Mobile money services are delivered through a large and complex ecosystem, which multiplies the opportunities for cyberattack. Cybersecurity is therefore vital to driving mobile money adoption, use and innovation. For the mobile money industry, cybersecurity is defined as a collection of practices that support the secure operations and activities of providers and protect the integrity of their customers' accounts. Mitigating cybersecurity risk is more than a technical problem: overcoming cybercrime in mobile money services, and the threats and challenges that accompany it, requires a holistic framework.
This framework covers three dimensions:
- People (the provider's employees, third-party players, and users of mobile money);
- Process (legal requirements, internal and supply chain management policies, incident response plans, etc.); and
- Technology (inventory and control of the hardware and software assets that support operations).
Compared to other industries, financial services providers have suffered the most attacks or attempted thefts. Unsurprisingly, financial institutions spend more on cybersecurity than other organisations. Given the increasing digitalisation of financial services, ensuring that consumer trust remains intact is important for all digital financial service providers, including mobile money services.
The need for consumer trust and confidence is greater now than ever before, and will continue to grow with the use of new technology. But how should digital financial service providers ensure that their cybersecurity policies keep consumers safe? According to the Carnegie Endowment for International Peace, digital financial service (DFS) providers need to build in external checks; they cannot rely solely on user behaviour and safe practices. For instance, many mobile money services cap the number and size of mobile payment transactions. These limits are designed to lessen the risk of systemic failure or contagion, but they also bound the loss from fraud: a compromised account or a social-engineered customer can only move so much money before the cap is hit.
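The transaction caps described above can be enforced as a simple rolling-window check on the provider's side. The following is an added example, not code from the GSMA page or from any provider: it applies a per-transaction maximum plus a count cap and a value cap over a rolling 24-hour window. The limit values, account names, timestamps and amounts are constructed for illustration, and amounts are in minor currency units.

```python
"""Added example (not from the GSMA page): per-account transaction caps.

Enforces the 'external checks' the text mentions: a cap on the size of a
single payment, and caps on the number and total value of payments within a
rolling 24-hour window. All figures here are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 24 * 60 * 60


@dataclass
class Limits:
    max_per_txn: int      # largest single payment, in minor units (e.g. cents)
    max_daily_count: int  # payments allowed per rolling 24 hours
    max_daily_total: int  # total value allowed per rolling 24 hours


class CapEnforcer:
    """Tracks recent transactions per account and decides whether a new one
    stays within the configured caps."""

    def __init__(self, limits):
        self.limits = limits
        # account -> deque of (timestamp, amount), oldest first
        self._history = defaultdict(deque)

    def _prune(self, account, now):
        """Drop entries that have aged out of the rolling window."""
        q = self._history[account]
        while q and now - q[0][0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account, amount, now):
        """Return (allowed, reason) without recording the transaction."""
        if amount <= 0:
            return False, "invalid amount"
        if amount > self.limits.max_per_txn:
            return False, "exceeds per-transaction cap"
        q = self._prune(account, now)
        if len(q) >= self.limits.max_daily_count:
            return False, "exceeds daily count cap"
        if sum(a for _, a in q) + amount > self.limits.max_daily_total:
            return False, "exceeds daily value cap"
        return True, "ok"

    def submit(self, account, amount, now):
        """Check the transaction and record it if it is allowed."""
        allowed, reason = self.check(account, amount, now)
        if allowed:
            self._history[account].append((now, amount))
        return allowed, reason


def run_demo():
    # Constructed limits: 50,000 per payment, 3 payments and 120,000 per day.
    enforcer = CapEnforcer(Limits(max_per_txn=50_000, max_daily_count=3,
                                  max_daily_total=120_000))
    t0 = 1_700_000_000  # constructed epoch timestamp
    return [
        enforcer.submit("acct-A", 40_000, t0),                   # ok
        enforcer.submit("acct-A", 60_000, t0 + 10),              # per-txn cap
        enforcer.submit("acct-A", 50_000, t0 + 20),              # ok (total 90k)
        enforcer.submit("acct-A", 40_000, t0 + 30),              # 130k > daily value cap
        enforcer.submit("acct-A", 20_000, t0 + 40),              # ok (total 110k, count 3)
        enforcer.submit("acct-A", 5_000, t0 + 50),               # daily count cap
        enforcer.submit("acct-A", 5_000, t0 + WINDOW_SECONDS + 1),  # first entry aged out
    ]


if __name__ == "__main__":
    for allowed, reason in run_demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The check is deliberately separated from the recording step so that a denied attempt is not counted against the customer, and the decision is made on the provider's side rather than trusting the client: the point of the Carnegie recommendation is that the check holds even when user behaviour does not.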
Separately, technical checks that other financial institutions can adopt and implement with relative ease are also important. To this end, some payment switch providers have developed open-source fraud management and anti-money laundering systems. Such accessible and interoperable systems are well suited to a diverse DFS environment.
Third-party risk matters to digital financial service providers. A financial transaction often passes through several systems, and while each system may be relatively secure, the links between them may not be. Cybercriminals target these weak links, impersonating legitimate intermediaries to reroute transactions and siphon off funds.
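One countermeasure to the rerouting attack described above is to authenticate the transaction end to end, so that an intermediary between the originating and settling systems cannot alter the fields that matter. The following is an added example, not code from the GSMA page or any provider's system: the originator computes an HMAC over the protected fields, the settlement side verifies it, and a modelled hostile hop that rewrites the receiver is detected. The key, account identifiers and amounts are constructed, and the choice of HMAC-SHA256 over a shared key is this example's assumption.

```python
"""Added example (not from the GSMA page): end-to-end transaction
authentication across several systems.

The originating system signs the fields that must not change in transit;
the settling system verifies them. An intermediary that reroutes the payment
by rewriting 'receiver' cannot produce a valid tag without the shared key.
Key, identifiers and amounts below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed demo key. In practice each partner link gets its own key,
# held in a KMS/HSM and rotated, never a literal in source.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Fields covered by the tag. Routing metadata that hops legitimately change
# (e.g. which aggregator handled the message) is deliberately left out.
PROTECTED_FIELDS = ("txn_id", "sender", "receiver", "amount", "currency")


def canonical(txn):
    """Deterministic encoding of the protected fields so both ends hash
    exactly the same bytes regardless of dict ordering or whitespace."""
    subset = {k: txn[k] for k in PROTECTED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_txn(txn, key=SHARED_KEY):
    """Originator: attach an HMAC-SHA256 tag over the protected fields."""
    tag = hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()
    return {**txn, "mac": tag}


def verify_txn(signed, key=SHARED_KEY):
    """Settlement side: recompute the tag and compare in constant time."""
    try:
        expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    except KeyError:          # a protected field is missing: reject
        return False
    return hmac.compare_digest(expected, signed.get("mac", ""))


def hostile_middlebox(signed):
    """Models the attack in the text: an impersonated intermediary rewrites
    the destination and forwards everything else unchanged."""
    return {**signed, "receiver": "+255700000999"}


def honest_hop(signed):
    """A legitimate hop may change unprotected routing metadata."""
    return {**signed, "routing_hop": "aggregator-2"}


def run_demo():
    txn = {  # constructed transaction
        "txn_id": "T-0001",
        "sender": "+255700000111",
        "receiver": "+255700000222",
        "amount": 15_000,
        "currency": "TZS",
        "routing_hop": "aggregator-1",
    }
    signed = sign_txn(txn)
    return {
        "honest_path": verify_txn(signed),
        "honest_hop": verify_txn(honest_hop(signed)),
        "rerouted": verify_txn(hostile_middlebox(signed)),
        "wrong_key": verify_txn(signed, key=b"some-other-partner-key"),
    }


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:12s} {'accepted' if ok else 'REJECTED'}")
```

Two caveats a practitioner would add: a tag proves the protected fields were not altered, but it does not stop a replay of a valid message, so the settling system must also reject a `txn_id` it has already seen; and the check only helps if every hop that can be impersonated sits between the signer and the verifier, which is why it belongs at the two ends rather than at one intermediary.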
Digital financial service providers need to overcome a number of challenges when educating customers on safe behaviour and building their confidence in using digital financial services. These include literacy levels, financial resilience, trust in the financial system, and attitudes towards formal financial products (e.g., savings). Providers also need to consider the medium of consumer education. Workshops can improve financial understanding and literacy, but below-the-line approaches in familiar language can also improve financial behaviour and capability: for example, viewers of a TV show in South Africa were found to manage their finances more responsibly than a control group.
Digital financial service providers should develop safe behaviour and consumer confidence through a range of approaches. Providers should run active customer awareness campaigns that teach consumers to recognise malicious messages, phishing attacks and spoofing. Customers should also be taught to mask their PINs or passwords, to guard against shoulder surfing, and never to write down or share PINs or passwords. Safe user practices must be balanced against the effort they demand of the customer. Two-factor authentication, for instance, adds a step the user has to go through, but it improves security significantly and that gain holds up over the long run.
For digital financial service providers, compliance with existing and applicable legal and regulatory requirements on cybersecurity is important in building trust among users. Key to this are strong cybersecurity regulatory frameworks, such as the risk-based cybersecurity approaches in Kenya and Nigeria. These guidelines require regular assessments that identify all cybersecurity vulnerabilities and threats, the likelihood of successful exploitation, the potential impact (reputational, financial and regulatory) on information assets, and the associated risks. Creating such a framework is a necessary first step, but enforcement remains difficult to achieve, and beyond these examples there is limited use of such frameworks in other mobile money markets. Where regulation is inadequate, self-regulation through industry initiatives, such as the Mobile Money Certification, can serve as a solution.
Find out more about the GSMA’s recommendations for providers to improve the security landscape of mobile money services in our report: Cybersecurity – A governance framework for mobile money providers.