Is cybercrime here to stay? (2)

This is a sequel to JULIANA AJAYI’s article last month on the cost of cybercrime in Nigeria and efforts to combat it.

Since the 1970s, when telephone hacking began, humans, with the aid of technology, have been perpetrators of cybercrime.

The perpetrators were first known as phreakers because of their acts on the telephone system: they disguised their voices and tones to make specific calls that would eventually grant them free calls. In America, the perpetrators recognised that telephone systems operated on certain tones, which they imitated for personal reasons.

Computer programmer John Draper was a popular phreaker. He hacked the system and made free telephone calls alongside men like Steve Jobs and Steve Wozniak, who went on to establish one of the biggest technology companies in the world, Apple Inc.

Brett Johnson, referred to by the United States Secret Service as ‘The Original Internet Godfather’, has been a central figure in the cybercrime world for almost 20 years. He founded and led Counterfeitlibrary.com and Shadowcrew.com. One of the top experts in cybercrime, cybersecurity, fraud and identity theft, Johnson now assists companies to protect themselves from cyberattacks. 

ShadowCrew is known as the forerunner of today’s cybercrime forums. Several scams perpetrated in the world today originated with ShadowCrew.

After Johnson’s arrest in 2006 for cybercrime and money laundering to the tune of $4m, ShadowCrew was discovered to be an international organisation of approximately 4,000 members.

From telephone hacking in the late 1970s through the late 1980s, hackers proceeded to financial institutions, organisations, agencies, corporate bodies and individuals. 

With the advent of the Internet, cybercrime has been emboldened and has risen rapidly. It is also deemed to be one of the largest and most active forms of crime globally.

 

Data breaches

According to Norton, an anti-malware and security software company, more reports of data breaches affecting millions of consumers have surfaced. It notes that small and medium-sized enterprises tend to be affected, with 60 per cent of Point of Sale (POS) transactions involving credit cards.

Some of the industries identified as most affected by POS data breaches are restaurants, retail stores, grocery stores and hotels. These businesses are identified as easy targets for cyber attacks because of the ease of access they give cybercriminals and their lax security and policies.

“The POS systems that these companies use to ring you up are basically computers that often run on Windows, and are susceptible to the same threats that a regular Windows-based computer is vulnerable to. The credit card data is first stored on the machine and unencrypted for processing purposes. When malware finds its way into the machine, it goes after the unencrypted payment information. The malware collects data and then sends the information to a remote server,” Norton says.

Other ways data is breached include employees using office computers to surf the Internet and check their emails and social media during free hours, which allows malware to spread through phishing and social engineering, delivered as email attachments or malicious links.

 

Safety measures

The 2022 Data Breach Investigations Report (DBIR) by Verizon notes that credentials, phishing, exploiting vulnerabilities and botnets are four key areas that organisations should handle thoroughly, and that organisations are unsafe without proper handling of them.

The report states that ransomware, a type of malware that encrypts files on devices, has continued its upward trend with an almost 13 per cent increase, a rise as big as the last five years combined, for a total of 25 per cent this year. It also highlights that error continues to be a dominant trend and is responsible for 13 per cent of breaches.

“The human element continues to drive breaches. This year, 82 per cent of breaches involved the human element. Whether it is the use of stolen credentials, phishing, misuse or simply an error, people continue to play a very large role in incidents and breaches alike.

“In keeping with other studies revealing risks inherent in the extended enterprise, business partners were involved in 39 per cent of the data breaches by our investigators,” the report states. 

Study shows that some of the safety measures that can be adopted to avoid data breaches and cyber attacks include regular monitoring of bank accounts, credit reports and other financial accounts for suspicious activity. In cases of any suspicious or fraudulent activity, the financial institution concerned should be contacted immediately.

Data breach incidents should be thoroughly investigated, with reliable and timely information relevant to the investigation provided.

Customers of companies that have suffered a data breach should closely monitor their bank and other financial accounts.

 

Phishing and pharming

Considered to be one of the commonest forms of cybercrime, phishing involves the theft of identity and other personal information. Phishing can involve the theft of information such as card numbers, bank information or passwords through websites that pretend to be legitimate. Phishers usually lure their victims with enticing, and sometimes irresistible, offers.

Following the outbreak of the Coronavirus Disease in 2019, the number of phishers in Nigeria increased. People get unsolicited COVID-19 palliative text messages and emails asking them to click a link to access the funds. While some may have escaped falling victim, many have fallen prey.

According to Cisco, phishers start by identifying their target and creating email and text messages that appear to be authorised but contain dangerous links, attachments or lures that trick their targets into taking an unknown and risky action. 

Joanna Oke received a text message offering her an opportunity to work at Shell from someone posing as her fellow corps member. The message read thus, “Abosede, good morning. It’s me, James Victor, your ex-corps mate in Kebbi State 2020 A. I tried calling your line, but it is not connecting. My inlaw secured me job in Shell Oil Company, Rivers State branch. Internet employment is going on now and it’s very urgent. Call me, if you wish to (sic) apply.” 

Miss Oke said she was amazed at how the scammer knew the state where she served, her batch, and her year of service.

These perpetrators use emotions such as fear, curiosity, urgency and greed to compel recipients to open attachments or click on links designed to appear to come from credible companies and individuals. 

Pharming, on the other hand, can result in identity theft when a link to a fraudulent website is clicked. It is a scamming practice in which malicious code is installed on a person’s computer, leading them to fraudulent and harmful websites without their consent.

Nyman Gibson Miralis, an organisation that provides professional advice and representation in complex international cybercrime investigations, says pharmers exploit host names in several ways in an attempt to gain users’ personal information.

The tactics pharmers use include misspelling domain names to mislead users into using the pharmer’s website; using malicious software, also known as malware; domain hijacking; and Domain Name Server cache poisoning, which is considered the most dangerous because it can spread among other servers.
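One defensive check against the misspelled-domain tactic described above, as an added example that is not part of the original article: it compares a hostname taken from a link or message against the domains an organisation actually uses and flags near-misspellings. The trusted list, the sample hostnames (on the reserved .example TLD) and the function names are assumptions made for illustration.

```python
from typing import Optional, Tuple

# Constructed allowlist: the domains the organisation really uses.
TRUSTED = {"examplebank.example", "pay.examplebank.example"}

# Digits commonly swapped for letters in lookalike names, folded before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(host: str) -> str:
    """Lower-case, drop a trailing dot, and fold common lookalike characters."""
    host = host.strip().rstrip(".").lower()
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            # Two adjacent characters typed in the wrong order count as one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]

def classify(host: str, max_edits: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain)."""
    raw = host.strip().rstrip(".").lower()
    if raw in TRUSTED:
        return "trusted", raw
    folded = normalise(raw)
    for good in sorted(TRUSTED):
        # Distance 0 after folding means only lookalike characters differ.
        if osa_distance(folded, normalise(good)) <= max_edits:
            return "lookalike", good
    return "unknown", None

if __name__ == "__main__":
    for h in ["examplebank.example", "examp1ebank.example",
              "exmaplebank.example", "weather.example"]:
        print(h, classify(h))
```

A "lookalike" verdict is a reason to block or warn before the link is followed; an "unknown" verdict only means the name is not close to anything on the allowlist.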

 

Regulatory framework for BVN

The Central Bank of Nigeria’s regulatory framework for Bank Verification Number is a strategy developed by the CBN to ensure the effectiveness of the Know Your Customer principles, coupled with promoting a safe, efficient and reliable payment system. 

Uniquely designed for Nigerian bank users, the BVN, according to the CBN, gives a unique identity across the banking industry to each customer of Nigerian banks. 

The framework is meant to serve as a guide to participants in the provision of BVN operations in Nigeria. The participants include the CBN, Nigeria Inter-Bank Settlement System, Deposit Money Banks, bank customers and other financial institutions.

Importantly, the framework mandates and advocates security and data protection. It instructs that parties involved in BVN operations should put in place secure hardware, software and encryption of messages transmitted through a secured network, and notes that BVN data should be stored within the shores of Nigeria and not be routed across borders without the consent of the CBN.

It states that users of BVN information shall establish adequate security procedures to ensure the safety of their information and that of their clients, which shall include physical, logical network and enterprise security.

The framework also provides that access to BVN information by customers shall be obtained through secured channels with appropriate authentication. BVN participants shall also ensure that BVN information is treated as confidential.

In August 2021, Yomi Abosede received a call on her phone from a supposed bank officer, who needed to verify her bank details. Narrating her ordeal, she recalled how faint-hearted and frail she became after losing over N50,000 in one day.

“I was in the house with my daughter, who collected the phone, as I hesitated to speak with the caller,” she said. 

The fraudster had told her, “We are calling you from your bank to verify your BVN and card PIN. We know it’s the same number as the one we have here, but we are confused about the last digit whether it is zero or two.”

According to Abosede, everything the caller told her about her bank details was correct, though he said he wasn’t sure about the last digit. 

“For some minutes, I kept receiving alert messages on my phone for withdrawals and airtime purchases. To show the extent of their wickedness, the N100 balance remaining was immediately cleared off too.”

POS operators are also at risk from cybercriminals. Some POS attendants and operators, who spoke to Financial Street, said that one of the major threats to their business is fake alerts/transfers, which result in losses.

For Isaac Babatunde, a fake alert caused his employee to incur losses on his business.

“About late last year, I opened a branch somewhere and my sales representative ran into loss with the issue of fake alert. They played on her intelligence and cashed out money,” he said. 

Small businesses are said to be the lesser but softer targets for cybercriminals, who also have their eyes on larger corporations. Larger corporations may be more complicated targets than small businesses because of their tighter security and POS systems at multiple sites connected to a centralised server, as identified by Norton.
