Cybersecurity for Mobile Financial Services: A Growing Problem
Mobile phones are helping millions of low-income customers to access financial services for the first time, but they are also exposing them to new cyber threats they could never have imagined. A few years ago, a friend of mine in Uganda — let’s call him Jonathon — learned this firsthand.
The trouble started when Jonathon happened to glance at his mobile phone and noticed the words “NO SERVICE” on the screen. At first, he wasn’t concerned. His mobile network occasionally went down, and within a few minutes his phone reconnected to the network.
Later that day, however, he tried to use his mobile money account to send his wife some money so that she could take their son to a doctor, but the transfer failed. When he checked his balance, he learned that the entire amount he thought was in his account — more than $100 — was gone.
What happened to Jonathon is becoming more commonplace in countries where mobile money is popular. For instance, the Serianu 2017 Africa Cyber Security Report estimates that cybercrime in mobile-based transactions costs businesses $140 million per year in Africa. So, what exactly happened to Jonathon? Why is this becoming more common? And what can providers and policy makers do to prevent it?
What happened to Jonathon's money?
This part is easy to explain. A criminal got into Jonathon’s account and sent all his money to a group of friends, perhaps as little as $10 each. After receiving the transfer, each friend went independently to an agent and cashed out. They gave most of the cash to the criminal, keeping some for themselves. This type of low-level money laundering happens regularly in the modern criminal environment.
How was Jonathon’s account accessed?
A more interesting question is how the criminal got access to Jonathon’s account in the first place. To carry out this type of crime, a criminal needs the victim’s account credentials. Specifically, he or she needs two pieces of information: the victim’s mobile money account number (usually a mobile phone number) and PIN.
Getting someone's mobile phone number is fairly straightforward. Sometimes the victim is a well-known figure or shares his or her contact details on social media. In other cases, the victim is overheard giving his or her number to a friend in a bar.
Criminals have various ways of obtaining their victims' PINs too. The old-fashioned way is to stand behind customers at an agent's shop and watch them complete transactions (i.e. shoulder surfing). Unfortunately, many people are still unguarded when typing their PINs. Some people even write their PIN on the back of their mobile phone, which displays a disappointing lack of awareness of the implications.
However, industrial-grade PIN harvesting is supplanting these slow approaches to obtaining individual PINs. There are many opportunities to acquire digital financial services (DFS) account numbers and the associated PINs without ever meeting (or even knowing) the person whose money is being stolen. USSD is the most common form of access to mobile money services in developing countries, and it does not offer much protection for these sensitive credentials. Credentials can be collected in a number of ways that providers and policy makers should be aware of.
- Someone using a laptop in a coffee shop can capture all of the USSD sessions (including PINs) for everyone using a nearby cell tower.
- If a criminal wants to target a specific group of people, such as businesspeople attending a conference in a hotel, he or she can set up a fake cell tower with nothing more than a laptop and a mobile phone attached to it, looking as if it is simply being charged. The criminal can then trick everyone’s cell phones into connecting to the fake cell tower, giving him or her access to the group’s transactions.
- Someone with access to the mobile operator’s network – say, a disgruntled staff member – can connect a laptop to the network and quietly log users’ credentials as they enter them over the network.
- If criminals want to target a particular person (e.g., a high-net-worth individual), they can do it from a laptop without even being in the same country. Criminals often do this by using USSD to push a message to the victim's phone that looks like it is from his or her DFS provider, saying that because of a security issue they need to re-enter their PIN. The information they enter is then returned directly to the criminal.
How was Jonathon’s account used in the attack?
Obtaining Jonathon’s credentials was only the first part of the attack. In this type of crime, the criminal then has to use the stolen credentials to access his money, for example through a SIM swap.
A SIM swap is the transfer of a mobile phone number from its original SIM to a new SIM. It is an important service that allows customers to keep their number and account after acquiring a new SIM card. Unfortunately, the service can be misused to transfer a victim’s mobile phone number to a new SIM (resulting in the “NO SERVICE” message on their mobile phone) without their knowledge or permission. The new SIM is placed in a mobile phone, at which point the criminal uses the captured PIN to access the target’s account and send money to be cashed out and laundered. Afterwards, the SIM swap is reversed, and the victim’s mobile phone comes back to life — but the money is gone.
What can providers and policy makers do to help customers like Jonathon?
By the time Jonathon realized something was wrong, his money was long gone. While it might be possible to trace the people who carried out the money laundering, it is virtually impossible to get Jonathon’s money back – and in his country, Jonathon is liable for the loss, not the DFS provider. It would have been better if the service had been better secured in the first place. As detailed in the slide deck below, there are some simple measures that providers and policy makers can adopt to protect other mobile financial services users from cyberattacks.
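One such measure, written as an added example rather than anything from the original post or its slide deck: a provider-side transfer check that combines the two signals the story above gives us, a recent SIM swap on the sending number and the "split among several friends" fan-out that precedes cash-out. Record field names, thresholds and the sample events are assumptions constructed for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class SimSwap:            # provider record of a number moved to a new SIM (field names assumed)
    msisdn: str
    at: datetime
@dataclass
class Transfer:           # outgoing mobile money transfer (field names assumed)
    msisdn: str           # sending account, i.e. the mobile number
    to: str               # receiving account
    amount: float
    at: datetime
# Policy thresholds: assumed values that a provider would tune against its own fraud data.
SWAP_HOLD = timedelta(hours=24)        # hold outgoing transfers this long after a SIM swap
FANOUT_WINDOW = timedelta(minutes=30)  # window for the "split among friends" cash-out pattern
FANOUT_RECIPIENTS = 3                  # distinct recipients in that window that trigger step-up

def evaluate(transfer, swaps, history):
    """Return ('allow' | 'step_up' | 'hold', reasons) for one outgoing transfer."""
    reasons = []
    # 1. SIM swap cooling-off: the number is moved to a new SIM and drained before the victim notices NO SERVICE.
    if any(s.msisdn == transfer.msisdn and timedelta(0) <= transfer.at - s.at < SWAP_HOLD
           for s in swaps):
        reasons.append("sim_swap_within_hold")
    # 2. Recipient fan-out: several small transfers to different accounts in quick succession (the laundering step).
    recent = {t.to for t in history
              if t.msisdn == transfer.msisdn and timedelta(0) <= transfer.at - t.at <= FANOUT_WINDOW}
    recent.add(transfer.to)
    if len(recent) >= FANOUT_RECIPIENTS:
        reasons.append("recipient_fan_out")
    if "sim_swap_within_hold" in reasons:
        return "hold", reasons       # release only after the subscriber is re-verified in person
    if reasons:
        return "step_up", reasons    # e.g. require an out-of-band confirmation first
    return "allow", reasons

def replay(swaps, transfers):
    """Evaluate transfers in time order; earlier attempts (even held ones) feed the fan-out check."""
    decisions, history = [], []
    for t in sorted(transfers, key=lambda x: x.at):
        decisions.append(evaluate(t, swaps, history)[0])
        history.append(t)
    return decisions

# Constructed sample data: a swap on the victim's number at 10:00, then three $10 transfers
# within ten minutes (the Jonathon scenario), plus a second account that shows fan-out alone.
T0 = datetime(2018, 3, 1, 10, 0)
SWAPS = [SimSwap("VICTIM", T0)]
DRAIN = [Transfer("VICTIM", f"FRIEND{i}", 10.0, T0 + timedelta(minutes=2 * i + 1)) for i in range(3)]
FANOUT_ONLY = [Transfer("OTHER", f"R{i}", 10.0, T0 + timedelta(minutes=i)) for i in range(3)]
```

`replay(SWAPS, DRAIN)` holds all three transfers because of the swap, while `replay([], FANOUT_ONLY)` allows the first two and asks for step-up on the third; in the story, the hold alone would have kept Jonathon's balance in place until he re-verified his number.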
This is a very important post! Thanks for this perspective, Paul.
I work in Myanmar, where most people are coming online for the first time. DFS is in its earliest days here, but it's growing rapidly. Quite frankly, the DFS providers aren't doing enough to prepare clients for the literacy required to transition into a digital world, especially on issues of personal security like PINs and password protection. The social enterprise I lead is launching a campaign this week that uses a combination of entertaining animated shorts to reduce customer suspicion of DFS products, a heuristics-style e-training to build understanding of e-wallet security and use cases, and calls to action linking them to DFS services. But all of this is undermined if the providers haven't done their part in securing their systems! Can you comment on what the reality is on the ground in Myanmar DFS? What about the security of smartphone-based mobile money transactions relative to USSD?
The tech-based service delivery mode, i.e. mobile, is smart, but how do we make the users in the informal sector smarter than the device? Technology intrusion is too fast; it facilitates more for the criminals than it allows those in the poverty sector to get accustomed to it.
Thanks for the great and detailed post and deck - one of the clearest and most comprehensive I've seen. You describe some of the controls that are possible to deal with both the risks of feature-phone and smartphone-based apps. I think there is a lot more that both operators and DFS providers can do regarding the risks associated with SIM swaps (for example, would it be wise to put a temporary hold on mobile money transactions for a period after a SIM swap? Or to introduce extra verification for SIM swaps for accounts with high DFS balances?).
For smartphones, there is an additional risk of fake apps that may intercept or impersonate a DFS transaction. This is a proven vector in mobile banking, and is surely due to migrate to the DFS space soon.