URA hackers awaken Ugandans to reality of Internet crime
On June 20, the Uganda Revenue Authority (URA) arrested four men suspected of hacking into its systems for a year, causing revenue losses amounting to Shs 2 billion.
Richard Kibalama, an Information and Communication Technology specialist, Guster Nsubuga, a businessman working with Cargo Supplies Limited, Farouk Mugere and Patrick Owora, both clearing agents with Shafa Clearing and Forwarding were picked from the compound of URA offices at Nakawa House in Kampala.
The suspects had allegedly gained illegal access into URA’s Automated System for Customs Data (ASYCUDA), a computerized customs management system that handles international trade, including customs declarations for goods and services, transit information, tax assessments and payments.
Their interest was reportedly in vehicle registration data, into which they had falsely fed details of over 200 vehicles. The four suspects have been charged with six counts of unauthorised use and interception of computer services, electronic fraud and unauthorised access to data before the Anti-Corruption Court.
In May, URA recalled the vehicles for verification, after noticing that they had not been “properly registered.” Shortly after, thugs broke into the tax body’s offices and vandalized computers in an apparent attempt to sabotage the investigations.
The incident highlighted the new challenge that faces URA – from ordinary corruption and bribery, the tax body now faces computer crime against “smart” IT specialists who manipulate data to their advantage.
URA says its system has been under attack for over a year, with glitches reported every month as a result of hacking. Unlike physical burglary, where break-ins are noticed immediately, hacking (breaking into computer system to get access to information or just for fun) requires shrewdness and expertise to detect. URA says the system hacked was 12 years old, which explains why the hackers had little trouble accessing it.
The break-in has forced URA to upgrade.
“We have procured a new web-enabled data system with the highest standards of security. Hackers are always advancing but we are protecting ourselves inside and outside,” says Patrick Mukiibi, URA’s commissioner for investigations.
IT experts warn that in a business environment where most transactions are computerized and systems are connected to the Internet, anyone could fall victim, and hackers can gain access to any database if the computer information security is weak. They can attack a bank, manipulate personal account details, and draw payments from mobile money systems.
“It is a collective responsibility and we all need to stay alert,” says Joseph Mugisha, a computer and information security expert.
Experts say hackers are not always looking for money. They can hack into a system to steal data, for fun, or to crash systems and deny access. Hackers take advantage of weak security features in the computer networks, hence the need for strong firewall protections. “It is always advisable that you close all ports except the necessary ones when configuring the firewall,” says James Mukasa, a consultant with IT World Kampala. Mugisha said it was possible the URA hackers had inside help that gave them access codes into the internet connections. “How did they get access codes to the internet, the computer network, or the server without help? Or maybe they had hacking software, which I doubt,” he said. Detecting hackers can take a long or short time depending on the system. Some systems are set with alarms to identify and alert to unauthorized users. “If you are not monitoring your computer network regularly, it can take long to know it is being hacked into,” Mukasa adds.
Mugisha thinks IT teams need to incorporate simulated hacking drills into their routine. “Fire fighters have testing drills to prepare for actual fires, identify loopholes in their response and lower risks,” says Mugisha. “I think ICT team at URA needs to do hack drills more often to test their system. It would be a good starting point to question the hackers how they got in to build a stronger computer system security.”
Mugisha also cautioned that IT managers should back up data offsite so that in case of theft, they do not lose everything.
URA electronically enters data for imported vehicles at Malaba customs port and at the main office during registration.
“If there is a problem, then it starts with somebody who input data into the system,” Mukiibi says. He said the tax body is tightening its security systems. This includes recalling some vehicles for re-verification. “Sometimes it can be those who interface with clearing agents in an illegal manner. When caught that’s fraud,” he Mukiibi said. “We are going to prosecute whoever interfaced with our system illegally.”
Breach of URA’s system appears to have awakened Ugandans to the reality of cyber fraud. Government last year enacted the Computer Misuse Act, 2011, but its effectiveness is yet to be proved. Under the Act, unauthorized access to a computer system is an offence that attracts, on conviction, a fine of up to Shs 4.8 million or 10 years in prison. However, legal experts say the fine is a small price for criminals who have made Shs 2 billion from their fraudulent activities.