Fake Apps expose Kenyans to cyber fraud

Mobile subscription in the country grew 6.2 per cent in the second quarter of 2018

A proliferation of mobile applications on popular online stores is exposing Kenyans to increased cyber attacks and fraud, the latest sector statistics report by the Communications Authority of Kenya (CA) has revealed.

This comes in the wake of fast-growing mobile subscriptions in the country, which grew 6.2 per cent in the second quarter of 2018 (October-December).

According to CA’s sector statistics report for the financial year 2018-2019, mobile subscriptions in Q2 grew to 49.5 million, up from 46.6 million in the first quarter (July-September).

Data subscription during the period increased to 45.7 million from 42.2 million in the previous quarter, meaning Kenyans are increasingly getting connected to the internet.

This has created a field day for fraudsters, who are taking advantage of innocent members of the public with little knowledge of cyber attacks.

The report by CA shows a dramatic spike in malware attacks targeting mobile devices, which has seen unsuspecting Kenyans defrauded on online platforms.

“In the three months, the National Kenya Computer Incident Response Team – Coordination Centre (National KE-CIRT/CC), detected 10.2 million cyber threats, up from 1.8 million reported in the preceding quarter, nine million of which were malware attacks,” CA says in its report.

Malware, a term used to describe malicious software, is designed to damage or disable computers. Malware includes viruses, spyware, adware, and various other types of harmful software.

Cyber threat events detected ranged from Denial-of-Service (DoS) attacks, which hampered the availability of computer services, to online abuse, which included online fraud, hate speech, incitement to violence and fake news.

Others were online impersonation via social media accounts and domain names, and web application attacks, which included website defacement and illegal access to online applications.

Malware attacks mainly included phishing attacks and attacks perpetrated through the exploitation of misconfigured systems.

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

During the period under review, 12,197 cyber threat advisories were issued to the affected organizations, marking a 91 per cent increase from the advisories sent out to affected institutions in the previous quarter.

Malware threats detected were 9,026,924, up from 1,844,897 in Q1; web application attacks were 737,289, botnet/DDoS 453,371, system misconfiguration 3,449 and online abuse 158.


It is estimated that about Ksh30 billion (US$297.9 million) was lost in the country last year to fraud and cyber security threats, with banks being among the top victims.

Amounts stolen from banks through cybercrime have continued to rise year-on-year from Sh14 billion (US$139 million) in 2015.

Earlier this year, Central Bank of Kenya (CBK) governor Patrick Njoroge noted a rise in ICT-related fraud cases in recent years, as he called on banking institutions to tighten their systems.

“Cybercrime is one of the risks targeting the financial sector which is expected to increase in sophistication and frequency,” Njoroge said.

The Kenya Bankers Association (KBA) has also been calling on bank customers to be vigilant when transacting online to mitigate the risk of their accounts being hacked.

Among areas prone to hacking are public places such as hotels and restaurants where Wi-Fi is shared, as the internet increasingly becomes a necessity in meeting places.

Recently, one of the country’s top tier banks lost about Sh200 million (US$1.9 million) to hackers on a single weekend.

According to industry data, fewer than 10 of the 47 banks operating in the country have strong security systems.


To help curb the vice, President Uhuru Kenyatta assented to the Computer and Cybercrimes Bill, 2017.

The legislation signed into law last year allows authorities to search and seize stored computer data. It also allows collection and interception of data in real-time.

Computer hackers face a fine of up to Sh5 million (about US$49,647) or a three-year jail term or both for unauthorised access, interference, interception and disclosure of passwords and cyber espionage.

In addition, the new law deals with computer forgery, fraud, cyber harassment, cybersquatting, identity theft and impersonation, phishing, interception of electronic messages or money transfers, willful misdirection of electronic messages and fraudulent use of electronic data among other cybercrimes.

The State of Cybersecurity report (2018) notes that cybersecurity has become a boardroom concern for organizations, even as governments continue to strengthen regulations to force data owners to exercise their responsibility to protect the privacy of data.

In the quarter ended December, the National KE-CIRT/CC notes there was a rise in cases of malware and the sale of stolen data and credentials, including personal data and credit card information.

“The cyber criminals are targeting their attacks on end-users who have limited cyber security skills,” the report notes.

Telecommunication industry 

The growing number of subscriptions has increased the mobile penetration rate to 106.2 per cent, the CA report notes.

The penetration level of more than 100 per cent is attributed to multiple SIM card ownership in the country.

Kenyans also continue to transact more money on their mobile phones, with 787.8 million transactions (person-to-person transfers and withdrawals) registered during the period, valued at Sh.2.1 trillion.

“In the same vein, there were 586.9 million mobile commerce transactions valued at Sh.1.8 trillion; person-to-person (P2P) transfers amounted to Sh731.9 billion,” the regulator says in its report.

In the quarter under review, there were a total of 31.6 million active mobile money subscriptions and 223,931 active mobile money agents.

The data/internet sector remained vibrant, with the total number of active subscriptions registered at 45.7 million, out of which 47.9 per cent were on broadband.

Safaricom PLC registered the highest market share for mobile data subscriptions at 69.5 per cent, whereas Airtel Network Limited reported a 22.4 per cent market share. Telkom Kenya Limited, Finserve Africa Limited and Mobile Pay Limited reported market shares of 7.4, 0.4 and 0.2 per cent respectively.

The total number of Dot KE (.KE) domains increased by 7.7 per cent during the quarter to 83,646 from 77,671 registered in the previous quarter.