EVERY year, thousands of Nigerians collectively lose millions of naira to online banking fraud. A suspected fraudster recently arrested by the Nigerian Police revealed that Access Bank and First Bank were the easiest banks to hack.
The 46-year-old suspect, Zakarriyah Yahaya, paraded by the Police alongside thirty-eight other suspects, disclosed how his gang emptied the bank accounts of Nigerians using their missing or stolen SIM cards.
“I used to reset any SIM that receives bank alerts. I do reset it with the victim’s bank account number through bank code from the first to the last number.
“Any bank that we get, we first use it to buy a recharge card. From there, they will send us the alert. From the alert, we will now get the account number,” he said.
He also explained that the most vulnerable banks for his eleven-member gang were Access Bank and First Bank, revealing that the highest amount they had stolen from a single bank account was N800,000.
Yahaya’s story confirms the rising cases of online banking fraud and cyberattacks perpetrated by fraudsters in the country. However, corporate organisations in Nigeria rarely disclose to the public when they are attacked.
The ICIR checked the audited financial records of Access Bank and First Bank to ascertain the losses incurred by both banks from fraudulent activities or cyberattacks over the past four years.
An examination of the financial statements showed that First Bank's records did not provide details on its financial losses from fraudulent activities on any of its electronic banking channels, whether through USSD codes or ATM cards.
Also, there was no section specifically meant to show losses from electronic transactions by First Bank of Nigeria (FBN) Plc; rather, the financial records of all the subsidiaries of First Bank Holdings, which include FBN, were merged.
In comparison, Access Bank displayed its annual financial statements, which revealed that between 2016 and 2020 the bank lost a total of N871.4 million to fraudulent transfer/withdrawal transactions, which included transactions on its electronic channels.
A breakdown of the figures showed that Access Bank lost N86.9 million in 2016, which dropped to N78 million in 2017, before rising to N385.7 in 2018 – its biggest loss to electronic fraud for the period under review.
Between 2019 and 2020, there were 17,432 attempts to breach Access Bank’s electronic channels via USSD codes and ATM cards.
However, it stated the bank did not suffer any financial loss from those attacks.
The audit also revealed that the bank lost N224.4 million to fraudulent transfers and withdrawals between 2018 and 2020, but there was no information on whether the transfers were carried out off-the-counter or through its online platforms.
In 2019, the financial audit showed that a single cyberattack launched against the bank resulted in the loss of N96.4 million. The details of the attack were sketchy.
Last year, a hacker, Ihebuzo Chris, based in Benin City, extracted sensitive data of over 2,000 customers of Access Bank, which he revealed in a viral video on Twitter.
Ihebuzo had access to customers’ Bank Verification Numbers (BVN), account numbers and other personal information. He blew his cover in the online video, as his name appeared on his computer screen.
The Lagos Zonal Office of the Economic and Financial Crimes Commission (EFCC) arrested Ihebuzo on September 10, 2020, in Benin City, for alleged cyberstalking after receiving a petition from an unnamed bank.
However, it is uncertain whether Ihebuzo was charged with a crime, because The ICIR checked his LinkedIn and Twitter accounts and found that they were both active as at August 10.
Access Bank’s Head of Corporate Communications Amaechi Okobi had dismissed the attack, assuring its stakeholders of the integrity of their system.
“Our attention has been drawn to some social media reports claiming a data breach of our systems.
“We would like to reassure all our stakeholders and the general public of the security and integrity of our banking platforms which at this time are the best-in-class,” he said.
Every year, Nigeria loses a substantial amount of money to cybercrime. For instance, N250 billion was lost in 2017 while N288 billion was also lost in 2018, according to an ICIR report, yet 95 per cent of these crimes went unreported.
On August 25, 2020, Bank Security, a Twitter handle focused on bank security threats, reported that the database of Unity Bank, a Nigerian commercial bank, was being shared online on hacker forums.
The hackers claimed they had shared ‘only small dump’ from the bank, and said, “bigger dumps were coming soon.”
Three other hacker forums also shared the same database, according to Bank Security.
However, in its statement, the bank did not explicitly deny the breach or dismiss the associated data.
“The Bank hereby reassures its customers and the public at large, of the integrity of its systems, controls of which are continually enhanced in line with best practices, to forestall attempts at compromising confidential data,” a section of the statement read.
A 2019 report by Serianu revealed that Africa lost $3.5 billion to cyberattacks. The report stated that Nigeria was the hardest hit with losses of $649 million, followed by Kenya with $210 million, and Tanzania with $99 million.
Why are cyberattacks hushed?
Speaking to The ICIR, a legal cybersecurity expert, Enyioma Madubaite, said organisations in Nigeria were careful about their reputation, especially as regards disclosing cyberattacks to the public.
“We live in a world dominated by digital infrastructure. If there is a cyberattack on a bank, for instance, people go into panic mode because money is involved, which makes them keep quiet to save face or their reputation.
“They don’t care if it is employees’ information that was revealed or something not related to customers accounts, they want to preserve their money which may cause losses to the bank,” he said.
The Nigerian Cybercrime Act was signed into law in May 2015. This piece of legislation covers all issues pertaining to cybersecurity in the country.
However, Section 21 of the Cybercrime Act mandates individuals and organisations to report cyberattacks, when they happen, to the National Computer Emergency Response Team (CERT) to manage such incidents.
The Chief Executive Officer of Livestock247.com and RiceAfrika.com Maigari Ahmadu, a Lagos-based entrepreneur, said Nigerian organisations placed a low priority on cybersecurity.
“We operate on a porous cyberspace cloud in Nigeria because there are no government policies to guarantee the safety of our systems when exposed to danger.
“Nigerian tech companies need to do a lot to protect their systems by mitigating breaches, how it happens and how to secure their systems in the future, but it weighs low in terms of their order of priority,” he said.