Mobile Money (MoMo) fraud: Two factor authentication, an algorithm to end this menace
Mobile Money is the fastest, most convenient and, until recently, the most reliable means of making online payments in Ghana. The government of Ghana is striving to build a cashless economy to reduce the risk of people carrying large amounts of cash around.
Mobile payments provide a mechanism for conducting financial transactions using a mobile device as an alternative to using cash, cheques, or credit cards.
The mobile device is linked to a bank account, card account (credit, debit, or prepaid), or stored value (e.g., prepaid wallets, online stored value, stored value cards) from which money is deposited or withdrawn.
Mobile Money services, however, are extremely attractive to fraudsters. The recent requirement of an ID (Identity Document) card to make a withdrawal at the MoMo agent shows that the fight against MoMo fraud is yet to be won. This policy of showing your ID card fails to address ownership the way it is done in the bank, because it only confirms that the face on the ID is the face requesting the withdrawal.
When the ID card is entered into the system, it does not confirm that the name on the MoMo account matches the name on the ID card, because I could use my brother’s ID card and the system will still allow the agent to make the withdrawal for me.
In the bank, a copy of the ID card is made and kept for future reference, but this is never done by the MoMo agent. This policy confirms that you own a valid ID card, but the fraudsters can input any arbitrary ID number and the system will still allow them to withdraw your money. The SIM card they will use is fraudulently registered and cannot be traced. It is therefore more prudent to stop the fraudsters than to wait for them to commit the crime.
Below is a proposed system for MTN Mobile Money transactions. This algorithm shall weed out any issue of fraud in the system.
Algorithm: Making a Withdrawal
- The drawer (customer) will generate a code using the amount to be withdrawn and the agent’s merchant ID. This code can only be used to withdraw from the said agent. The code expires after 5 minutes.
- The merchant will take the drawer’s code and key it into the platform. The system (MTN in this case) will display the amount of money to be withdrawn to the agent and request the MoMo agent to confirm with his/her PIN that he/she can pay out such an amount.
- The process from the MoMo agent will then generate a prompt for the drawer to also confirm with his/her MoMo PIN.
- Both parties (drawer and agent) get a text message notification confirming the transaction.
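The withdrawal steps above can be modelled in a few lines. This is an added illustration, not code from the article or from MTN; it assumes the operator issues a random 8-digit code and keeps the amount and agent binding on its own side, and the class, method names and sample PINs are hypothetical.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # the 5-minute expiry from step 1

class WithdrawalService:
    """In-memory model of the operator side (hypothetical, not a real MoMo API)."""

    def __init__(self, pins, clock=time.time):
        self.pins = pins      # account or merchant ID -> PIN (constructed sample data)
        self.clock = clock    # injectable so expiry can be exercised without waiting
        self.pending = {}     # code -> withdrawal record

    def _pin_ok(self, who, pin):
        return hmac.compare_digest(self.pins.get(who, ""), pin)

    def generate_code(self, drawer, amount, merchant_id):
        """Step 1: the drawer binds a one-time code to an amount and one agent."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = {
            "drawer": drawer, "amount": amount, "merchant": merchant_id,
            "expires": self.clock() + CODE_TTL_SECONDS, "agent_ok": False,
        }
        return code

    def agent_confirm(self, code, merchant_id, agent_pin):
        """Step 2: the named agent keys in the code and confirms with a PIN."""
        rec = self.pending.get(code)
        if rec is None or rec["merchant"] != merchant_id:
            return None       # unknown code, or issued for a different agent
        if self.clock() > rec["expires"]:
            del self.pending[code]
            return None
        if not self._pin_ok(merchant_id, agent_pin):
            return None
        rec["agent_ok"] = True
        return rec["amount"]  # amount displayed to the agent

    def drawer_confirm(self, code, drawer_pin):
        """Step 3: the drawer approves the prompt; the code is consumed here."""
        rec = self.pending.get(code)
        if rec is None or not rec["agent_ok"]:
            return False
        del self.pending[code]  # single use, even when the PIN is wrong
        # Step 4 (SMS notification to both parties) would follow a True result.
        return self.clock() <= rec["expires"] and self._pin_ok(rec["drawer"], drawer_pin)
```
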
Loopholes This System Will Plug
- Remote generation of cash out prompt: This is eliminated because the sender is now the only person who can generate a code for cash transfer to another MoMo user. Nobody can sit anywhere to generate this code on my behalf. Again, even if social engineering is used to get me to generate this code, it will be sent to my phone and not to that of the fraudster.
In conclusion, if these algorithms are implemented as outlined, the issues of MoMo fraud shall be a thing of the past. This algorithm gives the user the power to request and complete a transaction, and even when the initiation process is attacked, the next phase is still in the firm grip of the user, who can either continue or reject the whole transaction process.
The drawback of the existing system is that the user has only one authentication to complete a transaction, so the fraudsters need to strike only once. In the proposed system, the fraudster will have to strike three times before they can withdraw money from their victim. It would take SATAN himself to be this lucky with their victims.
The Author is a Telecommunications Engineer with 15+ years of experience in Mobile, FM Radio and Television technologies. He is a member of the Institute of ICT Professionals Ghana, and currently the Head of Projects for Media General Ghana Ltd.
For comments, contact: Frederick.firstname.lastname@example.org / email@example.com