The Computer Society of Kenya

Since 1986


Tuesday July 24, 2018

Recent reports showing how tech-savvy youth are compromising our digital services to fleece unsuspecting customers confirm that our digitisation efforts are moving faster than our information security efforts.

Banks, telcos, utility companies such as Nairobi Water or Kenya Power have been in the forefront of making their services convenient and more accessible for their customers.

Banks and telcos are heavily regulated and some of the rules require regular security audits of their information systems. So how come cybercrooks are having a field day, reaping where they have not sown?

The answer lies in the mantra, the weakest link in the security chain is actually the human link, the customer.

One may hire the most sophisticated security expert, install the most expensive firewalls and adopt international information security standards like the ISO 27000 series but still get hit – through the gullible customers.


Using what is known as social-engineering techniques, the crooks aim to gain the confidence of the victim by pretending to be from the service provider and subsequently gaining privileged information from the unsuspecting customer.

In the early days of mobile money, many crooks would send you a fake SMS claiming you have erroneously received a certain amount of money into your M-Pesa account.

Immediately afterwards, they would frantically call you, pleading that you reverse the transaction by sending the money back to them. After you 'refund' the said amount, you then realize the caller never sent it to you in the first place.

You have just been conned into surrendering part of your hard-earned money to the crooks.

Since this kind of fraud has become widely known, Kenyans are more aware and now check their mobile money balances before trying to reverse any transactions. But the crooks have moved on to the next trick.

They now call you pretending to be from a service provider and tell you that your SIM card has been registered twice. They claim they are under instructions to disable the SIM card – unless you prove you own it by sharing some of your personally identifiable information (PII), like PIN numbers.

Once they get sufficient PII from you, they proceed to duplicate and replace your SIM card in order to access your online services such as M-Pesa, bank accounts, and money-lending services.

By the time you complain and the service provider intervenes to restore your mobile phone access, you discover the crooks have wiped out all your money and left you with several huge loans from the many mobile lending apps.


To make it easier for you to release information about yourself, they will already have harvested a lot of information about you from third-party sources. There are just too many sources of personally identifiable information floating around the country without adequate protection.

Crooks can harvest PII from simple sources like the visitors' book, prevalent in most buildings and offices, that Kenyans are forced to sign before being granted access.

PII can also be extracted from the digital service itself. Sending a small amount of, say, twenty bob to a random mobile number will quickly give you a confirmation SMS with the name of the recipient.

Alternatively, the crooks can type in a random account number into the many Water or Kenya Power mobile, web or email apps in order to get your bill, which comes with a rich source of user details.


The IEBC app was also a good source of citizen data that could be harvested to build your profile so that by the time the crooks call you up, they have sufficient background knowledge about you to easily trick you into believing they are authentically calling from the service provider’s offices.

So how can all this be stopped?

Beyond ring-fencing their information systems by adopting international standards and doing regular info-system audits, service providers must invest a good chunk of their budgets in regular user education.

After all, the weakest link in their security chain is and will always remain the user.
