A commercial bank headquartered in Kampala has lost at least Shs5.5 billion in two separate incidents of computer fraud carried out in the institution over a period of less than one year.
Information available to the Monitor indicates that the bank lost Shs3.56 billion when fraud was carried out on its Bill Pay System, and another Shs1.95 billion when the fraudsters accessed the agent banking platforms.
The Bill Pay System caters to the payment of utilities such as water, electricity, school fees and pay television typically via mobile money. In both incidents, the fraudsters used computers of loans’ officers attached to different upcountry branches of the said financial institution.
We also understand that black hats used login credentials of tellers based at the headquarters of the institution. A report put together following an internal investigation carried out by the lender in the aftermath of the initial heist of Shs3.56 billion suggests collusion between people inside the bank and other actors outside its purview.
“The fraud was orchestrated by parties external to the bank, but with strong assistance by elements inside the bank,” the report, a copy of which the Monitor has seen, reads.
It has, however, now emerged that as the bank was still dealing with events around the Shs3.56 billion, fraudsters struck again in August, making off with Shs1.95b. Information available to this publication indicates that the fraudsters, using a computer assigned to one of the loans’ officers at a branch in Bwaise, a Kampala suburb, but using login credentials of a teller at the bank’s headquarters in Kampala’s central business district (CBD), transferred money to their clients listed under the agent banking platform.
Our sources further disclosed that the money was sent as ‘float’ to the agents, who subsequently withdrew the money.
Float in mobile money is the sum total of money that a mobile money agent immediately has access to.
It can be physical cash, e-money or bank account funds. Mobile money agents use float to either cash in or cash out electronic money when a customer comes calling.
First heist
Information available to this publication indicates that the first heist of Shs3.65b was carried out on October 4, 2023.
“The fraud was discovered on the evening of that day after the bank teller failed to balance her books for the day,” a source within the bank revealed. The bank subsequently enlisted the services of the Information Technology (IT) department.
The latter discovered that all the bank’s systems had been entered using a computer of the bank’s loans officer based in Kabale, Kigezi Sub-region. The IT department also confirmed that the transfers were made using the login credentials of a teller at the bank’s headquarters. Documents that the Monitor has seen indicate that varying sums of money were wired out in 40 fraudulent transactions.
These involved 31 different lines of mobile money agents and were carried out on that day, October 4, 2023. There were, however, cases where one agent received more than one disbursement. In one case, for example, one agent received Shs427.9m. The money was sent to the said agent in four different tranches. The first was of Shs98m. That was followed by tranches of Shs99m, Shs97m, Shs98.9m and lastly one of Shs35m.
Gatekeeping deficits
Mr Apollo Ssekitoleko, an IT expert, told the Monitor that such fraud could only have occurred because of weaknesses in the system. Indeed, information obtained by this newspaper suggests that the gatekeeping system at the bank was at the time too weak to deter fraud.
An internal document we have seen suggests that by the time the fraud was carried out, the system did not have an auto time out. Once a teller logged in, the account would remain active until the same teller would log off.
“The system had not been equipped with a function to send out a One Time Password (OTP) while one was logging on. The OTP would have provided an extra layer of security, but without the OTP, one would have direct access to the system,” the report reads further.
This publication has also been able to establish that at the time the fraud occurred, there were no transaction limits beyond which tellers required authorisation to disburse.
Dual control, which would have required supervisors to authorise transactions, had also not been put in place.
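As an added illustration, not from the article or the bank, the controls the report says were missing (transaction limits, dual control, a check that a teller's credentials are used from their own machine, and an idle time-out) expressed as one gatekeeping check run over constructed float-transfer records; the limits, teller ids and workstation names are assumptions, and the sample mirrors the tranche pattern described above.

```python
from collections import defaultdict
# Thresholds are assumptions for illustration, not the bank's actual limits.
SINGLE_TXN_LIMIT = 100_000_000   # Shs100m: larger transfers need a second approver
DAILY_AGENT_LIMIT = 150_000_000  # Shs150m cumulative float to one agent per day
IDLE_TIMEOUT_S = 300             # a session idle longer than this should have expired

def evaluate_transfers(transfers, teller_workstation):
    """Return {transfer_id: [reasons]} for float transfers a gatekeeper should hold.
    transfers: dicts with id, ts (epoch s), teller, workstation, agent, amount (Shs),
    approved_by (None when no supervisor signed off); teller_workstation: teller -> PC."""
    flagged = {}
    per_agent_day = defaultdict(int)
    last_seen = {}
    for t in sorted(transfers, key=lambda x: x["ts"]):
        reasons = []
        # Dual control: above the single-transaction limit, a second person must approve
        if t["amount"] > SINGLE_TXN_LIMIT and not t["approved_by"]:
            reasons.append("over_limit_no_approval")
        # Structuring: several sub-limit tranches to one agent still breach the daily cap
        key = (t["agent"], t["ts"] // 86400)
        per_agent_day[key] += t["amount"]
        if per_agent_day[key] > DAILY_AGENT_LIMIT:
            reasons.append("daily_agent_total_exceeded")
        # Teller credentials used from a machine that is not the teller's own
        if teller_workstation.get(t["teller"]) != t["workstation"]:
            reasons.append("workstation_mismatch")
        # Auto time-out: activity after a long idle gap means the session never expired
        prev = last_seen.get(t["teller"])
        if prev is not None and t["ts"] - prev > IDLE_TIMEOUT_S:
            reasons.append("stale_session")
        last_seen[t["teller"]] = t["ts"]
        if reasons:
            flagged[t["id"]] = reasons
    return flagged

# Constructed sample (not the bank's data): one agent paid in tranches just under
# Shs100m using an HQ teller's credentials from a branch loans officer's computer.
ASSIGNED_WORKSTATION = {"T01": "HQ-TELLER-3", "T02": "HQ-TELLER-5"}
BASE = 1_696_410_000
SAMPLE = [
    {"id": i, "ts": BASE + dt, "teller": "T01", "workstation": "BRANCH-LO-7",
     "agent": "A1", "amount": amt, "approved_by": None}
    for i, (dt, amt) in enumerate([(0, 98_000_000), (120, 99_000_000),
                                   (240, 97_000_000), (3000, 98_900_000),
                                   (3120, 35_000_000)], start=1)
] + [
    {"id": 6, "ts": BASE + 60, "teller": "T02", "workstation": "HQ-TELLER-5",
     "agent": "A2", "amount": 20_000_000, "approved_by": None},  # routine: not flagged
]
```

Each tranche on its own stays under the single-transaction limit, which is exactly why the per-agent daily total and the workstation check are what catch the pattern.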
Twist in events
This publication has learnt that whereas the teller whose login credentials were used and the loans officer whose computer was used were initially arrested, matters at the bank took a sudden twist on January 15. This was after one of the accused erstwhile bank officials was put on the spot following the system breach.
The summons came a day after burglars broke into the accused’s residence in Mutongo, a Kampala suburb, and made off with the bank’s laptop, a personal phone and a wallet. Information available to this publication indicates that the bank official in question was summoned by the institution’s top brass.
The bank official, whose name, much like the bank’s, we are withholding, was accused of having performed what was described as “a brutal attack” on the bank’s systems. Mr Ssekitoleko described the brutal attack method as one of those in which hackers use trial and error methods.
They do this by trying out different passwords or login credentials in order to gain access to systems. We also understand that an erstwhile bank official was also accused of having elevated their status and running a series of commands on the bank’s system without authorisation.
That same day—January 15—the accused bank official was taken to the Central Police Station (CPS), Kampala, where a case was opened. According to documents obtained by the Monitor, the financial institution has since terminated the services of the accused official for allegedly breaching the bank’s policy as spelt out in the institution’s human resource manual. The erstwhile bank official is accused of having obstructed investigations into the theft of the Shs3.56 billion fraud by losing a bank laptop.
“The laptop got lost during investigations of the Bill Pay fraud, the timing and circumstances made it impossible for the investigations to progress. You also neglected/refused to make a statement on the loss of the said laptop. The acts breached the bank’s human resource procedures' manual,” reads the erstwhile bank official’s October 25 dismissal letter.
In the same letter, the erstwhile bank official is accused of breaching the bank’s core value of integrity by misrepresenting facts around the losses suffered during the alleged January 14 burglary in which the bank’s laptop was lost.
“You were dishonest when you reported loss of Shs355,000 at Mutungo Police Station during the burglary into your house, contrary to the loss of Shs250,000 during the same burglary as reported at Old Taxi Park Police. The inconsistencies breached the bank’s policy captioned in the Human Resource Procedures’ Manual,” the letter further states.
Information available to this publication indicates that the erstwhile bank official appealed against the decision. The appeal was, however, rejected during a meeting held this month. Others whose services the bank has since terminated include the loans’ officers whose computers were used to facilitate the cases of fraud and two IT specialists. The bank tellers whose login credentials were used in the two cases are, however, still in the employment of the bank.
Investigations scuttled?
It should, however, be noted that at no point were any of the mobile money agents to whose accounts the money was disbursed taken in for questioning. As was the case in the Bill Pay fraud, the agent bankers linked to the loss of the Shs1.95 billion are yet to be summoned for questioning.
Sources at the CPS, Kampala, told the Monitor that the investigations officer, Mr Obeid Ankunda, to whom the case had been assigned, was in a surprise move transferred to Masaka in April before he could call in the mobile money agents to record their statements. The sudden transfer led to questions about the motive, but Mr Kituuma Rusoke, the police spokesperson, said the public should not read too much into what happened in April.
“An officer can be transferred because at any one stage, you can still hand over a case. A case has a ladder of investigation. At times administratively, we may choose if it is so sensitive, not to (transfer), but I don’t see any reason why an officer should not go on transfer and someone else picks it (investigation) from where you stopped,” Mr Rusoke said.
Matters were also not helped by the fact that investigators were not allowed access to the core banking system, which would have enabled tracing who had accessed the system and at what time.
A 53-page report, the product of a forensic investigation conducted between November 2023 and February 2024, suggests that both the bank and the mobile money service providers did not honour the investigators’ requests for access to systems and information.
“Forensically analysing the core banking system was desired, but all requests were not honoured by the concerned parties. Furthermore, it was crucial to correlate the time of the last money withdrawal from the agents to establish a chronology of events and the time when the transactions purportedly reflected in the core banking system. However, the request for this data from (service provider) also received no response to date,” reads the report.