Permission is granted to publish this article in any Tanzanian newspaper or on any website read by Tanzanians, without changing the content or the author's intent, and be sure to give credit to JamiiForums together with the author of the article, Saidhorizons.
What happened to the taxpayers' billions of shillings and who was asleep at the switch when this fraud and money laundering were taking place? It's one thing to be robbed at gunpoint but completely another when the "alleged" financial fraud or scam appears to be an insider job perpetrated by trusted employees that are paid to protect government resources. Presumably, whoever is responsible for this scam is someone who has been thoroughly vetted to perform this critical and sensitive function. How can that be possible? I think some of the managers and directors in the respective institutions must know more precisely what happened than they are letting on.
In spite of the banal accusations and counter-accusations that are trumpeted in the local press, there are some basic and fundamental questions that no one is bothering to address in the emotion and heat of the verbal war, and for this, I can't help but single out for special mention the BOT, the custodian and operator of the newly introduced Tanzania Interbank Settlement System, and the TRA, the owner and operator of the TRA Electronic Payment System. I am singling out these two institutions not because I think they are directly responsible for the fraud (no one knows that for sure), but because they are, or at least they should be, better equipped to identify the weaknesses in the Interbank payment settlement system and the TRA Electronic Payment System that can be exploited by cyber criminals. This would allow the investigators to derive some useful insights into the inner workings of these complex systems so that action can be taken to fix the problem, now that we are finding out, to our utter dismay, that these systems have huge security holes through which you can virtually drive a train or pilot an aircraft carrier, much to our complete shock and horror!
Government investigators need to approach this problem with reckless abandon, otherwise it might get worse if the guilty parties are not quickly identified and punished. Our initial reaction is to start asking the BOT and TRA some tough but fair questions: What kind of vetting was performed on both systems before they were declared ready for prime time? There was, of course, one way to find out: test the systems. I am assuming, therefore, that pilot trials were performed in both cases and one of the key objectives of the pilot trial was clearly to determine conclusively how the system would stand up against fraud by trusted insiders or by international cyber criminals.
Were the system interfaces and domains of responsibility clearly defined and assigned, including the hand-over or handshake protocol between one management domain and another? Usually cyber attackers take advantage of the security weaknesses at these handover interface points between systems, where domain responsibility may often be poorly defined or not defined at all. This would be the case if this type of technology and expertise is over the heads of the people involved in the system definition and specification. I am not particularly referring to Tanzanians; even in the US I have come across IT amateurs (commonly known as vilaza) masquerading as IT consultants and getting paid ridiculously high wages for their incompetency! These are the type of issues and reasons that have made a pilot trial an essential and integral part of any newly introduced technology-based financial system. Pilot trials provide the opportunity to make appropriate changes to the system or introduce new business processes if necessary prior to deployment in order to plug any identified security holes before an irreparable and expensive $77 million damage is inflicted, as we are sadly finding out now.
Be that as it may, it is abundantly evident, even to the hoi-polloi (yaani sisi akina pangu pakavu), that the person or persons responsible for the operations management and security systems for TISS and the TRA Electronic Payment System (EPS) must have been asleep at the switch, literally, if they found out months after the fact that a whole $77 million of the people's tax revenues cannot be accounted for! Either that or some of them were part and parcel of the cyber-crime syndicate that successfully conducted the fraud. Let's examine some of the evidence:
At the risk of losing some of the readers, I would like to let you (the reader) in on a little IT secret that anyone that is vaguely familiar with these modern electronic payment settlement systems would know. Without boring you (by getting too technical), a Payment Settlement system like TISS or TRA's EPS is comprised of several subsystems: a Terminal Access Device (TAD), the Core Transactions Database System, the Payment Gateway, the Operations Control System or Terminal (OCT), and the Extranet, which is a kind of secure private network that can only be accessed by authorized participants. For the purpose of this discussion and in the interest of time I will focus only on the Terminal Access Device and the Operations Control Terminal or Management System.
The Terminal Access Device (TAD) is a workstation (Windows or Linux PC based) that is supplied to each participant or client (e.g., TANESCO and TTCL) by the entity that operates the system. Presumably, in this case the TAD was recommended, tested, supplied and managed by the BOT if the BOT is responsible for operating TISS. Clients such as TANESCO and TTCL use the TAD to post transactions (e.g., make fund transfer requests) as well as perform regular housekeeping tasks such as generating daily reports, usually at the click of a mouse. Needless to say, access to the terminal is highly secure and severely restricted for obvious reasons. Only a handful of thoroughly screened and trusted employees are provided with carefully monitored access to the system.
One of the industry's preferred secure access technologies implemented in many of these systems is known as Secure ID (or SecurID), which is a computer authentication mechanism developed and marketed by a company known as RSA. It is widely used in the ICT industry because it is highly secure and hacker-resistant. The standard user-name and password access security that most computer users are familiar with is just not secure enough for the financial and banking sectors.
Passwords can easily be broken even by high school computer hackers, let alone sophisticated and international mafia-like cyber crime syndicates with deep pockets. A system that is entrusted with the safety of millions of taxpayers' dollars deserves to have the best security that money can buy in order to prevent unauthorized and ill-intended users from causing massive damage. This much we know with a reasonable degree of certainty. What I am personally not sure of is what security system has been implemented on either TISS or TRA EPS, but I hope it is not the standard user-name and password or PIN number because that would not be secure enough for such a sensitive and vital financial system.
The other subsystem I would like to spend a bit of time explaining is the Operations Control Terminal (OCT) or Management System (it goes by different names). It is also a workstation (Windows or Linux PC based) that is equipped with sophisticated system management software that is primarily used to monitor the TISS and EPS systems. Only the operators (BOT in the case of TISS and TRA in the case of EPS) of the systems would have access to the OCT; clients such as TANESCO or TTCL do not and should not have access to the OCT and this is done deliberately to ensure the utmost security of the system. Transactions posted by clients (TTCL and TANESCO) can be and are monitored but the clients are not necessarily aware that such monitoring is taking place or, if they are, they may not know what is being monitored. Which is just as well because they need to be kept in the dark for the security of the system.
A powerful application package associated with the OCT that I would like to bring to your attention is the Audit Trail software. Its job is to maintain a chronological log or history of all the key events or transactions that have been performed on the system by each person that has been granted access. That would be considered the minimum must-have capability or function included in such a system, assuming of course that the system procurement team was reasonably conversant with the importance of having such technology and that there was no pressure from management to cut corners in order to save a dime here and a nickel there. We need to find out.
Some of the benefits of audit trail logging include: Fraud detection through the active monitoring and reporting of unauthorized or unapproved information manipulation in the system. Another important benefit of the trail logging feature is what is known as "Data-change Non-repudiation". Simply put, this means that if a client changes a designated critical record in the system, for example, transfers tax funds to a CRDB account instead of a TRA account, and then denies having made that transfer, the validity of that claim can be confirmed by inspecting the audit trail log. Imagine how powerful that can be!
Examples of the type of information that can be logged in support of auditing include: the date and time of the event (e.g., transfer of funds), the unique ID of the person that invoked the transfer, the nature of the transfer (e.g., TTCL tax remittance to TRA), whether or not the attempted transfer was a success or failure, and who else (name of person and title) may have authorized the transfer in case more than one person is required to electronically or digitally sign off the transfer. I would imagine if the transfer involves a large remittance over, say, $1 million, a Director would have to authorize by "digitally" signing off the transfer. I am sure you have noticed my emphasis on a "digital signature" because such signatures are electronically encrypted for authenticity, which means it is almost impossible to forge the signature even if you try hard.
All in all it is a rather comprehensive and powerful set of features and one would rightly think fraud is all but impossible under such a tightly monitored system. Apparently not so in our beloved Bongo, which is really a sad indictment of our society!
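An added example (not part of the original article, and not code from TISS or the TRA EPS): a review pass over an audit-trail export carrying the fields listed above, flagging remittances sent to an unexpected account and large transfers without an independent Director sign-off. The log rows, account labels, user IDs and policy values are constructed assumptions.

```python
import csv
import io
from decimal import Decimal

# Constructed sample audit-trail export (not real TISS/EPS data). Columns follow
# the fields the article lists; account labels and user IDs are made up.
AUDIT_LOG = """\
timestamp,user_id,nature,source,destination,amount_usd,outcome,approver_id,approver_title
2012-03-01T09:14:02,u-1041,tax_remittance,CLIENT-A,TRA-REVENUE,250000,success,,
2012-03-01T09:20:45,u-1041,tax_remittance,CLIENT-A,BANK-X-4471,1800000,success,,
2012-03-02T11:02:10,u-2207,tax_remittance,CLIENT-B,TRA-REVENUE,3200000,success,u-9001,Director
2012-03-02T16:40:33,u-2207,tax_remittance,CLIENT-B,TRA-REVENUE,1500000,success,u-2207,Director
2012-03-03T08:05:57,u-3310,tax_remittance,CLIENT-B,BANK-X-4471,90000,failure,,
"""

EXPECTED_DESTINATION = {"tax_remittance": "TRA-REVENUE"}  # assumed policy table
SIGNOFF_THRESHOLD_USD = Decimal("1000000")  # the article's "say, $1 million"


def review(log_text):
    """Return (timestamp, user_id, reasons) for every record that breaks a rule."""
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        expected = EXPECTED_DESTINATION.get(rec["nature"])
        if expected and rec["destination"] != expected:
            # Failed attempts are kept: a blocked diversion is still a lead.
            reasons.append(f"{rec['outcome']}: destination {rec['destination']} is not {expected}")
        if rec["outcome"] == "success" and Decimal(rec["amount_usd"]) > SIGNOFF_THRESHOLD_USD:
            if not rec["approver_id"]:
                reasons.append("large transfer without second sign-off")
            elif rec["approver_id"] == rec["user_id"]:
                reasons.append("initiator approved own transfer")
            elif rec["approver_title"] != "Director":
                reasons.append("approver is not a Director")
        if reasons:
            findings.append((rec["timestamp"], rec["user_id"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in review(AUDIT_LOG):
        print(ts, user, "; ".join(reasons))
```

Each finding names the initiating user ID and the time of the event, which is the lookup an operator would run from the Operations Control Terminal.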
My questions to the institutions that are charged with the responsibility of operating TISS and EPS are: Has a similar or equivalent audit trail capability been implemented as part of the operations support system and can these logs be used to identify the person or persons that are responsible for making the $5M (or $77M whatever the case may be) transactions that are currently the subject of investigation? If not, why not? What information is missing from both management systems, or more correctly, who dropped the ball on this? Such reports should be available in the operations support systems and should be accessible in a matter of seconds or minutes, not days or months.
When did management first find out that a financial fraud had been perpetrated? Why was it not known sooner? Or more correctly, why did it take so long to detect these financial irregularities given that the operations control system is capable of detecting and reporting on such abnormalities in a matter of seconds? So many questions, so few answers. While it appears (on the surface at least) that the TRA should probably bear the bulk of responsibility instead of trying to wash their hands of their obligations, the matter can be resolved much faster if both the BOT and TRA work together since their systems do interface at some point, which technically could create a security domain black-hole, or what I would like to call the "demilitarized zone" or "a no man's land" that can be exploited by astute cyber criminals.
TANESCO and TTCL should not be allowed to get off scot-free either. I certainly did not want to give the impression that they have zero responsibility in this sad saga and that they are only coming along for the ride! Not so! They should produce a digitally signed document that demonstrates that the purported funds transfer was successfully posted on the EPS system, but the question that I can't answer is: did the TRA include digital signature confirmation in their system that would confirm the transfer had been attempted and succeeded? As I have said before, prima facie evidence suggests TANESCO and TTCL also have a few questions of their own to answer and who knows, they may also eventually share culpability. But first things first: at this early stage of the investigation the buck must stop with the BOT and TRA, who should have done a much better job of monitoring the operations control systems for TISS and EPS respectively. Overall system security belongs in the hands of the BOT and TRA and not TANESCO or TTCL, who after all are only users and have limited visibility to the rest of the system.
One last parting shot to all concerned parties in this saga: Please spare us from this melodramatic finger-pointing public relations exercise through the press. Don't send us on a wild goose chase; let's deal with the real issues and potential solutions and put the finger-pointing and confabulation aside for now. We "the people" - the rank and file - need and deserve to get real and honest answers, not some manufactured smoke screen laid down by managers who are busy protecting their patushkas instead of seeking a solution to the problem at hand.