Aug 16, 2022 | Blog

Boosting The Safety And Security Of Mobile Money Transfer Transactions In Africa

This is the 20th post in a blog series to be published in 2022 by the Secretariat on behalf of the AU High-Level Panel on Emerging Technologies (APET) and the Calestous Juma Executive Dialogues (CJED).

Africa has a wealth of economic potential in nearly every socioeconomic development sector. As a result, Africa's young population presents enormous opportunities for harnessing digital technologies and underscores the necessity for Africa to prioritize digital technologies. This is due to the fact that digital transformation is a driving force behind inclusive, innovative, and long-term socioeconomic growth. By making goods and services easier to obtain and more widely available, technological advancements and digitalization are helping Africa's economy create jobs and combat poverty while also reducing inequality. In essence, this is helping to achieve the Agenda 2063 of the African Union and the Sustainable Development Goals of the United Nations.[1]

Digital technologies can promote Africa's economic integration, generate inclusive economic growth, stimulate job creation, bridge the digital divide, and eradicate poverty.[2] Furthermore, the African Union (AU) has labelled digital technologies as one of the enablers to leapfrog Africa into sustainable and inclusive socio-economic development and growth. For example, the African Union's Digital Transformation Strategy for Africa (2020-2030) has characterised the utilisation of digital technologies and innovation as a prerequisite to transforming African societies.[3]

Financial technologies (fintech) applications are one of the domains digital technologies have revolutionised across the African continent. Fintech is effectively augmenting, streamlining, and digitalising the conventional structure of financial services.[4] These applications have established financial ecosystems that are providing solutions to address some of the gaps in the provision of financial services. Consequently, fintech is progressively growing and changing the financial services value chain and boosting financial inclusion to encourage socio-economic development and growth.[5] This also enables various financial operational mechanisms such as depositing payments, paying bills, and obtaining financial assistance. For example, these are executed through mobile money banking, mobile payment, crowdfunding platforms, insurance technology, blockchain, and cryptocurrency.[6]

Fintech applications such as mobile money are potentially expanding access to financial services to approximately 300 million unbanked and underbanked Africans.[7] The upsurge of fintech firms and substantial banking investments into digitalisation has further enhanced innovation, strengthened local economies, and catalysed equitable, inclusive economic development and growth across Africa.[8] There were about 548 million registered mobile money accounts by the end of 2020, with approximately 150 million active users every month.[9] However, safety and security challenges associated with these technologies should be addressed for better absorption and enhanced trust and confidence in their applications from African users.

Notably, mobile money transfers are transactions involving money transfers between individuals, such as remittances, social benefits, reimbursements and all sorts of transfers which can occur between two persons. There are also payments from individuals to companies and vice-versa, such as purchases, subscriptions, bills, insurance contributions, taxes, and payments to suppliers. Mobile money systems facilitate emergency payments and electronic money transfers to adjudicate domestic financial matters. This is demonstrated by the number of global mobile users, which has increased from 0.8 billion in 2014 to 1.8 billion in 2019.[10] In Africa, the East African Community has reported an increase in mobile money transactions from 33 billion Uganda Shillings in 2009 to 32,506 billion Uganda Shillings in 2015.[11]

The mobile money transfer service is vulnerable to fraud in which a virus executes fraudulent financial transactions targeting online banking customers. In such cases, the malware can be spread to retrieve data and authentication information from various personal accounts.[12] The malware can then perform money transfers from the user's account to a mule's account. This kind of attack is usually undetectable by traditional anti-virus software, which lacks the capacity to jointly analyse events linked to the network and the susceptible mobile money applications. To address these safety and security challenges, appropriate mobile money security and detection features for these services should be formulated and implemented.

Some of the safety and security challenges of financial technology-enabled transactions include identity theft, authentication, phishing, vishing, SMiShing, personal identification number (PIN) sharing, and agent-driven fraud.[13] Thus, mitigation measures should be implemented, such as better access controls, customer awareness campaigns, agent training on acceptable practices, strict measures against fraudsters, high-value transaction monitoring by the service providers, and the development of comprehensive legal documents to operate mobile money services. There are other challenges, such as eavesdropping and weak cryptography. However, modern data networks and smartphones are offering substantive opportunities for improvement.

The opportunities for African countries to address these challenges on mobile money applications include user security measures, server-side practices, and the policy environment. These opportunities include addressing the critical vulnerabilities to enhance the protection of user credentials and the payment history that may essentially result in the fabrication and modification of transactions.[14] Some Android-based mobile money applications can correctly validate the transport layer security (TLS) certificates through the default certificate verification mechanisms.[15] On the other hand, some mobile money transfer developers have adopted the utilisation of keys to encrypt the user PIN to enable a secure authentication process for the service.

In some cases, the protected TLS certificate validation is effectively enabled through the crypto implementation in money on mobile, and the messages are sent over plaintext HTTP. This enables the systems to safeguard user data confidentiality and transaction integrity through user authentication of transactions. However, when these systems are attacked, the user may pay the price of limited security. This is because certain security aspects, such as fraud detection algorithms, can be costly. The server configurations should also be patched through user-biased cryptographic technologists.[16]

It has been reported that the limited applications of mobile money transactional applications involve some characteristic privacy and safety policies associated with the technology. Sometimes, the privacy policies are cryptic and rarely outlined in the languages most commonly used within the country. In other instances, the mobile application does not identify the user from whom the data being utilised was collected. Consequently, this presents vulnerabilities to misappropriation and misuse of mobile money services in some African countries. The African Union High-Level Panel on Emerging Technologies (APET) advises that it remains essential and crucial to establish well-written and well-outlined privacy policies.

For example, these loopholes may even provide some criminals with a significant platform to undertake cybersecurity crimes. Unfortunately, the hasty expansion of this application presents African countries with limited time to formulate thorough law enforcement mechanisms against such cybersecurity acts and regulatory mechanisms.[17] Notably, the mobile money cybersecurity challenges may arise from various mobile money value chains such as the network providers, vendors and agents, customers, and employees. Because of the limited policy and regulatory frameworks governing the utilisation of the technology, APET observes that it becomes difficult to enforce and, in some instances, even apply law enforcement mechanisms to protect the various stakeholders along the mobile money value chain.

Some prevalent crimes within this value chain include fraudulent top-up using compromised or stolen credit cards, identity and subscription fraud, dealer and agent fraud, commissions fraud, internal employee collusion fraud, social engineering fraud, SIM swaps and roaming fraud.[18] Therefore, despite the immense benefits of enhancing access to financial services, the acceptance of the usage and the implementation of mobile money transfers have remained significantly limited due to security challenges related to the system. Some research studies have been conducted to understand mobile money security, particularly in Africa, India, and South America. However, APET suggests more research to understand and formulate better implementation mechanisms and frameworks to inform policy development and implementation.

With the increased mobile money transactions taking place in Africa, there is a need to protect the systems against information breaches and abuse. APET notes that this is even more important in the complex and changing environment with emerging stakeholders with varying interests and objectives. Fundamentally, most African countries do not have straightforward policies specifically addressing information security roles and responsibilities and overlaps.[19] Therefore, APET is challenging African countries to explore and strengthen their existing information security management policies, procedures, practices, and standards. African countries are also encouraged to constantly investigate and regulate the vulnerabilities and limitations of the existing information security management policies, procedures, practices, and standards, particularly regarding mobile money transactions.

APET is also advising African countries to develop and recommend information security management frameworks for mobile money systems and validate the information security management frameworks developed. In such cases, a multi-case qualitative strategy can be adopted to formulate well-structured mobile money systems that can address user information security challenges and concerns.[20] The mobile money agents can efficiently register mobile money end-users, manage mobile money information, and implement mobile money systems. Fundamentally, the data collection can entail observation, face-to-face interviews, and incorporate review processes of existing policy, procedural, regulatory, and practical mobile money services. This can result in coordinated and efficiently managed mobile money activities.

Despite the benefits of mobile money systems, reports show that the existing policies, procedures, regulations, and standards of mobile network operators are not well-equipped to address information security oversight challenges.[21] This limits the capacity to safeguard financial information in mobile money systems efficiently. This is because the information security management roles are not shared among all mobile money stakeholders. Furthermore, the anonymous and non-registered mobile phone users allowed to access mobile money services potentially pose an information security risk to mobile money users. Moreover, privacy is not prioritised in mobile money transactions. For example, third parties are allowed access to customers' financial information, yet there are insufficient compliance monitoring and control systems. As a result, this gap provides a suitable environment for information infringements and manipulations of mobile money transactions.

Therefore, APET advises African countries to improve their information security management frameworks for mobile money systems. This can strengthen the existing mobile money regulations, policies, procedures, and practices and allow mobile money payments to operate based on trust. Furthermore, mobile money operators should introduce identification procedures for mobile money recipients when withdrawing their money to enable tracing and verification of illegal mobile money transfers.

A mobile money cybercrime attack was observed in Uganda in 2020, where an estimated US$3.2 million was stolen by hackers using over 2,000 SIM cards.[22] There are also reports that Kenya's M-PESA mobile application has been utilised for money laundering, bribery, and ransom payments during kidnapping and extortion activities.[23] To address these challenges, APET advises that cybersecurity and personal data protection frameworks can provide credible frameworks for such cybersecurity activities in Africa. These can be monitored through electronic transaction organisation, personal data protection, cybersecurity promotion, e-governance, and the fight against cybercrime.

APET believes that mobile money cybercrimes can be prevented by incorporating machine learning and artificial intelligence-enabled real-time monitoring and visualisation technologies to secure financial transactions. To further strengthen mobile money transactions, APET advises that additional features such as risk classification, anti-money laundering (AML) watchlists, and activity monitoring can adequately safeguard mobile money transactions from potential criminal activities and fraud incursions.

Interestingly, some African countries such as Rwanda and Nigeria are strengthening their regulatory and supervisory technological solutions to improve mobile money's safety and security. For instance, the National Bank of Rwanda utilises an automated electronic data warehouse to streamline reporting and supervisory processes of more than 600 financial institutions such as banking and microfinance institutions and savings and credit cooperative organisations.[24] In such cases, mobile money data is automatically retrieved daily to monitor mobile money transfer operations.[25] As a result, this enables efficient tracking and identification of potential money laundering activities.

The Nigerian Central Bank and Nigeria Inter-Bank Settlement System are creating a "data stack" incorporating data warehouses and dashboards to enhance risk-based and immediate financial supervision.[26] This also provides information for developing new policy frameworks to strengthen regulatory interventions and financial inclusion provisions on mobile money transactions. Thus, APET encourages African countries to replicate such approaches to secure the applications for mobile money transfers in Africa.[27]

In conclusion, APET advises that African countries formulate anti-money laundering controls and specifically establish mobile money controls to safeguard mobile money and value transfers. APET realises that it is difficult to balance financial integrity and financial inclusion; however, the risk-based approach can enable African governments to implement adequate, safe, and secure anti-money laundering measures. This can effectively preserve the financial integrity of mobile money transactions and enhance financial inclusion ambitions.

Featured Bloggers – APET Secretariat

Justina Dugbazah

Barbara Glover

Bhekani Mbuli

Chifundo Kungade

Nhlawulo Shikwambane

[1] https://au.int/sites/default/files/documents/38507-doc-dts-english.pdf.

[2] https://www.worldbank.org/en/news/feature/2021/09/24/narrowing-the-digital-divide-can-foster-inclusion-and-increase-jobs.

[3] https://au.int/sites/default/files/documents/38507-doc-dts-english.pdf.

[4] https://www.analyticssteps.com/blogs/what-fintech-examples-and-applications.

[5] https://acetforafrica.org/publications/covid-19-essays-on-innovation-and-recovery-for-africa/fintech-an-inclusive-pathway-to-economic-recovery/?gclid=Cj0KCQjwidSWBhDdARIsAIoTVb1ej8AaoRXQPi_NUVY-MGe_EaleGP4rLVov3jxoG40h7yamrvJZrn4aAkPtEALw_wcB.

[6] https://pubdocs.worldbank.org/en/230281588169110691/Digital-Financial-Services.pdf.

[7] https://www.gsma.com/mobilefordevelopment/wp-content/uploads/2021/03/GSMA_State-of-the-Industry-Report-on-Mobile-Money-2021_Full-report.pdf.

[8] https://www.cio.com/article/220543/digital-banking-boosts-financial-inclusion-new-business-models-in-africa.html.

[9] https://www.forbes.com/sites/tobyshapshak/2021/05/19/mobile-money-in-africa-reaches-nearly-500bn-during-pandemic/?sh=73c81dad3493.

[10] https://web.worldbank.org/archive/website01523/WEB/IMAGES/IC4D_2-4.PDF.

[11] https://www.theeastafrican.co.ke/tea/business/mobile-money-fraud-crime-rate-increase-in-uganda--1356614.

[12] https://www.frontiersin.org/articles/10.3389/fcomp.2021.563060/full.

[13] Ali, G.; Ally Dida, M.; Elikana Sam, A. Evaluation of Key Security Issues Associated with Mobile Money Systems in Uganda. Information 2020, 11, 309. https://doi.org/10.3390/info11060309.

[14] https://genesis.imgix.net/uploads/downloads/FSS-Vodacom-Public-Policy-Series_Future-proofing-Mobile-Financial-Services_November-2019.pdf.

[15] Razaghpanah, Abbas & Akhavan Niaki, Arian & Vallina-Rodriguez, Narseo & Sundaresan, Srikanth & Amann, Johanna & Gill, Phillipa. (2017). Studying TLS Usage in Android Apps. 350-362. 10.1145/3143361.3143400.

[16] https://www.cepal.org/sites/default/files/events/files/day_2-session_5-security_privacy_concerns-kevin_butler.pdf.

[17] https://enactafrica.org/research/interpol-reports/mobile-money-and-organised-crime-in-africa.

[18] https://www.subex.com/blog/demystify-mobile-money-risks-and-money-laundering-with-better-monitoring-controls/.

[19] Jamshed S. (2014). Qualitative research method-interviewing and observation. Journal of basic and clinical pharmacy, 5(4), 87–88. https://doi.org/10.4103/0976-0105.141942.

[20] https://academic.oup.com/wbro/article/33/2/135/5127166.

[21] https://finmark.org.za/system/documents/files/000/000/267/original/Final-Report-on-Mobile-Money-in-South-Africa.pdf?1603094540.

[22] https://allafrica.com/stories/202010080867.html.

[23] https://cashessentials.org/africas-mobile-money-industry-is-infiltrated-by-crime/.

[24] https://datahelp.imf.org/knowledgebase/articles/1906552-fas-what-is-mobile-money-how-is-it-different-fro.

[25] https://blogs.worldbank.org/psd/leveraging-suptech-financial-inclusion-rwanda.

[26] di Castri, Simone and Grasser, Matt and Kulenkampff, Arend, The ‘DataStack’: A Data and Tech Blueprint for Financial Supervision, Innovation, and the Data Commons (May 7, 2020). BFA Global, 2020, Available at SSRN: https://ssrn.com/abstract=3595344.

[27] https://bfaglobal.com/wp-content/uploads/2020/01/R2AWhitePaper.pdf.