In a 2012 report, the International Finance Corporation (IFC) said that mobile money has the potential to deliver financial inclusion and will transform economies. Today, the widespread use of mobile to carry out monetary transactions, make merchant payments, etc., has proved that prediction right. Consumers have lapped up mobile wallets, and can now transfer money and make online payments with a scan, swipe or a tap. Banks too have joined the bandwagon, providing their customers with a wide range of mobile and online offerings.
The trend of mobile money is catching on, and at the same time the risk of fraud and financial scams looms large. When a consumer loses money to money laundering, a scam or fraud, the reputation of the mobile money service provider suffers badly. Deloitte (industry-leading audit, consulting, tax, and advisory services provider) states that “Globally, the cost of fraud in telecom industry amounts to around 2 percent of its total revenues i.e. roughly US $46 billion. From the revenue generated by phone-based banking around 2 to 3 percent is lost to fraudulent activities.”
Organized ransomware attacks like WannaCry have also escalated. The financial services industry experiences the highest number of data breaches and fraud cases. In addition to intrusion and cyber-attacks, phishing fraud, access to wallets through unauthorized SIM swaps, fake KYC and commission fraud by agents are also on the rise. In this scenario, mitigating risk has become the primary objective of a fraud management strategy for mobile money, and the key to this is setting up effective layers of control within the system.
The first set of control layers includes:
- Access control mechanisms and encryption to protect customer information
- Setting up layers of approvals based on segregation of duties
- Setting threshold limits to reduce the threat of money laundering and terrorist financing
It is crucial to anticipate every possibility of fraud and build a security wall beforehand. Hence it is important to have a detective control layer that includes:
- Monitoring activities on system access
- Detection and analysis of any suspicious activity
- Creation of a successful escalation management framework and robust customer listening
- Monitoring agent transaction activities
- Minute review and management of high-value transactions
- Management of a system that sends timely alerts and notifications to customers
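The preventive and detective controls listed above, as an added example that is not from the original article or from any product it mentions: threshold limits, second-person approval of high-value transactions, and per-agent monitoring, applied to constructed transaction records. The limit values, field names and operator IDs are assumptions, and the example goes beyond the text by adding a cumulative daily limit per wallet.

```python
from collections import defaultdict
from decimal import Decimal

# Assumed policy values (hypothetical; the article names the controls but gives no figures).
SINGLE_TXN_LIMIT = Decimal("70000")   # per-transaction threshold
DAILY_LIMIT = Decimal("150000")       # cumulative per-wallet, per-day threshold
HIGH_VALUE_REVIEW = Decimal("50000")  # at or above this, a second approver is required

# Constructed sample records: (txn_id, day, wallet, agent, amount, maker, checker)
TRANSACTIONS = [
    ("T1", "2024-03-01", "W100", "A7", "12000", "ops_anne", None),
    ("T2", "2024-03-01", "W100", "A7", "65000", "ops_anne", "ops_brian"),
    ("T3", "2024-03-01", "W100", "A7", "69000", "ops_anne", "ops_anne"),
    ("T4", "2024-03-01", "W200", "A7", "90000", "ops_carl", "ops_brian"),
    ("T5", "2024-03-01", "W100", "A9", "20000", "ops_carl", None),
]


def evaluate(transactions):
    """Return {txn_id: [reasons]} for every transaction that breaks a control."""
    findings = defaultdict(list)
    daily_total = defaultdict(Decimal)  # Decimal() starts each wallet/day at 0
    for txn_id, day, wallet, _agent, amount, maker, checker in transactions:
        amount = Decimal(amount)
        if amount > SINGLE_TXN_LIMIT:
            findings[txn_id].append("over single-transaction limit")
        if amount >= HIGH_VALUE_REVIEW:
            if checker is None:
                findings[txn_id].append("high-value without approval")
            elif checker == maker:  # segregation of duties violated
                findings[txn_id].append("maker approved own transaction")
        daily_total[(wallet, day)] += amount
        if daily_total[(wallet, day)] > DAILY_LIMIT:
            findings[txn_id].append("wallet daily limit exceeded")
    return dict(findings)


def agent_exposure(transactions, findings):
    """Count flagged transactions per agent, for the agent-monitoring control."""
    counts = defaultdict(int)
    for txn_id, _day, _wallet, agent, *_rest in transactions:
        if txn_id in findings:
            counts[agent] += 1
    return dict(counts)


if __name__ == "__main__":
    flagged = evaluate(TRANSACTIONS)
    print(flagged, agent_exposure(TRANSACTIONS, flagged))
```

Amounts are held as `Decimal` so that limit comparisons are exact; T3 passes the single-transaction limit but is still flagged because the same operator created and approved it.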
Security from Internal Frauds using BI and Data Analytics
While the aforementioned control layers are imperative, mobile money systems should also have business intelligence and very strong data analytics to prevent, or at least identify, fraud. Fraud threats need not be external; internal frauds like commission fraud by agents and application manipulation by authorized users can also engulf a system from within.
Here is an example of how an unsecured platform was exploited by internal forces to gain benefit and, as a result, billions of shillings were lost to fraud!
The key trait that saves clients from losing millions of dollars is a prompt response and support from platform developers, together with the implementation of stricter controls for specific risks. A layered approach of considering all entities as suspects is also effective. Using data mining and analytics reports, suspects are whitelisted and the list is filtered. Further, the interrogation of the remaining suspects plays a crucial role in detecting and eliminating the possibility of fraud.
All this boils down to the fact that the underlying technology is pivotal in building a robust system for mobile money. It is possible to bring down the cases of account misuse, fraud or account hacking from within the system to zero, if the system allows:
• Minimal storage of data on the device
• No storage of transaction passwords, PINs or credit card numbers at device level
• Storage of product-level info and profile with AES encryption of not less than 128 bits
Panamax’s Mobile Financial Solutions (MFS) product MobiFin covers all the industry-level security requirements, is PA-DSS certified and has a PCI-DSS compliant infrastructure. We have a proactive consultancy approach, and even a minor threat or attempt of a security breach is treated with utmost urgency and seriousness.