- Geo-location monitoring and behavioural analysis pin down criminal gang
There are many cyber security challenges faced by businesses, including hacking and fraudulent transactions. As people rely more on technology as part of their daily activities, the challenges to security become ever more prevalent.
VoguePay (www.voguepay.com) was born out of the need to help millions of businesses process payments to and from Africa, notably Nigeria. We help both large and small businesses collect their payments in local currency and convert to and/or pay out in major international currencies, e.g. GBP, USD, EURO. Operating in this market gives us a unique insight into the security challenges faced by our type of business. However, we at VoguePay could not have prepared ourselves for what we were about to encounter; we did not factor death threats into our calculus.
The criminal syndicate committed what they thought to be ‘the perfect crime’. Having beaten the security systems put in place by foreign and local banks and credit card companies, the fraudsters couldn’t have foreseen that attempted processing through VoguePay would be their biggest mistake.
In January this year VoguePay’s technical team reported that the system’s security algorithm had detected an increase in deliberate collaboration between a company named BYO-YONDEB INVESTMENTS LIMITED (www.yondeb.com) and other criminal groups. They had evaded detection and prosecution thus far because of gaps in the geo-location monitoring and behavioural pattern analysis systems on the other platforms from which they migrated to VoguePay in January.
The fraudsters were using a deception similar to the following example, the detail of which we cannot divulge due to an ongoing investigation: the criminals obtain a set of credit card numbers issued in the USA. These are cloned onto a UK-issued card. This card is then used in the UK by the criminal gang for transactions via a merchant in China.
This technique takes full advantage of the lack of cross-border coordination when it comes to fighting cyber-crime. In addition, due to the Data Protection Act, payment processors can only provide the name that appears on a card when suspicious transactions are under investigation. Additionally, if the card is cloned, the bank's fraud investigators are usually unable to confirm whether a transaction is genuine or not. Cyber criminals are well aware of the constraints affecting cyber-security authorities (coordination, cooperation, culture and budget) and exploit them to their advantage.
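The country mismatch in the example above (US-issued numbers, use in the UK, merchant in China) is the kind of signal that geo-location monitoring combined with per-merchant behavioural analysis can surface. The following is an added example, not VoguePay's algorithm: the field names, scoring and thresholds are assumptions, and the transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    card_id: str           # tokenised card reference, never the card number
    issuer_country: str    # country of the issuing bank
    client_country: str    # where the card was used (geo-located)
    merchant_id: str
    merchant_country: str


def geo_score(t: Txn) -> int:
    """One point for each pair of countries that disagree (0 to 3)."""
    pairs = [(t.issuer_country, t.client_country),
             (t.client_country, t.merchant_country),
             (t.issuer_country, t.merchant_country)]
    return sum(a != b for a, b in pairs)


def flag_merchants(txns, min_cards=3, min_ratio=0.5):
    """Behavioural view: merchants where many distinct cards show a
    three-way mismatch. Thresholds are assumptions, not VoguePay's."""
    cards, bad = defaultdict(set), defaultdict(set)
    for t in txns:
        cards[t.merchant_id].add(t.card_id)
        if geo_score(t) == 3:
            bad[t.merchant_id].add(t.card_id)
    flagged = {}
    for merchant, seen in cards.items():
        ratio = len(bad[merchant]) / len(seen)
        if len(bad[merchant]) >= min_cards and ratio >= min_ratio:
            flagged[merchant] = round(ratio, 2)
    return flagged


# Constructed sample data (not real transactions).
SAMPLE = (
    [Txn(f"card-{i}", "US", "GB", "M-CN", "CN") for i in range(4)]
    + [Txn("card-9", "CN", "CN", "M-CN", "CN")]
    + [Txn(f"card-{i}", "GB", "GB", "M-GB", "GB") for i in range(10, 14)]
    + [Txn("card-20", "US", "GB", "M-GB", "GB")]   # traveller: score 2 only
)

if __name__ == "__main__":
    for t in SAMPLE[:1] + SAMPLE[-1:]:
        print(t.card_id, geo_score(t))
    print(flag_merchants(SAMPLE))
```

A single mismatched transaction (the traveller) is not flagged; only the merchant where most distinct cards show the three-way mismatch is, which is why the per-merchant aggregation matters.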
This is what emboldened Mr. Yusuf Babalola (the head of BYO-YONDEB INVESTMENTS LIMITED) and his accomplices, so much so that they came to the VoguePay office in Lagos with the sole purpose of intimidating our staff, destroying property and issuing stern death threats. Accompanied by his ‘enforcers’, Mr. Babalola ordered us to cease our investigations and pay him the six-figure sum of victims’ US dollars that yondeb.com had stolen. He added that if the instruction was not adhered to, it would be settled by loss of life. In related phone calls, Mr. Yusuf Babalola swore by his life to ensure that VoguePay staff are murdered and the Company’s properties perish.
Despite the level of intimidation, the VoguePay team stood their ground and concluded investigations, coordinating with the local security agency to arrange arrests. The security agency visited the BYO-YONDEB INVESTMENTS LTD office, but unsurprisingly the office was empty and the criminals had absconded. Mr. Babalola continues to threaten VoguePay over the phone. However, the police are closing in on these criminals and in the meantime VoguePay has put additional measures in place to protect ourselves and our property. Our dream of giving honest small and medium-sized businesses in Africa the capability to grow and succeed cannot be stopped by death threats.
We have identified that there needs to be cross-continent collaboration between payment processors, card issuers and security agencies in reporting and investigating incidents and apprehending perpetrators. Currently there seems to be a reluctance to tackle the problem at its roots, with some security agencies taking the attitude that businesses can mitigate these challenges via insurance payouts. This is incorrect and only fuels the fire.
There is no single security tool to eliminate cyber security threats. Businesses must work together and constantly review their KYC procedures and create new security capabilities to combat these challenges. Cyber Security is everyone’s business.