
Rebecca Wanjiku
As mobile-money services become a prime target for cybercriminals, African providers are facing growing pressure to enhance security features.
The mobile phone has become a tool of trade across Africa, allowing for money-transfer services in a region with spotty banking infrastructure. Users, however, are complaining that cybercriminals are starting to divert money transfers made via mobile phones.
Safaricom was the first company in Africa to introduce an m-money service, called M-pesa, followed by several other providers. MTN, which operates its Mobile Money service in 21 African countries, has stepped up its network security and enhanced controls to guard against collusion.
“MTN maintains stringent user access management procedures as well as periodic review of the logs of critical systems and transactions,” said Mazen Mroue, chief information officer at MTN Ghana.
These steps are being taken in the face of mounting security threats. In its 2010 security forecast, VeriSign identified mobile devices as a common target for cybercriminals as more people access the Internet for software updates and mobile commerce services.
“An attack on the mobile device operating system will affect the phone contacts, mobile banking log-ins and passwords and any other valuable information stored on the device,” according to Kenneth Silva, VeriSign Senior Vice President and CTO.
Apart from firewalls and other routine security technology, Mroue says MTN conducts periodic penetration testing, trains staff on security and provides online forums to keep staff updated on security challenges.
Security analysts in Kenya feel that mobile money is going to be a main target for malicious attacks as more banks, airlines and utility companies set up mobile money service servers and interconnect with other networks.
“There are security vulnerabilities with mobile network operators and banks that do not take physical security as a threat and server rooms are accessible to anyone within the IT department,” said John Gichuki, an independent consultant who has set up some of the mobile money systems in Kenya.
Tyrus Kamau, a consultant who does penetration tests for some of the network operators in Kenya, also feels that the main security threat is personnel — for example, when bank or mobile phone company workers conspire with retail point-of-service agents to steal money from unsuspecting mobile money users.
Kamau points out that criminals can also invest in technology for a technique called SIM cloning, which allows them to register m-money accounts in their names. He says, however, that the technology is too expensive for most cybercriminals in Kenya.
The experts may be divided over the source of major vulnerabilities but meanwhile, a growing number of users of m-money services in Kenya say they have started losing money through mobile transactions.
Last month, Safaricom faced accusations of irregularity within the M-pesa network, when crooks diverted money sent to people who may not be registered as M-pesa users.
When M-pesa was introduced, old SIM cards would not completely work with the new service. Only users with new SIM cards could register as M-pesa users. Users of phones with old SIM cards could use the service, but as unregistered users who had to pay more to retrieve money at service agent offices. According to Safaricom rules, money sent via M-pesa is returned to the sender if not withdrawn within seven days.







