‪Hackers Breach Equity Bank, Sh179M Stolen From Customers Accounts

Cyber criminals have targeted Equity Bank and made away with Sh179 million in what is being described as the biggest heist in card fraud this year.

In a leaked letter by the bank’s insider seen by Kenya Insights, Sh179,677,736 was stolen from the bank’s MasterCard GL and transferred to 551 accounts.

How Equity Bank got hacked

In the letter signed by Gerald Munyiri, the Equity’s General Manager Security & Investigations alerting the Banking Fraud Investigations Department at the DCI seeking for help in investigating and prosecuting perpetrators, it details how the hackers moved the money from MasterCard and quickly spread it to the 551 accounts within the bank and through M-Pesa.

“Early 15/04/2024 the bank’s risk department discovered an upsurge of transactions emanating from the banks Incoming Master Card GL. Preliminary investigations revealed that between 09/04/2024 and 15/04/2024, Ksh. 179,677,736/- was paid out from the GL fraudulently to the 551 Equity Bank accounts.” Part of the letter reads.

It continues , “additionally, Ksh. 63,023,983/- was sent to Safaricom Mpesa and Ksh. 39,047,344/- to eleven commercial banks.”

From the letter, Equity has managed to block a fraction of looted cash by locking the accounts in question and in talks with Safaricom to trail help in retrieving rest of the cash that was offloaded through M-Pesa.

Equity bank’s history with hackers

The bank is not new to claims of fraud and customers losing money in unclear circumstances, in fact, a look into their social media accounts would paint the vivid picture from the complaints.

The bank’s cybersecurity systems have been faulted by experts for being vulnerable making it an easy target for hackers.

A recent case where a cybercrime gang including Kenyans were jailed in Rwanda for targeting the bank in a hacker attack, could explain how this is done.

In 2022, eight Kenyans who had hacked the bank were handed eight-year jail terms and fined Sh5.6 million.

The eight were part of a 12-man gang arrested in 2019 by the Rwandan Investigation Bureau (RIB) that included three Rwandese nationals and a Ugandan.

The gang arrested in Rwanda had successfully hacked in Kenya and Uganda and were on police watch when they were finally caught in Rwanda.

The gang were arrested while hacking into Equity Bank accounts and funnelling the cash to Rwandans to draw out funds through Eazzy banking and ATMs.

The Kenyans include Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, Godfrey Gachiri Githinji, Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi, Damaris Njeri Kamau and Steve Maina Wambugu.

The hackers operating with insiders to identify targets with huge deposits tried to intercept the lender’s 14 branch network and wrote computer scripts to move money to several local accounts of accomplices.

They attempted hacking using the Eazzy banking platform, which the bank and security agents intercepted since they had been alerted on their operations, including the recruitment of Rwandans they would use to take cash out of the accounts.

Cybercriminals are using ‘BIN’ attacks in card fraud

While it’s still not clear how the Equity’s heist was executed, Bank Identification Number (BIN) attack appears to be clear guess.

Cybersecurity networks may be getting stronger, but cyber-criminals always seem to outpace that progress by coming up with more sophisticated tactics. The latest troubling trend to emerge in the space is the use of “BIN attacks” by cyber-criminals to target small businesses. This involves manipulating the BIN of credit cards, allowing fraudsters to test stolen card details through trial and error on unsuspecting e-commerce sites. This sophisticated cybercrime tactic not only poses financial threats to businesses but also leaves consumers questioning the security of their online transactions.

Behind the scenes of the ‘BIN’ attacks

Photo/ pixabay

Contrary to popular belief, credit card numbers are not as random or infinite as consumers might think. With 16 digits on a card, removing the six-digit BIN leaves just 10 digits that adhere to a specific pattern. The relatively limited possibilities make it feasible for cyber-criminals to use automated systems to rapidly guess valid combinations, posing a significant challenge for traditional security measures.

Related Content:  Inside NMS' ambitious plan to digitize chaotic Matatu Industry

Role of financial institutions and businesses

While the affected businesses call for tighter safety protocols, the responsibility is not solely on the banks. Financial institutions, often the victims themselves, issue cards but are not always the entities processing the transactions. The attacks highlight the need for a multi-layered defense, with businesses employing robust fraud protection tools and payment processors like Stripe and Square that prioritize online store security. This is needed since the aftermath of a BIN attack can be financially crippling for businesses.

According to the Central Bank, bank card fraud occurs in several ways, including phishing, which is when fraudsters send an email or text message that appears to come from one’s bank or a reputable financial institution.

“They use various tactics to get you to share confidential information such as your PIN, account number, login details and passwords,” the CBK notes on its website.

“For instance, they may state that your account has an issue and that you need to update or verify the information through a website link or mobile phone device. Thereafter, they use the details to steal money from your account.”

Fraud may also occur when card skimmers illegally copy information from the magnetic strip of a credit or ATM card. They then create copies of the card and make charges to one’s account.

In other instances, thieves use misplaced or stolen bank cards to make unauthorised purchases before the owners report them missing, the CBK adds.

According to data from the BFID, Kenyan banks lost Sh1. 5 billion (approximately US $17.64 million) over the last year, with only a third being recovered by investigators.

Last week, the National Assembly assented to the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, giving security agencies more power to regulate cyberspace activities to curb fraud.

The regulations enhance protection measures for critical economic sectors such as telecoms, banking, transport and energy.

They stipulate how to deal with issues including scams, identity theft, hacking and internet fraud, and also address the cybercrime capacity and capability building for the public, businesses, government institutions, and private entities, to enhance their cybersecurity preparedness and prioritise cybersecurity.

Kenya’s highly digitised economy linked with mobile money through telcos and banks has made the country a target for cybercrime and online fraud.

Adapting to evolving threats