By Victor Muyakane.
In a statement to newsrooms, the KCB Group said it is aware of recent claims of an alleged data breach in its Android mobile app, but dismissed the claims, asserting that its systems are completely safe.
According to KCB, an investigation into the hack claims has found them false, leading East Africa’s largest bank to term the alleged data breach malicious misinformation.
KCB went further to assure its customers that all of its platforms and data are highly secured, and that its systems, including the mobile app, have been extensively tested and validated by internal experts and leading external data security experts.
KCB states that multiple layers of encryption, private keys and unique authentication are among the key embedded data security features that safeguard the mobile app.
The bank is now threatening to take legal action against the originators of the hack claims.
For their part, the hackers say the flaw in the KCB app’s structure is an ‘information leakage vulnerability’ that lets an attacker obtain confidential customer information.
Chris Irakoze, the Burundian programmer who allegedly conducted the hack and broke the news, states that the confidential information, close to 500,000 customer names and phone numbers, could be exploited by malicious parties through the sale of those phone numbers.
He reasons that plenty of people would pay for personal numbers. Irakoze also opines that hackers could sell the information to a competing bank, or use it for scam or phishing attacks targeting KCB customers.
There have been recent instances where KCB customers have gone on social media to express outrage at receiving phishing attempts in the form of unsolicited SMSs from unverified sources, to which KCB responded with a warning that they might come from criminals.
…“During the previous year, we discovered that despite the use of SSL to encrypt information passing over the Internet from the Android app to the KCB server, the app does not check the server certificate.
The server certificate is like an identity card. This is what allows you to know whether the website to which it sends the password is the KCB one…” Irakoze states.
…“For the hacker to recover your password, he must first create a fake server that will pass for that of KCB. Then he must find a way to get between you and the KCB server. This is called a Man-in-the-Middle attack.
In the best case, the hacker will retrieve the identifiers of one person, and in the worst case, the hacker will hack the DNS server of KCB, which will allow him to recover the passwords of all users of the Android app,” he opines.
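The failure Irakoze describes, reproduced as an added example that is not part of the article and not KCB's code: a Go program (Go because its standard library can mint a certificate and run a TLS server offline) starts an impostor TLS server on loopback with a self-signed certificate, then connects to it three ways. A client that skips certificate verification, the behaviour attributed to the app, accepts the impostor; Go's default verification rejects it; and a client that pins the server's public key accepts only the pinned key. The hostname mobile.kcb.example is a placeholder, and the DNS or network interception that would route a real victim to the impostor is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// startFakeServer is the "fake server that will pass for that of KCB", on loopback.
// Its self-signed certificate names the right host but is trusted by nobody. The
// returned pin is SHA-256 of the certificate's SubjectPublicKeyInfo, i.e. what a
// pinning client would ship for the genuine server; here the same cert plays both roles.
func startFakeServer(host string) (net.Listener, [32]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, [32]byte{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, [32]byte{}, err
	}
	leaf, _ := x509.ParseCertificate(der) // re-parse so the pin covers exactly the bytes a client sees
	pin := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, pin, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			_ = c.(*tls.Conn).Handshake() // finish (or fail) the handshake, then hang up
			c.Close()
		}
	}()
	return ln, pin, nil
}

// vulnerableConfig mirrors the behaviour attributed to the app: the channel is
// encrypted, but whoever answers is accepted as the KCB server.
func vulnerableConfig(host string) *tls.Config {
	return &tls.Config{ServerName: host, InsecureSkipVerify: true}
}

// pinnedConfig replaces the default verifier with a hostname check plus an SPKI pin.
func pinnedConfig(host string, pin [32]byte) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		InsecureSkipVerify: true, // acceptable only because the callback below does the checking
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(rawCerts[0]) // a TLS server always sends one
			if err != nil {
				return err
			}
			if err := leaf.VerifyHostname(host); err != nil {
				return err
			}
			if sha256.Sum256(leaf.RawSubjectPublicKeyInfo) != pin {
				return errors.New("SPKI pin mismatch: not the server this app was built for")
			}
			return nil
		},
	}
}

// dial runs a full handshake; nil means the client accepted the server and would now hand it the password.
func dial(addr string, cfg *tls.Config) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	host := "mobile.kcb.example" // placeholder, not KCB's real endpoint
	ln, pin, err := startFakeServer(host)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("no verification:", dial(ln.Addr().String(), vulnerableConfig(host)))
	fmt.Println("default verification:", dial(ln.Addr().String(), &tls.Config{ServerName: host}))
	fmt.Println("pinned, right key:", dial(ln.Addr().String(), pinnedConfig(host, pin)))
}
```

Run it with `go run`. The first line prints `<nil>`: the unverifying client has finished a handshake with the impostor and would send the password next. The second prints an unknown-authority error, which is the check the app is said to lack. The pinned client in this demo replaces chain validation entirely so that it works against a self-signed server; a production client keeps chain validation against trusted roots (Go's RootCAs, Android's Network Security Config) and adds the pin on top, and pins the SubjectPublicKeyInfo rather than the whole certificate so that routine renewals with the same key do not break the app.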
The hackers posted a video on YouTube detailing the process of hacking the bank’s mobile app.
At this point, nothing is known of the intentions behind the hacking revelations or the details supplied by Irakoze.