Why cyberattacks on e-money are growing

Experts say cyber criminals keep targeting banks and telecom companies after wrapping their heads around the arcane world of money transfers.


At the back end of October, Airtel Uganda and indeed affected banks such as Ecobank put out statements that were uniform insofar as describing a “technical challenge” that had thrown sand in the gears of various bank-to-wallet services.

By October 29, such was the gravity of the technical challenge that a couple of banks thought it wise to suspend the service. It was now apparent that a group of hackers had staged an audacious digital heist. The heist, which pulled in billions of shillings, was a tightly coordinated raid on Uganda’s banking system.

The technical skill displayed was suggestive of an inside job as per different accounts of those investigating the heist. It all started with counterfeit national identity cards that acted as a gateway to gaining access to bank accounts and mobile money SIM cards used in the heist.

“Our system incident has now been resolved and our bank-to-wallet and bulk payment services have been fully restored,” Mr David Birungi, the Airtel Uganda public relations manager, said in a November 4 statement, adding, “We would also like to reiterate that this incident did not impact any Airtel money or bank balances. Our systems are monitored to ensure they are performing as expected.”

The response was straight out of a crisis management textbook, according to those familiar with the subject matter.

“Reputational risk is a big factor as to why companies remain silent after a cyberattack. Customer confidence is the most important aspect for the companies,” Mr Kwame Rugunda, the chief executive officer of Savannah Cyber, a digital transformation company, told Sunday Monitor, adding that “revealing a cyberattack can drown the confidence of current and future customers.”

Mr Rugunda’s assessment is shared by other experts in the technology sector, who insist that both the government and the private sector never come clean when they bear the brunt of a cyberattack.

Mr Yona Wanjala, a digital security expert, who is also the executive director of Defenders Protection Initiative, says “cyberattacks display a level of capacity deficit that [a] particular company might be having in line with staff who can navigate … assess the risk … monitor the cyber landscape to be able to build walls of security that shield the institution from being attacked or being vulnerable to any attack.”

Mr Wanjala adds: “... that alone creates reputational damage. If the bank has that kind of incompetence then it loses trust and customers.”

Glut of cases

Over the past few years, hackers have kept cyber divisions in both state and private sector entities in Uganda busy.

In 2015, Justice Paul Mugamba, then head of the Anti-Corruption Court, warned that cybercrime is on the rise. This was after finding six former staffers of telecom companies guilty of gaining access to a mobile money system and helping themselves to more than Shs3b.

Cyber teams have, however, kept targeting banks after wrapping their heads around the arcane world of money transfers. The case that Justice Mugamba heard revolved around Shs3.2b which was transferred from the MTN Dispute Account in seven equal instalments to MTN agent lines employing fraudulent means on January 25, 2013.

Mr Peter Ochen, a senior manager at MTN, told the court that the system operates in an external environment. This, he added, involves banking agents and subscribers on one hand, as well as an internal system tailored for mobile money called Fundamo on the other hand. Tucked within Fundamo is a bank control account and the dispute account.

“A deposit is made by an agent on an escrow account in the bank. That deposit is then electronically synchronised into Fundamo through the dispute account and onward to the intended beneficiary,” Mr Ochen explained, adding that all this should happen without manual intervention.

The prosecution contended that while what enters and exits the Fundamo system is influenced by virtual cash floats, what happened on January 25, 2013, was out of kilter. Put simply, the dispute account was debited. The money that went into agent lines, prosecution revealed, was later transferred to 138 subscriber accounts. It was then withdrawn in cash or tokens. 

“…. whatever left the dispute account on the occasion comprises the money allegedly stolen,” the state contended. 

The Director of Public Prosecutions had broken down the charges into theft, unauthorised access and electronic fraud. Justice Mugamba, however, summed the entire delinquency as cybercrime, noting that “it is harmful to our society, which had found comfort in utilising mobile money services.”

“I have noted that the crime was premeditated and, therefore, carefully executed,” Justice Mugamba declared, adding, “All that was thanks to the meetings held in that respect by the convicts.”

Justice Mugamba later sentenced Edrisa Sserunkuuma, Joseph Magombe, Daniel Segujja, Henry Edgar Matovu and Irene Kauma to seven years’ imprisonment for theft via cyber.

Cracking the whip

In 2016, cyber attackers got the Anti-Corruption Court busy after MTN’s network was stealthily explored at the cost of Shs16b. The offenses were committed between May and December 2011. The accused conspired to steal money from the Fundamo system by creating fictitious journals and exiting the money through an MTN Public Access shop operated by a one Joan Nabugwawo. Nabugwawo was called accused No.2 on the charge sheet. She is said to have created 17 bogus subscribers for the sole purpose of receiving funds and some accomplice MTN mobile money agents such as ALWAYZ Uganda.

Prosecution insisted that the accused shared passwords and created pseudo persons such as Ronald Sebugenyi on the system, who transacted as a “ghost” person in draining the money from the adjustment for discrepancy account through the dispute account to the 17 subscribers and accomplice MTN agents like Nabugwawo at the Public Access shop and ALWAYZ Uganda belonging to Patrick Sentongo, who was accused No.1 on the charge sheet.

The picture painted by prosecution was that once the money hit the accounts of the 17 subscribers, the numbers would be deactivated automatically since they would have burst their ceilings. The subscribers were, however, re-activated by the accused without log-in incident reports. The accused, except for Eriya Baryamwijuka, who was listed as accused No.3, resigned from the company in close succession between October and December 2011. This raised suspicion that they could have committed a crime before leaving. An audit commissioned after their departure revealed malpractices.

In the end, Justice Lawrence Gidudu, who had replaced Justice Mugamba as the head of the Anti-Corruption Court, slapped Mr Sentongo with a 10-year imprisonment. Justice Gidudu said Mr Sentongo—the mastermind of the whole plot—acted contrary to Section 19 (b) (I) of the Anti-Corruption Act. He was also deemed to have committed electronic fraud contrary to Section 19 of the Computer Misuse Act, as well as conspiring to defraud contrary to Section 309 of the Penal Code Act.


Eye of the storm

In its 2021 report, the International Criminal Police Organisation, commonly known as Interpol, recognised Africa as being home to the fastest-growing telephone and Internet networks in the world. The continent also makes the widest use of mobile banking services. This, Interpol added, makes it prone to suffering a vast array of online scams.

In its 2018 report, the International Telecommunication Union’s Global Cybersecurity Index, which measures the commitment of countries to tackle cybersecurity issues at a global level, indicated that the scorecard of African countries was grim. Specifically, Uganda ranks among countries that have been exposed by cybercriminals, and this was there for everybody to see when, in October 2020, the country’s telecoms and banking sector lurched from one crisis to another.

Uganda’s central bank says such is the central role that mobile money networks play in the country that by March 22, Shs145.6 trillion had gone through its system. Its intricate system of computerised checks and controls has, however, proved to be vulnerable as a 2020 hack showed. Cyber-attackers used nearly 2,000 mobile SIM cards to the system and a $3.2m (Shs12b) payday.

The African Union has prioritised cybersecurity in an effort to ensure that emerging technologies benefit African people and companies. The move is under the auspices of the African Union Convention on Cybersecurity and Personal Data Protection. The so-called Malabo Convention was drafted in 2011 but only implemented in June 2014. Its role is to establish “a credible framework for cybersecurity in Africa through organisation of electronic transactions, protection of personal data, promotion of cybersecurity, e-governance and combating cybercrime.” Nevertheless, by May, the convention had only been ratified by 13 out of 55 AU member states, with Uganda being among those yet to ratify it. 

In July, Mr Thembo Nyombi, the director for the Rural Development Communication Fund (RCDF) at the Uganda Communications Commission (UCC), revealed that Uganda annually loses Shs15.5 billion to cybercrime.

“As Ugandans continue to embrace economic opportunities in the cyberspace and become more reliant on the Internet for trade and business, in the eyes of the malicious cyber actors, this increasing connectivity and adoption of digital services increases the available attack surface,” Mr Thembo said at a cyber competition for students.

Africa’s Vulnerabilities  

Africa’s Achilles heel when it comes to cyber security has been investment, with a number of studies indicating that the continent doesn’t have skilled people to tackle emerging cyber threats.

“We are lacking skilled manpower in the cyber space. Our academic institutions still have cyber as a class unit that students can take as an elective subject. Cyber is a discipline that must be treated as a full university course of its own,” Mr Martin Karungi, a product manager at Savannah Cyber, says, adding, “Resources are available but cyber is largely not given the priority and attention that it truly deserves. This is a crosscutting concern in both the private and public sector.”

Mr Karungi, nevertheless, takes comfort in Uganda having some of the best cyber laws.

“The cyber security index of 2018 ranked Uganda as number one country [in Africa] with a desired cyber security framework,” he told Sunday Monitor.  

In the study done by E-Governance Academy Foundation Company, a non-profit foundation that assists public sector institutions worldwide in digital transformation, Uganda placed 40th globally. This was after doing well in cyber threat analysis and information (80 percent), protection of digital services (80 percent), education and professional development (78 percent), and de-identification and trust services (67 percent), with cyber incident response, fight against cybercrime, and protection of essential services all standing at 50 percent.

Uganda didn’t, however, do well in the development of cybersecurity policy (29 percent), protection of personal data (25 percent), contribution to global security (17 percent), cyber crisis management and military cyber operations (at zero percent apiece).