The BVN is one of the most important pieces of personal information owned by any bank account owner in Nigeria. It can be used to identify individuals, open accounts, authenticate transactions, and lots more. As far as banking in Nigeria is concerned, it is a person’s identity.
With increasing rates of cybersecurity risks across the world, more people are becoming conscious of how the information they share online can be used to cause harm to them. However, a side-effect of that consciousness is also unnecessary panic.
Seeing as the BVN is a person’s identity, there’s a healthy level of panic or concern with the potential of its exposure to malicious characters like hackers and fraudsters. But how much of it is true?
If your BVN is exposed to a hacker, can they use it to withdraw funds from your account? How about obtaining loans in your name?
To understand the true extent of the BVN’s vulnerability, I had a chat with Nosakhare Oyegun, Head of Retail product and partnerships at Kuda Bank. With over six years of experience in Nigeria’s banking sector, Nosa has a significantly better understanding of the security challenges associated with BVN exposure.
But first, a little detour to explain what the BVN is for confused readers.
What is BVN?
BVN is short for Bank Verification Number, a unique identifying number code that every Nigerian bank account holder is required to have. Since February 2014, the Central Bank of Nigeria has mandated every Nigerian bank account owner to register for the BVN.
Every person’s BVN is unique, and as the name implies can be used to verify the person’s identity. Although the BVN is unique to every individual, it can be used to open multiple bank accounts with different banks.
During the BVN registration, people are typically required to submit their biodata, including their bank account, full name, phone number, email, and other personal identifiable information.
If you’re a bank account owner, you can check your BVN by dialing the USSD code: *565# on the phone number attached to your bank account/BVN. It works for all banks and networks.
Can your BVN be used to hack your account or withdraw it?
On its own, the BVN cannot be used to withdraw funds from a person’s bank account or hack it. However, it is still a crucial piece of information that can be used to that end.
One common kind of fraud that hackers attempt with people’s BVNs is Identity theft. While the BVN does not give direct access to your personal account, many banks and financial institutions use it for verification/authentication i.e. they use the number to confirm that you are who you say you are. Combined with other information like date of birth, bank account number, etc., a BVN can be potentially used to steal a person’s identity. That stolen identity can then be used to obtain access to the person’s bank accounts.
“Some banks use BVN or BVN information for account recovery so someone with your BVN can hijack your account based on the information on it. In the past, BVN was also needed to enroll for USSD banking. Hackers could rob a person, look up their BVN with a short code and enroll them in USSD banking. From there, they control their account and withdraw from it.” Nosa shared.
What information can your BVN be used to access
While your BVN cannot be used to directly withdraw from your bank account, it does contain some important information that can be used by hackers. With the right tools, hackers can usually find out a person’s name, email, bank account, home address, phone number, and picture using their BVN.
It is important to keep this in mind because some hackers use this information to perform social engineering or phishing attacks on people. A common tactic is to call pretending to be your bank and volunteer the information they have obtained to convince you to give them more information like an OTP or card details.
Keep in mind that your bank will never call you asking for any information that can be used to access your account like your full card details, transaction pin, or one-time password (OTP).
What should you do when your BVN is compromised?
There’s no sure way to know if your BVN has been compromised. Not until the hackers make an attempt, at least. The attempts can come in multiple ways, so you have to be careful.
“My sister-in-law got her BVN details exposed recently. She doesn’t live in Nigeria so she uses my burner number when she’s in town. When her BVN got compromised, I started getting a lot of phishing messages on the number. They tried to open an FCMB account one time. Another time, they called me pretending to be bank customer service asking for an OTP,” Nosa said when speaking about the dangers of having a compromised BVN.
“The best thing to do once your account has been compromised is to change the contact information linked to your BVN - email, and phone. It’s not the easiest thing to update, which is why I don’t recommend being in that position to get compromised” he added.
To change the information on your BVN, you’ll have to visit one of your bank branches and fill out a form to alter your biodata. This prevents hackers from having access to your information.
Information is power, and power in the hands of the wrong people will be used for wrong. While the BVN on its own is useless to hackers, it is still important information that we should try to keep private. Here are a couple of tips for keeping your BVN safe from hackers:
- Never share your BVN with anyone — even if they’re not hackers, they might not be as careful as you, and may mistakenly share it with other people
- Never post your BVN online
- If you write your BVN on a piece of paper or physical surface, make sure it is kept in a secure location or discard it once you’re done using it.