IDG News Service

Rise in online attacks poses challenge for African banks

Rebecca Wanjiku, Computerworld Kenya, 11.06.2009

African banks have been forced to address online security after being targeted by malicious attacks.

Availability of cheaper bandwidth and the expansion of online banking services to include transactions have led to increased use of online banking, which has meant a rise in phishing scams and other malicious attacks.

Most African banks have legacy systems in place, which can pose a security challenge when it comes to online services.

"African banks have not given enough attention to security; we are currently involved in several PCI compliancy projects where we are assisting banks in building their security foundations from scratch, because their systems have not been up to standard," said Paul Dominjon, financial services solution expert at Symantec in South Africa.

While many banks had invested in upgrading or replacing legacy systems, Dominjon identified maintenance and implementation of multichannel security as a major challenge.

The most prominent attack was last month and involved South Africa's FNB online banking clients, who were unable to access services.

"The slow system response was due to exaggerated database activity that resulted in a huge increase in volumes," said Michael Jordaan, FNB CEO, in an apology letter sent to clients.

Regarding online security at FNB, Jordaan said the bank had sorted out the issues and would compensate clients for losses.

In many cases, security breaches have involved criminals defacing Web sites or phishing attacks by scammers stealing bank-account information.

"Criminals operate based on a risk-versus-reward equation. If they find a way to make or steal money that has low risk and high reward they will expand in that market, invest more time and hope for a return on investment," said Steve Santorelli, ex-Scotland Yard detective and director of global outreach at Team Cymru, a nonprofit Internet security research company.

For many criminals, it has become easier to exploit the computers of users of online banking services than to try to hack into the systems of banks, which may have invested heavily in security software.

"Why spend months trying to hack a well-fortified bank server when you can use off-the-shelf code to hack a user's home computer, which might not have any antivirus, firewall or software updates? You can compromise their machine in seconds, steal their banking passwords or just piggy-back into their account next time they log in themselves," Santorelli said.

In Kenya, one of the bank's online banking sections was hacked and users were redirected to a site operated by people based in Nigeria. Users were not aware at first because the site was made to look like the authentic banking site, and only in looking at details such as branches was the fraud detectable.

"Most banks in Kenya have the standard online security mechanisms in place; however, clients need education on what to look out for between a genuine banking site and a fake one. If not, it doesn't matter how secure the platform is because customers lose," said Tyrus Kamau, a security consultant in Nairobi.

As more people take advantage of affordable bandwidth and access online banking services, the question of genuine versus pirated software on PCs is also going to arise.

IDC East Africa estimates that about 85 percent of PC users in the region use pirated software, which makes it impossible for users to download software updates for antivirus or operating systems.

Reprinted with permission from Computerworld Kenya. Story copyright 2009 Computerworld Kenya Inc. All rights reserved.
