Japhet Aritho, the Airtel Mobile Commerce Uganda Limited (AMCUL) Chief Executive Officer. PHOTO/Courtesy

After the digital fraud incident of 27th October 2022, in which a number of banks lost several billion shillings from their Airtel Money wallets (OVAs) held at Airtel Mobile Commerce Uganda Limited (AMCUL), the mobile money company has spoken out, explaining how the incident happened.

According to a very confidential letter to the Chief Executive Officers of financial institutions that belong to the Uganda Bankers Association (UBA), written by Mr. Japhet Aritho Kinyua, the AMCUL Chief Executive Officer, the heist was carried out by fraudsters with “detailed knowledge about the highly confidential configuration of the integration with partners”, which they used to compromise the log-in credentials of some of AMCUL’s partners and then enable debits from the virtual accounts held by the affected banks.

The debited amounts were then channelled through several Airtel Money SIM cards.

“On 27th October 2022, Airtel Money Uganda received a notification from one of our partners that amounts in their Airtel Money Wallet (OVA) were being depleted at a higher rate than normal without any corresponding transactions at the partner’s side. Airtel checked the wallet and noted that there was an increased number of transactions most of which turned out to be fraudulent,” Kinyua wrote in a 25th November 2022 letter, a copy of which CEO East Africa has obtained. 

“Analysis of VPN logs between 13:15 and 19:41 shows unusually high traffic coming through partner A’s trusted connection. The fraudsters were able to send debit instructions using partner A’s secure connection, calling up partner B’s API interface, and transacting money from partner C’s wallet ID,” Kinyua further wrote.

We understand that Partner A, referred to in the letter, is True African. It is not clear who Partner B is. Partner C refers to the affected banks.

“We observed that usernames, passwords and PINs were set for partners to authenticate requests. Analysis of XML files logged by the API revealed that Partner A’s environment was compromised, enabling access to the Airtel mobile money platform. Partner B’s API interface ID was used and partner MSISDN did not match. The fraudsters appear to have had detailed knowledge about the highly confidential configuration of the integration with partners and compromised the login credentials to enable debits from the OVAs. Successful transactions were executed in Airtel Mobile Money platform,” Kinyua further explained.

The AMCUL boss, however, said that other than the banks, “preliminary investigations revealed that the incident had no impact on any balances on the mobile money subscriber wallets and all our customers’ balances were not impacted.”  

The letter is AMCUL’s first attempt at providing the root cause analysis that the bankers have been demanding, so that they can assess how secure the AMCUL system is and, in turn, how to protect their own systems. A root cause analysis was initially a precondition for restoring Airtel services on the various UBA-member banks’ platforms in the hours and days after the hack had been identified and stopped halfway, but we understand that AMCUL took advantage of its market power to ‘bully’ the banks into relaxing their conditions and restoring services, even though most of the gaps identified in the Airtel system remain unfixed.

To date, most of the bankers’ demands remain unmet and the AMCUL CEO’s letter offered very little information on when this would be handled. 

Mr Kinyua’s letter was, however, tight-lipped about how much was stolen and from which banks. He also did not disclose which of their partners the hackers had gone through to break into the Airtel system.

However, according to New Vision, Uganda’s leading daily, quoting police sources, the hackers are said to have stolen UGX7.6bn from virtual accounts held by banks at Airtel and evacuated their loot via Airtel Money, using 1,840 SIM Cards. 

Steps taken by AMCUL to plug the holes and secure the system 

According to Mr. Kinyua, within hours of detecting the fraud, “all suspected partner wallets were immediately blocked to avoid any further transactions and the suspected subscriber numbers were blocked to avoid any more funds from being cashed out”.

He also said an “incident management committee was immediately set up to investigate the incident further and devise solutions to restore the services”. 

Kinyua said that since then, AMCUL had, among other steps, closed all ports and traffic from the impacted ports and from those of partners that deal in bulk payments and bank-to-wallet transactions, and created new ones.

“Each partner was created for a new designated independent port. This can only be accessed by this partner (one-to-one IP and Port), i.e., Port Mapping,” he said.
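The letter describes requests that arrived over partner A’s trusted connection, carried partner B’s API interface ID with a non-matching MSISDN, and debited partner C’s wallet; the one-to-one IP and port mapping above is meant to tie each request back to a single partner. The check below is an added example, not AMCUL’s code: it assumes a hypothetical registry binding every partner to one source IP, port, API ID, MSISDN and wallet, and flags any debit whose fields resolve to more than one partner. All partner values and sample requests are constructed.

```python
"""Partner-binding check for OVA debit requests (added example, not AMCUL's code).

Assumes a hypothetical registry in which each partner is bound to exactly one
source IP and port (the letter's one-to-one port mapping), one API interface ID,
one MSISDN and one wallet. A debit is consistent only when all five request
fields resolve to the same partner.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Partner:
    name: str
    ip: str        # trusted VPN source address for this partner
    port: int      # dedicated port (one-to-one IP and port mapping)
    api_id: str    # API interface ID presented in the request
    msisdn: str    # partner MSISDN expected alongside that API ID
    wallet: str    # OVA the partner is allowed to debit


# Constructed registry with hypothetical values.
PARTNERS = (
    Partner("A", "10.0.1.10", 8441, "API-A", "256700000001", "OVA-A"),
    Partner("B", "10.0.1.20", 8442, "API-B", "256700000002", "OVA-B"),
    Partner("C", "10.0.1.30", 8443, "API-C", "256700000003", "OVA-C"),
)
# request field -> Partner attribute it must match
FIELDS = {"src_ip": "ip", "dst_port": "port", "api_id": "api_id",
          "msisdn": "msisdn", "wallet": "wallet"}


def owner_of(attr, value):
    """Name of the partner registered with this attribute value, or None."""
    return next((p.name for p in PARTNERS if getattr(p, attr) == value), None)


def check_debit(req):
    """Return the problems found with a debit request; [] means it is consistent."""
    claims = {field: owner_of(attr, req[field]) for field, attr in FIELDS.items()}
    problems = [f"unregistered {f}={req[f]!r}" for f, who in claims.items() if who is None]
    if len({who for who in claims.values() if who}) > 1:
        problems.append("partner mismatch: " + ", ".join(f"{f}->{who}" for f, who in claims.items()))
    return problems


# Constructed sample requests: one legitimate, one shaped like the letter's description
# (partner A's connection, partner B's API ID, partner C's wallet).
LEGIT = {"src_ip": "10.0.1.20", "dst_port": 8442, "api_id": "API-B",
         "msisdn": "256700000002", "wallet": "OVA-B"}
SUSPECT = {"src_ip": "10.0.1.10", "dst_port": 8441, "api_id": "API-B",
           "msisdn": "256700000001", "wallet": "OVA-C"}

if __name__ == "__main__":
    for label, req in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(label, check_debit(req) or "consistent")
```

The same check can be run over a feed of logged requests to count mismatches per wallet, which is what a rising number of fraudulent transactions on a single OVA would show.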

He also added that all partners’ usernames, passwords and PINs had been reset and that a change had been implemented that would now require all partners to authenticate their logins using a combination of a Username, Password and/or PIN.

He also said AMCUL had put in place a password rotation system that would require users to reset their passwords every 45 days.

All the above was done for users still on AMCUL’s old mobile money platform, called Enterprise Integration Gateway (EIG).  

Kinyua also said AMCUL was working with partners to initiate migration to a more secure “Open API (developer portal) which has more enhanced security features including OAUTH where partners manage their own credentials”.

However, the steps taken by AMCUL are just a handful of the various security upgrades that the bankers demanded AMCUL put in place. Mr. Kinyua’s letter did not offer any guidance to the bankers on when, or if, some of the security upgrades and audits would be done.

About the Author

Muhereza Kyamutetera is the Executive Editor of CEO East Africa Magazine.