As the world has become more digitized, our vulnerabilities to hackers have become evident. In recent months we have been exposed to examples of sophisticated breaches of I.T. systems that have been used to rob banks, influence elections, and perhaps even crash a missile. It is unsurprising, then, that mobile money has not been immune from attempts by digital thieves to make a quick buck from a soft target. Within the past few weeks the biggest beast in the mobile money jungle, Safaricom's M-PESA, announced that hackers had forced their way into M-PESA's platform before being detected by Safaricom's risk management unit.
And while it is reassuring that the security breach was so quickly detected, the incident highlights the evolving nature of crime and risk in the digital age. If Bangladesh's central bank is vulnerable to hacking and theft, then mobile money account holders in Bangladesh or anywhere else could be forgiven for asking tough questions about the integrity of the country's mobile wallets.
A few weeks ago, Mondato Insight examined why some commentators and theorists are resistant towards fully digitized payment systems. While many concerns are probably misplaced, digital payment and money platforms do have one glaring weakness when compared to cold, hard cash: system failure.
Whether by accident or by design, the failure of the computer systems that underpin digital finance systems pose challenges of a previously unimaginable scale. "Technical glitches" have repeatedly over the past few years brought down the ATM networks of British banks NatWest and Royal Bank of Scotland, leaving an estimated quarter of a million people every hour shut out of accessing their own money. The 2008 financial crisis demonstrated the perils of global digital capital flows gumming up national banking systems, the effects of which would be amplified by the panic caused by ATM systems ceasing to work.
Much of the attention that has been paid to the risk of fraud in mobile money has focused on the direct threat to consumers. But while it seems far-fetched, the potential for an entire economy to be held to ransom by hackers is real and in many ways more acute. Somewhat bizarrely, we already have some inkling of what the effects of that might look like, thanks to the enforced shutdown of Uganda's mobile money ecosystem in February 2016. As the nation went to the polls to elect a new parliament and president, the national chief of police unexpectedly ordered the telecom regulator to shut down the country's mobile money platforms, in order to bring them into line with the election day national holiday that shut down the country's banks.
Whether by design or incompetence, the mobile money shutdown was without warning, leaving many Ugandans unprepared and illiquid. All those tertiary services that have become available through mobile money, such as water and solar energy, suddenly became vulnerable. Around 400,000 Ugandans use pre-paid electricity, meaning some customers were left without electricity for days. However, even in light of a rush of funds out of the system once service was restored, trust in mobile money appears to have been little dented by the enforced outage, despite laying bare the vulnerability of the entire system to malicious or capricious actors.
And while public trust in financial institutions survived this incident, attacks are becoming increasingly powerful, and neither governments nor multinational corporations should relax or adopt a 'bigger than your britches' attitude. As a recent report on cyber vulnerabilities in Kenya noted, a distributed denial-of-service (DDoS) attack on one of the world's largest network services companies in 2016 (which took down Twitter and Netfilx, among other big names) was able to call upon more bandwidth than exists within all of Kenya.
The ever-evolving sophistication of hacks aside, it is the inter-connected nature of the targets that should spook spectators. M-PESA and mobile money's size and role in Kenya's economy should be regarded as a "plausible fiscal risk", according to a report late last year from the country's Treasury. Such a warning applies as much to a technological collapse as to a liquidity crisis.
“The financial and other institutions linked to this system would be susceptible possibly amounting to the value transacted through the channel, were this risk to materialize." Central Bank of Kenya, on mobile money systems
Ironically, some of the most effective tools at the disposal of tech companies - for current purposes including MNOs with active mobile money deployments - are hackers themselves. So-called "bug bounty" programs, such as the one run by India's Paytm, actively invite techies to probe, prod and push computer systems, looking for vulnerabilities, weaknesses and errors, and reward them for their efforts. And while it shows that even today poachers can still make the best game-keepers, it still seems unlikely that only good-hearted hackers have exploited flaws in Paytm or Safaricom's systems.
But without any regulatory framework requiring the compulsory reporting of security breaches, it is therefore left to any individual company to disclose to the public when their systems have been hacked. And it is clear that the reputational damage caused by hacks of credit card records at Target and Home Depot, for example, or passwords at Yahoo, can be long-lasting, hurting the company's bottom line. However, it is even harder to see how a workable reporting regime could work in California let alone Kenya.
And this brings us back to M-PESA. Safaricom's announcement of the hack of the system coincided with the revelation that the hackers had been apprehended and were shortly due to be arraigned in court, while Kenyan online media outlets touted extensive details, including photographs, and fixated on the "flamboyant" lifestyle of one of the alleged hackers.
This raises the suspicion that it was the apprehension of the hackers and the publicity surrounding their court appearance that forced Safaricom's hand to reveal the breach. For it seems unlikely that this was the first hack of M-PESA, leaving many observers to wonder how many other breaches of the system have there been that have not been announced publicly?
Moreover, as a result of M-PESA's relatively deep integration into the country's banking system, through the operation of products such as M-Shwari in partnership with some of the country's largest banks, vulnerabilities in the country's banking system also create a potential backdoor through which customer data can be lifted by criminals. A well-publicized example of this took place last November when KCB customers, including M-Shwari account holders, had their account and phone numbers stolen. This led to a barrage of fraudulent text messages to account holders, which undoubtedly caught some consumers off-guard.
Death, Taxes and Fraud
Nonetheless, this all needs to be viewed in perspective. Fraud, much like death and taxes, is a fact of life for everyone, whether that's the Bank of Bangladesh or the mom and pop store on the street corner. What matters most is how the companies that are the victims of fraud handle the situation, and how responsive and quick they are to address their defrauded customers' concerns. The challenges posed by systemic threats to digital payment systems in developing economies such as Kenya are just as real, if not even more acute, in advanced economies that are already much more dependent on digital payments.
Much more tantalizingly, blockchain-like technology offers the possibility, no matter how far off, of money that can be traced to its owner, even if "stolen". But only the most gullible would believe that this would put an end to fraud and hacking, but the best we can ever hope for is to incrementally keep making it harder for the bad guys, while we keep shoring up our digital defenses, like Sisyphus rolling his boulder up a hill.