Nigerian cyber crime net widens
As a continent, Africa is vulnerable to a plethora of Internet threats, from financial fraud and malware distribution to terrorism, drugs and human trafficking.
With 67 million Internet users as of May, Nigeria is often in the spotlight when it comes to cyber crime.
This surge in Internet usage has brought with it multiple threats. Criminals are creative, have persuasive skills and are adaptive adversaries. They have easy access to the Web to cast their criminal nets wider than ever, said Abdulkarim Chukkol, head of the Advance Fee Fraud and Cybercrime Section Economic and Financial Crimes Commission (EFCC) in Nigeria. He spoke yesterday at ITWeb Security Summit 2015, in Midrand.
The EFCC is a Nigerian law enforcement agency that investigates financial crimes, such as online fraud.
Who are the perpetrators in Nigeria? he asked. "They are all global citizens. They work individually or in small cells, they are highly mobile and loosely organised, and our field experience show they are repeat, unrepentant offenders."
According to Chukkol, some of the biggest threats Nigeria faces include phishing - targeting mostly financial institutions - with infections usually occurring via a man-in-the-middle e-mail attack. He said his organisation has also seen an increase in data breaches and insider abuse by employees and contract staff, largely due to a lack of segregation of duties.
"I believe the volume of cyber crimes will continue to grow and the chances of catching the criminals will be much less."
Chukkol said most attacks seen by the EFCC are not highly technical. "Businesses spend a fortune on hardening their systems, but all it takes is one piece of malware to get through their defences."
In terms of the victims, he said most are Nigerians. "This includes individuals, both locals and foreigners, financial institutions that are 100% reliant on critical infrastructure, and small businesses, which don't care as much about IT security. They take risks to become bigger players, and have a 'this won't happen to me' mentality."
According to Chukkol, the methods Nigerian cyber criminals use to launder the ill-gotten gains of cyber crime are advanced too, and the increased use of electronic banking systems and e-commerce have seen a rise in efforts to defraud both individuals and corporate organisations.
In Nigeria, each sector of the economy formulates its own policy to safeguard itself, and there are also policies and guidelines formulated for the industry by the appropriate regulatory agencies, he noted. These are aimed at improving knowledge, capabilities, decision-making and addressing priority areas.
"Even though government is taking steps to boost its cyber security and catch and prosecute cyber crooks, much more needs to be done," said Chukkol. "There have been several mechanisms put in place to share information and facilitate co-operation between national authorities and the private industry, and Nigeria has successfully arrested and prosecuted several cyber criminals."
Hope for SA
At the summit, professor Basie von Solms, director of the Centre for Cyber Security at the University of Johannesburg, spoke about how SA is lagging behind Africa, as its policies on e-commerce, cyber crime and cyber security have been largely fragmented and uncoordinated.
However, he spoke of a planned initiative that was born from a meeting between himself and Gerhard Cronje of the JSE. The intention of the initiative is to explore co-operation between interested parties regarding the need for Critical Information Infrastructure Protection (CIIP) in SA. The initiative will cover information sharing, as well as formalising the involvement of government.
According to Von Solms, the potential cyber security threat in SA needs urgent attention through partnership between government and industry. "A public-private partnership between government and the private industry is critical in addressing the potential threat specifically in the area of critical information infrastructure protection."
He says this planned initiative could start to create a representative "face" for CIIP in the private industry. "Even in these initial stages, a discussion could be useful and well-timed. Forming a formal representative body is not something which can happen overnight, but we must start somewhere."