When TheNiche published, on May 11, 2014, the story of how banks and mobile money firms were hit by the Heartbleed bug, perhaps not many readers realised the devastating impact of the worst web vulnerability.
But the Nigerian Interbank Settlement Systems Electronic Funds Transfer (NISSEFT) shed more light on it recently, disclosing that banks and mobile money vendors lost N6.2 billion to internet fraud in 2014, against N485 million in 2013.
The NISSEFT said transactions that passed through the electronic channels of internet and web banking (e-money transactions) accounted for the highest risk to users, followed by web applications and automated teller machines (ATMs).
The growth in e-crime is connected with the widespread vulnerability to the Heartbleed bug in the servers of millions of websites, which compromised some websites between mid-2013 and April 2014.
The bug created a hole that allowed hackers to get in and around the encryption on sites and made it possible to steal information stored on servers.
Impact on mobile money vendors, others
The story published by TheNiche detailed how mobile money industry leader, Pagatech, and Switch Teller Pay as well as some banks were hit with huge scam liabilities from abroad.
One bank and Paga rowed over a big ticket transaction in which the bank debited Paga with N250 million in error, caused by the Heartbleed bug.
Paga, an indigenous mobile money services provider in the forefront of Nigeria’s cashless policy, had made mobile money transactions cheap and simple, but it created loopholes scammers capitalised on.
Also affected is Switchtellerpay, a company also into mobile money transfer, with Pagatech as its card processor.
On www.mypaga.com, a client could pay bills, buy airtime, transfer money, pay the salaries of employees, et cetera.
With just a telephone number and email one could sign up for an account. No additional KYC (know your customer) information was required unless one wanted to be a merchant, or a company wanted to use the medium to pay employees.
Customers funded their accounts online using VISA or MasterCard. Just click the fund account section on the page, type in the amount, select the card type, type in card details; and the account was funded.
Later Paga also enabled the Western Union section on the page, through which a customer could pick up funds transferred via Western Union without having to go to the bank.
One could receive the fund on the Paga website and get his Paga account credited instantly. The transaction could be effected with the correct transfer information and security question and answer.
From the same account one could send money to anyone who has a Paga or bank account.
But these easy, energy-saving processes came in handy for hackers, who used them to empty the bank accounts and credit cards of victims whose personal details were obtained through the Heartbleed bug.
However, Paga has upgraded security details and now requires clients to furnish more KYC information.
Cash card con
All one needed to sign up was an email and telephone number. Scammers could steal or buy registered SIM cards and open several email accounts with false information, which could be used to sign up for a Paga account.
From mid-2013 to March 2014, fraudulent fellows discovered that the section of the Paga website which allowed one to fund an account using a card had a loophole.
The VISA card section accepted and processed the Nigerian debit card. Fraudsters went for the foreign version of the card because it does not require a PIN and often has more funds.
Fraudsters get credit card information (number, expiry date, and CVV2, which is the last three or four digits on the back of the card) from hackers who sell it to them, or give it to them for free but share the loot.
Largely affected in the scam are VISA credit card holders.
On the Paga website, a customer has a funding limit of N100,000 per transaction and N1 million limit per day.
With tonnes of hacked credit card information, fraudsters funded their Paga account in Nigeria and transferred the cash to any bank using the withdrawal to ATM section of the website.
They could have made huge purchases in Nigerian online stores such as Konga and Jumia and paid with their Paga account.
Before the innovation in electronic finance portals by mobile money services firms, scammers could do little with credit card information, as they needed the full details of their victims – name, card number, expiry date, CVV2, account holder’s full address, zip code, telephone number linked to account, et cetera.
But with the elimination of these details, millions of dollars stolen from mainly American credit card owners were transferred indirectly to Nigerian bank accounts through Paga accounts, leaving no trace of personal bank accounts.
To avoid being traced or caught, scammers could shop online and provide unverifiable pick up addresses, and pay bills for people in exchange for cash at a discount.
Western Union con
With internet-enabled Android, iOS and Windows smartphones, one could easily access a variety of websites and several thousand mobile apps. The www.mypaga.com website has an "accept Western Union transfer" section.
This section is a safe haven for internet fraudsters, as they do not have to go to the bank and have their identity scanned for security reasons.
With identity information, scammers could be arrested easily when a foreigner complains that he has been conned.
In place of identity information (know your customer details), all that customers are required to do is key in the transfer information on their Paga account.
Scammers loiter in banking halls with their Paga account website opened on their tablets. They look around for ignorant victims who want to cash a Western Union transfer.
They stay close to a target and spy on the information filled out on the form. At times they offer to help a victim correct a filling error, only to pick up information.
Before the victim is attended to in the bank, the scammer already has the funds diverted at the click of a button on his smartphone and handy tablet and quickly disappears from the banking hall.
By the time the victim is attended to, he hears from the bank teller that the transfer has already been claimed.