KCB Group allays concern on alleged data breach

By Victor Muyakane.

In a statement to newsrooms, KCB Group has said it is aware of recent claims of a data breach in its Android mobile app, but has dismissed the claims, asserting that its systems are completely safe.

According to KCB, an investigation into the truthfulness of the hack claims found them to be false, leading East Africa’s largest bank to term the alleged data breach malicious misinformation.

KCB went further to assure its customers that all platforms and data are highly secured, and that its systems, including the mobile app, have been extensively tested and validated by internal and leading external data security experts.

KCB states that multiple layers of encryption, private keys and unique authentication are among the key data security features embedded in the mobile app.

The bank is now threatening to take legal action against the originators of the hack claims.

For their part, the hackers say that a flaw in the KCB app’s structure creates an ‘information leakage vulnerability’ that lets an attacker gain possession of confidential customer information.

Chris Irakoze, the Burundian programmer who allegedly conducted the hack and broke the news, states that the confidential information, amounting to close to 500,000 customer names and phone numbers, could be exploited by malicious parties through the sale of those phone numbers.

He reasons that there are plenty of people who would pay for personal numbers. Irakoze also opines that hackers could sell the information to a competing bank, or use it in scam or phishing attacks targeting KCB customers.

There have been recent instances where KCB customers have gone on social media expressing outrage at receiving phishing attempts in the form of unsolicited SMSs from unverified sources, to which KCB responded with a warning that the messages might be from criminals.

“…During the previous year, we discovered that despite the use of SSL to encrypt information passing over the Internet from the Android app to the KCB server, the app does not check the server certificate.

The server certificate is like an identity card. This is what allows you to know if the website to which it sends the password is the KCB one…” Irakoze states.

“…For the hacker to recover your password, he must first create a fake server that will pass for that of KCB. Then find a way to get between you and the KCB server. This is called a Man in the Middle attack.

In the best case, the hacker will retrieve the identifiers of one person, and in the worst case, the hacker will hack the DNS server of KCB, which will allow him to recover the password for all users of the Android app,” he opines.
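The defect Irakoze describes, an app that speaks SSL but never checks who it is speaking to, has a recognisable shape in Android code, as does its fix. The following is an added illustration for readers, not code from the article, from KCB or from Irakoze; the class name `ServerCertCheck` is hypothetical, and `HOST` and `PIN` are placeholder values, not anything taken from the KCB app.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added illustration, not code from the article, KCB or Irakoze.
// HOST and PIN below are placeholders, not real KCB values.
public final class ServerCertCheck {

    // INSECURE: a trust manager that validates nothing. Any certificate,
    // including one presented by a man-in-the-middle, is accepted, and the
    // hostname verifier accepts any name. This is what "the app does not
    // check the server certificate" looks like in code.
    static HttpsURLConnection insecureConnection(URL url) throws Exception {
        TrustManager[] trustEverything = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { } // never throws
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustEverything, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // any name matches
        return conn;
    }

    // HARDENED: leave the platform's default trust manager and hostname
    // verifier in place (chain validated against the device trust store,
    // host name checked against the certificate), then additionally pin
    // the server's public key so that even a CA-issued certificate for a
    // different key is rejected.
    static HttpsURLConnection pinnedConnection(URL url, String expectedSpkiSha256Hex) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect(); // default validation runs here; throws SSLHandshakeException on failure
        Certificate[] chain = conn.getServerCertificates();
        String actual = spkiSha256Hex(chain[0]); // leaf certificate
        if (!MessageDigest.isEqual(actual.getBytes(), expectedSpkiSha256Hex.getBytes())) {
            conn.disconnect();
            throw new IOException("public key pin mismatch for " + url.getHost());
        }
        return conn;
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, rendered as hex.
    static String spkiSha256Hex(Certificate cert) throws IOException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder sb = new StringBuilder(64);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
    }

    // Placeholder values: replace with the app's real host and the hex
    // SHA-256 of its server key's SubjectPublicKeyInfo.
    static final String HOST = "app.example-bank.invalid";
    static final String PIN = "0000000000000000000000000000000000000000000000000000000000000000";

    public static void main(String[] args) throws IOException {
        HttpsURLConnection conn = pinnedConnection(new URL("https://" + HOST + "/login"), PIN);
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The insecure variant is the pattern that lets a fake server "pass for that of KCB": the handshake succeeds against any certificate, so credentials go to whoever sits between the phone and the bank. The hardened variant never replaces the platform's validation, it only adds a check on top. On Android the same pinning can be declared without code in a Network Security Config `<pin-set>`; in either form, ship a backup pin for the next key so that a routine certificate rotation does not lock customers out.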

The hackers posted a video on YouTube detailing the process of hacking the bank’s mobile app.

At this point, nothing is known of the intentions behind the hacking revelations and the details supplied by Irakoze.
