Sennaike David, a security architect, has revealed that United Bank for Africa, UBA, and other Nigerian banks had their customers’ data exposed to hackers, who sell it to fraudsters.
In a post shared on his LinkedIn profile, David recalled that in January 2023 he came across a post on the dark web whose authors said they were selling the private data of a Nigerian fintech: access to servers, usernames and passwords, API keys, and private customer data.
“I saw the post and couldn’t buy the items because of how expensive they were, so I decided to check the validity of some of their sample data. To my surprise, they were valid, and the security situation of the fintech was lacking. From investigations, I could view any user’s profile (including BVNs, phone numbers, Names, and Emails), edit all users, and manipulate different details.
“The manipulation of some details would have led to a total compromise of the fintech. I stopped there and reported it to the organisation. After a back and forth for a while, they temporarily patched,” he revealed.
“It is alarming that every bank has at least five critical vulnerabilities that could be exploited to gain complete access to its infrastructure. After all, they conduct penetration tests every quarter. This begs the question of who are the professionals conducting these penetration tests, and are they just running tools and scanners blindly and not doing the manual work? I say this because doing the manual work guaranteed the exploitation of every bank on that Wikipedia page. Is the Nigerian banking system a ransomware disaster waiting to happen?” David queried.
The cyber security expert, however, encouraged financial institutions in Nigeria to adopt bug bounty programmes, which he said expose institutions to many talented hackers willing to test their platforms and report crucial vulnerabilities.