Equity Bank’s Ksh179M Heist Unveils New Cyber Threat: The ‘BIN’ Attack

HomeNewsEquity Bank's Ksh179M Heist Unveils New Cyber Threat: The 'BIN' Attack

Equity Bank’s Ksh179M Heist Unveils New Cyber Threat: The ‘BIN’ Attack

Cybercriminals have targeted Equity Bank and made away with Sh179 million in what is being described as the biggest heist in card fraud this year.

In a leaked letter by the bank’s insider seen by Kenya Insights, Sh179,677,736 was stolen from the bank’s MasterCard GL and transferred to 551 accounts.

How Equity Bank got hacked

In the letter signed by Gerald Munyiri, Equity’s General Manager of Security & Investigations alerting the Banking Fraud Investigations Department at the DCI seeking help in investigating and prosecuting perpetrators, it details how the hackers moved the money from MasterCard and quickly spread it to the 551 accounts within the bank and through M-Pesa.

“Early 15/04/2024 the bank’s risk department discovered an upsurge of transactions emanating from the bank’s Incoming Master Card GL. Preliminary investigations revealed that between 09/04/2024 and 15/04/2024, Ksh. 179,677,736/- was paid out from the GL fraudulently to the 551 Equity Bank accounts.” Part of the letter reads.

It continues, “Additionally, Ksh. 63,023,983/- was sent to Safaricom Mpesa and Ksh. 39,047,344/- to eleven commercial banks.”

From the letter, Equity has managed to block a fraction of looted cash by locking the accounts in question and is in talks with Safaricom to trail help in retrieving the rest of the cash that was offloaded through M-Pesa.

Equity Bank’s history with hackers

The bank is not new to claims of fraud and customers losing money in unclear circumstances a look into their social media accounts would paint a vivid picture of the complaints.

The bank’s cybersecurity systems have been faulted by experts for being vulnerable making it an easy target for hackers.

A recent case where a cybercrime gang including Kenyans were jailed in Rwanda for targeting the bank in a hacker attack, could explain how this is done.

In 2022, eight Kenyans who had hacked the bank were handed eight-year jail terms and fined Sh5.6 million.

The eight were part of a 12-man gang arrested in 2019 by the Rwandan Investigation Bureau (RIB) that included three Rwandese nationals and a Ugandan.

The gang arrested in Rwanda had successfully hacked in Kenya and Uganda and were on police watch when they were finally caught in Rwanda.

The gang was arrested while hacking into Equity Bank accounts and funneling the cash to Rwandans to draw out funds through Eazzy banking and ATMs.

The Kenyans include Dedan Muchoki Muriuki, Samuel Wachira Nyuguto, Kinyua Erickson Macharia, Godfrey Gachiri Githinji, Eric Dickson Njagi Mutegi, Reuben Kirogothi Mwangi, Damaris Njeri Kamau and Steve Maina Wambugu.

The hackers operating with insiders to identify targets with huge deposits tried to intercept the lender’s 14-branch network and wrote computer scripts to move money to several local accounts of accomplices.

They attempted hacking using the Eazzy banking platform, which the bank and security agents intercepted since they had been alerted on their operations, including the recruitment of Rwandans they would use to take cash out of the accounts.

Cybercriminals are using ‘BIN’ attacks in card fraud

While it’s still not clear how the Equity’s heist was executed, the Bank Identification Number (BIN) attack appears to be a clear guess.

Cybersecurity networks may be getting stronger, but cyber-criminals always seem to outpace that progress by coming up with more sophisticated tactics.

The latest troubling trend to emerge in the space is the use of “BIN attacks” by cyber-criminals to target small businesses. This involves manipulating the BIN of credit cards, allowing fraudsters to test stolen card details through trial and error on unsuspecting e-commerce sites.

This sophisticated cybercrime tactic not only poses financial threats to businesses but also leaves consumers questioning the security of their online transactions.

Behind the scenes of the ‘BIN’ attacks

Kenyan banks have been losing staggering amounts of money over the past years. What initially seemed like a clerical error has turned out to be a sophisticated cybercrime technique that put both businesses and consumers on edge.

Cybercriminals start by obtaining the first six digits of a credit card, known as the Bank Identification Number (BIN). With this information, they employ trial-and-error methods to decipher valid combinations of card numbers, expiration dates, and security codes.

The stolen card details are then tested through small transactions that are hardly noticed, to determine their validity. Once confirmed, fraudsters either sell the compromised card numbers or use them for larger fraudulent transactions.

Many find themselves victims of unauthorized transactions. Despite never using their cards online, some victims get shocked to discover transactions on their accounts, leaving them with doubts about the safety of their financial information, even though the bank reimbursed them.

Contrary to popular belief, credit card numbers are not as random or infinite as consumers might think. With 16 digits on a card, removing the six-digit BIN leaves just 10 digits that adhere to a specific pattern.

The relatively limited possibilities make it feasible for cyber-criminals to use automated systems to rapidly guess valid combinations, posing a significant challenge for traditional security measures.

Role of financial institutions and businesses

While the affected businesses call for tighter safety protocols, the responsibility is not solely on the banks. Financial institutions, often the victims themselves, issue cards but are not always the entities processing the transactions.

The attacks highlight the need for a multi-layered defense, with businesses employing robust fraud protection tools and payment processors like Stripe and Square that prioritize online store security. This is needed since the aftermath of a BIN attack can be financially crippling for businesses.

According to the Central Bank, bank card fraud occurs in several ways, including phishing, which is when fraudsters send an email or text message that appears to come from one’s bank or a reputable financial institution.

“They use various tactics to get you to share confidential information such as your PIN, account number, login details, and passwords,” the CBK notes on its website.

“For instance, they may state that your account has an issue and that you need to update or verify the information through a website link or mobile phone device. Thereafter, they use the details to steal money from your account.”

Fraud may also occur when card skimmers illegally copy information from the magnetic strip of a credit or ATM card. They then create copies of the card and make changes to one’s account.

ALSO READ:

In other instances, thieves use misplaced or stolen bank cards to make unauthorized purchases before the owners report them missing, the CBK adds.

According to data from the BFID, Kenyan banks lost Sh1. 5 billion (approximately US $17.64 million) over the last year, with only a third being recovered by investigators.

Last week, the National Assembly assented to the Computer Misuse and Cybercrime (Critical Information Infrastructure and Cybercrime Management) Regulations, 2024, giving security agencies more power to regulate cyberspace activities to curb fraud.

The regulations enhance protection measures for critical economic sectors such as telecoms, banking, transport, and energy.

They stipulate how to deal with issues including scams, identity theft, hacking, and internet fraud, and also address the cybercrime capacity and capability building for the public, businesses, government institutions, and private entities, to enhance their cybersecurity preparedness and prioritize cybersecurity.

Kenya’s highly digitized economy linked with mobile money through telcos and banks has made the country a target for cybercrime and online fraud.

Adapting to evolving threats

As cyberattacks become more sophisticated, businesses must adapt to protect themselves and their customers. Popular platforms like Stripe and Square can serve as valuable allies in the ongoing battle against cyber threats, providing an additional layer of defense for businesses and their customers.

In an era where convenience and speed define online transactions, the dark underbelly of cybercrime poses a persistent challenge. BIN attacks, with their focus on small businesses, remind us of the fragility of digital financial ecosystems.

As businesses and financial institutions work to bolster their defenses, consumers are encouraged to remain vigilant and report any suspicious transactions promptly. The delicate balance between ease of use and security continues to be a tightrope walk in the digital age, with each innovation met by an equally cunning cyber threat.

Equity Bank’s Ksh179M Heist Unveils New Cyber Threat: The ‘BIN’ Attack

MOST READ