Banks under siege from ATM hackers

A man puts a card into an ATM in Dar es Salaam. PHOTO|FILE

What you need to know:

  • The hackers target traditional banks, e-payment systems and other financial institutions in thirty countries worldwide.
  • The Bank of Tanzania (BoT) formed a task force in 2013 to fight cybercrime. The task force comprises members from the central bank, the Tanzania Communication Regulatory Authority (TCRA) and the Financial Intelligence Unit (FIU). Other members were drawn from the Tanzania Bankers Association (TBA) and the Police Force Cyber Crime Unit. The team was expected to propose a framework for combating fraud and cybercrime.

Dar es Salaam. Local banks are among the victims of the largest global heist, in which financial institutions lost an estimated $1 billion after hackers--mainly from Eastern Europe, Ukraine, Russia and China--broke into the banks’ networks between 2013 and 2014.

The hackers targeted as many as 100 banks, e-payment systems and other financial institutions in 30 countries--including Tanzania, the US, China and European nations--and stole as much as $10 million in each raid, according to a report released last week by Russia’s largest maker of anti-virus software, Kaspersky Lab.

NBC Limited was among the local banks that were hit in the online raid. Hackers managed to withdraw hundreds of millions from Automated Teller Machines (ATMs) within and outside Tanzania. Virtually all mainstream local banks have in recent weeks been victims of a huge number of ATM thefts that have cost the institutions billions of shillings and left customers in great distress.

NBC has, for instance, been hard hit by the wave of card skimming, and has in recent weeks seen many of its customers lose millions of shillings in high-tech fraud.

Investigations by The Citizen indicate that hackers have laid their hands on information on the bank accounts of many customers of the local banks and created fake ATM cards that they use to withdraw money from ATMs in and outside the country.

The latest victim of ATM theft is the community of the University of Dar es Salaam (UDSM), which has lost nearly Sh100 million to card skimming.

The Citizen on Sunday has a list of about 25 employees of the university, comprising professors, senior lecturers and other staff, who have each lost between Sh800,000 and Sh7 million in electronic theft. Fourteen of the victims bank with NBC and have lost about Sh60 million in total in the past six months.

Two professors, who wish to remain anonymous, have lost Sh6 million and Sh7.2 million respectively in ATM hacking. The fraudsters reportedly share bank information and personal identification numbers they have hacked from local banks with partners as far away as the United Kingdom and the United States of America.

The UDSM workers accused the banks of taking too long to refund their money and have now consulted lawyers to help sort out the matter.

One UDSM staff member (name withheld) whom this paper managed to talk to says he went to NBC’s UDSM branch on 27 January to pay a certain institution from his account, but the teller told him he did not have enough funds as his balance was only Sh14,000. He then asked for his bank statement, only to discover that more than Sh800,000--which is his net salary--had been withdrawn.

The statement showed that the money was withdrawn from London in the form of Sterling Pounds using MasterCard. Another professor had his cash withdrawn in Italy using the same means.

Victims have complained that the bank has been slow to process the refunds. The banks are said to have assured them that they would receive their money in 45 days--much too long for people who had already lost all their money.

“I am increasingly frustrated with our banks,” said a UDSM staff whose January salary was withdrawn in London. “Instead of serving their clients, it appears they are feeding on the blood of their clients. This is cannibalism.”

The wave of ATM theft that has hit local banks comes barely four months after the United States Federal Bureau of Investigation (FBI) asked neighbouring Kenya to help arrest a ring of international bank hackers and cyber criminals based in that country.

According to the FBI, the group, comprising Nigerians, has stolen $2.5 billion (Sh4 trillion) from banks and other institutions around the world. The FBI named 11 suspects, some of them specialists in card skimming--illegally copying information on a card--while three reportedly conspired with bank staff to identify accounts with large sums of money.

Local bankers fear that the hackers could also be operating in Tanzania and probably on a much bigger scale than in Kenya.

On Friday, NBC admitted that card skimming posed a real threat to local banks--and that the problem was not exclusive to NBC but affected the banking industry across the globe.

“Other banks are suffering as much as we are,” NBC Public Affairs Manager William Khallage said during an interview with The Citizen on Sunday. Members of the Tanzania Bankers Association are reported to be addressing the problem jointly.

According to NBC, most of the complaints of card skimming they registered involved transactions made outside Tanzania, particularly in Western Europe. How much local banks have lost so far in card skimming remains a top secret, with banks reluctant to disclose any losses for fear of eroding customer confidence.

TBA remains tight-lipped and efforts to establish the loss have proved futile. An impeccable source at the Bank of Tanzania (BoT) has, in the meantime, told The Citizen on Sunday that the sum banks have lost in the past two years runs into billions and there is evidence that ATM thefts have risen in recent weeks. CRDB, Standard Chartered, Barclays and NMB have fallen victim to ATM theft in the recent past.

NBC has announced that it is establishing SMS alerts to notify all its customers of any transaction involving their accounts. The bank says all its ATMs have been programmed to adopt Europay, MasterCard and Visa (EMV) standards to enhance security features.

EMV is a global standard for authenticating card transactions using microchip technology. The standard was developed in 1994 in a joint effort by Europay, MasterCard and Visa that sought to establish guidelines to ensure joint global payments, fraud security and the relevance of worldwide card networks.

Microchip technology is considered the most secure for ATM cards. The chip has a secret code that stores the customer’s details and it is hard to hack. NBC says it has improved all its technology and all its ATMs are EMV compliant.

Said NBC Chief of Staff and Strategy, Mr Elvis Ndunguru: “All our ATMs are EMV compliant. The next thing we are going to embark on is to phase out old ATM cards and start issuing EMV compliant cards. We plan to start this exercise in March.”

Players in the banking industry blame the rising incidents of ATM theft on lack of cyber-security laws to curb the vice.

This has made it virtually impossible to prosecute perpetrators of cybercrime, particularly those involved in ATM theft.

“We are having a difficult time addressing these problems because we lack laws to curb cybercrime,” Mr Ndunguru said. “It is so vital for us to have such a law.”

The government has been promising to draft legislation on cyber security for nearly two years. In September 2013, Bank of Tanzania (BoT) said new legislation against cybercrime was at the stage of final touches. It is understood that the Central Bank has for some years been working with other players to draft three bills to provide a legal framework for electronic financial transactions in an effort to fight cybercrime.

The Electronic Transaction Act, Data Protection and Piracy Act and Computer and System Misuse Act would provide a legal basis to address cybercrime.

The Data Protection and Transaction Act would criminalise unauthorised access to data and other information. The Computer and System Misuse Act would check computer crime and Internet fraud. The new law would also criminalise unauthorised access to computer systems and using a computer to commit a crime.

Communication Minister Makame Mbarawa and his deputy, January Makamba, were unavailable for comment.