Government and commercial online services could become the next frontier for illegal activity in Africa, security experts are warning.
As more people get access to the internet across Africa, governments and businesses are increasing their online presence but there are questions about how secure these websites are.
The email scam using a message from someone pretending to be a relative of a dead African leader asking for bank details is well known, but now tactics have changed.
Today’s cyber-criminals do not need users’ approval or awareness to access valuable data, which could lead to the theft of a large amount of money.
For example, a recent cybersecurity report on Kenya says businesses are losing about $146m (£96m) every year to cyber-crime.
Kenyan cybersecurity analyst Freddy (not his real name) showed me how the average Kenyan website lacks adequate protection.
Working on a dummy site with a typical level of security, he showed me how it was possible to hack into it.
“This will take me about 15 minutes,” he said as he typed away, writing code.
As predicted, in just a quarter of an hour, he had full access to the database and was able to change the administrator password and upload his own material.
Freddy is one of the good hackers who advises companies and defends them from attacks rather than exploits the problems, but he feels the response to the online risks is inadequate.
This situation is replicated across the continent.
South Africa’s Sunday Times newspaper reported that hackers launched 6,000 cyber-attacks against South African infrastructure, internet service providers (ISPs) and businesses in October alone.
Bright Mawudor, a Ghanaian cybersecurity expert at Pukyong National University in South Korea, says that most African banks, government agencies and ISPs, in the face of competition, prioritise what their website can do and how fast new features can be released to the public.
Security is an afterthought, he argues.
“These websites are usually outsourced to software development companies who get pressured to deliver quickly,” he says.
“Something that should take about a month has to be delivered in a week and is thus sub-standard. They always make a mistake and the hacker just has to find one.”
Government website threat
Rather than creating their own systems from scratch, there is a tendency to take a shortcut and use existing popular templates, which Mr Mawudor says can easily be breached.
He says he knows of several African governments that use these for their websites that can contain sensitive information including individuals’ personal details, which can be used for identity theft.
According to the recent Kenyan cybersecurity report, most African-based businesses, particularly small and medium-sized enterprises, are unable to withstand cyber-attacks.
“If there was the threat of a physical attack you would see a lot of fences and guards,” says William Makatiani of Serianu Limited which was behind the report.
“Unfortunately with cyber-attacks, very few people can detect them and you can go for up to a year without knowing you’ve been attacked.”
At the Serianu offices in the Kenyan capital, Nairobi, big screens show world maps with yellow spots appearing in different countries representing cyber-attacks happening in real time.
As these continue, Mr Makatiani suggests the main reason some companies are waking up to the threat is because they are losing money, but he says they are only disclosing these incidents discreetly.
The types of crimes are also becoming more sophisticated – moving from password theft, to stealing credit card details to attacks on computer networks.
Even if the worst-affected businesses like banks and insurance companies improved their security, the ISPs are accused of not doing enough to create sufficient security for the small businesses they serve.
South Africa recently opened a virtual cybersecurity hub in its capital, Pretoria, to help business, government and civil society work together on responses to these incidents.
Research firm Columinate suggests that South Africa is one of the world’s cybercrime hotspots.
State Security Minister David Mahlobo pointed out that for the country to be adequately protected, there needs to be more awareness of the threats.
This situation is mirrored across the continent and has led Mr Mawudor to help found Africahackon, a forum bringing together cyber-security experts, from university to corporate level, to discuss how to take the initiative on these issues, rather than wait for the security gaps to be exploited.
The group works with a lot of young people with newly-acquired computer skills who might otherwise be tempted to use them for illegal activity online.
“You can never stop cyber-attacks but you can employ the best practices to curb them,” says Mr Mawudor.
“This will be a process over time and not a one-day event.”