From over-the-counter (OTC) transactions to transactions performed by the mere click of a button, FinTech has, in a bid to provide personalized, consumer-friendly and convenient banking, revolutionized traditional banking and payment systems in Nigeria and the world over. New means of carrying out banking transactions continue to emerge. From the emergence of web payments and gateways, to the development of mobile payments, to the introduction of new payment methods with the aid of technologies such as artificial intelligence (AI), Blockchain, the Internet of Things (IoT), contactless cards and near field communication (NFC), technology has continued to disrupt payment systems.
While this revolution has brought about ease in banking and payment systems, it has also brought about certain unprecedented risks associated with the development of sophisticated technologies.
This article therefore seeks to briefly discuss cybersecurity trends in the FinTech industry.
Financial losses arising from cyber threats increase every year. According to the Serianu Cybersecurity Report [1], cyber-attacks cost Nigerian businesses about $649 million yearly. At the Cyber Secure Nigeria Conference organised by the Cyber Security Experts Association of Nigeria (CSEAN) in 2018, one of the speakers, relying on available statistics, stated that the losses associated with cyber-crime activities around the world would rise to US$2 trillion by the end of 2019. This humongous figure is associated with the spread of digitization and the fast-paced increase in internet penetration over the years, coupled with the desire of some unscrupulous individuals to get quick wealth.
Internet penetration has continued to experience astronomical growth in Nigeria. The Nigerian Communications Commission (NCC) recorded a difference of 11.4 million in the number of connected telephone subscribers between May 2017 [2] and July 2018 [3]. If this increase continues at the current rate, it is estimated that at least 114 million subscribers will have access to the internet by July 2019 [4]. Essentially, this may mean more consumers of digital services, which will drive financial inclusion on one hand, and, sadly, more digital power to perpetrate cyber-attacks on the other. Whichever way the coin is flipped, what will make the difference is the preparedness of the Nigerian FinTech sector for this growth.
The threat to cybersecurity, especially in the financial services sector, is now associated with the use of sophisticated technologies to exploit the vulnerabilities of computer systems and bypass access controls or hack into computer servers for the purpose of carrying out cyber-crime or fraud. In 2017, Serianu reported the hack perpetrated by one Nigerian hacker on 4,000 organisations and the alleged hack of bank accounts to steal about N39,000,000.00 (Thirty Nine Million Naira).
In 2018, the National Information Technology Development Agency (NITDA) reported that attempts by attackers to launch the "WannaCry" ransomware were foiled by the joint efforts of the Agency and Microsoft Inc. However, a few government agencies that failed to adhere to the directive were affected by the attack. While there was no official report of ransomware attacks in the Nigerian FinTech industry in 2018 (perhaps due to the attitude of the sector towards reporting), the FinTech industry is not immune from this menace in the future [5].
Going forward – 2019
In the past, Nigerian cybercriminals were notorious for advance-fee fraud schemes, such as the 'Nigerian Prince' style of scam, also known as "Yahoo-Yahoo". Schemes of this nature leverage social networking tools to trick victims into transferring funds into anonymous accounts. Although the scheme was successful for several years, public awareness combined with the regulatory efforts of the CBN through the Bank Verification Number (BVN) [6] and other initiatives has helped to reduce this trend in the country.
In order to adapt to new realities, Nigerian cybercriminals turned to creating phishing websites to defraud unsuspecting victims, while others looked to malware as a means to enhance access to potential victims' data [7]. Most notably, in recent years, cybercriminals evolved from using malware for simple financial gain to employing malware as part of complex Business Email Compromise (BEC) schemes, which they refer to as "Wire-Wire" scams. This has over the years proven to be tremendously profitable for cybercriminals, such that in 2018 the Internet Crime Complaint Center of the Federal Bureau of Investigation (FBI) reported that BEC was at the forefront of cyber-attacks, having accounted for more than US$12.5 billion in international losses and gained status as its own category of attack.
Cybercriminals are becoming more creative. Gone are the days when specific and exclusive skill-sets were required to successfully launch an attack; the trading of rudimentary knowledge online between malicious actors has significantly aided their efforts. Downloading phishing software, a key logger or ransomware code with setup instructions is now as easy as streaming a YouTube video. As a result, it is easier than ever to carry out a cyber-attack with little or no technical skill. Public websites provide cybercriminals with a means to purchase tools as well as seek technical support and advice on how to configure and deploy the capabilities to remotely control compromised systems.
Cyber-attackers then use these tools to steal important personally identifiable information (PII) of customers and, if unable to transfer funds from a hijacked account into their personal accounts, they trade the details of such customers on the darknet for other goods or digital currency (e.g. cryptocurrency or Perfect Money).
Cyber-Attack Trends – 2019
The deployment and use of Artificial Intelligence (AI) and Machine Learning (ML) for the delivery of personalized banking will pose new risks in the FinTech industry. Technologies like the AI-powered chatbots used by banks may be hijacked by attackers to socially engineer customers into clicking phishing links, downloading files containing malware or sharing personal financial information. It is therefore critical to make the public aware of how users should authenticate financial transactions.
Insider threat still accounts for most of the security vulnerabilities in the financial industry. In 2017, it was reported by the Nigeria Deposit Insurance Corporation (NDIC) that about three hundred and twenty bank employees either had their jobs terminated or were summarily dismissed as a result of fraud-related activities [8].
The negligent attitude of financial services employees to security configuration, owing to a lack of awareness and/or adequate training on new security tools, may be fatal to the security of any FinTech organization. The year 2018 witnessed an event which may have led to possible theft of personal data including emails, phone numbers, one-time passwords (OTPs) and hashed credit card details of thousands of Nigerians. Justin Paine, Head of Trust & Safety at Cloudflare, reported a leak he discovered while carrying out regular scanning for open and vulnerable Amazon S3 buckets. The leaky S3 bucket, which was found to belong either to a Nigerian airline or to a payment processor for a Nigerian airline, could have been exploited by a malicious person who could use this sensitive information to target customers of the airline for identity theft. According to Serianu's Report, insider threat still tops the list of high-risk attacks. It is therefore crucial for FinTech organisations to invest more in staff training and development, as well as carry out extensive character due diligence in the employment of staff who carry out sensitive tasks highly capable of being compromised.
Despite several awareness campaigns on the need to beware of phishing and spam mails, cyber-attackers have continued to evolve by developing new techniques and methods of collecting personal financial details from their victims. One such technique is spear-phishing, which is more targeted than the general phishing technique. Cyber criminals who use spear-phishing tactics segment their victims, personalize the emails (e.g. "Hello Mr. Jon Doe"), impersonate specific senders (e.g. banks) and use other techniques to bypass traditional email defenses. Their goal is to trick targets into clicking a link or opening an attachment. A phishing campaign may blanket an entire database of email addresses, but spear-phishing targets specific individuals within specific organizations with a specific mission. By mining social networks for personal information about targets, an attacker can write emails that are extremely accurate and compelling. Once the target clicks on a link or opens an attachment, the attacker establishes a foothold in the network, enabling them to complete their illicit mission. This kind of threat is convincing, and it takes extra caution on the part of the victim to avoid it. FinTech organisations must therefore constantly create awareness and provide measures for the identification and authentication of authorised emails and correspondence.
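One way a mail gateway or security team could check for the sender impersonation described above is sketched below. This is an added example, not part of the original article: the domains, brand keyword and sample messages are constructed, and it assumes the receiving gateway writes the Authentication-Results header itself and strips any copy supplied by the sender.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed): the bank's real sending domain and brand name.
TRUSTED_DOMAINS = {"examplebank.example"}
BRAND_KEYWORDS = {"example bank"}

def auth_verdicts(msg):
    """Extract spf/dkim/dmarc results from Authentication-Results (RFC 8601)."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";")[1:]:      # part 0 is the authserv-id
            fields = part.split()
            if fields and "=" in fields[0]:
                method, result = fields[0].split("=", 1)
                verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def triage(raw_message):
    """Return the reasons a message looks like sender impersonation."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    reasons = []
    # A trusted brand in the display name but a sending domain that is not ours.
    if any(k in display.lower() for k in BRAND_KEYWORDS) and domain not in TRUSTED_DOMAINS:
        reasons.append("display-name-impersonation")
    # Anything other than an explicit DMARC pass is treated as unauthenticated.
    if auth_verdicts(msg).get("dmarc") != "pass":
        reasons.append("dmarc-not-pass")
    # Replies diverted to a different domain than the visible sender.
    if reply_domain and reply_domain != domain:
        reasons.append("reply-to-mismatch")
    return reasons

# Constructed sample messages (headers only, not real traffic).
LEGIT = """\
From: Example Bank <alerts@examplebank.example>
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=examplebank.example;
 dkim=pass header.d=examplebank.example; dmarc=pass header.from=examplebank.example
"""
SPEAR = """\
From: "Example Bank Security" <alerts@examp1ebank-secure.example>
Reply-To: helpdesk@mailbox.example
Subject: Hello Mr. Jon Doe, please confirm your account
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=examp1ebank-secure.example;
 dkim=none; dmarc=none header.from=examp1ebank-secure.example
"""
```

Note that the constructed spear-phishing message passes SPF for its own look-alike domain, which is why the display-name and DMARC checks are evaluated separately rather than trusting any single "pass".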
Based on the metrics available from analyzing its customer systems over the past years, a report by Unit 42 of Palo Alto Networks (PAN) stated that cyber attackers have employed a total of 15 different malware families, which may be grouped into Information Stealers and Remote Admin Tools (RATs), to support their illicit activities. According to the report, Nigerian actors are currently producing an average of 840 unique samples of malware per month, and the common tools used in the information stealing category include LokiBot, KeyBase, Predator Pain, Pony, ISpySoftware, Agent Tesla, Zeus and Atmos, which are all designed to steal usernames, passwords and other valuable credentials stored on an infected computer. These tools are widely available on underground forums, require minimal technical expertise to set up and are easy to deploy. Once infected, compromised systems transfer stolen information back to a "predator-host" using common internet protocols, such as Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP) or Hypertext Transfer Protocol (HTTP). As a direct result, it is difficult to block the transfer of data with edge devices, as these protocols blend in with normal activity on most networks.
In the remote access category, these attackers make use of tools such as NetWire, DarkComet, NanoCore, LuminosityLink, Remcos and Imminent Monitor to gain remote access to compromised systems, capturing keystrokes, monitoring web cameras, accessing network resources and providing remote desktop connections. These tools are widely available on the internet, and not just on the dark or deep web.
Accenture, in its 2019 annual cost of cybercrime study [9], reveals that the total value at risk from global cybercrime is US$5.2 trillion over the next five years. This is rather alarming and calls for necessary action by all stakeholders. As noted above, malware remains at the peak of cyber-attacks and is the most difficult to resolve, followed closely by phishing through social media engineering and mining. Curbing these styles of attack requires more than securing individual systems; it requires more collaboration and cooperation by all concerned parties.
There is a huge information gap in the ecosystem. Chief Information Security Officers (CISOs) need to share information on emerging and existing threats so as to brainstorm and develop potent responses to these threats.
Prevention, they say, is better than cure. Companies and organisations should focus more on preventing cybercrime or mitigating its impact through the deployment of potent cybersecurity programs, tools and expertise.
The regulators should equally develop legislation such as the Central Bank of Nigeria ("CBN") Risk Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers to compel companies to comply with minimum standards and ensure reporting of cyber-threats.
[1] Serianu Cybersecurity Report for 2017, available at https://www.serianu.com/downloads/NigeriaCyberSecurityReport2017.pdf, last accessed 16th January, 2019.
[4] It should be noted that experts have continued to question the figures attributable to internet penetration in Nigeria as issued by the NCC. This is because, according to experts, the commission has continued to measure teledensity using the number of registered SIM cards as opposed to the actual number of subscribers. https://techpoint.africa/2019/01/17/ncc-nigerian-telecom/
[6] It is an initiative of the CBN to issue every bank customer a unique identification number that can be verified across all banks in Nigeria, such that no one is able to create an anonymous bank account.
[7] Unit 42 of Palo Alto Networks (PAN), https://www.paloaltonetworks.com/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise.html