Kenyan banks face challenges with secure online transactions
International banks are not as successful as in other markets
A weak legal regime, fraud and security weaknesses have stymied the growth and adoption of online banking in Kenya, according to industry insiders.
International banks such as Standard Chartered and Barclays have ventured into online services but not as successfully as in other markets. Standard Chartered recently launched a paperless branch, where all transactions are virtual, while Barclays launched a banking app aimed at attracting more mobile and online users.
According to the Central Bank of Kenya's annual bank supervision report, Kenya has 44 banking institutions and 26 offer various online banking products such as online accounts, funds transfer, credit card application and payments, and mobile money transfer. Mobile money services are offered through third party USSD (Unstructured Supplementary Service Data) services.
Vulnerable core banking servers, printed passwords to the Central Bank Virtual Private Network and weak third party mobile banking servers are key security sticking points in the banking industry, according to John Gichuki, an independent penetration tester who has worked locally and abroad.
"In the external penetration testing I identified that an attacker can gain access to the banking network through vulnerable third party servers like mobile banking or find a way in through rough access points reachable from the customer care areas," said Gichuki.
"The funny thing is that I have done several banking security assessments and I have shown these vulnerabilities but most bank IT admins don't want to fix them, saying they need these services running, even where I have shown a full penetration to the server," Gichuki added.
In December last year, Standard Chartered customers were hit by a series of attacks where bank accounts were cleaned out, forcing the bank to tell customers to reset passwords for ATM machines.
"Insider fraud is the leading threat to online banking as well as mobile banking in Kenya; employees sitting in a trusted environment are usually least suspected of committing fraud," said Tyrus Kamau, an independent security consultant who specializes in penetration tests.
Standard Chartered insists there was no internal breach of its core network and that the problem affected the whole industry, even though customers from other banks did not report as many problems during the series of attacks.
"We had no internal security breach; the incidents in December last year affected the industry," said Bhartesh Shah, East Africa head of consumer banking at Standard Chartered. "The immediate actions we and the industry have taken are on improved physical security at ATMs and dedicated 24 hour surveillance on suspicious transactions, done electronically."
Shah said that the longer-term solution to the threats is to migrate to chip-and-PIN cards, expected to be in place from the last quarter of this year.
The Central Bank report details the benefits of technology in delivering valuable services in the banking sector but does not include ways the law, banking rules and regulations will be amended to reflect changes in the sector.
"Our legislation governing payments and banking is still largely based on the assumption of a paper-based system, whilst there has been some progress to give digital transactions recognition under law, a lot more needs to done to facilitate the growth of a digital economy," added Shah.
One of the major challenges Kamau identifies is that the banks are audited by international security firms, yet they continue to have vulnerabilities, leading local security experts to question the methodologies applied by the firms during the process.
Lack of public awareness on phishing scams and malware attacks were also identified as major threats by the Central Bank. In most cases, banks protect their online banking platforms with SSL certificates and then require end users to authenticate their IDs before each transaction but end users do not always contact the bank even when their browsers report untrusted certificates, which indicates phishing or breach.