• 2 comments
• Print
• Email
• Tweet
• Reset

Kenya is experiencing a growing number of crimes using information and communication technology tools, Internet security analysts say. Crimes range from scamming mobile-phone users to high-level Internet fraud costing financial institutions millions of dollars.

Deloitte East Africa reported that Kenyan banks lost 3 billion shillings ($24 million) in 2010. The agency said banks have been defrauded through identity theft, illicit electronic fund transfers and credit card fraud.

"Criminals have become very creative and taken advantage of the increased use of information technology to defraud individuals and corporate organisations, but we are trying to come up [with] deterrent measures," said Permanent Secretary in the Ministry of Information and Communications Bitange Ndemo.

Other Internet-related crimes include hacking websites belonging to large firms and government agencies, according to the e-Government Directorate in the Office of the President. In January, more than 100 websites belonging to various government ministries and agencies were hacked in a single day, according to the directorate.

But Katherine Getao, head of the e-Government Directorate, said the damage was limited due to a swift response by the government-run Kenya National Computer Incident Response Team, an agency created to advise and co-ordinate responses to cyber security incidents in the country.

Nonetheless, the agency is still in its infancy and lacks adequate capacity to respond to serious cybercrimes, Getao said.

Banking crimes go unreported

Gabriel Mbuvi, head of the Kenyan police Banking Fraud Investigations Unit, told Sabahi that failure by many financial institutions to report cases of online fraud has been a major challenge.

"If such things happen and they keep mum, it will be difficult for us to act, but we have managed to address [crimes] that have been detected and reported to us in time," he said.

Mbuvi said police estimate that only 60% of fraud cases are reported by banks because most institutions do not want negative publicity.

"A lot of fraud, like false accounting, is never reported. Sometimes the victims weigh the loss against the time to be taken in court and the possibility the money will not be returned," Mbuvi said. "Lack of an effective cybercrime law has made it difficult for the police to comprehensively detect and deal with some of the crimes."

Internet highways leave all vulnerable to attacks

Internet security analysts say Kenyan firms are vulnerable to cyber-attacks due to piecemeal implementation of security technology.

Sosthenes Bichang'a, managing consultant of O'Sullivan Associates, a Nairobi-based regional forensic audit firm, said Kenyan firms are often exposed to fraud due to their failure to incorporate technology in their internal fraud detection and prevention processes.

"People who perpetuate these crimes are up-to-date with technology, but some of the [corporations] are fighting them using outdated techniques and often are not able to anticipate and prevent these crimes before they take place," Bichang'a told Sabahi.

Loren Bosch, managing director of Internet Solutions, a pioneer Internet service provider in Kenya, partly blamed the proliferation of cybercrime on the high-speed Internet that came with the undersea fiber-optic cables.

"My view is that neither Kenya nor East Africa is a particular target," Bosch told Sabahi. "Once the highways are open, the world really is a village on the Internet. Websites are now more accessible than before, even to crooks."

Bosch said recent hackings are likely to be theatrics as hackers try to show off to their peers by attacking sites run by banks and government offices, which are expected to have robust security measures.

"In our experience, the banks are very serious about security and have deployed every possible mechanism to secure their customers' data," Bosch said. "The largest threat to the access information of individuals still remains phishing." In phishing scams, perpetrators send e-mail messages that appear to be from reputable agencies, but are actually attempts to steal personal information through deceit.

Security systems need improvement

Roy Akalah, Kenya chapter president of the Information Systems Audit and Control Association, said, "The attacks could be a combination of amateurs and seasoned hackers who might be doing it for fun, to prove a point or with criminal intent. But this could culminate in a national security threat, given the success rate of the past reported incidences."

"It is a wake-up call to all, including authorities, as it is a pointer that there is indeed interest and next could be strategic national installations, including the security organs," said Akalah, who also acts as director of back-office operations and customer service for the Kenya Commercial Bank Group.

The United Nations International Telecommunications Union (ITU) has expressed concern about the region's security systems. In mid-February, ITU signed an agreement with the Communications Commission of Kenya (CCK) to improve the skills of personnel working with the Computer Incident Response Team.

"The importance of a safe online environment in Kenya cannot be gainsaid," acting CCK Director General Francis Wangusi said in a statement. "As the industry regulator, CCK will implement its mandate of putting in place an enabling online environment for individual Internet users, government organisations and private businesses by facilitating the establishment of the response unit."

Vijay Balabhadra, general manager at Techno Brain, a regional software firm, said, "There is need to continuously train IT experts in various organisations in network management, server management and other areas. They may have had the training, but in technology, things change fast."

"Kenya should plan on improving surveillance on its systems frequently and bridge the gap between the judiciary and IT experts to fast track prosecution of cyber criminals," he told Sabahi.