In May 2019 DFCU bank detected a case of fraud which was reported to CID head offices at Kibuli in Kampala and a general enquiry file was opened- (CID HDQTRS GEF 604/2019) to aid in investigations.
DFCU had chosen to remain tightlipped about the case had it not been the pressure mounted by online news stories about the incident which the bank officials considered to dismiss as malicious and grossly misrepresented to damage the reputation of the bank.
This website for instance reported in July 2019 that DFCU bank had been hacked and over $2.6m dollars customers’ saving accessed and stolen.
Mnay online news tabloids published details of the execution, identities of the the fraud and bank’s branches that were affected. This compelled Uganda Police to come out to acknowledge that it had launched investigations into the matter although detectives at Kibuli had feigned ignorance when we approached at first.
Daily Inspector understands that such case related to breach of the bank’s system is highly concealed for fear of losing customers.
“These incidents happen but banks rarely report such to police. Banks choose to take action internally,” said a detective who asked not to be mentioned who has handled such incidents.
Whereas DFCU notified its clients that the police was handling the matter, the bank is yet to update the public -three months later- about the investigations and the findings on whether the culprits had been apprehended and loopholes plugged.
Jude Kansiime, DFCU head of marketing/ acting spokesperson said, “the investigations are still on going” when contacted about the updates.
Jude had said he was not in position to reveal details as he first needed to contact the relevant department handling the matter.
But as a policy this website again understands that DFCU officials don’t reveal information to the media which is deemed “sensitive.”
After exposing the identities of those behind the $2.6m fraud, we are told that those who exposed the culprits received threats on phone by people believed to have been part of the execution of this scam.
Further, anonymous individuals calling themselves detectives threatened to arrest those who exposed the culprits questioning their sources of information.
The investigation reveals shocking details of which companies and government institution are involved in facilitating the scam.
Our sources however, asked to remain unnamed because of the sensitivity of the matter.
Sources listed giant telecoms – MTN and Airtel and also National Identification and Registration Authority (NIRA) as key entities used to extract information to help in execution of the fraud.
The criminals connived with bad elements in these institutions (above) to access data.
“The hackers needed the following information, customers ID e,g nation ID and passports no, names account number, telephone contact and date of birth,” said a source.
Our investigation reveals that after obtaining such details it was easy for the culprits to log into DFCU website or download the bank’s wallet application and register for mobile banking and start transacting right away.
“Here the most important thing is the telephone number. It has to be swapped first,” a source says, and that is how telecom firms mostly MTN and Airtel come in.
Conniving with wrong elements in MTN and Airtel, customers’ numbers are swapped to access customers’ data which corresponds with what NIRA has.
“The only information needed from DFCU would be the bank account and the balance of the customer,” added a source.
The connivance at DFCU can’t be ruled out because the bank audit trails and therefore DFCU would be able to know which staff checked whose account.
The investigations further reveals that after registering for mobile banking the masterminds get a token on the swapped simcard which validates the whole registration process.
And at that stage they are able to transfer to another account, withdraw using simcards and even transfer to other banks.
“Basically the fraud begins from swapping customer’s simcard and validating the details from NIRA.”
National Identification and Registration Authority (NIRA) publicist Gilbert Kadilo when contacted he did not give clear information
MTN Uganda admitted that there could be “bad apples” that connive with outsiders to leak data. However, the acting spokesperson Martin Sebuliba said he was unaware that such could have happened at MTN. “I don’t know what you know but I can tell you that we are guided by one principle and the regulations of the regulator. We don’t compromise on that.”
Airtel mouthpiece Summy Namaganda when contacted insisted that for a customer to swap a simcard, his/her ID must be provided which is stored in the telecom’s system. And therefore if there is any breach the owner is easily identified.
This post has been seen 2381 times.