Heartbleed bug bleeds banks, mobile money firms of billions

Banks and mobile firms are bleeding almost to death through the worst vulnerability in web history, Heartbleed bug.

Ibrahim Lamorde, Economic and Financial Crimes Commission Chairman

The bug comes with huge liabilities from Europe, America and the rest of the developed economies. Banks and mobile money vendors are paying for scammers’ loot estimated at over N1 billion.

Hackers specialising in obtaining the secret personal account details of individuals on websites have wrecked the finances of some companies in Nigeria, some of which are asking investors to beef up their capital base or explore other options for capital injection.

Heartbleed bug, one of internet’s biggest security threats, has been around for two years, but it was only discovered and patched up last month. Experts say there are still vulnerabilities.

Worst hit are banks (names withheld) and mobile money vendors, including Switch Teller Pay, Pagatech and others that accept Visa Card.

Collateral damage is estimated at about N1 billion. But industry sources said more claims from overseas victims, individuals and corporates, are still unfolding.

The Heartbleed bug sits on the servers of millions of websites, leaving open a hole that lets hackers get past the encryption that is supposed to keep those sites' traffic secret. Secret information stored on servers could be stolen.

Although the actual cost of Heartbleed cannot be determined for now, an American magazine eWEEK estimated a conservative $500 million as a starting point.

Canada’s tax authority shut down its online tax filing services to safeguard taxpayers’ information after the security bug was exposed on April 14.

The Canada Revenue Agency (CRA) reported the theft of Social Insurance Numbers belonging to 900 taxpayers, and confirmed that they were accessed during a six-hour period on April 8.

When the attack was discovered, CRA shut down its website and extended the taxpayer filing deadline from April 30 to May 5. It promised to provide anyone affected with credit protection services at no cost.

In another incident, the United Kingdom parenting site Mumsnet had several user accounts hijacked, after its chief executive officer was impersonated.

How mobile money vendors, others are hit
Pagatech, Switch Teller Pay and banks, including Zenith, Diamond, First Bank, are the worst hit with huge liabilities hanging on their necks.

Investigation by TheNiche showed that Zenith and Pagatech were at odds with each other over details of one transaction in which Zenith debited Paga with N250 million.

Paga, an indigenous firm that provides mobile money services and is at the forefront of the cashless policy in Nigeria, has made mobile money transactions so cheap and simple that it creates loopholes scammers capitalise on.

Switch Teller Pay, located in Ikeja, Lagos, which is also into mobile money transfer, uses Paga as its card processor.

On the company’s website, a client can carry out a variety of financial transactions, such as paying utility bills, buying airtime, transferring money to friends and family, and paying employees.

With just a telephone number and an email one can sign up for an account. No additional KYC (know your customer) information is required unless one wants to be a merchant, or a company wants to use the channel to pay workers.

Customers can fund their account online using Visa or MasterCard.

All one has to do is click the fund account section on the webpage, input the amount, select card type, input card details, and the account is funded.

Paga also has a Western Union section: a customer does not have to go to the bank to pick up money transferred through Western Union, as it can be received on the Paga website and credited to the Paga account instantly.

The customer can effect the transaction online so long as he has the correct transfer information and security question and answer. From the same account he can send money to anyone who has a Paga account or bank account.

But this easy, energy-saving process comes in handy for hackers, who use it to empty the bank accounts and credit cards of victims whose personal details were obtained through the holes opened by the Heartbleed bug.

The con
Since all one needs to sign up on an account is an email and telephone number, scammers steal or buy registered SIM cards and open several fresh email accounts with false information, and afterwards use these to sign up for a Paga account.

Between December 2013 and March 2014, fraudsters discovered a loophole in the section of the Paga website that allows one to fund a personal account with a card: both Visa credit and Visa debit cards are accepted.

Fraudsters get victims’ credit card information from hackers, who sell it or give it out free in exchange for a share of the loot. Visa credit card holders are the most affected.

On the Paga website, a customer has a funding limit of N100,000 per transaction and N1 million limit per day.

Fraudsters fund their Paga account in Nigeria, click a button to transfer the cash to a bank account, and withdraw it through an automated teller machine (ATM).

They can make huge purchases in Nigeria’s online stores such as Konga.com and Jumia.com and pay with a Paga account.

Before now, scammers could do nothing without the full credit card details of their victims (name on card, card number, expiry date, CVV2, account holder’s full address, zip code, telephone number, et cetera).

But now that these details are no longer required, several American credit card holders who fell victim to the scam have been left bankrupt and with bad credit scores.

Millions of dollars stolen from them are transferred indirectly to Nigerian bank accounts through Paga accounts, without a traceable link to any personal bank account.

To avoid being traced or caught, scammers can shop for valuables online and provide unverifiable addresses, pay bills for people and collect cash from those people.
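A defender-side check for the fund-with-cards-and-cash-out pattern described above, added here as an example and not code from Paga, Switch Teller Pay or TheNiche. The event format, the sample events, and the thresholds (distinct cards, cash-out ratio, time window) are assumptions; only the N1 million daily funding limit comes from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DAILY_LIMIT = 1_000_000  # naira per day, the Paga funding limit reported in the article

# Constructed sample events (not real Paga data): (timestamp, account, kind, naira, details)
SAMPLE_EVENTS = [
    ("2014-02-03T09:00:00", "acct-A", "signup", 0, {"kyc": False}),
    ("2014-02-03T09:05:00", "acct-A", "card_fund", 100_000, {"card": "visa-1"}),
    ("2014-02-03T09:07:00", "acct-A", "card_fund", 100_000, {"card": "visa-2"}),
    ("2014-02-03T09:09:00", "acct-A", "card_fund", 100_000, {"card": "visa-3"}),
    ("2014-02-03T09:20:00", "acct-A", "bank_transfer", 295_000, {}),
    ("2014-01-20T12:00:00", "acct-B", "signup", 0, {"kyc": True}),
    ("2014-02-03T12:10:00", "acct-B", "card_fund", 20_000, {"card": "visa-9"}),
    ("2014-02-05T08:00:00", "acct-B", "bill_payment", 15_000, {}),
]


def flag_cashout_accounts(events, window=timedelta(hours=24),
                          min_cards=3, cashout_ratio=0.9):
    """Return {account: reason} for accounts that match the cash-out pattern.

    Assumed heuristic (not Paga's own rules): an account with no KYC on file that
    is funded from `min_cards` or more distinct cards, or from card funding worth
    half the daily limit, within `window`, and then moves at least `cashout_ratio`
    of that money to a bank account inside the same window.
    """
    by_account = defaultdict(list)
    for ts, acct, kind, amount, details in events:
        by_account[acct].append((datetime.fromisoformat(ts), kind, amount, details))

    flagged = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        if any(k == "signup" and d.get("kyc") for _, k, _, d in rows):
            continue  # identity verified at signup; treat as lower risk
        funds = [(t, a, d["card"]) for t, k, a, d in rows if k == "card_fund"]
        if not funds:
            continue
        start = funds[0][0]  # window opens at the first card funding
        in_window = [f for f in funds if f[0] - start <= window]
        cards = {c for _, _, c in in_window}
        funded = sum(a for _, a, _ in in_window)
        out = sum(a for t, k, a, _ in rows
                  if k == "bank_transfer" and start <= t <= start + window)
        heavy = len(cards) >= min_cards or funded >= DAILY_LIMIT / 2
        if heavy and out >= cashout_ratio * funded:
            flagged[acct] = (f"{len(cards)} cards funded N{funded:,}; "
                             f"N{out:,} sent to a bank within {window}")
    return flagged
```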

Western Union con
With internet-enabled Android, iOS and Windows smartphones, one can access a variety of websites and several thousand mobile apps. On the www.mypaga.com website, there is a section on ‘accept Western Union transfer’.

This section is a haven for internet fraudsters, as they do not have to go to the bank to identify themselves.

Instead, they loiter in banking halls with the Paga website open on their tablets and copy the details of unsuspecting victims who come to collect money sent through Western Union.

They may offer to help a victim correct a form-filling error, as a ploy to obtain information. Before the victim is attended to in the bank, the scammers have already diverted the funds at the click of a button on their handy tablets.

They quickly disappear from the banking hall. When the victim is attended to, the bank official tells him the money has already been picked up.

Reactions from Paga, Switch
In response to the complaints from defrauded customers, Paga has closed down its Visa Card processing channel, leaving only MasterCard. It also opened a communication channel to address complaints.

Switch Teller Pay has included identity and utility bill verification to curb the scam.
