We were recently treated to a comical meme, which trended on WhatsApp because Kenyans love cheap thrills, of a cat looking out of a moving car with a hilarious caption. The meme endeared Kenya Commercial Bank (KCB) to the masses, coinciding with the hype generated by visiting American popstar Chris Breezy.
Grumpy Cat: As KCB clients were treated to cheap thrills, their bank was hacked and money siphoned out of their accounts.
As you may all know, KCB has been rated as one of the biggest local banks, with its CEO Joshua Oigara being roped in to take over the collapsed Chase Bank, which was brought to its knees by its greedy directors.
When it comes to corruption in Kenya, banks are the biggest scammers and fraudsters, thriving on stealing depositors' money through manipulated interest rates and dubious deductions. For instance, corrupt banks in Kenya have opted to reduce the repayment period of loans instead of reducing the monthly repayments, as required by the new law which was passed.
So Kenyans are hereby warned never to trust banks.
A customer contacted us about a suspicious transaction at KCB, whereby he discovered that he had lost a considerable amount of money in what seemed like an orchestrated scheme by the bank to defraud its customers.
After raising concern with the bank, it was discovered that a hacker had breached Kenya Commercial Bank's system and made away with over Kshs. 1 million. Surprise, surprise: after the "investigation" KCB said that they would only refund 10% of the money, saying that the rest of the money wasn't their responsibility.
CAPTION: Letter from KCB confirming the account hack. This customer got a refund of only 10%, with the bank telling him that they cannot bear the burden of money lost through hacking, yet they are the ones who bought an inferior banking system from friends of their IT managers.
So the question I ask Kenyans is: why should you continue banking with a financial institution that has a vulnerable computer system? How many cases like this have gone unnoticed, especially because many Kenyans aren't keen on the details of their bank statements?
Well, Kenya's mediocre education system means that individuals who can troubleshoot such occurrences are scarce, which is why a Burundian hacker recently made news after discovering massive vulnerabilities in the KCB system, which threaten every customer using the bank.
According to the hacker, Chris Irakoze, his interest in computer security began with an East African bank named KCB. It all started when he discovered a flaw in one of the services offered by KCB Burundi and Rwanda, called KCB Iwacu.
KCB Iwacu is a service for depositing or withdrawing money at a KCB Iwacu agent using a phone. The advantage is that these agents are everywhere, which makes it more convenient for customers, who avoid travelling to the KCB headquarters and the long queues there.
To withdraw money from a KCB Iwacu agent, the customer transfers the amount to the agent's account; the agent receives a confirmation message from KCB and hands over the cash.
The vulnerability lies in the fact that the agent receives the confirmation by SMS, when almost every computer scientist knows that SMS is unreliable because anyone can change the sender number displayed on a received message. So a hacker who wants to steal the money only needs the agent's phone number and name, then only has to send a false confirmation, and voila.
Now the KCB Iwacu agents use Point of Sale machines, which make the attack more difficult but not impossible.
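The weakness described above is that the agent's trust rests on the displayed sender number. As an added example (not KCB's code), here is a defensive design that removes that trust: the bank authenticates every confirmation with a key provisioned to the agent's terminal, so a message with a spoofed sender but no valid MAC, a tampered amount, a stale timestamp or a replayed transaction id is refused. The agent id, key and message format are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo values (hypothetical): one agent terminal and the key provisioned to it.
AGENT_KEYS = {"AG-0042": b"demo-key-provisioned-to-agent-0042"}
MAX_AGE_SECONDS = 300  # a confirmation older than this is not honoured


def issue_confirmation(agent_id, txn_id, amount, issued_at, key):
    """Bank side: 'agent|txn|amount|timestamp|mac'. The MAC binds every field,
    so nothing in the message can be changed or forged without the key."""
    body = f"{agent_id}|{txn_id}|{amount}|{issued_at}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{body}|{mac}"


class AgentTerminal:
    """Agent side: trusts the MAC, never the SMS sender number or display name."""

    def __init__(self, agent_id, key):
        self.agent_id = agent_id
        self.key = key
        self.seen_txns = set()  # replay protection across the terminal's session

    def verify(self, message, now):
        parts = message.split("|")
        if len(parts) != 5:
            return False, "malformed"
        agent_id, txn_id, amount, issued_at, mac = parts
        body = "|".join(parts[:4]).encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()[:16]
        if not hmac.compare_digest(mac, expected):
            return False, "bad mac"      # forged sender or tampered fields
        if agent_id != self.agent_id:
            return False, "wrong agent"  # confirmation issued to another agent
        if now - int(issued_at) > MAX_AGE_SECONDS:
            return False, "stale"
        if txn_id in self.seen_txns:
            return False, "replay"       # same confirmation presented twice
        self.seen_txns.add(txn_id)
        return True, f"pay {amount}"
```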
Then, as KCB Iwacu does not work on all networks, other customers use a smartphone app. The hacker checked the app, and what he discovered was even more serious.
The application has all the necessary security measures to protect user data during login over the network, but their misuse allowed a man-in-the-middle attack which would have let a hacker take complete control of a user's account.
Since this discovery, KCB has shut down the application and we are waiting impatiently for the new app, which is already functional in Kenya and Rwanda.
While waiting for the new smartphone app, the hacker decided to dig deeper, with renewed interest, into the services offered by KCB Kenya, and found an information leakage vulnerability.
The term "information leakage" is used when a flaw in an application reveals sensitive data, such as technical details of the web application, its environment, or user-specific data. Sensitive data can be used by an attacker to exploit the target web application, its hosting network or its users. In this case, KCB leaked the phone numbers and names of its customers.
If most of you readers think that this information is useless, he went on to explain what a hacker could do with it.
One of the things a hacker could do is sell those phone numbers, as those of KCB customers, to politicians; for instance, Kiambu Senator Kimani Wamatangi, a close aide of President Uhuru Kenyatta, is notorious for acquiring data illegally through the hacking of systems.
A hacker can also sell the information to a competing bank.
Another way a hacker can use the data is in a scam or phishing-type attack targeting KCB customers, who could then lose their money like the customer who contacted us above.
I know what you're thinking: the program is useless because the hacker must supply the telephone number, and usually if you have the phone number there is a good chance you already know the name of the target.
Again, you have to think like a hacker.
A hacker will create a list of all possible mobile numbers and try them all, ending up with a list of KCB customers with name and phone number. For this, he only has to change the program slightly to automate the task, and he will get the full list in less than two months.
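A sweep of that kind is visible on the bank's side long before it finishes. As an added example (not KCB's code), here is detection logic run over constructed access-log lines of a hypothetical customer-lookup endpoint: it flags any client that queries many distinct numbers, especially consecutive ones, within a short window, which is the signature of automated enumeration rather than a customer looking up one contact. The log format, endpoint path and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical endpoint and format):
# "<epoch> <client_ip> /lookup?msisdn=<number> <status>"
SAMPLE_LOG = """\
1700000000 10.0.0.7 /lookup?msisdn=254701000120 200
1700000001 10.0.0.7 /lookup?msisdn=254701000121 404
1700000002 10.0.0.7 /lookup?msisdn=254701000122 404
1700000002 10.0.0.7 /lookup?msisdn=254701000123 200
1700000003 10.0.0.7 /lookup?msisdn=254701000124 404
1700000004 10.0.0.7 /lookup?msisdn=254701000125 200
1700000010 192.0.2.5 /lookup?msisdn=254701555123 200
1700000090 192.0.2.5 /lookup?msisdn=254701555123 200
"""
LINE = re.compile(r"^(\d+) (\S+) /lookup\?msisdn=(\d+) (\d{3})$")


def detect_enumeration(log_text, window=60, min_distinct=5, min_sequential=3):
    """Return {client_ip: stats} for clients whose lookups within any `window`
    seconds cover >= min_distinct numbers or a run of >= min_sequential
    consecutive numbers. Both hits (200) and misses (404) count: the sweep
    itself is the signal, not the answer each query gets."""
    events = defaultdict(list)  # client_ip -> [(timestamp, msisdn)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not lookups
        ts, ip, msisdn, _status = m.groups()
        events[ip].append((int(ts), int(msisdn)))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # sliding window starting at each event
            nums = sorted({n for t, n in evs[i:] if t - start <= window})
            run = best = 1
            for a, b in zip(nums, nums[1:]):
                run = run + 1 if b == a + 1 else 1
                best = max(best, run)
            if len(nums) >= min_distinct or best >= min_sequential:
                alerts[ip] = {"distinct": len(nums), "longest_sequential_run": best}
                break  # one alert per client is enough
    return alerts
```

A client flagged this way is a candidate for rate limiting or blocking at the endpoint, and the endpoint itself should not confirm which numbers belong to customers.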
A sample of customers whose number starts with 254 701 xxx xxx, is available on request.
Following this discovery, the hacker informed KCB and even tweeted the arrogant and overrated Joshua Oigara that there was a flaw in their system, but despite the risk to their customers, and the fact that it is a crime in Kenya under the Data Protection Act, 2013, more than a month later their forensic service is still searching for the flaws.