Mobile Banking fraud rising in Kenya 

The Kenyan financial sector has inevitably found itself unable to resist technological indulgence.  The wave of offering customer’s alternative channels has been largely driven by MPESA penetration across the county.  Banks, MFB, SACCOs, are offering digital channels that have laid a strong base for low cost banking and have extended banking services beyond the branch level.  In Kenya, mobile banking isn’t just a point of differentiation but a source of revenue for progressive financial institutions.  A customer satisfaction survey conducted by Kenya Bankers Association(KBA) found that mobile banking was the most preferred channel in 2021 at 58.4% up from 52% the year before.  

Despite the promises of digital banking, Mobile banking in Kenya has faced a threat.  Cyber criminals have been targeting mobile banking platforms to defraud the institutions.  Banks and Saccos have been hit hard with losses amounting to approximately to Ksh. 106 million in 2021 experienced in the industry.  The cyber criminals are targeting the mobile platform due to the ease of accessing their loot after compromising the financial institution. 

The threat landscape.

The mobile banking platforms have become a favorite for cyber criminals to target.   Yelbridges forensic investigations indicate that the platforms have a higher risk as compared to other channels offered by the financial institutions.  Majority of the cyber frauds reported across East Africa emanate from mobile platforms availed by the financial institutions.  

Yelbridges knowledge base highlights the below are key factors to rise of cyber incidents on Mbanking platforms;

1. The vendors of the mobile banking solution build solutions focusing on functionality overlooking security of the application. Thus, as long as the application meet the functional requirements, then the product is considered fit for Go-Live. It’s imperative for the vendors to show use of the Secure Software Development Life Cycle (SSDLC) that accommodates all the right procedures of software development.  

2. When institutions onboard a mobile solution, they rarely conduct a security assessment to understand the risk factor being introduced into the business infrastructure. Although in rare cases – QA (Quality Assurance) is done, it mainly focuses on functional requirements overlooking the security requirements.  

3. Inadequate Security visibility/monitoring of the mobile solutions implemented by the institution. Some of the fraud incidents investigated and curated in our investigation and Penetrations tests indicate a clear lack of monitoring of the transactions to pick legit from the non-legit transactions. This lack of visibility makes it easier for attackers to practice and eventually exfiltrate without notice on the platform.  

4. In some scenarios, investigations have also shown that the third parties are sometimes involved in the fraud cases. Here’s how, when a new feature is introduced into the mobile banking or there is a problem that needs to be addressed from a code level the support/developer’s interface directly with the production environment changing the applications sometimes without supervision and the process may end up not passing through the QA team as it meant to be. Some malicious developers may then go ahead and introduce malicious code that later is utilized to defraud the institution. Change management for critical infrastructure such as the mobile banking platforms should be key and well documented.  

5. The institutions do also lack security visibility over their own infrastructure. The vendor of the mobile platform may have done the due diligence to ensure the mobile platform is secure, but if the infrastructure in which it is being deployed to is flawed, the mobile application also becomes flawed. The institution needs to be doing timely security assessment – Both Blackbox and Graybox – in order to understand where their cyber health is and the risk factor. With this, all platforms deployed on any infrastructure of the institution will be known.  

The Risk Factor

There are several factors that are put into consideration while doing a Mobile Assessment. These factors should be checked by the QA team to ensure that the application is safe. As Yelbridges, we are guided by the global OWASP Top 10 – Mobile to ensure that the mobile app is secure.

Some of the most abused factors include;  

1. API Abuse – For the mobile apps to become functional, they utilize APIs heavily to ensure smooth, reliable service are offered to the members or end consumers of the financial institution. Due to the nature of the APIs having to interact with the backend systems, developers are meant to secure the APIs to ensure that the communication to and from them is verified and authentic. In most cases, the developers overlook this aspect and assume since the connection is not visible to the end-consumers, then they don’t need to secure that.  Attackers have since then utilized the APIs to abuse the Mobile banking Apps. By sending and manipulating data through the APIs, they are able to de-fraud the financial institutions. 

2. Insecure Communication – When designing a mobile application, data is commonly exchanged in a client-server fashion. When the solution transmits its data, it must traverse the mobile device’s carrier network and the internet. Threat agents might exploit vulnerabilities to intercept sensitive data while it’s traveling across the wire. Exploitation of this flaw could lead to individual user’s data theft and account take overs. Poor SSL setup can also facilitate MiTM (Man-in-the-middle) attacks and phishing which from a business level, could lead to Fraud and reputation damage.  

3. Brocken/Insecure Authentication – Poor or missing authentication schemes allow an adversary to anonymously execute functionality within the mobile app or backend server used by the mobile app. Weaker authentication for mobile apps is fairly prevalent due mobile devices input form factor. Although some institutions have put in controls such as 2FA (Two factor Authentication) some that have not have fallen victim and those that have may have the 2FA only on authentication and not transactions. This makes the attackers with a hijacked authenticated session be able to conduct attacks without further verifications.  

4. Insecure Authorization – Once the adversary understands how the authorization scheme is vulnerable, they login to the application as a legitimate user. They successfully pass the authentication control. Once past authentication, they typically force-browse to a vulnerable endpoint to execute administrative functionality.  The technical impact of poor authorization is similar in nature to the technical impact of poor authentication. The technical impact can be wide ranging in nature and dependent upon the nature of the over-privileged functionality that is executed. For example, over-privileged execution of remote or local administration functionality may result in destruction of systems or access to sensitive information. 

5. Reverse Engineering – An attacker must perform an analysis of the final core binary to determine its original string table, source code, libraries, algorithms, and resources embedded within the app. Attackers will use relatively affordable and well-understood tools like IDA Pro, Hopper and other binary inspection tools from within the attacker’s environment. Generally, all mobile code is susceptible to reverse engineering. Some apps are more susceptible than others. Detecting susceptibility to reverse engineering is fairly straight forward. First, decrypt the app store version of the app (if binary encryption is applied). Then, use the tools outlined in the “Attack Vectors” section of this document against the binary. This can be prevented through code obfuscation with tools like IDA Pro, ProGuard and Hopper.  

6. Code Tampering – Modified mobile banking applications are surprisingly more common than you think. There is an entire security industry built around detecting and removing unauthorized versions of mobile apps within app stores. Depending upon the approach taken to solving the problem of detecting code modification, organizations can have limited to highly successful ways of detecting unauthorized versions of code in the wild. One of the ways to ensure that the end consumer is having the right applications installed is by sensitizing them to only download the applications from verified app stores like Apple store and play store for Android users. Otherwise installing applications from other avenues could lead to installation of malicious code on the applications. 

With those being the highly exploited avenues, Yelbridges works towards ensuring that these security flaws are identified and fixed before they are exploited in the wild. As a way to improve the security posture, monitoring becomes key towards the entire infrastructure and frequent assessments to ensure that there are no new risks being introduced to the business.  

Be sure to check out our other article here.