Kampala, Uganda: Fresh details emerge about how last week's digital fraud incident was executed.
The Airtel mobile wallet, a platform for banking transactions using the Airtel network remains inaccessible a week after the system was first disrupted.
According to a brief prepared by Airtel Uganda for the Uganda Bankers' Association (UBA), which Our Reporter has seen, it all started on October 27th, 2022. Yet-to-be-identified people, believed to be hackers, former insiders, or current insiders, gained unauthorized access to an interface belonging to Airtel's third-party partner.
From there, the digital thieves accessed the platforms of other aggregators and banks and dipped into the operational virtual accounts (OVAs) held by banks in the Airtel system, from which they wired money to various Airtel Money mobile accounts belonging to the thieves.
The money was then withdrawn through various mobile money agents. However, a sudden spike in transactions raised red flags both at Airtel and at the banks. Both parties alerted each other and swung into action.
Airtel is still tight-lipped on who the third-party aggregator is, something that has infuriated the banks. An aggregator, according to the National Payment Systems Act, 2020, means a payment service provider who facilitates electronic receipt and payment for goods and services.
“On 27th October, Airtel identified suspicious transactions on our platform and was also notified by two of our partners. Airtel immediately notified relevant partners, blocked relevant accounts, worked on recovering the amounts, and initiated investigations into the incident,” Airtel told the bankers’ association in the emailed brief.
Uganda Bankers' Association (UBA) is an umbrella organization for financial institutions licensed and supervised by the Bank of Uganda. Established in 1981, UBA is currently made up of 26 commercial banks, two development banks and eight Tier 2 and Tier 3 financial institutions.
“Upon further investigations, it was discovered that transactions came through a partner’s interface on our legacy platform, accessing multiple aggregators and banks accounts, using relevant credentials. These were one-sided transactions with no corresponding leg at the partners’ accounts and impacted mainly aggregators and bank accounts,” Airtel added.
“Consequently, on 28th October, Airtel blocked all bank and aggregator transactions through our legacy platform and notified the partners. We suspect that a partner’s environment was breached, and our investigations are ongoing,” Airtel further told the bankers in an email.
According to a source who spoke to Our Reporter on condition of anonymity, Airtel Uganda has been running two platforms. The first, which it calls the legacy platform, is the older of the two and gives third parties significant access to the platforms of all other players in the ecosystem. It is this platform that was breached.
The second, the Open API platform, connects the telecom directly to each partner with no third parties in between. The Open API platform was not affected, according to the Airtel brief.
The telco, however, said that it had taken several immediate measures to enhance security on the breached platform, such as upgrading the password policy and security modules, and that as part of resuming services the partners' security credentials had to be updated.
(Photo: The Bankers' Association head offices in Muyenga.)
The association has called for more transparency from Airtel, as well as stronger security measures to deter a recurrence.
Airtel also said that in the short term, all partners would be migrated from the breached legacy system to the Airtel Open API platform.
According to Airtel’s brief, the Open API platform was launched in 2021 after a similar incident and currently has 252 unique partners, including 4 banks on B2W and W2B services and 23 Aggregators.
Among other functions, the Open API platform supports a sandbox environment in which partners can self-test APIs before going to production, and it supports multiple integration types.
It also has a self-service password management interface that enables users to set complex passwords at will, and it captures audit log trails for any changes to any user account.
UBA unconvinced by Airtel; demands more details and tighter security measures
However, the bankers do not seem convinced by these measures. Following two meetings on 1st November 2022, the association's ICT/Cyber Security committee recommended to the UBA CEOs committee, the highest decision-making body, that Airtel Money be blocked from carrying out any transactions on their platforms until the telco satisfactorily convinces them that it has put in place enough security measures to prevent a recurrence.
This was the second such incident, the first having occurred in 2020.
In an email to the CEOs of member SFIs, a copy of which this reporter has seen, the ICT/Cyber Security committee recommended that “no member SFI should restore services via Airtel Money as yet since the security patch and measures taken by Airtel Money are far from sufficient. Those who had done so (restored) are still very exposed and further expose the rest of the membership via other agent points shared.”
The ICT/Cyber Security committee further told their CEOs that a formal technical meeting should be requested and held with Airtel Money and, by extension, its third-party provider that runs the backend engine, at which UBA would demand details and a root cause analysis of the fraud incident.
“In the said meeting, the UBA ICT/Security Committee will place before Airtel security minimums and hardening, standards, architecture and reconciliation framework required to be in place before restoration of services” and should the above fail, the bankers said they would call in the Regulator (BOU).
Pending the meeting with Airtel, the ICT/Cyber Security committee has developed and recommended a security framework that would guard against similar incidents in the future.
Among other measures, this includes securing API access credentials and reducing human interaction with them; securing Operational Virtual Account (OVA) credentials; mutual authentication of endpoints; data protection and integrity checks; validation and authentication checks; and putting in place real-time reconciliation, a near-real-time statement API, and IP whitelisting and mapping.
The committee also recommended that before Airtel services are restored, the telco must first show transparency by sharing an incident report with a full root cause analysis. It also resolved to form a mini UBA cybersecurity committee to verify the reports shared by Airtel. Only after this verification would Airtel request individual banks to reconnect their services.
The bankers also demanded an immediate reconciliation to ascertain the nature and degree of loss, and demanded that Airtel share standard API documentation with the financial institutions currently integrating with it.
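The "one-sided transactions" Airtel describes above (OVA debits with no corresponding leg at the partner) and the real-time reconciliation the bankers demand, as an added example that is not Airtel's or UBA's code: a reconciliation check over constructed ledger records that flags OVA debits with no matching partner-side leg, totals the unmatched exposure per bank, and flags destination wallets receiving an unusual number of transfers. Field names, ledgers and the spike threshold are assumptions.

```python
# Added example (not from the article, Airtel or UBA): reconciliation of a wallet
# platform's OVA debits against the partner banks' own ledgers. A debit with no
# partner leg is "one-sided" and is exactly what the incident above consisted of.
from collections import Counter, defaultdict

# Constructed wallet-platform ledger: debits from bank OVAs into mobile wallets.
WALLET_LEDGER = [
    {"txn_id": "T1", "ova": "BANK_A_OVA", "dest": "256700000001", "amount": 500_000},
    {"txn_id": "T2", "ova": "BANK_A_OVA", "dest": "256700000002", "amount": 250_000},
    {"txn_id": "T3", "ova": "BANK_B_OVA", "dest": "256700000001", "amount": 900_000},
    {"txn_id": "T4", "ova": "BANK_B_OVA", "dest": "256700000001", "amount": 900_000},
    {"txn_id": "T5", "ova": "BANK_A_OVA", "dest": "256700000003", "amount": 100_000},
]

# Constructed partner (bank-side) ledger: the legs the banks themselves posted.
# T2, T3 and T4 are absent, i.e. they were never initiated by the banks.
PARTNER_LEDGER = [
    {"txn_id": "T1", "ova": "BANK_A_OVA", "amount": 500_000},
    {"txn_id": "T5", "ova": "BANK_A_OVA", "amount": 100_000},
]


def find_one_sided(wallet_ledger, partner_ledger):
    """Return wallet-side debits with no partner leg (same txn_id, OVA and amount)."""
    partner_keys = {(p["txn_id"], p["ova"], p["amount"]) for p in partner_ledger}
    return [t for t in wallet_ledger
            if (t["txn_id"], t["ova"], t["amount"]) not in partner_keys]


def exposure_by_ova(one_sided):
    """Sum unmatched debits per OVA: the candidate loss each bank must reconcile."""
    totals = defaultdict(int)
    for t in one_sided:
        totals[t["ova"]] += t["amount"]
    return dict(totals)


def spike_destinations(txns, max_per_dest=2):
    """Return destination wallets that received more than max_per_dest transfers."""
    counts = Counter(t["dest"] for t in txns)
    return {dest: n for dest, n in counts.items() if n > max_per_dest}


if __name__ == "__main__":
    unmatched = find_one_sided(WALLET_LEDGER, PARTNER_LEDGER)
    for t in unmatched:
        print("ONE-SIDED:", t)
    print("exposure by OVA:", exposure_by_ova(unmatched))
    print("destination spikes:", spike_destinations(WALLET_LEDGER))
```

In production the same check would run continuously against both ledgers rather than in batch, so that an unmatched debit is blocked or alerted before the funds are cashed out at an agent.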
Further recommendations to enhance the security of the Airtel Money ecosystem include carrying out a forensic investigation and audit specific to this incident, revising vendor contracts to add a series of clauses including the right to audit third parties annually, enforcing compliance with the Data Protection and Privacy Act, and limiting transactions on dormant accounts, among others.
However, according to our sources, Airtel has been adamant, prompting the ICT/Cyber Security committee to escalate the matter to the CEOs committee, which is the highest decision-making body of the association.
“It is them to decide whether to switch off Airtel or not,” said the source.
When Our Reporter reached out to David Birungi, the Airtel Uganda spokesperson, he declined to comment on the matter.
Paul Bukenya, the Head of Business Technology at Uganda Development Bank and the sitting chair of the ICT/Cyber Security committee, also declined to comment, but he did not deny that his committee had made the above recommendations.
“I think that is a matter that only the Executive Director of Uganda Bankers Association can comment about,” he said.
Our Reporter tried to reach Mr. Wilbrod Owor, the UBA Executive Director, by phone, but he was unreachable by the time of publishing this story.
Source: The CEO Magazine.