Thousands of Nigerians lose millions of naira each year due to online banking fraud. Access Bank and First Bank were the easiest banks to hack, according to a suspected fraudster recently caught by Nigerian police.
The 46-year-old suspect Zakarriyah Yahaya, who was paraded by the police alongside 38 other suspects, revealed how his gang used missing or stolen SIM cards to empty the bank accounts of Nigerians.
“I used to reset any SIM that receives bank alerts. I do reset it with the victim’s bank account number through bank code from the first to the last number.
“Any bank that we get, we first use it to buy a recharge card. From there, they will send us the alert. From the alert, we will now get the account number,” he said.
The ICIR examined Access Bank and First Bank’s audited financial records to determine the losses experienced by both institutions as a result of fraudulent actions or cyberattacks over the previous four years.
Following a review of the financial statements, First Bank records revealed no information of financial losses resulting from fraudulent actions on any of its electronic banking channels, including USSD codes and ATM cards.
Furthermore, there was no section dedicated to losses incurred by First Bank of Nigeria (FBN) Plc as a result of electronic transactions; rather, the financial records of all First Bank Holdings companies, including FBN, were amalgamated together.
In comparison, Access Bank released its yearly financial accounts, revealing that the bank lost a total of N871.4 million in fraudulent transfer/withdrawal activities between 2016 and 2020, including transactions made through its electronic channels.
According to the findings, Access Bank lost N86.9 million in 2016, N78 million in 2017, and N385.7 million in 2018 – its largest loss due to electronic fraud during the period under review.
There were 17,432 attempts to penetrate Access Bank’s electronic channels via USSD codes and ATM cards between 2019 and 2020.
However, it reported that the bank suffered no financial losses as a result of the attacks.
The bank also lost N224.4 million in fraudulent transfers and withdrawals from 2018 to 2020, according to the audit, although there was no information on whether the transfers were made over the counter or through its online platforms.
A single cyberattack was launched against the bank in 2019, resulting in a loss of N96.4 million, according to the financial audit. The attack’s details were hazy.
Last year, a hacker based in Benin City, Ihebuzo Chris, extracted personal data from over 2,000 Access Bank customers, which he shared in a popular video on Twitter.
Customers’ Bank Verification Numbers (BVNs), account numbers, and other personal information were all accessible to Ihebuzo. He blew his secret in the post when his name flashed on his computer screen in the web video.
After receiving a petition from an undisclosed bank, the Lagos Zonal Office of the Economic and Financial Crimes Commission (EFCC) detained Ihebuzo in Benin City on September 10, 2020, for alleged cyberstalking.
However, it is unclear whether Ihebuzor was charged with a crime because his LinkedIn and Twitter profiles were both live as of August 10, according to the ICIR.
Amaechi Okobi, Access Bank’s Head of Corporate Communications, downplayed the incident, assuring the bank’s stakeholders of the system’s integrity.
“Our attention has been drawn to some social media reports claiming a data breach of our systems.
“We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class,” he said.
Nigeria loses a significant amount of money to cybercrime every year. According to an ICIR report, N250 billion was lost in 2017 and N288 billion was lost in 2018, however 95 percent of these crimes went unreported.
The database of Unity Bank, a Nigerian commercial bank, was being leaked online on hacker forums on August 25, 2020, according to Bank Security, a Twitter handle focusing on bank security risks.
The hackers said they had only shared a “small dump” from the bank, but that “larger dumps were on the way.”
According to Bank Security, three additional hacker forums shared the same database.
However, the bank did not outright deny the breach or disregard the accompanying data in its statement.
“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data,” a section of the statement read.
According to a Serianu research from 2019, hackers cost Africa $3.5 billion. Nigeria was the biggest hit, with $649 million in damages, followed by Kenya with $210 million and Tanzania with $99 million, according to the research.
Why are cyberattacks kept under wraps?
Enyioma Madubaite, a legal cybersecurity specialist, told The ICIR that Nigerian companies were concerned about their reputation, especially when it came to revealing cyberattacks to the public.
“We live in a world dominated by digital infrastructure. If there is a cyberattack on a bank, for instance, people go into panic mode because money is involved, which makes them keep quiet to save face or their reputation.
“They don’t care if it is employees’ information that was revealed or something not related to customers accounts, they want to preserve their money which may cause losses to the bank,” he said.
In May 2015, the Nigerian Cybercrime Act was signed into law. This piece of legislation covers all aspects of cybersecurity in the United States.
Section 21 of the Cybercrime Act, on the other hand, requires people and organizations to report cyberattacks to the National Computer Emergency Response Team (CERT) for management.
Maigari Ahmadu, the Chief Executive Officer of Livestock247.com and RiceAfrika.com, a Lagos-based entrepreneur, stated that cybersecurity is a low priority for Nigerian businesses.
“We operate on a porous cyberspace cloud in Nigeria because there are no government policies to guarantee the safety of our systems when exposed to danger.
“Nigerian tech companies need to do a lot to protect their systems by mitigating breaches, how it happens and how to secure their systems in the future, but it weighs low in terms of their order of priority,” he said.