Burundian Programmer Exposes KCB System Security Flaw As Customer Details Emerge Online

KCB Bank, one of Kenya's largest banks by customer numbers, appears to have suffered a massive data breach as a file with the details of more than 500,000 customers, including their names and phone numbers appeared online.

The information was brought to light by Burundian hacker Chris Irakoze, who first mentioned the data breach in September.

Chris explains that the data was collected through an 'information leakage vulnerability': a flaw in the KCB app gave him access, via a Python injection, to sensitive data, including technical details of the web application or its environment, or specific data about the user.

In our case the KCB leaked the numbers and names of their customers. One of the things that a hacker can do would be to sell those phone numbers. There are plenty of people who would pay for personal numbers. A hacker could also sell the information to a competing bank. A scam or phishing-type attack would allow them to target customers of KCB. In the best case, you will have spam, and in the worst you will lose your money. I wonder if it hasn't already started.

Chris Irakoze

Chris explains that he was able to do a reverse search comparing all possible phone numbers from 254 700 000 to 254 799 999 with the data obtained through the app's vulnerability. If a number belongs to a KCB customer, the search would reveal the person's name from the database. The whole process took slightly less than two months.
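A lookup that answers differently for customer and non-customer numbers, with no per-client rate limit, is what makes a sweep over a whole number range possible. The following detection logic is an added example, not code from the article or from KCB: it runs over constructed log lines from a hypothetical customer-lookup endpoint and flags clients that query many distinct MSISDNs in a short window, or whose queries step through a numeric range one number at a time.

```python
"""Detect phone-number enumeration against a customer-lookup endpoint.

Added example, not part of the original article or of KCB's systems.
Assumption (hypothetical): the endpoint logs one line per request as
"timestamp client msisdn status", where client is an API key or device id.
The log lines below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. dev-aaaa walks through consecutive numbers;
# dev-bbbb looks up the same number twice, which is normal app behaviour.
SAMPLE_LOG = """\
2016-09-01T10:00:00 dev-aaaa 254700000001 200
2016-09-01T10:00:01 dev-aaaa 254700000002 404
2016-09-01T10:00:02 dev-aaaa 254700000003 404
2016-09-01T10:00:03 dev-aaaa 254700000004 200
2016-09-01T10:00:04 dev-aaaa 254700000005 404
2016-09-01T10:00:05 dev-aaaa 254700000006 404
2016-09-01T10:30:00 dev-bbbb 254711223344 200
2016-09-01T10:35:00 dev-bbbb 254711223344 200
"""


def parse_line(line):
    """Split one log line into (timestamp, client, msisdn, status)."""
    ts, client, msisdn, status = line.split()
    return datetime.fromisoformat(ts), client, msisdn, int(status)


def _events(log_text):
    return [parse_line(l) for l in log_text.splitlines() if l.strip()]


def find_enumerators(log_text, window=timedelta(minutes=5), max_distinct=5):
    """Return {client: peak_distinct} for every client that queried more than
    `max_distinct` different MSISDNs inside any sliding `window`.

    A legitimate session looks up a handful of numbers; a sweep over a
    number range queries thousands of distinct ones in minutes.
    """
    per_client = defaultdict(list)
    for ts, client, msisdn, _status in _events(log_text):
        per_client[client].append((ts, msisdn))

    flagged = {}
    for client, rows in per_client.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({m for _, m in rows[start:end + 1]})
            if distinct > max_distinct:
                flagged[client] = max(distinct, flagged.get(client, 0))
    return flagged


def sequential_ratio(log_text, client):
    """Fraction of a client's consecutive queries whose MSISDNs differ by
    exactly 1. A value near 1.0 means the client is counting through a range.
    """
    nums = [int(m) for _, c, m, _ in _events(log_text) if c == client]
    if len(nums) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return steps / (len(nums) - 1)


if __name__ == "__main__":
    for client, peak in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {peak} distinct numbers in 5 min, "
              f"sequential ratio {sequential_ratio(SAMPLE_LOG, client):.2f}")
```

The two signals complement each other: the distinct-count catches bulk lookups from any list of numbers, while the sequential ratio singles out a range sweep even when it is throttled below the count threshold. On the server side the same observation points to the fix: require an authenticated session for the lookup, rate-limit it per client, and return the same response whether or not the number belongs to a customer.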

[Image: Customer Details. The data includes the names and numbers of KCB customers.]

These revelations come as KCB customers report unsolicited text messages reportedly coming from the bank offering loans at low interest rates.

While the bank has taken steps to alert customers about potential fraud through the text messages, this vulnerability could explain how the customer data was obtained in the first place.

Chris discovered the flaw while looking for vulnerabilities in another KCB service, known as KCB Iwacu, which the bank rolled out in Burundi and Rwanda.

KCB Iwacu is similar to KCB Mtaani, a service that enables customers to deposit or withdraw money from an agent using their phones. The customer initiates a transaction through the KCB app or via USSD, after which a transfer is made to the agent's account. Once the agent receives a confirmation message from KCB, the agent hands over the money.

The vulnerability, Chris explains, lies in the fact that the agent receives confirmation by SMS. Anyone can spoof a text message and change the number of the sender. A hacker could then steal the money using only the phone number and the name of the agent. KCB's agency banking services use Point-Of-Sale machines, which make the attack more difficult but not impossible.
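The weakness described above is that the agent treats the SMS sender ID as proof that the confirmation came from the bank, and a sender ID can be set to anything. The code below is an added example, not code from the article or from KCB: it contrasts a hypothetical agent app's sender-only check with one that verifies an HMAC tag over the transaction fields, computed with a per-agent secret provisioned out of band. All secrets, transaction IDs, names and messages are constructed.

```python
"""Why an SMS sender ID is not authentication for a payout confirmation.

Added example, not code from the article or from KCB. Models the agent-side
check in a hypothetical agent application. Assumptions: the bank and each
agent share a per-agent secret (provisioned at onboarding, never sent by SMS),
and every confirmation carries an HMAC over the transaction fields.
"""
import hashlib
import hmac

# Constructed per-agent secret for the demonstration.
AGENT_SECRET = b"constructed-agent-secret-0001"
TAG_LEN = 16  # hex chars (64 bits) to keep the message within one SMS


def canonical(txn_id, agent_id, customer_name, amount_kes):
    """Fixed field order so bank and agent sign exactly the same bytes."""
    return f"{txn_id}|{agent_id}|{customer_name}|{amount_kes}".encode()


def _tag(secret, txn_id, agent_id, customer_name, amount_kes):
    mac = hmac.new(secret, canonical(txn_id, agent_id, customer_name, amount_kes),
                   hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def sign_confirmation(secret, txn_id, agent_id, customer_name, amount_kes):
    """Bank side: build the confirmation text, fields separated by '|'."""
    tag = _tag(secret, txn_id, agent_id, customer_name, amount_kes)
    return f"KCB|WITHDRAW|{txn_id}|{agent_id}|{customer_name}|{amount_kes}|{tag}"


def sender_only_check(sender_id):
    """The weak check: trusts whatever the network says the sender is.
    Any party able to set the sender ID passes this."""
    return sender_id == "KCB"


def verify_confirmation(secret, sender_id, text, expected_agent_id):
    """Hardened check: accept only if the tag verifies under the agent's secret
    and the message names this agent. The sender_id is deliberately ignored."""
    parts = text.split("|")
    if len(parts) != 7 or parts[0] != "KCB" or parts[1] != "WITHDRAW":
        return False
    _, _, txn_id, agent_id, customer_name, amount, tag = parts
    if agent_id != expected_agent_id:
        return False
    expected = _tag(secret, txn_id, agent_id, customer_name, amount)
    # Constant-time comparison so timing does not leak tag bytes.
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    genuine = sign_confirmation(AGENT_SECRET, "TX1001", "AG-001", "Jane Doe", "5000")
    spoofed = "KCB|WITHDRAW|TX9999|AG-001|Jane Doe|5000|0000000000000000"
    for label, msg in (("genuine", genuine), ("spoofed", spoofed)):
        print(label, "sender-only:", sender_only_check("KCB"),
              "hmac:", verify_confirmation(AGENT_SECRET, "KCB", msg, "AG-001"))
```

A tag bound to the transaction ID, agent and amount also stops a genuine message from being replayed at another agent or altered to a larger amount. Where the agent uses a smartphone or POS terminal, the same idea is better delivered by having the device pull the transaction status over an authenticated API call rather than by parsing SMS at all.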

Chris checked the KCB app and found that, while it has all the necessary security features to protect user data transmitted over the network, the way those features were used allowed a man-in-the-middle attack that would have let a hacker take complete control of a user's account.

The KCB app is no longer available in Burundi, but different versions of the app are in use in Kenya and Rwanda.

Following this discovery, Chris reportedly reached out to KCB, alerting them to the flaw in their system. Under Kenya's proposed Data Protection Act of 2012, anyone collecting sensitive data from the public must put in place appropriate technical and organizational measures to safeguard the data against the risk of loss, damage, destruction of or unauthorized access to personal information.

An agency that holds personal information shall ensure that the information is protected, by such security safeguards as are reasonable in the circumstances, against loss, damage and destruction; and access and use by an unauthorised person, modification, or negligent disclosure or use.

The Data Protection Bill, 2012

UPDATE - 20/10/2016

When contacted for comment, KCB responded that they were aware of the claims of a data breach, and all customer data and platforms were safe.

In a blog post, Chris has detailed how he was able to find the information via the flaw in the KCB app, and how he and his team wrote a Python script to extract the data.

UPDATE - 21/10/2016

KCB Bank has issued a statement in response to the revelations from this article:

We wish to assure all our customers that our platforms and data are highly secured. KCB Group systems including the mobile App have been extensively tested and validated by our internal and the best external data security experts. Multiple layers of encryption, private keys and unique authentication are among the key embedded data security features that safeguard our mobile app.

There is no breach to our systems.

KCB Bank Kenya