Exposed: The modus operandi of SA’s cyber crime cartels…


The chilling methods of SA’s cyber crime cartels and cyber criminals are laid bare by Tiaan Lombard

The chilling methods of South Africa's cyber crime cartels and cyber criminals are laid bare by Tiaan Lombard, a cybersecurity and intelligence expert. Speaking to BizNews, he says: "If I want to gain access to, let's call it a banking system or a judicial system, whatever the case may be, it's a matter of entering into the bank, leaving a flash drive in the toilets with a key holder and a couple of keys on it that not identifies me and somebody somewhere is going to pick that device up and stick it into their computer. And at that moment, you are compromised." He says such devices can be ordered online to commit cyber crimes. "These are done by highly, highly skilled, organised cartels that know that South Africa does not have the ability to stop this."


Summary of the interview

South Africa's vulnerability to cybercrime is starkly exposed by Tiaan Lombard, a cybersecurity expert. Speaking to BizNews, Lombard reveals the chilling tactics of cybercrime cartels, including planting compromised USB drives in public places to infiltrate critical systems. These sophisticated operations highlight South Africa's lack of defenses against highly organized cybercriminals. Lombard emphasizes the ease with which these devices can be ordered online, leaving the nation vulnerable to devastating cyberattacks.

Extended transcript of the interview

Chris Steyn (00:01.898)

Today, we take a deep dive into the shadowy world of cyber criminals and their operations in South Africa. We speak to Tiaan Lombard, a cybersecurity and intelligence expert. Welcome, Tiaan.

Tiaan Lombard (00:17.285)

Good afternoon Chris, how are you?

Chris Steyn (00:19.742)

I'm fine, thank you. Thanks for joining us. Let us start by asking you to define cyber crime and cybersecurity first, briefly.

Tiaan Lombard (00:31.737)

Cybercrime, cyber security, security is the ability to lock people out of your house. That is the lock that you put on your door. It's how I protect my passwords, how I keep my network safe, my firewalls. That is what cyber security is all about. Cybercrime is obviously, you know, breaching those types of systems, et cetera, breaking the lock, getting access to, you know, to your house.

And cyber intelligence on the other hand is how this information is being used. Where is it being used? How is it being used? What is it being used for? Et cetera.

Chris Steyn (01:13.982)

Okay, so who does cybercrime primarily and how do they do it?

Tiaan Lombard (01:20.566)

Okay, everybody in that sense. What is happening is cybercrime has been committed by your everyday wannabe, you know, I wanna be a hacker, I wanna learn how to hack and we can download all sorts of tools, et cetera, from the Internet, you know, that gives us access. But there's a more serious element to this because whatever is available to law enforcement, whatever is available to the general community outside is also available to your bigger criminals, your cartels, call it that, you know, what they are today in South Africa.

How it's committed is, you know, we all sit at home thinking, you know, who's going to want to hack me? What are you going to do with my information? And quite frankly, we are not the targets in that sense. Nobody is really interested in what you're keeping on your computer, nobody wants to know about the photos of you feeding your cat, etc. But you are also affected obviously in the way of your business. If you need to gain access to any business or corporate institution or whatever institution it is out there, nobody wants to hack anymore. To give you the scenario, we've got: If you've got your house, you put a bigger lock on, you know, to make sure that nobody breaks in. You put burglar proofing and electric fences, et cetera, around your house. That is normally your security that you would implement. And the bigger the lock, the longer it takes to break the lock. So your security experts that's out there are mainly focusing on protecting your information, protecting your data, et cetera. 

But the problem comes…And most of your cybercrime is not committed via hacking. In fact, very small percentage of that is being committed via hacking. With today, social engineering is a bigger danger. If I want to gain access to, let's call it a banking system or a judicial system, whatever the case may be, it's a matter of entering into the bank, leaving a flash drive, you know, in the toilets with a key holder and a couple of keys on it that not identifies me and somebody somewhere is going to pick that device up and stick it into their computer. And at that moment, you are compromised. Now, you can order these devices online. You can import them into South Africa. It's available to you, to me. Our law enforcement have got no clue how these devices work, how they are being packaged and shipped.

And to give you an indication, Chris, you look at a little device like this. It is a USB communicator or a frequency modulator that you plug into your laptop that communicates with either a mouse or a keyboard or a combination of those two. And these are things that we use every day. You take a normal flash drive and we as corporate companies give these as gifts to people. We leave them lying around on tables. Fancy gifts like a little light like this. It's a little light that's a very fancy cute gift when you're going to one of these events or conferences where they have IT stuff and the guys give you a device like this as a nice little present. But this is not just a normal device. This device, as you can see at the end of it, has a big little head. We have USB flash drives, which is a normal flash drive that plugs into a computer or, as I said, you know, a module that you use for controlling your keyboard. And this applies to charging cables, a phone charge cable, charging cable for your devices, etc. By merely asking somebody, may I borrow your charger? That device has got what we call an OMG cable. That device is built in a keyboard and the USB flash drive. And the most dangerous thing about this is or even this is you plug it in. It's an innocent light that you plug into your computer. But built into this is a keyboard that the moment you plug it in, there's no security on your computer, on your system, that says, listen, somebody is trying to access your computer because you as the user need to use a keyboard to log into your computer.

Tiaan Lombard (06:05.78)

And the moment I put this device into my computer, that is a built-in little keyboard that sends commands to the computer that I'm logged into. So I don't need to anymore break into that computer via external mechanisms, breaking the network, going through firewalls. I already have a user in the bank, in the judicial system, in the police, wherever, that has already got access to that system. 

And all I needed to do was give him a device to plug in. I am now logged in with his credentials. I'm logged in with him having access to that computer. And the danger is that, as I said, these things can be ordered online. They sell them for a couple of hundred bucks online. You can buy them on eBay, et cetera. We import them into South Africa and we are using them for malicious use. 

The problem here comes, it is not the everyday person that wants to see what his wife is doing or, you know, have a look at, as I said, your cat's photos. These are criminals, very, very serious criminals that know what the dangers of these things are and how to use them. Gaining access to your computer the moment you plug this thing in or the USB flash drive. It is a keyboard that now sends commands to your computer and the computer thinks it's you sending those commands via a keyboard. Which means I have now got full control of your computer system. I've got full control of your entire computer. I've got access to your emails, I've got access if you've got stored on your computer or your browser, your details about your login details. I've got all that information. I've got access to your Facebook, whatever you use your computer for.

I have access to that. And that is where the dangers are lying. Now this really same information, obviously, as I said, is being used by more dangerous people like the cyber criminals, et cetera, and your cartels, currently the biggest problem in South Africa.

Chris Steyn (08:17.822)

Now, in which industries in South Africa are they most active?

Tiaan Lombard (08:26.611)

All industries, all industries in South Africa is affected. You must understand that, as I said, when you've got a house and you put a lock on your house, there's always somebody wanting to break in. There's always somebody wanting to steal your TV or your bicycle or whatever it is that they can sell for money. 

The problem here is that the value that you can now achieve…you must remember our entire lives today is electronic: our communications, our phones, our computer systems, everything today is electronics. And the dangers with this is that it being electronic, we can shut down power stations. It's been done with Stuxnet on, you know, infiltrating your hardware on your computer, you know, making it difficult for you to really be in control. Because if the computer tells you, you know, the cooler is running, the temperature is perfect, everything is fine. We listen to that computer and we make our decisions based on what the computer tells us. So if it tells us, you know, the systems are all running fine. As long as it's running fine, I am fine. Taking control of your hardware on your phone. Your phone can be switched on remotely. Your microphone can be switched on remotely. Your camera can be switched on remotely. Everything can be done remotely now on your phone. Your phone is just as big a danger because it's just another computer. For that matter, a banking terminal is another computer. An ATM is another computer. So these are all devices that's easily affected by cybercrime. So it is taking in every aspect it's happening. 

We've got it in Home Affairs. As I said, you take a duplicate person being registered on Home Affairs. That duplicate person is now roaming around in South Africa as a complete different person. The face might be the same and that person is roaming around either with your information or with a completely new identification created, committing crime and then vanishing in the woodwork because that person does not really exist. It is a ghost on Home Affairs.

Tiaan Lombard (10:50.988)

We see this predominantly in NSFAS, the National Student Financial Aid Scheme, whereby you have ghost students created on Home Affairs platforms where this person is alive, is a real person, he's got a name, he's registered, and as long as that criteria is met, the National Student Financial Aid Scheme will fund him. It is happening in our universities, it is happening in every aspect.

A big concern, for instance, is if you look at your Small Claims courts and these types of courts where there's a small dispute. I owe you a hundred rand and you take me to the Small Claims Court. The Small Claims Court says can I please have the evidence? Can you please put this information for me on a flash drive? And you've got two people fighting over a hundred rand.

But the intent is not a hundred grand. The court will say, well, Tiaan, give Chris a hundred grand, you owe her, we found you guilty, so please pay her. But prior to the trial, I've already loaded all the information trying to fight my little case onto a flash drive, which I've given the judicial system. And the Magistrate, the Judge, the Master, whoever it is, plugs that device into his computer, your judicial system is compromised.

You can imagine what access you have if I've got the ability to manipulate evidence, if I've got the ability to manipulate, to make evidence go away or to create evidence. And that is where your big crime comes in.

Chris Steyn (12:36.48)

So how often do you think this is happening, Tiaan?

Tiaan Lombard (12:42.956)

It's happening permanently. You must understand computers have the ability to process 24/7. Your banking services, your network access, wherever you're communicating to, there is a permanent online availability. And as long as a computer is turned on, that computer has got the capacity to be utilised.

When it comes to applications, let's call it brute force hacking, where you infiltrate the system, you load a little programme on three or four servers, and those four servers will attack a specific target. Whether it's for being denial of service attacks, or whether it is being hacking that system with consistently sending new passwords to try and gain access, a computer has the ability to do this 24/7.

Humans go to sleep. We go to work in the morning from eight until five, you work, but it only takes two seconds to pick that device up, put it into your computer, and that from there on, it infects every other computer around you and it infects every other network, depending on what it is the criminal wants to achieve. 

So it is happening way more often than any other crime in South Africa, keeping in mind that our entire lives nowadays are focused around technology, are focused around systems and computer systems data. It is not just here's a house anymore, I can break in, I steal the TV and the TV is gone. You can steal multiple TVs over and over and over in the same house by having access on those systems.

The danger in cybercrime is much, much, much higher. It's much more frequent than any other crime because it affects, first of all, as I said, taking my entire life is on computer, is on electronic systems, is on databases, et cetera. And these, all this information is permanently being accessed by criminals, by systems and using it for their own benefit, not necessarily always exposing themselves.

Chris Steyn (15:14.464)

So, yeah, describe to us how this is affecting South Africa and its citizens.

Tiaan Lombard (15:22.953)

On a personal level, we all sit back and we say, you know, it can't touch me. It's nobody's really interested in my, in what's going on on my computer. Nobody's really interested in me having a conversation with my mom on the phone. But from a citizen point of view, as I said, you are the person going into the toilets, picking up the flash drive, sticking that into your computer. You are the person receiving the flash drive, the phone charging cable, a little fancy device like this, you are the person receiving that and you are merely a tool in the middle of this entire operation. Once you have been compromised and you don't even know you've been compromised, you have now plugged that device into a system. Whether it's a banking system, whether it's at the Department of Justice, wherever you've plugged that in, that entire system, that entire organisation has been compromised. And that is how it's affecting us. 

As in a personal level not that much. I'm only being used, but when it comes to the systems in South Africa, we're now looking at judicial, we're looking at police, we're looking at education, we're looking at financial systems, we're looking at what operates this country, what runs this country. And today the entire country relies on technology. We rely on computer systems, we rely on databases. Our courts rely on computer systems. Our industries rely on electronics managing these devices, whether it be in PLCs or…

Everything is affected by cybercrime, bringing South Africa into a very, very serious light because of…Taking our financial system, for instance, South Africa is one of the best countries in the world when it comes to our banking system. So we have the expertise in South Africa with our banking systems, with our fancy technology that we've got. But as good as we are with, you know, executing all these fancy technologies and systems that we've got, we've also got those very same criminals in South Africa utilising that information or that.

Tiaan Lombard (17:44.073)

And the problem is they are more prone to using it than what our judicial system is able to fight this. We as a police, we already know what the housebreakings look like. Any policeman knows how to handle a housebreaking. But the moment you enter into a cyber war, where you've got cyber crimes being committed, 90% of our police do not know how that crime has been committed. 

I have been, you know, in many instances where I've testified in various, you know, forums or judicial or legal systems where I've, you know, been a witness, expert witness. You very quickly realise that the Magistrate, the Judge sitting there, the Commissioner sitting there does not have a clue what cybercrime is. You often have a case where the Prosecutor does not understand how this happened, what happened. And then trying to explain to the Magistrate or the Judge or these guys what exactly took place, how this happened, that becomes very complicated.

Chris Steyn (19:03.808)

Where does this leave South Africa in the world view? We've been Grey-listed. How does cyber crime link to our Grey-listing, or does it?

Tiaan Lombard (19:15.417)

Absolutely does, yes. If you look at South Africa currently, we are a country that is recognised worldwide at this moment as a country from which most of our financial crimes are taking place. Let's have a look at online crimes. You have got so many online scams, for instance, going on, whereby people are asking for your credit card details or, you know, invest in this scheme or invest in that scheme. The company, you know, is online for a few days, a few months, a few weeks until they get caught out, but they disappear in no time. 

And a lot of these crimes, if we look at, you know, the MTI, you know, the Ponzi, the schemes, the… all the different crimes happening in South Africa are originating in South Africa. 

And the rest of the world is looking at South Africa and saying, hang on, you know, there's a whole lot of financial crimes happening here. Now, making this worse is you're sitting with a judicial system that needs to fight this. When the judicial system does not understand this, it's not going to help either. If the policing does not understand this, it's not going to help. By not being able to fight it.

You know, when it comes to cyber security, we've got what we call a Red Team and a Blue Team. Your Red Team would be the person trying to attack a system, gain access to the system, and the Blue Team would normally be the person trying to keep you out. That is your cyber security expert, knowing where to find you, how to trace you. And if you look at the Red Team, Blue Team scenario, South Africa currently is a Red Team. We are currently infiltrating the world. We are using South Africa as a platform or…as you know, we've got all the brilliant systems in place. We've got dedicated online 24/7 data centres. I look at African countries not having necessarily all those, you know, abilities and technologies or data centre capability hosting in South Africa. That tells you how South Africa's infrastructure is.

Tiaan Lombard (21:38.442)

Now, if we as South Africans are sitting here, and using our technology worldwide. Online is worldwide. If I play something online, you can pay with your credit card online, I've got your credit card details. I've taken your money, number one, and number two, I've got your credit card details. There on forth, I can do whatever I want to with it. The problem is these are not just being done by small individuals. These are not done by private individuals. These are done by highly, highly skilled, organised cartels that know that South Africa does not have the ability to stop this. We know that South Africa does not have the knowledge really in our policing system, judicial system, et cetera, you know, to combat this.

And we are using this infrastructure and technology that we have in South Africa to really go out there and present ourselves to the world and saying, well, here's an opportunity for us to make money on crime worldwide. And then the problem is not being able to stop that. So the rest of the world looks at South Africa and says, OK, yes, we know there's a cybercrime problem or there's a financial crime problem. There's difficulties in that country. So we Grey-list them. Being Grey-listed means that immediately affects me as a citizen. It affects you. The repo rate goes up, taxes are being increased, etc. And we at the end of the day are paying for it without really knowing that I was involved at some point by just sticking a flash drive into my computer.

Chris Steyn (23:18.048)

So are you saying that our most sensitive information as individuals and the most sensitive information in the judicial and in the legal and in the policing systems and in Home Affairs, it's all compromised? Unsafe.

Tiaan Lombard (23:35.006)

Absolutely, absolutely, it's compromised. First of all, because we do not really understand how this took place in 90% of the cases, we do not even know that it's happened. You must understand the dumb criminal goes in, steals your credit card information and goes and use it and buys himself a toy, whatever the case is, and he's won once. The smarter criminal does not notify you, he does not let you know he's got your information and he will use that information, you know, on a bigger scale to access every aspect of your life in order to, you know, commit those crimes. And the problem is, as I said, we all think of crime affecting me. It is not just affecting me as a person, it is affecting organisations, institutions, the people that we trust with our information. That is where it's the worst effect.

Chris Steyn (24:34.752)

What is the most damaging case of cyber crime that you personally know of, if you can tell us?

Tiaan Lombard (24:48.444)

One of the most common ones we know of is, and it's not that much, one of the most common ones that's already publicly known is NSFAS, the National Student Financial Aid Scheme. We're sitting with ghost students. Now you can imagine at the 41 billion Rand budget, if a portion of those students…now let's just look at where's the money going to, always follow the flow of money. You remember, it's not the student coming out committing this crime.

Tiaan Lombard (25:18.33)

You come out of school, you've got Matric, you now need to go to university and you want to study. So you as a student do not really have the ability or you don't have all the connections in let's say Home Affairs, in this class, in universities, et cetera. You don't have all those connections as a student. But now you're sitting with a cartel that would take this opportunity when the moment you go for your ID, you know, we're going to give you two IDs. We're going to give you the same photo, slight difference in your name, different ID number, and you're alive. Now you've got two ID numbers. You're going to take those two ID numbers and you're going to go to the university. You're going to apply to be accepted at the university. Now for both those ID numbers to be accepted at the university, you need somebody there to assist you. Once you've been accepted at the university, you can now go to the National Student Financial Aid Scheme and say, please, can I have some money to sponsor me? I'm going to need somebody there to also, you know, help me with that. But as I said, where does that money go? A portion goes to sustenance, transportation, books, education. But the majority of that funds goes towards accommodation. So now you've got an accommodation drive where whoever started this needs to have access, he needs to have somebody at Home Affairs to assist in creating the ID. He needs to have somebody in the university to allow the student to study on two or three or four or five or multiple IDs. The same applies for the funding and the same applies now, obviously, because that fund ultimately ends up at some accommodation place or some place. Now, from what we know already, you've got some of these organisations making, you know, borrowing that money out, we're talking hundreds of millions, using it to borrow money out. 
We've got, we are aware of buildings being bought, massive buildings being bought, then being utilised back into the system to rent it out for more accommodation. So it's a big money-making thing. That is just one example that is a university or the National Financial Aid scheme, Student scheme. So the…

Tiaan Lombard (27:40.449)

That is one example. If you look at how cartels are using this even in getting access to information of a criminal being investigated, for instance, by the police. Let's say the Hawks is investigating me for some or another cybercrime. You now have criminal cartels coming in, making use of this information, gaining access to systems and using that information to either go after you, liquidate you; they did now get clear access to every criminal element that you have had as a criminal. They've got access to your connections. They've got access to your friends in that world, whether it is being leaking your bank statement, whether it is being finding information that they should not get on you. You've now got access to other criminal networks and that is what your cartels are growing on, is the ability to find those elements in the society that has got certain accesses and they will target them, infiltrate them, use that information against them, whether it is for blackmail, whether it is for whatever malicious intent.

The criminals that we now have in South Africa, as I said, are no longer, you know, somebody just trying to steal your information. We all have the idea that hacking is somebody hacking into my bank account and stealing my money. That does not happen to us. Our financial institutions are secure. Our financial systems are secure. It is everything around that that is now being manipulated, utilised, used by very serious criminals who know that South Africa does not have the ability to stop this.

Chris Steyn (29:44.79)

That's what I was going to ask you. What can be done to stop it, or mitigate it at least?

Tiaan Lombard (29:52.183)

Yeah, that's it. That's a…it's going to have to start with regulation. There's a lot of regulation that's been created. We look at, you know, the Electronic Communications and Transactions Act of 1998. We look at, you know, RICA. Most people don't understand why they RICA. The ICA in the RICA is Interception of Communications Act. It gives, you give the government permission to access your communications, your systems, anything, record a phone call if need be. Now, you're sitting with a problem where if they have access to that, everybody else has access to that.
