ATM Fraud hits Ugandan Banks – Customer Beware

Posted on October 19, 2015 | 2 comments

Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes her transaction and leaves smiling, looking forward to a fun filled evening.

A few metres from the ATM, a silver Subaru Forester with tinted windows is parked by the roadside and seated inside is a one Kasoma (Name not real). With a laptop and WiFi connection, he’s monitoring the card Skimmer he had just inserted in the ATM machine’s card entry slot. As Shamira inserts her card, the skimmer is able to extract relevant card data which he gets in real time. Then aided by a micro camera mounted inside the ATM closet, he’s able to see the pin code Shamira types to access her money. That’s all he needed.

Kasoma proceeds to make a duplicate card which he feeds with data from Shamira’s Card. He then uses the duplicate card to withdraw money from Shamira’s account and upon her next visit, she gets welcomed by the famous message, “Unable to proceed with transaction due to insufficient funds on your account.”

For as low as US$ 200 you can buy an ATM skimmer on the internet and using a regular WiFi enabled laptop, all you need is identify ATMs that aren’t tightly monitored and you’re good to go.

This is the reality the banking customer is faced with today. A group of Bulgarians was convicted in 2012 after orchestrating this scam in Kampala thereby defrauding many ATM users.

The recent fiasco with Centenary Bank that led to the nullification of all ATM card PINs  followed by the Bank CEO’s statement aimed at calming down the general public as well as silencing the speculation that arose shouldn’t be taken lightly.

In a well calculated and crafted video message, the CEO attributed the bank’s extreme action to a software update process that is ongoing. However, as someone who has dealt with Software and Hardware systems for many years, I am more than convinced that the bank is not being generous with the information it avails the public.

It is a fact that numerous banks are falling victim to electronic crime in Uganda and while some cases have been reported, most are dealt with under the hood for fear of alarming the public as well as diminishing their already strong brands based on trust. The situation is further complicated by the high level of insider dealing.

What is ATM Card Skimming? The copying of encoded information from the magnetic stripe of a legitimate card, making use of a card reader for fraudulent purposes.

Card skimming seems to be the most wide spread form of ATM fraud going on but there are others like;

  • The Card Trapping devices; Where a thin ribbon of Xray tape is inserted into the card slot. The loop it has traps your card and makes it appear like the bank has repossessed it. A ‘Good Samaritan’ then offers to help you and advises you to type in your PIN Code in order to have the ATM card returned. When it fails, you walk away believing that your card has been captured. He then proceeds to remove your card and withdraw your money using the pin he saw you punch in.

  • The Exit Shutter Manipulation Fraud; In this one, you insert an ATM card and punch in the pin in order to get money, select the amount you need and as the dispensation of the funds begins, you place your hand on the money exit shutter for a few seconds triggering the message that there is a fault with the shutter. This then causes the machine to reverse the transaction at the ATM switch by the amount requested thereby crediting your account once again. However, on release of the exit shutter after a few seconds, the ATM dispenses the amount previously requested since it was manually halted during the dispensation process.

  • The Matchstick hack: By inserting a matchstick in one of the keys on the ATM keypad like the Asterix (*), Clear or even Enter keys, a customer will come, insert their card, punch the PIN but fail to transact successfully since the keypad is kind of disabled. Meanwhile the criminal is nearby observing your PIN. Upon failing, the customer withdraws their card and moves on giving the criminal a chance to go to the ATM, remove the matchstick and punch in the customer’s PIN. He then transacts on the ATM account even with the card withdrawn since the machine retains the card’s details for some time.

  • By pressing a special sequence of buttons on the ATM keypad, some ATMs can be placed in the privileged ‘Operator Mode.’ While in this mode, numerous variables can be altered with the most prominent one determining the denomination of the bills loaded into the machine’s currency cartridges. Once done, one then proceeds to make the ATM withdrawal and by fooling the ATM into dispensing Ushs 50,000/= notes instead of Ushs 10,000/= notes, one is able to get more money from the ATM than their actual recorded funds transaction request.

There are many more frauds out there and as their complexity increases, so does the pressure on the financial institutions increase too. Ugandan banks need to wake up and start protecting their customers.

The largest perpetrators of these ATM scams are organised criminal gangs from Western Europe and as they find it ever harder to penetrate banking systems in Europe and America, they are going to shift their focus onto softer targets in Africa where the uptake of technology is spiralling albeit haphazardly.

How can you protect yourself from ATM fraud as a customer?

  • Familiarise yourself with the ATM machines of your bank especially the card slot entry area. This will help you notice anything that is out of the ordinary before you transact. Keenly observing the ATM machine and its surroundings should be top on your priority list before transacting.

  • As you punch in your PIN, shield your hand and the keypad with your body or the other hand to ensure that any installed cameras do not capture your PIN details. In some cases, heat sensitive thermal Cameras are used which can detect the keys you punched long after you’ve finished putting in the PIN. So, to be safe, you can go the extra mile and cover some form of tissue or cloth on your finger as you input the details.

  • Use familiar ATMs. Be careful which ATM machines you go to. In case you’re not comfortable with the area an ATM is located, then do not transact. ATMs in dimly lit areas or visited late in the night might be more susceptible to fraud.

  • When distracted during an ATM transaction, immediately cancel your transaction and collect your card before responding to anyone who has distracted you.

  • Always change the Card’s PIN from the original number given to you (this number may sometimes be part of the data on the magnetic strip and could be discovered by thieves who have stolen your card).

  • Do not accept assistance or guidance form anyone however helpful they may seem.

  • If your card is trapped or swallowed by an ATM, do no leave the ATM immediately. Call the bank or even better wait until you can see someone else successfully transact from the very ATM machine you’ve used before you can prove that it wasn’t a mere fabricated blockade.

  • Feel the Card entry slot. If you detect anything loose around it, then you have reason to suspect that a skimmer could have been inserted. Call and report your findings to the bank.

In case you’ve already fallen victim, try any of the following;

  • When you discover a card reader or card-trapping device, don’t remove it. Call the bank authorities or Police ASAP because the crooks may be watching the ATM and want to recover their equipment.

  • In case of a lost card, immediately notify your bank and terminate any further transactions on your account.

  • When approached by someone suspicious at the ATM, calmly observe them and keep track of whatever possible detail you can come up with then proceed to submit a report to the bank or the Police.

As for the banks, there is a need to;

  • Setup a Joint ATM Security Team: ATM fraud can’t be addressed in isolation. Ugandan banks need to appreciate this and swallow humble pie. The more they work together to confront this challenge the higher the chances of registering success. Such an effort needs to be complemented by other agencies like the Police CyberCrime unit, the National IT Authority among others.

  • Train ATM Fraud Experts: From basic card skimming to malware use, ATM hacking is scaling greater heights by the day. The banks need to avail specialised training to some of their staff to tackle ATM fraud.

  • Install Machine Alarms. These help alert when the ATM shell is tampered with.

  • Upgrade Cards. From the simple magnetic ATM cards, banks need to make upgrades to the Chip and PIN technology since currently most fraudsters can only compromise the magnetic stripe on the card and not the chip.

  • Raise Customer and Staff awareness of ATM Fraud. This can be done through posters, screen messages and inserts in mailings to customers. Just like openness worked a great deal in combating the HIV/Aids scourge in Uganda, the same could apply to the ATM fraud challenge which is likely to grow in leaps.

Shamira and You can help avert the looming ATM hacking crisis but above all, we need the banks to cooperate and be more open about this problem.

Twitter: @wirejames

2 Comments

Posted in Technology

Tagged , , , , , , ,

The Uchumi Supermarket Ponzi Scheme killing Small Businesses

Posted on October 14, 2015 | 6 comments

The year was 2002, Uchumi Supermarket opened it’s first retail store outside the Kenyan borders in Kampala, Uganda amidst a lot of fanfare and pomp. The branding alone was enough to attract the trigger happy Kampala elite whose love and admiration for anything new lasts as long as it takes a matchstick to burn. I was among those sucked into the craze of shopping there and indeed the service levels were quite impressive. Little did I know that it was a matter of time before I became a supplier of this very supermarket chain.

In 2009, I was able to get one of my company’s products onto their shelves and honestly, it was such a big break for the business. What begun as a symbiotic affair where we supplied and were paid (albeit after a 45 – 60 day period), eventually became parasitic. The supermarket from as far back as 2010 begun falling back on its payment promises and one had to occasionally ‘go native’ in order to be considered for payment. Eventually we stopped supplying them and as a result accumulated unpaid invoices over two years old.

How did Uchumi respond to our plight as unpaid suppliers? The company simply took on new suppliers who had no idea how much of a bad business partner they were getting in bed with. These new suppliers would also supply for about a year then cease upon realising that they are offering interest and security free loans to Uchumi. The cycle continued to the extent that in one interaction with their Finance Manager a one Richard, I did warn him of the imminent collapse of the Ponzi Scheme they were engaging in. I proposed to him that a meeting between Uchumi Management and Suppliers would help generate ideas on how the situation could be turned around. Unfortunately, some of these powder milk stuffed corporate expatriates for lack of a better term have no clue about what it takes to maintain a business ecosystem and only focus on ensuring that their salaries hit the bank account as well as massaging the egos of their god fathers.

At this point I chose to sit on the sidelines and watch the gradual collapse of a giant. In a matter of just one year, the Uchumi Ponzi Scheme has fallen apart in Uganda. However, what do we learn from all this?

Small Businesses that form the bulk of suppliers to the supermarkets are the biggest victims of such corporate financed misadventures. Businesses that have outstanding payments with Uchumi of between US$ 500 and US$ 5000 are not less than 600. This translates to a supplier debt of at least US$ 1.5 Million. Now these are the businesses that you and me set up with plans of growing into something bigger tomorrow. To be made a fool of by such a major retailer that continued to carry out promotions even when they were at bleeding point is the biggest insult I have ever witnessed. I am only glad that our products are selling in most of the major retail outlets and the loss of Uchumi can’t drive us out of business but what happens to that Mama Mboga (Poor little lady who packs ground nuts and sim sim snacks to supply in order to fend for her fatherless children)? Family incomes are shattered, this has a rebounding effect on individuals’ lives but for the corporate smugglers in form of Managers and owners at Uchumi, it’s business as usual.

Look at this interesting trend, in 2002 when Uchumi came to Uganda, they were already facing teething problems in Kenya that led to the company being put under receivership in 2006 and eventually being delisted from the stock exchange. Uganda gave them a lifeline as it was a cash cow till the same internal thieving and stock control problems that caused the Kenyan collapse caught up with them. Now that Uchumi Uganda is on it’s knees (as expected anyway), they are rapidly opening up branches in Rwanda. One only wonders for how long they will profitably operate in that market before the same cancer that plagues the Kenyan and Ugandan operations permeates there. As of writing this, Uchumi has closed their Freedom City, Garden city, Nateete, Kabalagala and Gulu branches in Uganda. They are neck deep in lawsuits and it looks like this time round, the Kenyan Government just might not bail them out like it did in a politically brokered deal when the Kenyan operations had hit rock bottom.

The scene of this has been in the Supermarket space but similar cannibalistic attributes are being witnessed in different industry sectors. A friend that runs a small business that offers services to Advertising Companies keeps lamenting about the delayed payments that take at least six months to come through.

Why then should the Small Business owners always be blamed for the horrendous statistics quoted that “90% of Ugandan businesses never live to reach 5 years?” The major cause is clear and it is a cash flow problem usually induced by supposedly professionally run big businesses. The Uchumi Ponzi Scheme is a case in point.

Without appearing to be a prophet of doom, if Uchumi doesn’t clean up house right from the top (A fish starts rotting from the head – Acholi Saying) the Rwanda operations will bite the dust within two years from now leaving many small business owners destitute. Word coming in indicates that Uchumi Tanzania is likely to close shop soon too with suppliers and workers are already protesting.

Like the Telexfree fraud, Uchumi Supermarket is taking Suppliers on a wild goose chase.

Someone stop Uchumi’s Ponzi Scheme. NOW!!!

6 Comments

Posted in Business

Tagged , , , , ,