NIC Bank’s Data Breach,Hack and subsequent Extortion

Allow me to write this post as a letter to NIC Bank, I feel  despite the numerous times I have advised them to rectify their security to better protect us,their users, its simply gone to deaf ears.Well here goes.

Dear NIC Bank,

How are you? Hope you are well. This days when I wake up every morning I have developed a routine I read all my tech blogs, check my email and check my NIC bank portal for fear of breach, for fear that my hard earned shillings may have been skimmed by some hungry hacker or even worse my data may have been sold on silk road. I know many wonder why am still banking with you if all I do is complain, I mean if you constantly argue with your spouse then its better walking out and sparing yourself the agony, but like a cocaine addict am hooked, am hooked to your seamless banking process, the short cues in banking halls, the cute banker chics you guys have, the asset finance and off course the online banking portal that has proved to be your Achilles heel.

If you have been reading my blog you may be aware I have written 2 posts the first one NIC-BANK’s poor Ebanking System and possible security Flaws dated 24th April 2014  and the second NIC-BANK’s improved Ebanking System subsequent to my Exposé  dated 11th November. In the first I alerted you of the gaping holes in your security.  I also expressed my fear that someone else may have found this flaw and not being as noble as me, exploited it for profit.  I was pleased when a few months later I noticed you had bumped up your security and added OTP to the online portal. But if you remember I mentioned that this may be a little to late, I wrote in part

To begin with if indeed the data they served was compromised they they should have purged the entire username password combo provided, instead they only solved the issue of passwords. The problem with this is a keen to a naked woman only covering her boobies, the rest of her is available for your ocular pleasure. The same applies if I had a set of pswd and usernames and the pswds change without the usernames changing then am already at first base if I had the old data. The next thing would be a clever combination of hacking tactics ranging from social engineering, actual key logging on the device to harvest the apps password and generating an OTP afterward, sitting on the data and joining all those IRC chats on the dark web and tor that list exploits on major brand software and the just cleverly generating the OTPs for your self etc

Fast forward to a couple of days ago, wifey called me up at work and informed me that there were a couple of guys arrested on the grounds of extorting cash for data. Allow me to speak a little about the 2 hacker guys, first I condemn heavily their extortion of money for data. The 2 guys asked for 200 bitcoins from this we can see this guys aren’t exactly noobs but also we can see that they are just average hackers. Allow me to explain why

There exists a market on the dark web, the other part of the internet where Google doesn’t even dare go, where all the hackers meet and chat exchange tools etc. I remember the first time I showed wifey the dark web she was blown away by the level of sophistication there, I mean if you think of the internet we use as  5/10  then the dark web is 10/10. This is the first place where kids grow up worshiping Anonymous and the Lulz, the place where lizard squad was born and their skills sharpened. Back to said market, its called Silk road, silk road buys anything from weapons to kiddie porn.Its like the wild wild west of the Internet. So Where am I going with this..allow me to indulge you and generalize as well. Kenyan Banks should be aware that there are guys out there who wont send you an email and ask for cash, there are guys who will sell hacked data, attack vectors etc on silk road and then from there the Chinese or Russians will get a hold of it and wreck havock, the things that this guys can do is even beyond the scope of this blog.

Long story short, the 2 guys will probably be found guilty right, they will end up in kamiti and get Anally raped and we will forget about the whole thing. One or two guys will get fired and new ones hired they will come with bravado and a big solex padlock to lock the server rooms. But do you think anything will be done.Look at the stock price following the hack, did it even dip a point,NO,look at the ques did they even shrink by a fraction,No.

This banks need to be monitored by the Central Bank, not only on banking practices but also on security,its all good that CBK protects your cash from fraudulent manipulation by the banks but that shouldn’t end there, they should protect Wanjiku from Chinese hackers who had a cluster setup in their house with enough brute force power to use said data hacked by the 2 to make them millions. Kenya has to wake up to the fact that the rest of the world has invested billions on cyber security and are still getting  hacked (look at sony,xbox etc) what do you think will happen when this hackers discover easy targets in Kenya/Africa? You will see several hacking rigs being setup and the smart ones wont even move from their desk, the 4 fiber connections to Kenya make remote hacks even easy.

So in parting NIC go ahead sentence them,sure cast stones on them but don’t forget you are to blame for what is happening/ what will happen