Not again was my reaction after I received a call from a friend on how her account was cleared by fraudsters after she lost her phone enroute a popular market. Let us call her Isabel. Isabel deals in foodstuff, she goes to this popular market every Thursday to buy items, on this Thursday, in the course of loading her ware, her phone fell down, but Isabel did not realize until she got home.
Isabel did not contact her bank until she retrieved her line the next day from an outlet of her Telco. All was well, until Isabel started receiving debit transactions alerts from her bank for transactions consummated the previous day, by the time, the alerts stopped, the fraudsters had withdrawn over two million naira from her account leaving her with a balance of five hundred naira only. Paralyzed by the alert, she managed to call her brother, Gabriel advised her to call her bank as it was already late and the weekend was already here.
Isabel did not know any other way of reaching her bank, except when she visits the branch close to her shop. Isabel was finally able to reach her bank via their website and after a very short emotion laden call with the agent, she confirmed her worst fears, – the loan she recently obtained to boost her business plus personal savings amounting to two million naira has been moved from her account via the bank’s mobile app and USSD to a beneficiary in one of the new digital banks.
The Financial Institutions Training Centre (FITC) report on Fraud and Forgeries in Nigerian banks for Q2, 2023 using data from Nigerian banks noted that the number of fraud cases increased in the quarter especially mobile banking and POS fraud. This report is a corollary to the Nigerian Deposit Insurance Corporation (NDIC) report of Q1 on Fraud, which reported that the number of POS and mobile fraud cases increased by 19.51% in the first quarter of 2023.
Available data show that Isabel is not alone, her story is not novel, and the methodology employed by the fraudsters are not new. The objective of this article is not to examine why mobile banking fraud is on the increase but to recommend a fail-safe approach towards protecting your funds in Nigerian banks.
Mobile Apps Authentication Methods
As stated earlier on, the methodology employed by fraudsters are not new but three main issues account for the successes recorded by fraudsters in Nigeria:
Absence of a unified Identical system: Until we have a single source of truth to identify Nigerians and people in Nigeria, impostors will continue to get away with identity theft. It is trite to further the discussion on the porosity of our borders or how easy it is to obtain or falsify our national identities.
Law Enforcement: As a nation, our security challenges are well-documented. It is expensive to go after fraudsters and bring them to justice, many times, victims of fraudulent practices do not have the resources or time to go after fraudsters or the patience to follow a reported case to its conclusion or the responsible law enforcement agency(ies) is not properly motivated or is swamped with numerous cases.
Authentication Methods: Most of our mobile apps in Nigeria use password authentication or Two-factor authentication(2FA), the challenge is that more often than not in onboarding a customer, these apps rely on knowledge factors. Information that the financial institution has about you, BVN details or Identification details, unfortunately most of these details can be gleaned from the internet, if the information seeker has a unique primary data like BVN or mobile phone.
Other authentication methods rely on biometrics, location (GPS location) and possession of tokens or special device. The challenge with these more secure forms of authentication is that you may be required to be in the banking hall of the bank and most customers are too busy to visit the banking hall until there is a fraud on their account.
The Fraudsters and their methodology
COVID-19 altered our lives in so many ways. From an Information communication technology (ICT) point of view, it blurred the importance of physically being at a place to transact or do business, it also notched our digital maturity in a way that we did not anticipate. It forced acceptance, redefined our mode of doing business and made the mobile phone part of our daily existence. The restriction on physical movement, moved banking to digital devices with little or no training for most customers. For most product managers, getting the product out there in the market was the primary focus, security was a secondary discussion.
The fraudsters in most cases are not as educated or tech savvy as we imagine them to be as evinced by the quality of their communication or documented interaction with apprehended fraudsters but rather, these are individuals with information or understanding of how applications are developed in Nigeria. These fraudsters understand the gaps created by using knowledge factors for authentication. This is why compromising a customer’s mobile phone is key. Irrespective of whatever security that you must have put in place, or the bank has implemented, it is a trade secret that once they have your SIM card, they can compromise your bank account(s).
The Phone number allows them to retrieve your BVN, with your BVN details they can retrieve other static data. With these data, they can onboard you on apps, request for a password reset, activate USSD as One-time-password (OTP) is usually the 2FA method employed by most apps, since they already have the SIM, the OTP will drop in your phone or in a feature phone, which is already in their possession. In some instances, we make it easy for them by storing sensitive details like account numbers, internet banking usernames, passwords in our phones as plain text.
Protecting your bank account
Permit me to start by saying Safety is of the Lord but then we have a role to play. Drawing from experiential and professional knowledge, you can safeguard your funds through the adoption of proactive and reactive measures to manage your mobile banking risk. For emphasis, do not think that because you do not use the mobile banking apps you are not exposed. What if you misplace your phone? We have seen instances where these fraudsters, when unable to compromise a customer’s bank account, use the details obtained from the BVN to collect loans from numerous digital lenders.
The list below is not exhaustive, not arranged in any order and you must adjust it to suit your person and financial muscle.
- You must enable SIM-lock on your phone.
- You must treat your phone as a security device, it is not to be shared or dropped carelessly or charged in remote places.
- You must password-protect your phone and if biometric lock is available, please adopt it.
- You must not save account numbers or usernames in plain English-if you must save such details, you must find a way to codify these details.
- You must protect your debit or credit cards thus where you use it, when you use it and how you use it must be pre-determined. You cannot be using your cards everywhere, anyhow all the time.
- You must not use your related data as passwords or usernames where possible.
- You must learn how not to leave millions of naira/huge amount of money as idle funds in your accounts- you can invest them and terminate the investment when you need it.
- You must know or be able to retrieve the contact center number of your bank.
- You must know the USSD code to block account/restrict account in your bank.
- You should make effort to know the website address of your bank.
- If you know that you are used to having millions/huge amount of money, you must visit your bank and set a transactional limit on your account – be wary of bank apps that allow you to easily modify transaction limits.
- If your phone has the find-phone app, activate it.
- Depending on the volume and velocity of your financial transactions, deepen your relationship with your account officer/relationship manager.
The first 10-15 minutes after your phone is compromised is very essential, how you react is largely a function of the proactive measures you have adopted:
- Calling the bank to block your card (the assumption is you know how to reach your bank)
- Blocking/deactivating your phone from a computer.
You would have observed that there isn’t much you can do after your phone has been compromised, this is because fraud prevention is an intentional act – you must have established proactive measures before the incident.
Stay safe, secure your funds, no one will do it for you.