By Eric Mugendi
KCB Bank (Kenya), one of Kenya's largest banks by customer numbers, appears to have suffered a massive data breach as a file with the details of more than 500,000 customers, including their names and phone numbers appeared online.
The information was brought to light by Burundian programmer Chris Irakoze, who first mentioned the data breach in September 2016.
Information leakage vulnerability
Irakoze explained that the data came from an information leakage vulnerability: a flaw in the KCB app gave him access, through what he described as a Python injection, to sensitive data. Information leakage is the class of flaw in which an application exposes technical details of the web application or its environment, or data specific to individual users.
"In our case, KCB leaked the numbers and names of their customers. One of the things that a hacker can do would be to sell those phone numbers. There are plenty of people who would pay for personal numbers. A hacker could also sell the information to a competing bank, or mount a scam or phishing-type attack which would allow targeting customers of KCB. In the best case, you will have spam, and in the worst you will lose your money. I wonder if it hasn't already started," said Irakoze.
He further explained that he ran a reverse search: he iterated over every possible phone number from 254 700 000 to 254 799 999 and checked each one against the data exposed through the app's vulnerability. If a number belonged to a KCB customer, the lookup returned the person's name from the database. The whole process took slightly less than two months.
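The reverse search described above is a plain enumeration attack: any lookup that answers "is this number a customer, and who" for an unauthenticated caller, with no budget on how many times it may be asked, will eventually give up the whole customer list. The following is an added example, not code from KCB or from Irakoze, with a toy lookup endpoint that leaks the way the article describes, the enumeration loop that harvests it, and a hardened replacement that requires a session, caps lookups per session per window, and masks the name. The customer records, session identifiers and budget values are all constructed for the demo.

```python
"""Added example (not KCB's code): a leaky phone-number lookup, the
enumeration loop that harvests it, and an assumed hardened replacement."""
from collections import deque
from typing import Callable, Dict, Optional

# Constructed sample "customer database": MSISDN -> account holder name.
CUSTOMERS: Dict[str, str] = {
    "254700000007": "Amina Wanjiru",
    "254700000042": "John Kamau",
    "254700000099": "Grace Njeri",
}


def leaky_lookup(msisdn: str) -> dict:
    """Vulnerable design: no authentication, no rate limit, and the reply
    reveals both whether the number is a customer and the full name."""
    name = CUSTOMERS.get(msisdn)
    return {"found": name is not None, "name": name}


def enumerate_block(lookup: Callable[[str], dict], start: int, count: int) -> Dict[str, str]:
    """Attacker side: walk a contiguous block of numbers and keep every hit.
    Against leaky_lookup this is the 'reverse search' from the article."""
    harvested: Dict[str, str] = {}
    for n in range(start, start + count):
        msisdn = str(n)
        reply = lookup(msisdn)
        if reply.get("found"):
            harvested[msisdn] = reply["name"]
    return harvested


def mask_name(name: str) -> str:
    """Show only the initials, enough for a sender to confirm a recipient."""
    return " ".join(part[0] + "*" * (len(part) - 1) for part in name.split())


class HardenedLookup:
    """Assumed mitigation (not KCB's design): the lookup is only reachable
    from an authenticated session, each session gets a small per-window
    budget, and the reply never carries the full name. A send-money flow
    must still confirm that the recipient exists, so membership itself is
    not hidden; the per-session budget is what bounds how much leaks."""

    def __init__(self, max_per_window: int = 5, window_seconds: int = 60):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self.calls: Dict[str, deque] = {}  # session_id -> call timestamps

    def lookup(self, session_id: Optional[str], msisdn: str, now: float) -> dict:
        if session_id is None:
            return {"status": "unauthenticated"}
        q = self.calls.setdefault(session_id, deque())
        # Drop timestamps that have aged out of the sliding window.
        while q and now - q[0] >= self.window_seconds:
            q.popleft()
        if len(q) >= self.max_per_window:
            return {"status": "rate_limited"}
        q.append(now)
        name = CUSTOMERS.get(msisdn)
        return {"status": "ok", "display": mask_name(name) if name else None}


if __name__ == "__main__":
    # The leaky endpoint gives up every customer in the block.
    print(enumerate_block(leaky_lookup, 254700000000, 100))
    # The hardened one stops an unauthenticated caller outright and an
    # authenticated one after its budget for the window is spent.
    h = HardenedLookup(max_per_window=5, window_seconds=60)
    print(h.lookup(None, "254700000007", 0.0))
    for i in range(7):
        print(h.lookup("session-A", str(254700000000 + i), float(i)))
```

The budget here is deliberately tiny so the effect is visible; in practice the limit should be set from the real rate at which legitimate users look up recipients, and a session that keeps hitting the limit is itself a signal worth alerting on, since that is exactly what a two-month enumeration looks like from the server side.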
Customers being spammed
These revelations come as KCB customers report unsolicited text messages, purporting to come from the bank, offering loans at low interest rates.
While the bank has warned customers about potential SMS fraud, this vulnerability could explain how the customer data was obtained in the first place.
Chris discovered the flaw while looking for vulnerabilities in another KCB service, known as KCB Iwacu, which the bank rolled out in Burundi and Rwanda.
KCB Iwacu is similar to KCB Mtaani, a service that enables customers to deposit or withdraw money through an agent using their phones. The customer initiates a transaction through the KCB app or via USSD, after which a transfer is made to the agent's account. Once the agent receives a confirmation message from KCB, the agent hands over the cash.
The vulnerability, Chris explains, lies in the fact that the agent receives that confirmation by SMS. Anyone can spoof a text message and set the sender number to whatever they like, so an attacker could collect the cash using only the agent's phone number and name. KCB's agency banking services use point-of-sale machines, which make the attack more difficult but not impossible.
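The flaw above is that the sender field of an SMS is a label, not a credential: whoever can reach an SMS gateway can put "KCB" in it. The following is an added example, not code from KCB or from Irakoze, showing the confirmation as a bank might send it, the same-looking message an attacker can send from a spoofed sender, and an assumed hardening in which the bank appends a short HMAC over the transaction fields, keyed with a secret provisioned to the agent's terminal, so the terminal verifies the code and ignores the sender field. The message format, the per-agent key, and the transaction values are all constructed for the demo.

```python
"""Added example (not KCB's code): spoofable SMS sender IDs versus an
assumed keyed confirmation code verified on the agent's terminal."""
import hashlib
import hmac
from typing import Dict

# Assumed design: each agent terminal is provisioned with its own secret at
# enrolment and the bank keeps the same key. Demo value, not a real key.
AGENT_KEYS: Dict[str, bytes] = {"254711000001": b"demo-agent-key-not-real"}


def confirmation_code(key: bytes, txn_id: str, amount: str, agent: str) -> str:
    """12 hex chars of HMAC-SHA256 over the fields the agent must trust."""
    msg = f"{txn_id}|{amount}|{agent}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def bank_send_confirmation(txn_id: str, amount: str, agent: str) -> dict:
    """Bank side: the SMS as delivered, with sender label and body."""
    code = confirmation_code(AGENT_KEYS[agent], txn_id, amount, agent)
    return {"sender": "KCB", "body": f"CONF {txn_id} {amount} {agent} {code}"}


def spoofed_confirmation(txn_id: str, amount: str, agent: str) -> dict:
    """Attacker side: an SMS gateway lets the sender label be chosen freely,
    so the text looks identical except for the code, which needs the key."""
    return {"sender": "KCB", "body": f"CONF {txn_id} {amount} {agent} 000000000000"}


def agent_trusts_sender(sms: dict) -> bool:
    """The weak check the article describes: cash is handed over because
    the message says it came from KCB."""
    return sms["sender"] == "KCB"


class AgentTerminal:
    """Hardened check: recompute the code with the terminal's own key,
    compare in constant time, and refuse to honour a transaction twice."""

    def __init__(self, agent: str):
        self.agent = agent
        self.key = AGENT_KEYS[agent]
        self.seen_txns: set = set()

    def verify(self, sms: dict) -> bool:
        fields = sms["body"].split()
        if len(fields) != 5 or fields[0] != "CONF":
            return False
        _, txn_id, amount, agent, code = fields
        if agent != self.agent:           # confirmation addressed to someone else
            return False
        if txn_id in self.seen_txns:      # replay of a genuine confirmation
            return False
        expected = confirmation_code(self.key, txn_id, amount, agent)
        if not hmac.compare_digest(code, expected):
            return False
        self.seen_txns.add(txn_id)
        return True


if __name__ == "__main__":
    real = bank_send_confirmation("TX1001", "5000", "254711000001")
    fake = spoofed_confirmation("TX1001", "5000", "254711000001")
    print("sender check:", agent_trusts_sender(real), agent_trusts_sender(fake))
    terminal = AgentTerminal("254711000001")
    print("keyed check: ", terminal.verify(real), terminal.verify(fake))
```

Under the sender-only check both messages pass; under the keyed check only the bank's message passes, a replayed copy of it fails, and changing the amount in transit invalidates the code. The same property can be obtained by having the terminal query the bank over an authenticated channel instead of trusting anything carried in the SMS at all.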
Chris also checked the KCB app and found that although it includes the security features needed to protect data in transit, they were misused in a way that allowed a man-in-the-middle attack, through which an attacker could have taken complete control of a user's account.
The KCB app is no longer available in Burundi, but different versions of the app are in use in Kenya and Rwanda.
Reaching out to KCB
Following this discovery, Chris reportedly reached out to KCB, alerting them to the flaw in their system. Under Kenya's proposed Data Protection Bill, 2012, anyone collecting sensitive data from the public must put in place appropriate technical and organizational measures to safeguard the data against the risk of loss, damage, destruction of, or unauthorized access to personal information:
"An agency that holds personal information shall ensure that the information is protected, by such security safeguards as are reasonable in the circumstances against loss, damage and destruction; and access and use by an unauthorized person, modification, or negligent disclosure or use." (The Data Protection Bill, 2012)
When contacted for comment, KCB responded that they were aware of the claims of a data breach, and that all customer data and platforms were safe.
After further enquiries with KCB Bank and sharing the details of this article with them, the bank went on to issue a public statement in response.