The growth of mobile money transactions has brought about unique challenges, including IT-savvy fraudsters.
Revealed at the AITEC Banking and Mobile Money Comesa in Nairobi, this new type of fraud is forcing security managers to review existing operating systems.
The AITEC conference, themed 'Innovation for a new era of financial inclusion and regional integration', comes amid rising interest in mobile money across the world and how it can be harnessed to deepen financial access, especially in developing countries.
Kenya recorded nearly $1 billion in mobile money transactions in December 2010, according to the Central Bank of Kenya.
But the switch from traditional methods of transferring and storing money to mobile banking has raised new security issues for the banking industry.
Most mobile banking platforms use unstructured supplementary service data (USSD) for transactions. USSD is a communication technology used to send text between a mobile phone and an application program in the network.
But fraudsters can intercept mobile banking data while it is being transmitted or when it is stored on servers. Mobile data is encrypted while in servers - making it difficult to breach - but is not encrypted when the data is being transferred over the network. However, most network systems have built-in encryption mechanisms, encoding any data that passes through the network.
Weakest link
Experts at the conference shared their experiences in tackling these challenges. “Most applications are not designed with security in mind. Security issues can come through either internal breach or external threats,” said Titus Gitau, product manager of Amiran Communications.
According to Gitau, internal threats include system administrators having unchecked access to the system, without a monitoring process in place. “You need to have layers of security on the phone side of the system and at the data centre.”
However, the weakest link in the mobile money chain is at the point of registration, where double authentication is required to make sure customers' phone numbers match the account in which they hold their money. Even with this base covered, the system needs consistent monitoring, as fraudsters are always searching for ways to exploit the system.
A recent report by Kenya Bankers Association (KBA) and Anti-fraud Police Unit revealed that most cases of fraud happen in close collaboration with staff, especially in the IT department, with identity theft a rising trend.
One Kenyan bank reported how criminals would falsify bank customers' IDs, and approach bank staff, requesting personal details to be changed, including telephone numbers.
"Since we thought we were dealing with genuine account holders, we had no reason not to change the details of the customer," says one customer care employee of the bank. Once the contact details are changed, the fraudster can transfer funds from the account using the new contact numbers.
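The control implied by the bank's account of this fraud is a simple one: a transfer that follows shortly after a change of the registered phone number, or that originates from a phone other than the registered one, deserves a hold and a second check rather than immediate execution. The following is an added illustration, not code from the article or from any bank or mobile money operator; the event schema, account identifiers, phone numbers and the 48-hour window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One row of a constructed account-activity log (hypothetical schema)."""
    ts: datetime
    kind: str        # "contact_change" or "transfer"
    account: str
    phone: str       # new registered phone for contact_change; originating phone for transfer
    event_id: str
    amount: int = 0  # only meaningful for transfers


# Constructed sample data: the registered phone per account before the log starts.
INITIAL_REGISTRY = {
    "ACC-001": "+254700000011",
    "ACC-002": "+254700000002",
    "ACC-003": "+254700000033",
}

# Constructed sample log. E1/E2 reproduce the pattern in the article: the contact
# number is changed and a transfer follows 30 minutes later. E4/E5 show a legitimate
# change made well before the transfer. E6 is a transfer from an unregistered phone.
EVENTS = [
    Event(datetime(2011, 2, 1, 9, 0), "contact_change", "ACC-001", "+254700000001", "E1"),
    Event(datetime(2011, 2, 1, 9, 30), "transfer", "ACC-001", "+254700000001", "E2", 50000),
    Event(datetime(2011, 2, 1, 10, 0), "transfer", "ACC-002", "+254700000002", "E3", 2000),
    Event(datetime(2011, 1, 20, 8, 0), "contact_change", "ACC-003", "+254700000003", "E4"),
    Event(datetime(2011, 2, 1, 11, 0), "transfer", "ACC-003", "+254700000003", "E5", 8000),
    Event(datetime(2011, 2, 1, 12, 0), "transfer", "ACC-002", "+254700000099", "E6", 1500),
]


def review_transfers(events, registry=None, window=timedelta(hours=48)):
    """Replay the log in time order and return {transfer_id: [reasons]} for transfers
    that should be held for additional verification.

    Two checks are applied:
      - phone_mismatch: the originating phone is not the account's registered phone
        (the "double authentication" of phone number against account).
      - recent_contact_change: the registered phone was changed within `window`
        before the transfer (the pattern behind the identity-theft fraud).
    """
    registry = dict(registry if registry is not None else INITIAL_REGISTRY)
    last_change = {}
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "contact_change":
            # Apply the change, but remember when it happened for the cooling-off check.
            registry[ev.account] = ev.phone
            last_change[ev.account] = ev.ts
        elif ev.kind == "transfer":
            reasons = []
            if registry.get(ev.account) != ev.phone:
                reasons.append("phone_mismatch")
            changed_at = last_change.get(ev.account)
            if changed_at is not None and ev.ts - changed_at <= window:
                reasons.append("recent_contact_change")
            if reasons:
                flagged[ev.event_id] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in review_transfers(EVENTS).items():
        print(f"hold {event_id}: {', '.join(reasons)}")
```

Replaying the log this way, rather than checking each transfer in isolation, matters: the registered number at the moment of the transfer already matches the fraudster's phone, so only the history of changes reveals the problem. In a live system the cooling-off window would also trigger an out-of-band notification to the previously registered number.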
At base, mobile money security hinges on subscriber authentication, radio interface encryption, subscriber identity confidentiality, and transparency of security features.
Swindling Mpesa
Kenya's widely-acclaimed mobile money transfer service, Mpesa, has tied the personal nature of mobile handsets to government identification cards to strengthen the security of the system. All Kenyans above the age of 18 years are required to have IDs issued by the government.
The ID (or passport for foreigners) is required when customers register for Mpesa, and it is subsequently used for any transaction, with users required to produce their ID when depositing or withdrawing money from Mpesa agents.
This helps agents verify the transaction through a code received on their phone, correlating the user's ID with the transaction details. But even with this secure identification system, fraudsters still find a way round it to defraud unsuspecting Mpesa customers by sending fake lottery wins to random customers.
The fraudsters then ask customers to send money via Mpesa to the swindlers.
However, security analysts point out, this scam is outside the security system and relies on the customers' co-operation.
Another security issue is on the service supply side, where mobile money networks operate in a regulatory vacuum. By not using the interest accrued by deposits made by customers, mobile money transfer systems in Kenya side-stepped being regulated by the Banking Act.
This has left the service in a regulatory grey area, where the deposits are kept in a commercial bank, leaving customers exposed in the event of the bank's collapse.
The Central Bank of Kenya is reluctant to regulate the emerging industry, saying this may stifle innovation and suppress the growth of the sub-sector.