Data for fraud: How the biometric system exposes Nigerians to cyber thieves
By Tunde Omolehin. First published in RM Times.
In December last year, an unidentified middle-aged man surfaced on social media, threatening to kill himself at a United Bank for Africa (UBA) Iju branch, Lagos State, alleging that the bank transferred his money to hackers who compromised his account.
It was gathered that the man had earlier reported an unfamiliar debit transaction of N450,000 on his account to the bank. The bank asked him to get a court order to prove he had no business with the recipient, who apparently is a hacker.
“He came to the bank and complained at the Customers’ desk how his Bank Verification Number (BVN) was compromised by an unknown person but was asked to get a court order, only to be informed upon his return that the transaction had been facilitated in favour of the supposed hacker,” Sanusi Amao, one of the security guards at the branch where the incident unfolded, told RMTimes.
“Incidents like this are frequent in the bank hall, but most victims stay silent on it and bear the loss. The fact is that the bank will never take responsibility for any account details that an outsider has compromised.”
RMTimes further gathered that the victim was neither refunded nor compensated for losing his hard-earned money in such a way.
But Mrs. Lillian Okon was lucky to have been refunded the sum of N191,000 after it was taken from her bank account by similar hackers who specialise in cyber fraud.
“Honestly, I never believed that the money would ever come back to me, but I thank God for the EFCC for being the hope of the common people like me,” she states.
In January 2021, Mrs. Okon had received a call from an unknown person who claimed to be an official of the bank where her account is domiciled.
“A male voice requested my bank account details that the Federal Government wanted to credit my account with the Covid-19 loan I had applied for,” she reveals.
“Within a minute of giving my details, I started receiving some debit alerts that showed that I authorised some transactions from my account,” Adegoke said.
The Police in Osogbo, Osun State, later apprehended the suspects following a report by a Point-of-Sale Operator who grew suspicious of their activities. They subsequently handed them over to the EFCC for further investigation.
Until the incident, Okon said, she had no prior knowledge that a third party could gain access to her bank details without her submitting her ATM code and Bank Verification Number (BVN).
“I gave the caller my birth date, full name, and some data about myself, but not that of my bank or secret codes,” she tells RMTimes.
“The e-fraud has been massive since the introduction of its cashless banking system in 2014 by the Federal Government. In fact, in most cases, the bank officials are complicit in giving out details of customers to the fraudsters,” according to Zainab Mohammed, a university undergraduate studying cyber-security.
In the last few years, both data theft and cyber-crimes have become so widespread that the arrest and prosecution of the suspects have become a major preoccupation of the EFCC.
The suspects are often referred to as Yahoo boys in Nigerian parlance. The groups are a new breed of young people specialising in defrauding Nigerians and foreigners through various online tricks.
The prevalence of e-fraud between 2020 and 2021 led the Central Bank of Nigeria to issue a fraud alert about the activities of cyber-criminals taking advantage of the coronavirus pandemic to defraud citizens.
The apex bank says cyber-criminals were taking advantage of the COVID-19 pandemic to defraud citizens, steal sensitive information or gain unauthorised access to computers or mobile devices using different techniques.
Fraud Index Rises
According to a report from the Consumer Awareness and Financial Enlightenment Initiative (CAFEI), a nonprofit organisation, Nigeria topped the countries prone to cybercrimes.
The report, released in 2019, projected that a total sum of US$6 trillion will be lost by 2030 to cybercrime within and outside Nigeria.
The CAFEI report also shows that, in 2018, commercial banks in Nigeria lost a cumulative N15 billion (US$39 million) to electronic fraud and cybercrimes. This was a 537% increase on the N2.37 billion loss recorded in 2017. Over 17,600 bank customers and depositors lost N1.9 billion to cyber fraud in 2018.
Similar losses were also revealed by PwC’s Global Economic Crime and Fraud Survey 2020, which showed that the total cost of cybercrimes in Nigeria is worth about $42 billion.
Aside from that, investigative data from the EFCC in Lagos state for the second quarter of 2021 indicated that Lekki District was the preferred location for many cyber fraud syndicates.
According to the report, between April and June 2021, the command’s Advance Fee Fraud and Cyber Crime Sections recorded 402 internet-related fraud arrests.
Unsecure Data?
A financial expert, Dare Omoluabi, says the mass e-registration of citizens using biometric systems via facial photographs, fingerprints, and the issuance of a unique identification number may have encouraged fraud related to falsely using consumers’ bank accounts.
“If you have been following data on fraud-related cases, you will agree that all can be traced to individuals’ biometric data flipping into the hands of these cyber-criminals and fraudsters,” Omoluabi asserts.
“The moment they can lay hold of such data like your National Identification Number (NIN) or Bank Verification Number (BVN), then rest assured that everything about you can be manipulated,” emphasised Omoluabi.
However, he expressed concern over requesting the Bank Verification Number (BVN) of applicants as a prerequisite for the NIN registration.
RMTimes recalls that since the introduction of the cashless policy via National Identification Numbers in 2014, and the subsequent mandatory use of Bank Verification Numbers for online transactions, the number of perpetrators of fraud in Nigeria’s finance sector has kept growing.
The Federal Government had mandated the National Identification Management Commission (NIMC) by the NIMC Act No. 23 of 2007 to establish, own, operate, maintain and manage the National Identity Database in Nigeria.
It also charged the Commission to register persons covered by the act, assign a unique NIN, and issue General Multi-Purpose Cards (GMPC) to those who are citizens of Nigeria and others legally living in the country.
But Joshua Olufemi, Founder and Executive Director of Dataphyte, and co-researcher of “Security Playbook of Digital Authoritarianism in Nigeria”, believes there is evidence that large volumes of personal data, “including biometric information stored on multiple centralized databases, have been frequently compromised.”
“For instance, when you register for and purchase a new SIM card and insert it into your phone, walk into a banking hall to open an account, register your business with the tax authorities, and then proceed to register for your National Identity Number (NIN).
“You avail people in these private and public organisations the opportunity to track your physical locations and movements, to track and stop your financial transactions, to track and intercept your communications, to block your online content and communications.
“There is evidence that large volumes of personal data, including biometric information stored on multiple centralized databases, have been frequently compromised, increasing citizens’ exposure to privacy intrusions, targeted advertisements, identity fraud, and blackmail,” Olufemi told RMTimes.
Getting a NIN from the NIMC offices across the country is not something you would do without getting yourself prepared for it, said Mr. Segun during interviews with a cross-section of NIN applicants waiting in Sokoto State.
The 35-year-old, who appeared frustrated in a long queue, says: “You have to commit your time, money and energy and in the end may not get it at ease.”
“This is about the fourth time I am doing SIM re-registration and verification within the same year; either they call me to say the registration wasn’t successful or something else,” he laments.
“Yet fraudsters are still committing different crimes using SIM without hiding the lines. When you report such criminal acts, it is still difficult for the security agents to fish out the fraudsters.”
Unease, Compromised
An RMTimes investigation reveals different prices for ‘capturing’ alone and ‘capturing with printout’. Getting an identity card slip is not without a fee illegally attached to it by NIMC officials at most biometric collection points in some locations visited by RMTimes.
Many applicants seeking to obtain a NIN allege that the sale of the registration form at unofficial fees is a day-to-day business among officials who use security guards as ‘middlemen’ or ‘agents’ to avoid being caught in the act.
“For processing, they collect between N5,500 and N6,000 from us,” says an applicant who spoke on the condition of anonymity.
An agent who approached the reporter to ask if he was interested explains that the cash charges are to fast-track the process through extra efforts.
“The charges are to buy fuel for the generator and ensure that we subscribe to a faster internet connection rather than waiting for the system provided by the Government,” he states.
One applicant at the NIMC headquarters in Osogbo, Osun State, Adekemi Sule, describes the process as cumbersome. “Some people come to the centre as early as 6 am to queue,” she observes.
The story is the same in other centres visited within the metropolis. There is also an allegation that the NIMC officials collected between N2,500 and N3,000 from intending registrants to start the registration process.
But the spokesperson of NIMC, Kayode Adegoke, said the Commission will always ensure maximum security of its systems and database because of the critical nature of the identity data that the Commission collects, manages and maintains as critical assets for the country.
“We assured members of the public that it would continue to uphold the highest ethical standards in data security on behalf of the federal government and ensure compliance with data protection and privacy regulations,” he said.
Data Protection
Experts say Nigerians are unaware that data protection right is the process of safeguarding important information from corruption, compromise, or losses incurred.
“Lack of adequate knowledge about what data protection entails is no doubt making Nigerians’ data vulnerable to breach,” says Dr Nafiudeen Adetutu, a data scientist at the Ladoke Akintola University of Technology Ogbomosho, Oyo State.
“Many Nigerians still don’t take the protection of their data privacy seriously. This explains why their data and personal information are breached by some dubious companies and individuals in whose custody the data is kept.”
“And this is one of the reasons experts said every Nigerian should be fully aware of data protection and privacy in order to prevent these online criminals,” he stresses.
“The citizens have to be able to apply Section 6 (a,c) of the National Information Technology Development Agency (NITDA) Act 2007 in pursuit of the data rights infringement which is the current national law on data protection in Nigeria as of today.”
The regulation aims to protect the right to privacy, create the right environment for digital transactions and job creation, and improve information management practices in Nigeria.
Deji Idowu, a security expert, also advised that banks should ensure that they put the right personnel in charge of their sensitive online departments to ensure that no foreign body has access to it.
“Security against fraud in banks is a holistic battle. Banks should not only ensure that competent people are employed to man their IT department, but they should also continue to ensure that those employed are dutiful and sincere,” he adds.
Adejoh Moses, a Chartered Accountant, says customers were culturally unfamiliar with security issues around digital transactions.
“Even well-educated people run the risk of falling victim to social engineering and identity theft traps in this country,” he observes.
“Bank institutions must go beyond educating customers on the protection of crucial information to actual data protection and integrity amongst operators and stakeholders. Customer education is required in countering security threats in digital payments.”
The accountant points out: “The various channels collecting citizens’ biometric data such as Private Businesses, Banks and Telecommunication Service Providers, and Foreign Embassies must ensure that the process of collecting or gathering citizens’ biometric data is secure and not compromised.”