Salim Idd, a Nairobi-based internet security expert, is increasingly worried about new developments in the virtual world of internet.

Using his personal computer located in the city centre, he casually taps his keyboard in an attempt to gain unauthorized online entry into a local bank’s database.

He flits through the back-end of the financial institution’s e-banking website, looking for a weak point that will let him access personal information of the bank’s customers.

In seconds, he has found it. It may sound like a movie script but this is the other side to internet banking that not many Kenyans are familiar with.

In the recent past banks have been boasting about their use of technology to cut costs and improve efficiency of service delivery.

But the reality is that in doing so, the majority of them end up exposing themselves to a wide range of cyber-crime, including hacking.

“Sixty per cent of our banks have insecure systems,” says Mr Idd as he probes the system using an internet connection and what he terms as ‘rudimentary’ hacking skills.

In Kenya, the recent growth of technology-based banking services has put financial institutions in the same class as mobile service providers; a prime targets for hackers.

Technology market players say hacking is expected to grow in the coming months as more businesses go online with the arrival of fibre optic internet and the high internet speeds it offers.

Internet security experts say the advent of high speed connectivity will draw the attention of international hackers who were previously put off by the amount of time it took to break into local websites using slower satellite connections.

While local hackers are also anticipated to increase their activities, the international hacker community poses the biggest threat to local business because they are more experienced and talented.

“Fibre has placed Kenya at the same level as first world economies and will certainly drive growth. But for every benefit there are risks, and at this moment the most serious threat to the economy is the lack of security online,” said Mr Idd, who is the chief technical officer at a company that undertakes security consultations for local firms.

Security analysts say Kenyan firms are not prepared for the potential security threat, especially financial institutions which present the most attractive targets due to the lure of money that can be easily siphoned from accounts.

Industry data indicates that just one out of every 20 banks in the country currently uses an email encryption service that makes their systems less vulnerable to attack.

Experts warn as the banking community drives more of its processes online, emails and related technological products will serve as the prime means of communication for money sensitive procedures such as credit card transactions, money transfers and direct debits.

This creates more avenues for hackers to gain access to personal data or access funds in online accounts.

They cite the example of a local hacker, who managed to gain entry into CDSC accounts held by one stock broker and transferred stocks between accounts without either the owner or the broker realizing during the 2008 post election violence period.

More alarmingly, lack of adequate online security procedures may expose the over seven million users of mobile money transfers platforms to fraud as their accounts become more accessible to malicious programmers. This is because the SMS functionality that drives services are not encrypted.

“Organizations need to know we are in a new era of technology and information where hacking, information leaking, and business espionage are real threats,” said John Gichuki, a security analyst at Lanet Consulting.

He advises firms to urgently undertake internal and external security assessments with the aim of realizing at least 90 per cent security.
Although many companies believe they have installed secure systems, analysts blame the lack of adequate training of most web developers for the current sorry state of business security.

Mr Idd said most programmers were being trained to focus more on the design aspect of websites rather than security — securing the most obvious areas of a site but leave gaping holes elsewhere.

According to data from global security firm Symantec, there’s an average of over 245 million attempted malicious code attacks across the globe every month.

“As malicious code continues to grow at a record pace, we’re also seeing that attackers are profiting from creating customized threats that steal confidential information, particularly bank account credentials and credit card data,” said Stephen Trilling the vice president of Symantec Security.

by Kui Kinyanjui of the Business Daily, as appeared on 13th August 2009