systems tailored specifically to each asset class on their balance sheet, giving priority to the most lucrative ones.
In Nigeria, cyber crime has become a state matter, with weightier repercussions assigned for offenders, as the government moves to curb the activities of internet scammers, who give the country a bad name both locally and internationally. However, equally thriving at present is electronic fraud, which a body, the Nigeria Electronic Fraud Forum (NeFF), said is capable, if left unchecked, of wiping out the entire profit line of an individual bank, as well as sending a wrong signal against the financial inclusion drive.
Cybercrime refers to any illegal activity carried out with a computer as the primary means, as well as any illegal activity that uses a computer for the storage of evidence. It includes crimes that have been made possible by computers, such as network intrusions and the dissemination of computer viruses, as well as computer-based variations of existing crimes, such as identity theft, stalking, bullying and terrorism.
This may have been partly the motivating force behind the Central Bank of Nigeria’s intensified efforts to give the financial system a facelift through the Bank Verification Number project, which, among other things, would foil identity theft and duplication of identities in various financial institutions.
The debit and credit cards used in the electronic payments system have as well undergone several reforms, policies and security “beef-up”, in an effort to stem the growing tide of electronic fraud in the country, which is, however, a global issue. Already, the total loss made by Nigeria’s Deposit Money Banks (DMBs) due to fraud-related cases has been put at about N203 billion in the last 14 years, a development which still persists in the industry, with sophistication and with some cases left unreported by some financial institutions.
But the stakeholders, NeFF, Nigeria Interbank Settlement System (NIBSS) and DMBs, appear more worried as the fraudsters become more ingenious in an effort to undermine every security measure put in place, duping unsuspecting customers of banks and corporate organisations of billions of naira.
The Director of Banking and Payment System, Central Bank of Nigeria (CBN) and Chairman of Nigeria Electronic Fraud Forum (NeFF), Dipo Fatokun, decried the number and size of frauds against organisations, which are on the rise. Speaking at NeFF’s first general meeting of the year, with the theme: “e-Fraud: Shining a Light on Insider Abuse,” Fatokun said that recent investigations have revealed that as many as 20 or 30 persons are involved.
“You need to take a non-traditional approach. Unfortunately we’re getting all these breaches because everybody is still persevering with the traditional route, which is not actually looking at the balance sheet, the key assets and trying to understand which IT infrastructure you have to support the operation that creates wealth. You’ve got to tailor your defenses according to that, and it’s not happening,” the Group Director of cyber security firm, MWR InfoSecurity, Alex Fidgen, said. He noted that geopolitical monitoring could be an important part of cyber protection, as attacks are often socio-politically motivated, targeting organisations that support, either publicly or in private, certain government policies.
Specifically, he cited the virus allegedly used by Iran on Saudi Aramco in 2012, which wiped most of the company’s computers and forced it to shut down its internal communication system. It was seen by many as retaliation against Stuxnet, the computer virus used by the United States and Israel to destroy centrifuges in an Iranian nuclear facility in 2010.
Fidgen said the same attack is now “consistently poking and prodding the U.S. bank network” with small-scale attacks, and other countries have been looking at financial markets as an increasingly relevant target to hurt political adversaries.
“Your chief executives or senior board members expressing political views – that makes you a target. It brings the question: is geopolitical tension being measured properly in your organisation as a form of indicator to your likelihood of being attacked? Hardly anybody does that,” he added. According to Fidgen, nation-states wanting to remain anonymous now give highly-organised criminal groups the remit to “do the dirty work for them”, leading to a crossover between the capabilities of the criminal organisation and the government, and making it very difficult for defensive intelligence agencies to understand attacks.
Another important aspect of cyber protection is communication. The Vice-President of a security outfit, Luke Beeson, explained that the strength of criminal hackers targeting an organisation lies in their ability and desire to share information, while commercial organisations generally limit communication with their peers, perhaps for fear of competition.
Regulators at a national level are poised to become increasingly involved in financial institutions’ cyber security programmes, the perfect example being the Bank of England’s CBEST Vulnerability Testing Framework, which aims to protect the UK’s financial stability by implementing a cyber attack testing system in each of its financial institutions.
Fidgen added: “With CBEST, the Bank of England has done something absolutely superb. The UK recognises what’s happening, and the financial industry needs to be defensively well organised for the future. As a nation, we now have a financial regulator directly assigned to investigate cyber attacks.
“They’re not interested in you as an individual organisation – what they’re really interested in is whether you would have a role to play in a systemic collapse. With this scheme you will start to see this kind of cyber security structure cascade through all the regulators.”
The Executive Director of Operations, First City Monument Bank, Nath Ude, said that the consequence of the menace on the banking landscape has been reputational damage, loss of share value, loss of customer confidence and increased audit costs.
While citing NIBSS reports on the loss of revenue to fraudsters, he noted that between 2000 and the first quarter of 2013, banks had already lost N159 billion, and subsequently lost N40 billion for the rest of the year, while from January to September 2014, N4 billion more was lost. According to him, fraudulent activities are on the increase, with severe consequences for the financial industry in Nigeria, even as most electronic fraud in recent times has assumed the insider abuse dimension, including “dedicated employees.”
He said banks could curb insider abuse by watching out for warning signs like employees living above their means, frequent manipulation of data by employees, and continuous, excessive use and abuse of privileged and system accounts.
“Banks will be able to combat electronic fraud by filtering out predatory employees, reviewing upwards the required reliability status for all staff who need privileged roles to work, as well as deploying appropriate prevention and detection technologies like CCTV monitoring and access cards with authorizations,” Ude explained.
The Chief Internal Auditor, First Bank of Nigeria Plc, Uduak Udoh, pointed out that fraud committed by an insider is always harder to detect than fraud by outsiders, and the impact is usually higher when an insider is involved. According to him, though, at a particular period, investigations showed that outsider fraud volume was 5,173, representing 99.79 per cent, worth N786 million, while the insider-related fraud volume was 11 (0.21 per cent) but valued at N114 million.
“Outsiders and insiders remain the greatest challenge as they are both vectors and actors in the e-fraud space. For without them banks will have good sleep and less rough relationships with customers and regulators. The outsiders are those outside the wall of the bank who want to reap where they never sowed. They are social engineers, impostors, con artists and gold diggers. Outsiders are usually the first focus to protect against by banks,” he said.
On risk mitigation, the FBN chief auditor said that each organization has to decide how much loss it is willing to tolerate, as each of these areas requires an investment, in some cases substantial investments that may outweigh the benefits. “Even with these controls in place, there will still be the residual risk of user carelessness or of those angry users who are determined to circumvent the system. Thoughtful implementation of some or all of these controls can deter, prevent, detect, or reduce the ultimate impact of the incident,” he suggested.
However, as part of efforts to stem the tide of the menace, Fatokun, NeFF chairman, said the forum has created an avenue for information exchange and knowledge sharing on fraud issues among key stakeholders, to foster a collaborative and proactive approach in tackling the challenge and limiting occurrences, as well as losses.
The forum has reiterated the need to collaborate more, think ahead and think creatively, to successfully tackle fraudulent activities, which have been assessed as relying on increasingly sophisticated techniques.
The Head, Information System Security, NIBSS, Olufemi Fadairo, said that 2014 was quite alarming in terms of fraud as it recorded a very high volume of fraudulent transactions, noting that the unreported cases were far higher than the reported cases of fraud perpetrated in the system. Fadairo pointed out that Internet and ATMs remain the most popular channels for e-fraud, with Point of Sales (PoS) terminals being the preferred channel of cash out for fraudsters.
According to him, in 2014 there was a record of 1,461 fraud cases, with attempted value of N7.8 billion and actual loss value of N6.216 billion; in 2013, the fraud cases were 855, with attempted value of N19.149 billion, while actual loss value was N485.194 million. He added that the fraud cases emphasize the need for more security measures in handling payment cards at the individual level, and for improved security practices by corporate bodies, to minimize fraud rates.