
Securing Nigeria’s wealth from cyber attacks

By Saichand Boyapati and Bogdan Barchuk
12 September 2024   |   3:24 am

Cybercrime attacks and security breaches on Nigerian banks have increased dramatically over the years. While the fraud cases reported last year decreased by six per cent, the value of stolen funds increased by 23 per cent to N17.67 billion, and Internet Banking Fraud Loss increased by 325 per cent, according to the NIBSS Annual Fraud Landscape 2023.

According to the 2023 Survey conducted by the African Financial Industry Barometer, 97 per cent of surveyed executives at top financial institutions in Africa consider cybercrime a significant threat.

In 2023, Zenith Bank and Access Bank experienced significant attacks. A phishing campaign targeted Zenith Bank, resulting in substantial financial losses.
Access Bank faced a ransomware attack that disrupted operations and compromised customer information.

Even recently, there was an isolated incident of an attempt to compromise the Guaranty Trust Bank (GT Bank) website domain. Lagos represents Nigeria’s highest fraud area and has been designated a priority area of concern. Some of these institutions improved their security over the years.

However, the security landscape is constantly evolving, and many attack vectors continue to arise. This article discusses the nature of such attacks, pointing out the probable vulnerabilities and proposing mitigating measures to ensure enhanced customer security.

Popular types of attack methods
These various fraud attacks mostly leave the banks of Nigeria in sorrow.

Social engineering against bank employees
Based on analysis, social engineering remains the primary method hackers use to attack banks. Not every attempt succeeds, and not every attacker can carry one out, but the impact of a successful attack is huge.

Impersonation is commonly used: attackers extract personal information from various sources, then contact bank employees, or call people while pretending to be employees themselves, and try to compromise their systems remotely using leaked credentials, malware, and social engineering calls.

Attackers send social engineering messages designed to trick bank employees or bank clients into revealing sensitive information or clicking on malicious links.

Insider threats
Internal complicity: One or a few employees facilitate fraud by accessing sensitive systems, or granting access to them, on behalf of fraudsters. This can compromise the entire organisation. There is a large number of known cases in which employees sell clients’ credit card data, as well as other PII, on the darknet.

Ransomware
Attacks in which attackers lock down bank systems and demand a ransom for their release are on the rise. They have risen to an all-time high and affect many banks and commercial sector staff globally.

Globally, ransomware is controlled by APTs, which earn billions of dollars by attacking companies, using their ability to break into Active Directory environments and encrypt entire infrastructures. Hackers and APTs pay good money to buy internal access to a bank’s Active Directory or network; pricing can start at USD 15-50k, depending on the bank.

Recent human error causing technical vulnerabilities and money loss: In 2021, a business logic vulnerability in the payment system resulted in N22 billion going missing from various bank accounts.

Cloning of apps/websites: As mobile and internet banking platforms gain popularity, they increasingly attract cybercriminals. The creation of clone applications in mobile and internet banking creates many issues for banks.

What banks can do to stop attackers from exploiting their systems
By implementing these recommendations, banks can better safeguard their assets and maintain financial stability in an evolving digital world, thus enhancing customer trust. 

Zero trust architecture: This model is based on the principle of “never trust, always verify.” It relies on identity and access management (IAM) methods like MFA, biometric verification, and real-time event monitoring. Permissions can be changed based on real-time risk assessments. While some banks are beginning to explore Zero Trust principles, they are not yet widely adopted across the board.

Endpoint protection: Implement robust next-gen endpoint security solutions across all devices connected to the bank’s network, including anti-virus, anti-malware, and firewall systems. AI-powered next-gen tools can also analyse data for unusual patterns and behaviours to detect threats early.

Periodic system inspections: Conduct regular security risk assessments to identify and correct any vulnerabilities before they are exploited, including continuous vulnerability scanning of the perimeter and source code. Threat modelling and risk assessment by the bank’s R&D teams can also help to correlate and enrich security events to proactively defend against malicious actors and known threats.

Employee and client training
Employee education: Educate employees on the latest cyber threats and best practices to prevent internal fraud and enhance overall security awareness. Implement programmes such as simulated (fake) social engineering attacks. While some banks conduct regular training, the level of cybersecurity awareness among staff varies. Smaller banks may not have comprehensive or frequent training programmes, leaving them vulnerable to social engineering attacks.

Banks and the government can collaborate to organise user education programmes and educate users on the following best practices:

Change your account passwords and PINs regularly (at least every six months).

Keep your passwords strong, and don’t use simple sequential numbers, birthdays, or names of family members that could be easily guessed.

Cover the screen with your hand while entering any credentials, such as financial passwords or PINs, at public ATMs.

Never share an OTP or private information with anyone.

Do not log in to banking or other apps when connected to public Wi-Fi networks.

Be careful when scanning QR codes at shops while making payments, and don’t click any URLs that you don’t recognise after scanning the QR code.

Keep your banking applications up to date. You can check this by going to your Play/App Store.

Be cautious with spam calls, and try not to get tricked: for example, by someone who claims to be a bank employee and asks for an OTP, or who says you have won a lottery or prize and asks you to fill in your details.

Advanced fraud detection systems: Implement next-generation analytics and machine learning-based systems for real-time detection of, and reaction to, suspicious activity. Such a system can allow clients to be protected automatically or by using AI.

Timely updates and patching: Regularly update software and patch vulnerabilities to reduce the risk of ransomware and other attacks. Updated systems and system backups can stop attackers from getting in easily. Attackers can still exploit zero-day vulnerabilities, where the attacker exploits a vulnerability before the bank patches it.

Discussion/dialogue with regulators: Work closely with regulatory authorities to comply with the latest security standards and best practices. Report any suspicious activities inside or outside the company which can cause data leaks or information exposure. 

Nigerian banks are now at a critical stage in their fight against cybercrime. This article reflects a snapshot of the cybersecurity challenges confronting Nigerian banks in 2023, with strategies and plans to evolve in 2024 and beyond to address new and emerging threats.

Boyapati is a director at Samsung Research America and Barchuk is an experienced Red Teamer and security expert.
They both can be reached via: [email protected] and [email protected]
