Wednesday, September 08, 2010

Kachumbari Remembered

Four years have passed on...Kachumbari - The True Kenyan Villager...we remember.


I read an interesting article in the EAStandard of September 8, 2010. It's about an interesting fraud where money was transferred from several banks in thousands of shillings only to be received by another bank in millions.

An example was KShs 388,400 which was transferred from an account at the Co-op Bank, Kimathi Street destined for KCB, Moi Avenue. The destination account in KCB was credited with USD 388,400 (KShs 30,295,200).

Another transaction involving USD 96,800 had been transferred from another bank in KShs but credited into a KCB account at UN Gigiri branch in dollars and withdrawn immediately.

An interesting question immediately popped up in my mind – How did they do it?

We can of course glean that this is a simple, yet brilliant, play on the currency field. There is definitely a system breach involved here. What I don’t know is whether the inter-bank Electronic Funds Transfer system could have been breached (insider attack) or whether a man-in-the-middle attack occurred.

Help me fill in the blanks. Is there any IT or banker guy out there who can outline a likely scenario on how such a fraud can take place?
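Whatever the entry point was, a mismatch like this is detectable by reconciling each credit posting against the instruction that caused it, comparing value in a common currency rather than the raw number. The sketch below is an added example, not code from the article or from any bank's system. Only the 388,400 transfer comes from the article; the record layout, the references, the other records, the 1% tolerance and the use of the ISO code KES for KShs are assumptions.

```python
from decimal import Decimal

# Rate implied by the article's own figures: 30,295,200 / 388,400 = 78 KShs per USD.
KES_PER = {"KES": Decimal("1"), "USD": Decimal("78")}

# Constructed sample data. EFT-0001 uses the amounts quoted in the article;
# every reference and all other records are invented for illustration.
SENT = [  # outbound instructions as recorded by the originating banks
    {"ref": "EFT-0001", "amount": Decimal("388400"), "currency": "KES"},
    {"ref": "EFT-0002", "amount": Decimal("15000"), "currency": "KES"},
    {"ref": "EFT-0003", "amount": Decimal("78000"), "currency": "KES"},
    {"ref": "EFT-0004", "amount": Decimal("20000"), "currency": "KES"},
]
CREDITED = [  # postings made to destination accounts by the receiving bank
    {"ref": "EFT-0001", "amount": Decimal("388400"), "currency": "USD"},
    {"ref": "EFT-0002", "amount": Decimal("15000"), "currency": "KES"},
    {"ref": "EFT-0003", "amount": Decimal("1000"), "currency": "USD"},
    {"ref": "EFT-0004", "amount": Decimal("200000"), "currency": "KES"},
    {"ref": "EFT-0009", "amount": Decimal("5000"), "currency": "KES"},
]


def reconcile(sent, credited, rates=KES_PER, tolerance=Decimal("0.01")):
    """Return (ref, reason, excess value in KShs) for every suspicious credit."""
    by_ref = {s["ref"]: s for s in sent}
    findings = []
    for c in credited:
        cred_kes = c["amount"] * rates[c["currency"]]
        s = by_ref.get(c["ref"])
        if s is None:  # a credit with no instruction behind it
            findings.append((c["ref"], "NO_MATCHING_INSTRUCTION", cred_kes))
            continue
        sent_kes = s["amount"] * rates[s["currency"]]
        if abs(cred_kes - sent_kes) <= sent_kes * tolerance:
            continue  # same value, including a legitimate currency conversion
        # Identical digits under a different currency code is the pattern
        # the article describes; anything else is a plain value mismatch.
        swapped = c["amount"] == s["amount"] and c["currency"] != s["currency"]
        reason = "CURRENCY_FIELD_SWAP" if swapped else "VALUE_MISMATCH"
        findings.append((c["ref"], reason, cred_kes - sent_kes))
    return findings


if __name__ == "__main__":
    for finding in reconcile(SENT, CREDITED):
        print(finding)
```

Run before funds are released for withdrawal, a check like this would hold EFT-0001 with an excess of KShs 29,906,800 while letting the legitimate KShs-to-USD conversion in EFT-0003 through.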


Have you wondered what all this fuss about hacking is about? You might have asked yourself what is hacking and how is it done. The hacking process is really quite simple. You can compare it to a burglary because the concept is basically the same. A burglar will ask himself how and when he will break in, what is he looking for and how can he cover his tracks so that he is not caught.

Hackers are a bit more systematic, so they break down their attacks into similar but more explicit stages: Stage 1 is gathering information about the target system; Stage 2 is an analysis of this gathered information; Stage 3 entails researching the target system’s vulnerabilities; and the fourth and final stage is the implementation of the attack. This modus operandi is universal and can be successfully transplanted into any other criminal activity. Understanding and adhering to these stages means that twenty-five percent of your job is done and dusted, even before you begin.

Let’s begin with the first stage, gathering the relevant information about the target company and its computer systems. At this stage any kind of data is relevant. The company’s core business activity, the Board/Management structure, the physical location, branch locations, the approximate number of employees, the product range and computer system infrastructure details are all obtained.

Sources of information include websites, financial statement reports, discarded documents and of course the employees (through social engineering). Gathering of information also means the hacker has to determine how many computers are publicly exposed to the internet. Among these is the web server, which is usually a good starting point. Scanning is done by using various software tools akin to the burglar’s “bag of tricks”. The scan results will outline the system’s characteristics, for example, the open ports, its internet location, the IP addresses of its computers and whether the web server (that hosts the company website) is in-house or not.

The second stage is the analysis of the information obtained. At this point the hacker wants to determine where to apply most of his effort. Should the emphasis be more towards social engineering? Or should it be on hacking away, in ungodly hours of the night, trying to find out the vulnerabilities of the targeted computer system? A simple example would be where the hacker learns that the senior system administrator usually visits a certain bar every evening. The next step is to find out whether he carries his laptop home. The hacker can observe the said employee leaving the premises to establish this fact. Better still is to pretend that he is a colleague and make a call to the office security (some minutes after 5pm) asking whether they have seen the said laptop the system administrator told him to collect from the office. They will unwittingly tell him that they saw the administrator leaving with it.

The next step will be to break into his car when he’s inside the bar. This will save the hacker vital time because he will obtain crucial access data like passwords from the stolen laptop. The data from such a laptop, if relevant to the attack, would negate the next stage, which is researching the vulnerabilities of the company’s systems.

The sole objective of this next stage is to determine the vulnerabilities of the systems so as to exploit a discovered vulnerability to gain entry. The experienced burglar also conducts this stage by either visiting the premises to find out which window is usually left unlatched at night or uses an insider to describe the vulnerabilities of the house. The hacker does the same.


If you have been recently keeping track of crime news reports in Kenya, you will have noted that there has been an increase in using mobile phones to apprehend criminals, for example Onyancha. Just like everyone else, criminals have woken up to the fact that we are all in a wireless grid that can work for and against them. Among all wireless technologies available the mobile phone has had a profound impact in all facets of our lives, especially the criminal underworld.

The mobile is now an integral component of the overall security component of individuals and organizations. The potential for its abuse as a tracking device makes it an information security issue. That is why locational tracking via mobiles is a security concern we should all be aware of.

Before I outline the security implication of carrying that mobile, allow me to outline the coming locational services that might be in the pipeline for implementation in the near future.

The mobile has become a platform onto which various services are being bundled. M-Pesa (money transfer), Skiza tunes/downloads and commodity price checking are among the most popular. Services based on the location of the mobile phone are the next frontier. These services are known as Location Based Services (LBS). Various applications have been developed in the context of LBS, for example weather reporting. Once a mobile user enters a new area, the weather report of that area will be sent to their mobile. So if you are a truck driver you will be able to receive weather updates each time you cross a province or country.

Another very important location service is the Wireless Emergency Services (WES). When a mobile user calls the emergency 112 number, the location of the caller is determined by the service provider through the Automatic Location Identification (ALI). This location is then forwarded to the police or emergency responders. These locational services will really improve the quality of our lives especially in health and criminal emergencies like road accidents and carjacking.

It is evident that the benefits of location tracking can assist many Kenyans. Using ALI to track kidnappers, rapists and their ilk provides an immediate benefit to the society by swiftly tracking and removing criminals from our midst. There is however a flip side to this situation. Whereas ALI provides evident benefit it also poses a serious personal risk to mobile users. This facility, if abused, can be detrimental to innocent mobile users. In this age of interconnected networks (internet, GSM, CDMA etc) the security structures that are needed to protect this feature, by service providers, should be scrutinized in the interest of public good.

Various scenarios come to mind. Imagine a demented individual wants to stalk a spurned lover or a disgruntled employee wants to get back at the employer who laid him off. Accessing ALI to locate a potential victim would be possible from both the human and technological access points. Hacking into a service provider’s telecommunication system would allow a hacker to sell real-time locations of people to people with criminal intent. Through social engineering techniques and outright threats, employees of service providers who maintain the ALI system would be vulnerable to blackmail and physical harm.

There is definitely a greater good in using mobile location tracking to combat crime. We should however be cognizant of its potential abuse. As a consequence, ethical and legislative frameworks should be developed to ensure that ALI is only used for the greater good of the Kenyan society.