
Uganda Communications Commission @20 Years. Celebrating Incompetence!!!


Uganda has traditionally been structured in such a manner that most of what you need to do or trade in has to lead you to the capital city, Kampala. Take a look at most of the government services that citizens require and try to find out how they accessed them ten or twenty years ago. Passports, Driving permits, decent health services, car registration, business registration, Tax registration among others, all had to be accessed from offices based in Kampala.

The advent of technology was a breath of fresh air, something which the Uganda Revenue Authority took advantage of by setting up regional and border point offices that were able to offer services to the general public that were initially the preserve of the Kampala Office.

The advancement in technology has also meant an advancement in the perpetration of crime. Following a spate of very sad security incidents involving the murder of innocent people through the use of mobile technologies, the government agencies were, as usual, caught flat-footed. They rudely woke up from their slumber and in a reactionary manner decided to undertake measures aimed at minimising this threat in future. Led by the Uganda Communications Commission (UCC), it is hard to know who comprised the team that has been working behind the scenes, but a couple of interventions were undertaken:

1. In March 2017, an order was made by UCC to the Telecoms to deactivate unregistered SIM cards, something which was never fully implemented.

2. Come March 2018, after the murder of 23 young ladies in 2017 eventually culminating in the murder of Susan Magara in February 2018, the issue of unregistered SIM cards resurfaced, leading to a new directive by UCC to halt the sale of SIM Cards.

3. On the 27th of March 2018, there was a change of heart by UCC when they decided through another directive to annul the SIM Card ban, albeit under stringent conditions. It is these conditions that are the subject of discussion.

The UCC statement, Ref: LA/440, titled Clarification on SIM Swaps / SIM Replacements, outlines the conditions under which one can obtain a SIM swap/replacement as:

  • Production of a valid police report

  • Presentation of a letter from The National Identification and Registration Authority (NIRA) verifying and validating that a SIM card holder’s national ID is authentic.

  • Re-registration of the applicant for a SIM card by the telecommunications operator using biometrics and a photograph.

  • Issuance of fresh SIM card registration form.

  • Ensuring that the SIM card holder shall be using the SIM card in a genuine Type Approved device.

Background to SIM registration

Reading through these conditions takes me back down memory lane. In 2012, the then Ministry of ICT mooted the idea of registering SIM Cards with the UCC as the lead agency to realise it by 2013. The idea was a good one that got hijacked by selfish interests hence being subjected to poor planning.

Back then, there were proposals mooted on how best to achieve the SIM Card registration with two schools of thought emerging. One was that the UCC takes over the registration process by bankrolling the creation of a centralised database that all Telecoms companies can feed into. The second option was leaving the registration burden to the Telecoms as well as the handling of the eventual databases.

Most professionals preferred the first option because it ensured that customer/citizen information was held by a Government entity and this very information could later be used to merge with databases of other government departments like the Passport Office, Uganda Revenue Authority, National ID among others. With a futuristic mindset, we anticipated a time when there would be a need for different players, not only telecoms but also financial institutions, Health Service providers etc to access a centralised registration database for verification services. The feelers from UCC at that time were that they did not want to spend any money on the process hence preferring to offload that burden to the Telecoms.

The downside to the second option of letting the Telecoms manage the registration databases independently was likely to be in the creation of unnecessary multiple databases all doing the same thing. In a bid to make the process as cost effective as possible, the Telecoms were likely to be tempted to make the registration process as basic as possible and this is what is responsible for the inaccuracies in the registration information of most phone owners.

For an organisation littered with highly trained professionals, one is left wondering why there is a chronic lack of a futuristic thinking and approach towards managing projects.

The burden created of linking Telecoms to the NIRA database wouldn’t have surfaced if UCC had in the first place taken ownership of the SIM registration database to create a single centralised repository. However, as someone who knows a bit about how most of these government institutions work, it comes as no surprise. The fact is that:

  • Government Institutions do not like to work together. UCC and the National IT Authority (NITA) often don’t see eye to eye. There is always this sibling rivalry that they exhibit. Take the example of a time when UCC and NITA each decided to set up CERTs (these are entities set up to study computer/technology vulnerabilities as well as offer support to victims or the general public). How many activities have you seen UCC and NITA engage in jointly? As the government implementer of Technology, NITA should be allowed to play a key role in all this. Their silence is a message in itself.

  • All initiatives are looked at as Procurement deals. What I mean here is that most focus is put on what is going to be purchased and how much it shall cost as opposed to designing a system that will stand the test of time. This is the reason why you find a lot of excitement around the implementation of Phone Tapping or Pornography Detection technology whose cost is definitely inflated. Word in the local tech corridors has it that the President was overly pissed off when the head of a Government agency inflated the cost of procuring some technology equipment to some obscene amount in millions of dollars only for him to learn later that it cost a very minute fraction of the amount of money he approved for release.

  • Crisis is best. There is a preference to wait for or create a crisis by these Government agencies because decisions are then expedited and there is less scrutiny of the transactions hence creating room for the hyper inflated transactions that see many of the line individuals smile all the way to their banks. One just needs to look back at the 2007 Commonwealth Summit (CHOGM) that was held in Kampala and how through crisis management a lot of money was swindled by various officials. Same template, different stage.

Before you get that new SIM card, UCC says;

  • Produce a valid Police Report. What is the logic in all this? If I have lost or have a corrupted sim card which is already registered under my names and I can prove my identity, why should I need to report to the Police? It is common knowledge that this is a move that at best will achieve the goal of wetting the beaks of police officers.

    You not only provide the paper and pen on which they are going to write, but they also expect you to part with at least UGX 5000/= which is clearly a bribe.

    It doesn’t matter how much one shouts, all police stations in the country behave the same way and one person’s rants can’t change them.

    Secondly, you cannot have two SIM cards sharing the same number. With this as a given fact, the risk of rogue SIM cards existing on the network is minimised and hence doesn’t warrant the extremely naive action being taken.

    A better approach would have been the need for one to prove their identity through presentation of the National ID. By the time I have a functional SIM card, then the telecoms company has my registration details. So, that would be enough to verify the information on my submitted ID. The lack of it would probably call for acquiring one.

  • Presentation of a Letter from NIRA verifying the validity of one’s National ID. This is definitely a laughable requirement. To be honest, how hard is it to forge this letter, if I really have to? We are talking technology and you want to drive us back to the stone age? Whoever thought this up should try watching The Flintstones and The Jetsons Cartoons, only then shall they appreciate the difference between 2018 and 1986.

    Secondly, are we short of quick fix technological solutions that can be used pronto to verify these IDs? There is a Code (That grey shaded area) at the back of each ID, how hard is it to use that for verification? Unless of course if it was placed there for fashion purposes.

    We all know that NIRA has its offices in Kampala. What happens to someone from Butaleja who wants a letter, do they have to board a taxi to Kampala, spend an entire day or two lining up to get a letter, spend a night or two in Kampala all in the name of getting a letter? Besides, the likely congestion will lead to more corruption opportunities at the NIRA offices for those that want to get their letters processed swiftly.

    Whoever proposed this seems to think that Kampala is Uganda.

    Do not add more misery to our already suffering people. If this requirement stands, then NIRA should open up offices in each district. Wake up you guys!!!

  • Re-registration of the applicant for a SIM card. Why? Why? Why? If I may show my frustration the way my son does each time I give him a task that doesn’t seem to make sense. Did the Telcos lose our previous registration details? Why take one through the same rigorous process? The only thing I can accept is the biometrics verification which wasn’t done in the earlier phase. The rest is near to nonsense and a waste of our man hours.

  • Issuance of fresh SIM card registration form. Is this a redesigned form that has more fields than the previous one we filled in? Why duplicate matters? Is there an option for an electronic version of this form? If the insistence is on hard copies, then I recommend the promoters of this requirement to watch the cartoons I mentioned earlier. Maybe they will get the point. I am compelled to assume the worst, our SIM Card registration data might be messed up.

  • Ensuring that the SIM card holder shall be using the SIM card in a genuine Type Approved device. This is the most redundant of them all. Very uncalled for especially from an entity that should be at the cutting edge of understanding telecommunication technology.

    I could come with a type approved phone for the mere purpose of getting my new SIM then revert to the non Type Approved phones thereafter. However, the current infrastructure of the telecom operators has the ability to weed out the non Type Approved phones on the go. This therefore means that you do not have to even state it as a requirement at this stage, it’s already taken care of.

    Such redundant thoughts drive us into wondering whether some officials do deserve the hefty salary perks they get at the expense of the tax payer.

We are now hearing about the development of an API aimed at enabling third parties to access the NIRA ID Database. The financial sums being mooted for this basic task are already mind boggling for something that can be executed by local developers. A conveniently placed foreign entity is apparently in line to take on this task.

Whoever cursed Uganda must have done such a good job!!

All this could have been avoided if in the first place UCC had taken on the ownership of the SIM registration database and gone ahead to design a modular system that could plug into any other databases like that of NIRA upfront. Why is such basic thinking a luxury?

As we celebrate incompetence by continuing to reward non performance, the original intentions of technology making the governance of our citizens easier are being continuously raped.

For God and My Country

James Wire is a Small Business and Technology Consultant

Blog: wirejames.com

Twitter: @wirejames

Email: lunghabo (at) gmail (dot) com

ATM Fraud hits Ugandan Banks – Customer Beware


Shamira (Name not real) received the long awaited call confirming her proggie with some friends that evening. Excitedly, she jumped into her Vitz and raced off to the nearest ATM for some money. On arrival, she inserts her card in the ATM, executes her transaction and leaves smiling, looking forward to a fun filled evening.

A few metres from the ATM, a silver Subaru Forester with tinted windows is parked by the roadside and seated inside is a one Kasoma (Name not real). With a laptop and WiFi connection, he’s monitoring the card Skimmer he had just inserted in the ATM machine’s card entry slot. As Shamira inserts her card, the skimmer is able to extract relevant card data which he gets in real time. Then aided by a micro camera mounted inside the ATM closet, he’s able to see the pin code Shamira types to access her money. That’s all he needed.

Kasoma proceeds to make a duplicate card which he feeds with data from Shamira’s Card. He then uses the duplicate card to withdraw money from Shamira’s account and upon her next visit, she gets welcomed by the famous message, “Unable to proceed with transaction due to insufficient funds on your account.”

For as low as US$ 200 you can buy an ATM skimmer on the internet and using a regular WiFi enabled laptop, all you need is identify ATMs that aren’t tightly monitored and you’re good to go.

This is the reality the banking customer is faced with today. A group of Bulgarians was convicted in 2012 after orchestrating this scam in Kampala thereby defrauding many ATM users.

The recent fiasco with Centenary Bank that led to the nullification of all ATM card PINs, followed by the Bank CEO’s statement aimed at calming down the general public as well as silencing the speculation that arose, shouldn’t be taken lightly.

In a well calculated and crafted video message, the CEO attributed the bank’s extreme action to a software update process that is ongoing. However, as someone who has dealt with Software and Hardware systems for many years, I am more than convinced that the bank is not being generous with the information it avails the public.

It is a fact that numerous banks are falling victim to electronic crime in Uganda and while some cases have been reported, most are dealt with under the hood for fear of alarming the public as well as diminishing their already strong brands based on trust. The situation is further complicated by the high level of insider dealing.

What is ATM Card Skimming? The copying of encoded information from the magnetic stripe of a legitimate card, making use of a card reader for fraudulent purposes.

Card skimming seems to be the most widespread form of ATM fraud going on, but there are others like:

  • The Card Trapping devices; Where a thin ribbon of X-ray tape is inserted into the card slot. The loop it has traps your card and makes it appear like the bank has repossessed it. A ‘Good Samaritan’ then offers to help you and advises you to type in your PIN Code in order to have the ATM card returned. When it fails, you walk away believing that your card has been captured. He then proceeds to remove your card and withdraw your money using the PIN he saw you punch in.

  • The Exit Shutter Manipulation Fraud; In this one, you insert an ATM card and punch in the pin in order to get money, select the amount you need and as the dispensation of the funds begins, you place your hand on the money exit shutter for a few seconds triggering the message that there is a fault with the shutter. This then causes the machine to reverse the transaction at the ATM switch by the amount requested thereby crediting your account once again. However, on release of the exit shutter after a few seconds, the ATM dispenses the amount previously requested since it was manually halted during the dispensation process.

  • The Matchstick hack: By inserting a matchstick in one of the keys on the ATM keypad like the Asterisk (*), Clear or even Enter keys, a customer will come, insert their card, punch the PIN but fail to transact successfully since the keypad is kind of disabled. Meanwhile the criminal is nearby observing your PIN. Upon failing, the customer withdraws their card and moves on, giving the criminal a chance to go to the ATM, remove the matchstick and punch in the customer’s PIN. He then transacts on the ATM account even with the card withdrawn since the machine retains the card’s details for some time.

  • By pressing a special sequence of buttons on the ATM keypad, some ATMs can be placed in the privileged ‘Operator Mode.’ While in this mode, numerous variables can be altered with the most prominent one determining the denomination of the bills loaded into the machine’s currency cartridges. Once done, one then proceeds to make the ATM withdrawal and by fooling the ATM into dispensing Ushs 50,000/= notes instead of Ushs 10,000/= notes, one is able to get more money from the ATM than their actual recorded funds transaction request.

There are many more frauds out there and as their complexity increases, so does the pressure on the financial institutions increase too. Ugandan banks need to wake up and start protecting their customers.

The largest perpetrators of these ATM scams are organised criminal gangs from Western Europe and as they find it ever harder to penetrate banking systems in Europe and America, they are going to shift their focus onto softer targets in Africa where the uptake of technology is spiralling albeit haphazardly.

How can you protect yourself from ATM fraud as a customer?

  • Familiarise yourself with the ATM machines of your bank especially the card slot entry area. This will help you notice anything that is out of the ordinary before you transact. Keenly observing the ATM machine and its surroundings should be top on your priority list before transacting.

  • As you punch in your PIN, shield your hand and the keypad with your body or the other hand to ensure that any installed cameras do not capture your PIN details. In some cases, heat sensitive thermal cameras are used which can detect the keys you punched long after you’ve finished putting in the PIN. So, to be safe, you can go the extra mile and cover your finger with some form of tissue or cloth as you input the details.

  • Use familiar ATMs. Be careful which ATM machines you go to. In case you’re not comfortable with the area an ATM is located, then do not transact. ATMs in dimly lit areas or visited late in the night might be more susceptible to fraud.

  • When distracted during an ATM transaction, immediately cancel your transaction and collect your card before responding to anyone who has distracted you.

  • Always change the Card’s PIN from the original number given to you (this number may sometimes be part of the data on the magnetic strip and could be discovered by thieves who have stolen your card).

  • Do not accept assistance or guidance from anyone, however helpful they may seem.

  • If your card is trapped or swallowed by an ATM, do not leave the ATM immediately. Call the bank or even better wait until you can see someone else successfully transact from the very ATM machine you’ve used before you can prove that it wasn’t a mere fabricated blockade.

  • Feel the Card entry slot. If you detect anything loose around it, then you have reason to suspect that a skimmer could have been inserted. Call and report your findings to the bank.

In case you’ve already fallen victim, try any of the following:

  • When you discover a card reader or card-trapping device, don’t remove it. Call the bank authorities or Police ASAP because the crooks may be watching the ATM and want to recover their equipment.

  • In case of a lost card, immediately notify your bank and terminate any further transactions on your account.

  • When approached by someone suspicious at the ATM, calmly observe them and keep track of whatever possible detail you can come up with then proceed to submit a report to the bank or the Police.

As for the banks, there is a need to:

  • Setup a Joint ATM Security Team: ATM fraud can’t be addressed in isolation. Ugandan banks need to appreciate this and swallow humble pie. The more they work together to confront this challenge the higher the chances of registering success. Such an effort needs to be complemented by other agencies like the Police CyberCrime unit, the National IT Authority among others.

  • Train ATM Fraud Experts: From basic card skimming to malware use, ATM hacking is scaling greater heights by the day. The banks need to avail specialised training to some of their staff to tackle ATM fraud.

  • Install Machine Alarms. These help alert when the ATM shell is tampered with.

  • Upgrade Cards. From the simple magnetic ATM cards, banks need to make upgrades to the Chip and PIN technology since currently most fraudsters can only compromise the magnetic stripe on the card and not the chip.

  • Raise Customer and Staff awareness of ATM Fraud. This can be done through posters, screen messages and inserts in mailings to customers. Just like openness worked a great deal in combating the HIV/Aids scourge in Uganda, the same could apply to the ATM fraud challenge which is likely to grow in leaps.

Shamira and You can help avert the looming ATM hacking crisis but above all, we need the banks to cooperate and be more open about this problem.

Twitter: @wirejames