Saturday, July 28, 2007

Identity Theft in Kenya



Some time back I came across the above notice on Nakumatt's website. It was warning their Smart card holders that there are some "devious" operators, masquerading as Nakumatt officials, roaming around with the intent of obtaining bank details from them. Of course, once these details are acquired, various cyber criminal activities can be conducted. Identity theft is one of the most nefarious.

Has Nakumatt over-reacted by crying wolf about identity theft this early? Let's find out.

Willie Sutton, a notorious American bank robber of a half century ago, was once asked why he persisted in robbing banks. "Because that’s where the money is," he is said to have replied. It is obvious that crime follows opportunity. Where is the money in Kenya today? It's in the software, and opportunities abound - MPesa, electronic banking (Equity), increased usage of debit and credit cards, electronic utility bill payments and many others.

The recent technological advances we have experienced have had a significant impact on many aspects of our life, namely banking, the stock exchange, retailing, education, health etc. When the digital tsunami (EASSy or TEAMS) eventually arrives it will be a fait accompli that all our money will be in binary code.

This dependency has brought with it increased vulnerability which has spawned various "devious" activities, as Nakumatt so explicitly put it. Identity theft is one of the most lucrative cyber criminal activities around. In 2002 worldwide identity theft losses measured $73.8 billion and losses for 2003 were estimated at approximately $221 billion. The opportunities are abundant and this makes Kenyan businesses and individuals "ripe for the picking".

Identity theft occurs when a fraudster steals your name and other personal information for fraudulent purposes. It is a form of crime where somebody uses a false identity to commit a crime. This type of crime has been made considerably easier to commit due to the inherent loopholes that exist in ICT systems.

The main documents used for harvesting identity details include birth certificates, bank statements, credit/debit card slips, driving licences, passports and land registry documents. These documents are all over; someone can bribe a Posta employee to intercept your bank statements. What about "man-in-the-middle" attacks (fixed or wireless) that intercept your online bank passwords, e-mails and other crucial digital information? Financial information can also be supplied to rings of fraudsters by corrupt bank staff. Cheques are a considerable risk. Banks have this habit of writing your account number, ID number and PIN number on the back. As a result, all your details are conveniently located in this one document.

This threat is not only a source of worry for individuals. Businesses have to consider identity theft when evaluating risk. This isn’t the old risk model which concerned itself with a forged company cheque every once in a while.

How do you protect yourself? Do not use your mother’s maiden name or place of birth as a security password. In other words, use a ‘stronger’ password and never use the same password for all your online or ATM accounts. Do not carry address details in your wallet. Cross-check your credit/bank records frequently for any untoward expenditure. For those who use office messengers to collect their personal mail from GPO or City Square, your vulnerability is high. Try to restrict personal details to your personal post box, whose access you can control. Don’t leave personal documents lying around in the office or home, and dispose of personal documents properly by either shredding or burning them.

The threat of identity theft was illustrated by the recent arrest of seventeen Kenyans in Kansas City (USA). They are charged with massive fraud where they allegedly stole identity information (including social security numbers), predominantly from elderly nursing home patients, and used it to prepare both federal and state tax returns using tax preparation software. They then allegedly prepared false W-2 (wage and tax statement) information, listing employers that the identity theft victims never worked for, false residence addresses, and other false information.

Kenya needs a legal and institutional framework that enables identity theft victims to easily reclaim their identities, reputation and credit rating. The Kenya Information and Communication Technology Board should be at the forefront in addressing this serious issue and in sensitising Kenyans about this menace.

Nakumatt is justifiably worried about its vulnerability...so should you be.

NB: I would wish to extend my congratulations to Ms Catherine Ngahu on her appointment as chairperson of the Kenya Information and Communication Technology Board.
