
Postbank heist signals policy gap

By Farzana Rasool, ITWeb IT in Government Editor.
Johannesburg, 23 Jan 2012

The recent Postbank heist is an example of the lack of Parliamentary oversight in SA, says Basie von Solms, director of the International Telecommunications Union (ITU)-University of Johannesburg (UJ) Centre of Excellence for Cyber Security.

He adds that it is the duty of Parliament and its Parliamentary Portfolio Committees (PPCs) to hold hearings when new, large IT systems used by citizens are implemented and rolled out.

In a presentation last week to the trade and industry PPC, which was considering opinions about legalising online gambling, Von Solms said cyber inspectors can be trained via the Certificate in Cyber Security created by the ITU-UJ Centre of Excellence for Cyber Security.

The PPC reacted positively to the model presented by Von Solms and decided it should be investigated in more detail.

Policy please

Von Solms highlighted the need for a cyber security policy in SA.

He argued that, apart from hearings on new systems, Parliament should also, from time to time, have hearings to evaluate the present state of cyber security in existing systems implemented in SA; for example, Internet banking systems.

“Citizens who suffered from some form of cyber crime, identity theft, or financial losses because of such systems, should be able to use these opportunities to complain.

“Such hearings should involve different stakeholders and users debating the security, privacy and integrity of such systems. It is the duty of Parliament and its committees to ensure its citizens are cyber secure as far as possible.”

Von Solms also said it is sad that, after the 2010 Draft Policy on Cyber Security, SA still, after two years, does not have a finalised Cyber Security Policy.

Credential abuse

Corporate SA is losing an estimated R150 billion annually to insider fraud, according to Steven Powell, head of forensics at law firm Edward Nathan Sonnenbergs.

“Insider fraud is now one of the major risks faced by SA. A dozen or so local cases during 2009/10 saw insiders steal almost R1 billion in EFT fraud alone,” he said.

Mark Eardley, channel manager at SuperVision Biometric Systems, says cases of EFT fraud are increasing in all types of organisations, and agrees that government's cyber security policy needs to be put in place.

“[The] majority of cyber crime, even the most sophisticated, is based on the simple exploitation of traditional IT access credentials - cards, PINs, passwords (CPPs) - it's just so easy.”

He cites several cases where EFT fraud was carried out due to credentials being abused, allowing uncontrolled IT access and activity.

The Department of Water Affairs lost R2.84 million due to password-based fraud in June 2011; Blue IQ's CEO was linked to R450 000 in fraudulent payments, claiming password theft in September 2009; the KwaZulu-Natal provincial government said R769 million was stolen in April 2010; the Social Security Agency said insiders stole passwords and diverted funds in March 2010; and the Mpumalanga education department lost R5.5 million in October 2009.

“These cases are by no means a comprehensive listing of the incidence of EFT fraud. Who knows how many cases go unreported and don't make it to court and hence into our media. For example, I heard last year of one government department where over 100 000 illicit EFT payments had been made in the previous year.

“That may sound ludicrous and would require about 2 300 payments to be made every week. But, if these were spread across the department's national payroll payments; payments to 'dummy' companies and duplicate payments to other authorised beneficiaries (eg, suppliers), I think the astonishing volume begins to become plausible.”

Finger first

Eardley adds that control over IT system access and activity needs to be strongly reinforced by creating a definitive link between system users and their activities, something which can be easily achieved through fingerprint authentication of users.

“Of course, an authorised user could still make an illicit payment, but they would be doing so in the knowledge that it was their fingerprint that authorised the transaction and links them to it, rather than an essentially anonymous password, card or PIN which anyone can use.

“The 'perception of detection' is known to be the greatest deterrent to insider fraud and the perception certainly looms large if your fingerprint is authorising an illegal transaction.”

Tighten up

Chairperson of the communications PPC Sikhumbuzo Kholwane has condemned the hi-tech cyber heist that occurred at the Postbank earlier this month.

Kholwane said he appreciates the discovery of the robbery and welcomes the investigation undertaken by the National Intelligence Agency and the police.

However, he also called on the Postbank and law enforcement agencies to tighten elements of the bank's security network.

The SA Postbank, part of the SA Post Office, became the target of cyber crime this month, losing R42 million when the system was accessed illegally and funds transferred into mule accounts.
