Chapter 20. Dangerous Learning Curve

AHMED R. KUNNUMPURATH

Obe Kofe was a 25-year-old Nigerian national who received a bachelor's in computer science from American University in Nigeria. However, after graduating, he could not find a suitable job in his home country and was looking for overseas positions, preferably in Saudi Arabia, one of the richest countries in the Persian Gulf.

His friend and schoolmate, Martin Gil, worked for a travel agency in Nigeria and had connections with overseas recruitment agencies. When Obe told him about his dream of working abroad, Martin immediately asked, "What about a job in Saudi Arabia? I know an agent there who could help you get a work permit." That was just the opportunity Obe was looking for. He jumped at the chance and told Martin, "Why not? I would love to! Please pass my name and information to your friend and let me know what he says."

Two days later, Obe had a phone interview with the Saudi recruiter, and the following week his work permit was prepared. Obe took the first flight he could to Saudi Arabia.

Once in Riyadh, the capital of Saudi Arabia, Obe discovered that his work visa did not ensure him a lucrative job and — much to his surprise — he had only been granted a three-month visitor's visa. However, he befriended some Nigerian expatriates who let him stay with them while he looked for work. After a week of fruitless job hunting, one of his roommates, Ian Smith, promised to find him a permanent position in his friend's company, which was Nigerian based. Obe took a clerical job for the time being.

Introducing Internet Banking

Ahli Commerce Bank (ACB) was founded in Saudi Arabia and grew into one of the leading banks in the Persian Gulf. It had more than 2,000 employees, 90 local branches and 20 overseas locations in Egypt, the United Kingdom, France and Jordan.

Although it was an old, established bank, it was also the first in Saudi Arabia to have a fully computerized system and to offer Internet banking to its customers. ACB purchased its Internet-banking program from Arizona Internet Banking Software, a leading Asian vendor, and it was a very sophisticated system. However, as new technology usually comes with a learning curve for those who have to use it, ACB's customers were slow to warm up to Internet banking, and the software had a few critical issues. But the customer base grew and slowly accepted the new online service, and even customers with little computer knowledge learned to appreciate the service as an easy way to make transfers and request account services. ACB introduced user identifications (IDs) and passwords for its customers and allowed them to transfer funds among their accounts and to third parties.

The Internet Banking Unit (IBU) at ACB, headed by Danny Alto, was a well-organized department that handled problems with Internet banking, user IDs, passwords and the execution and monitoring of transactions. There were two or three employees working at any given time in IBU; shifts ran throughout the day and during weekends and holidays.

Customers who wanted to apply for Internet banking services had to fill out a standard application form and submit it to their branch. Once IBU received it, a staff member checked the information provided, verified the signature and had a supervisor approve the application. Then the software program generated a user ID and password. Customers were issued their user IDs and passwords in separate envelopes that required signed acknowledgments of receipt. After the acknowledgments were returned to IBU, the user IDs and passwords were activated. An IBU employee called customers to tell them they could start using the Internet-banking features.

IBU's procedures required a senior staff member to verify via telephone the user ID and other details provided in a customer's application when the department received online instructions to transfer funds from one account to another. Only after confirmation was received would IBU execute the transaction. If an employee could not speak to the customer, a message would be left on the customer's answering machine under the assumption that the customer would receive the message and confirm the transaction later. However, it could be difficult for staff members to reach customers, so sometimes transactions were executed without following this failsafe. But IBU had not received serious complaints, and everything seemed to be going smoothly.

Control Lapse

One Saturday afternoon, ACB's customer service center received a call from A. J. Simon, a Belgian national who held an account with the Riyadh branch. A. J. claimed that $40,000 had been transferred from his checking account without his authorization. He did not remember requesting any such transaction in the past two days. He was upset and desperately wanted to know the reason for the transfer.

The call center employee checked A. J.'s account and saw that an online transfer for $40,000 had indeed been executed that day through an Internet banking transaction, and he forwarded the matter to ACB's IBU. Unfortunately, because it was a weekend, there were no supervisors available. However, the message was logged by an IBU staff member and flagged.

The next morning, when a supervisor was in the office, a thorough investigation was launched. I was an internal auditor at ACB and took the case. The records indicated that the transfer from A. J.'s account was initiated by a request to send the money to a third-party bank account in Jeddah. By the time A. J. discovered it, the transaction had been completed, and close scrutiny revealed that A. J. had not been contacted to confirm the transfer request.

The head of IBU, Danny Alto, called the operations department to recall the funds but was told by Jamie Edwards, the operations supervisor, that the payment had already been processed in the name of Obe Kofe to an account at International Commercial Bank (ICB) in Jeddah. Jamie requested the beneficiary bank recall the funds, but ICB had already closed for the day and was, therefore, unable to honor the request.

The funds could not be frozen, but Jamie placed a block on A. J.'s account to prevent further fraudulent transfers. IBU was ordered to provide a report of the Internet transactions that occurred during the past two days.

While we were investigating the fraudulent transfer from A. J.'s account, three other customers called to complain that they received text messages on their mobile phones informing them of unauthorized debits from their accounts. IBU was able to act quickly enough to prevent those transfers from being processed and requested that the operations department block them. A. J. and the three other customers were outside the country when the transactions were requested and they were all directed to Obe Kofe's account at ICB. We passed our information to the Saudi police and continued with our internal investigation.

Follow the Money

We found that two employees were directly involved in the processing of the fraudulent Internet transactions and decided to start our investigation by interviewing them. The first IBU staff member we spoke with, Mary Suzan, had been with the bank for one year. She told me the transfer request came through late in the afternoon and, although she tried calling the customer several times, she could not reach him, so she left a message on his answering machine requesting approval of the transfer. Mary admitted that when she left for the day, she forgot to mention the outstanding approval to her replacement; the employee who took over for her did not suspect anything unusual and forwarded the transfer request for processing. Subsequently, the operations department executed the payment.

We made a follow-up request with ICB to refund the amount transferred from A. J.'s account to Obe Kofe's accounts, but ICB informed us that Obe had already withdrawn $30,000, so the funds could not be remitted. We requested ICB freeze the remaining $10,000 until we could get a court order for the money. In the meantime, Obe tried to withdraw the balance using a different bank's ATM, but he received a message saying the request could not be processed and he should contact his branch for information. The next morning ICB received an angry phone call from Obe; he shouted at the branch manager and wanted to know why his account had been frozen. The branch manager asked Obe to visit the branch the next morning to discuss the issue. Obe agreed to go to the bank the next day, but he did not show up. We think he became suspicious and decided not to risk a visit. The branch manager tried to call him several times, but his phone had been disconnected.

Our IT security officer traced the Internet protocol (IP) addresses from which the transfer messages originated and found that, except for one request that originated in the UK, the messages were sent from Nigeria. However, the IP addresses did not help much in identifying the original fraudsters because authorities in Nigeria and the UK did not pursue the culprits. Riyadh's police service requested the IP address details and began its own forensic investigation.

We tried to review recordings of the defrauded customers' phone calls to the service department, but found out that full records were not available and supervisors were not reviewing the calls on a regular basis as they should have been.

Our investigation proved almost certainly that customer accounts were accessed by an organized group of hackers working outside the country who gained access to customers' stolen user IDs and passwords. The account data could have been compromised in a few different ways:

  • The customers responded to phishing e-mails claiming to have come from ACB and requesting confirmation of their IDs and passwords.

  • The customers checked their bank accounts on public computers — for example, in an Internet cafe or library — that had key logging software installed on them. The software sent their online banking IDs and passwords to the culprits.

  • The customers did not have up-to-date antivirus software on their home computers, allowing them to be infected with spyware.

Whatever the case, customer negligence was a factor in each instance; they were unknowingly exposing their user IDs and passwords to cyber criminals.

A Slap on the Wrist Gone Awry

Police traced the fraud to one suspect — Obe Kofe — who turned out to be a small fish in a big pond of cyber criminals. Police took him into custody for questioning, but he said he did not know the higher-ups on the chain of command and denied involvement in a fraudulent scheme. However, he could not explain how A. J.'s $40,000 made it into his account or why he decided to withdraw it. As the interview progressed, Obe agreed to partially repay the withdrawn amount; he said he could not repay the full amount because he was unemployed and he requested a grace period of three months to settle. Police discussed the matter with ACB's upper management and legal counsel, who agreed that Obe could remit only $20,000 of the illegally withdrawn $30,000. ACB refunded the remaining $10,000 to A. J.'s account.

Obe disclosed vital information about others involved in his scheme to Saudi Arabian intelligence officers as part of a plea bargain that included his release from jail and deportation to Nigeria. We later learned that the Nigerian government managed to identify the masterminds of the crime and arrested them. Despite the fact that Obe received a light sentence in Saudi Arabia, only days after his return to Nigeria, he was killed in a car collision. Local authorities in Nigeria suspected that members of the cybercrime gang whom Obe exposed in Saudi Arabia were involved in his death, but the incident was not investigated.

Lessons Learned

This was my first investigation of an Internet fraud and I was eager to learn how these types of crimes are committed and how to investigate them. We used system experts to retrieve IP information used in the transactions and interviewed the staff members involved to identify weaknesses in our system. The control step of sending text messages to clients before Internet transfers were executed turned out to be the most effective part of the process. It empowered the victims to identify fraudulent transactions and alert the bank, usually in enough time for ACB to stop the transaction from being processed. However, there was a catch — if a customer's Internet account could be hacked, the phone number on record could be changed by the hackers.

This case also taught me how to investigate Internet fraud by locating the IP address used by the criminals to access the system. The IP addresses in this case were from Nigeria and the United Kingdom. Unfortunately, the local police in those countries did not attempt to locate the individuals behind the IP addresses, so that information resulted in a dead end. With more responsive outside investigators, however, IP addresses could be used to track criminals and prevent further losses.

I also learned of an inherent weakness in ACB's Internet-banking process — staff had to call the customers and confirm each transaction before it was processed. This manual intervention led to human errors and negligence. Proper follow-up on the calls was not necessarily made and the telephone recordings were inadequately maintained. In A. J.'s case, the staff member said she called his cell phone but it was turned off, so she left him a voice mail requesting confirmation of the transfer. A lack of internal communication caused the transfer to be completed before A. J. heard the message.
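The two weaknesses described above, written as an enforced release gate. This is an added sketch, not part of the original chapter or ACB's system: a voicemail never counts as confirmation, the pending state and call log survive a shift change, and a recently changed phone number is not trusted. All names, the seven-day window and the sample transfer are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Assumed policy (not from the case): distrust a number changed within this window.
COOLING = timedelta(days=7)

class State(Enum):
    PENDING = "pending"      # waiting for the customer
    CONFIRMED = "confirmed"  # customer personally approved
    RELEASED = "released"    # forwarded to operations
    REJECTED = "rejected"

@dataclass
class Transfer:
    customer: str
    amount: int
    requested_at: datetime
    phone_changed_at: Optional[datetime] = None
    state: State = State.PENDING
    log: list = field(default_factory=list)  # audit trail that survives shifts

def contact_trusted(t):
    return (t.phone_changed_at is None
            or t.requested_at - t.phone_changed_at >= COOLING)

def record_call(t, staff, outcome):
    """outcome: 'approved', 'denied', 'voicemail' or 'no_answer'."""
    t.log.append((staff, outcome))
    if outcome == "denied":
        t.state = State.REJECTED
    elif outcome == "approved" and t.state is State.PENDING and contact_trusted(t):
        t.state = State.CONFIRMED
    return t.state  # voicemail / no_answer leave it PENDING for the next shift

def release(t, staff):
    """Forward to operations only if the customer confirmed; log every attempt."""
    allowed = t.state is State.CONFIRMED
    t.log.append((staff, "released" if allowed else "release_blocked"))
    if allowed:
        t.state = State.RELEASED
    return allowed

def replay_case():
    """Constructed replay: voicemail on one shift, release tried on the next."""
    t = Transfer("customer-1", 40_000, datetime(2024, 1, 6, 16, 30))
    record_call(t, "shift-1", "voicemail")
    return release(t, "shift-2"), t.state, t.log
```

Because the state lives on the transfer record rather than in an employee's memory, the second shift cannot forward the request by oversight, and the blocked attempt is itself logged for review.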

We also learned that customers were not protecting their user IDs and passwords as well as they could have. Computers should have up-to-date antivirus software installed to stop Trojan horses, spyware and other dangerous viruses from invading the system and stealing confidential information. We learned the importance of educating customers to prevent them from conducting online bank transactions on public computers. One of the victims in this case admitted that he used public Internet cafes in the United Kingdom while there on a business trip. In response to this need for education, management began to publish leaflets and brochures that illustrated proper precautions for clients to take to protect their online account information. After this case, ACB stopped allowing bank-to-bank transfers through the Internet. Online transactions are now limited to ACB accounts because they are much less risky.

About the Author

Ahmed R. Kunnumpurath, CFE, CIA, has a bachelor of commerce degree. He is an experienced banker with more than 25 years of extensive experience in the fields of financial control, internal control, internal auditing, anti-money laundering and financial fraud investigations in both conventional banks and Islamic banks. He currently works as a senior fraud examiner in one of the leading banks in the Persian Gulf.
