• Friday, April 26, 2024

BusinessDay

How Visa’s free tools help banks detect, combat fraud


Being defrauded through unauthorised card transactions is one of the biggest fears of the average Nigerian who operates a bank account. The safety of an account, or at least of whatever is left in it after a transaction, ranks high among the reasons a number of Nigerians are sceptical about digital payments, or even about owning a card in the first place.

Aribidesi Lawal, risk manager, Visa West and Central Africa, in a chat last week, which coincided with the company’s security awareness week, discussed some of the prevalent forms of cyber security attacks in Nigeria’s financial system, and how they are being combated with some tools he says have been offered to banks for free. Excerpts:

E-commerce attack

In Nigeria, the most prevalent fraud that we are seeing is Card Not Present (CNP) fraud, and to address it, Visa has a solution called e-commerce threats disruption (eTD).

Some people will say if you use your card on a particular web terminal, afterward you discover your card being used on several other terminals. That is what we call skimming. The CBN has done a very good job of ensuring banks install Anti-Skimming Devices (ASD) on their ATM terminals, but most skimming does not occur on ATM terminals, but rather online. So we at Visa have raised the bar by ensuring that through innovation, we came up with eTD to combat e-commerce skimming that happens online.

What we do is constantly scan web merchants’ terminals, to detect the presence of malware being used to skim cards. Once we detect the malware, we immediately notify the merchant and the acquirer, then work with them to bring down the malware, thereby ensuring that the card of anyone who uses it on that web terminal will not be skimmed. No bank pays a dime for the eTD tool, and that way we are able to reduce the incidence of e-commerce attacks in our ecosystem.

ATM Cashout

This is a cyber attack on bank networks, where the aim is to use cards mostly outside Nigeria to make cash withdrawals. While it is a big concern for us in this region, we have been able to prevent attacks and detect them in a timely manner as they happen. What we use is a tool called Vita Sign. Through this tool we have been able to raise the bar, especially in places where the central banks do not have adequate monitoring tools to combat cash-out attacks. We have been able to come in and work with them to ensure that activities of cybercriminals are detected.

Several attacks have been stopped in our markets whereby we had to reach out to the banks to say, “Please, can you confirm if this transaction was initiated by the customer?” and then they come back to say, “No, this is fraud.” This is also offered free.

BIN (Bank Identification Number) Attack

This is when criminals use tools to simulate and check if they are able to accurately predict the correct “card number” on either a debit or a credit card. When they generate a number, they test it online, mostly with small ticket transactions like one cent or one naira to see if they have been able to accurately generate a valid card.

Every bank has a BIN, so what they do is that from the BIN of one card, they try to simulate and generate other card numbers based on the BIN. They don’t do it manually but mostly use a tool to come up with a range within the BIN, and then test it on a merchant that is sometimes in connivance with them.

The cybercriminals do not use one or two cards but simulate several card transactions on the web terminal to see if those cards are actually valid. If, for instance, a card is used in a web terminal and gives a response showing wrong CVV or CVV2 or wrong expiry date, it means the card number is correct, but those accompanying parameters are the ones not valid. This is being solved using the Card Attack Tool (CAT), which detects account enumeration as it happens. It is also offered free to clients, and works in a similar way to eTD by constantly checking for fraudulent activities.

 

CALEB OJEWALE
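
The enumeration pattern described under "BIN Attack" (many card numbers sharing one BIN, tested at a single merchant with small-ticket amounts and mostly declined) can be flagged from authorization records. The following is an added illustration, not part of the interview and not Visa's Card Attack Tool; the record layout, response labels, thresholds and the 6-digit BIN length are assumptions, and all sample data is constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune against real traffic.
WINDOW_SECONDS = 300      # look-back window
MIN_DISTINCT_PANS = 5     # distinct card numbers under one BIN at one merchant
MAX_TEST_AMOUNT = 1.00    # "small ticket" ceiling
MIN_DECLINE_RATIO = 0.6   # share of attempts that were declined

def bin_of(pan, length=6):
    """Issuer prefix; a 6-digit BIN is assumed here (8-digit BINs also exist)."""
    return pan[:length]

def detect_enumeration(events):
    """events: iterable of (ts, merchant, pan, amount, response), sorted by ts.
    Returns a list of alerts as (ts, merchant, bin, distinct_pans, decline_ratio)."""
    windows = defaultdict(deque)   # (merchant, bin) -> recent small-ticket attempts
    alerted = set()
    alerts = []
    for ts, merchant, pan, amount, response in events:
        if amount > MAX_TEST_AMOUNT:
            continue               # only small-ticket probes are of interest
        key = (merchant, bin_of(pan))
        win = windows[key]
        win.append((ts, pan, response))
        while win and ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()          # expire attempts older than the window
        pans = {p for _, p, _ in win}
        declines = sum(1 for _, _, r in win if r != "APPROVED")
        ratio = declines / len(win)
        if (len(pans) >= MIN_DISTINCT_PANS and ratio >= MIN_DECLINE_RATIO
                and key not in alerted):
            alerted.add(key)       # one alert per merchant/BIN pair
            alerts.append((ts, merchant, key[1], len(pans), round(ratio, 2)))
    return alerts

# Constructed sample data: not real card numbers, merchants or response codes.
SAMPLE = [
    (0,   "M-SHOP", "4000001111110001", 25.00, "APPROVED"),
    (10,  "M-TEST", "4000002222220001", 0.01, "INVALID_CARD"),
    (12,  "M-TEST", "4000002222220002", 0.01, "INVALID_CARD"),
    (15,  "M-TEST", "4000002222220003", 0.01, "INVALID_CVV"),
    (19,  "M-TEST", "4000002222220004", 0.01, "INVALID_EXPIRY"),
    (22,  "M-TEST", "4000002222220005", 0.01, "APPROVED"),
    (400, "M-SHOP", "4000003333330001", 0.50, "APPROVED"),
]

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE):
        print(alert)
```

A single cardholder retrying one card does not trigger the rule, because it counts distinct card numbers rather than attempts.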