Washington DC — Mobile phones are helping millions of low-income customers to access financial services for the first time, but they are also exposing them to new cyber threats they could never have imagined.
A few years ago, a friend of mine in Uganda -- let's call him Jonathon -- learned this firsthand. The trouble started when Jonathon happened to glance at his mobile phone and noticed the words "NO SERVICE" on the screen.
At first, he wasn't concerned. His mobile network occasionally went down, and within a few minutes his phone reconnected to the network.
Later that day, however, he tried to use his mobile money account to send his wife some money so that she could take their son to a doctor, but the transfer failed. When he checked his balance, he learned that the entire amount he thought was in his account -- more than $100 -- was gone.
What happened to Jonathon is becoming more commonplace in countries where mobile money is popular. For instance, the Serianu 2017 Africa Cyber Security Report estimates that cybercrime in mobile-based transactions costs businesses $140 million per year in Africa.
So, what exactly happened to Jonathon? Why is this becoming more common? And what can providers and policy makers do to prevent it?
The first part is easy to explain. A criminal got into Jonathon's account and sent all his money to a group of friends, perhaps as little as $10 each. After receiving the transfer, each friend went independently to an agent and cashed out.
They gave most of the cash to the criminal, keeping some for themselves. This type of low-level money laundering happens regularly in the modern criminal environment.
A more interesting question is how the criminal got access to Jonathon's account in the first place. To carry out this type of crime, a criminal needs the victim's account credentials. Specifically, he or she needs two pieces of information: the victim's mobile money account number (usually a mobile phone number) and PIN.
Getting someone's mobile phone number is fairly straightforward. Sometimes the victim is a well-known figure or shares his or her contact details on social media. In other cases, the victim is overheard giving his or her number to a friend in a bar.
Criminals have various ways of obtaining their victims' PINs too. The old-fashioned way is to stand behind customers at an agent's shop and watch them complete transactions (i.e. shoulder surfing).
Unfortunately, many people are still unguarded when typing their PINs. Some even write their PIN on the back of their mobile phone, showing a disappointing lack of awareness of what that PIN protects.
However, industrial-grade PIN harvesting is supplanting these slow, one-victim-at-a-time approaches. There are many ways to acquire digital financial services (DFS) account numbers and the associated PINs without ever meeting (or even knowing) the person whose money is being stolen.
USSD (Unstructured Supplementary Service Data) is the most common way to access mobile money services in developing countries, and it offers little protection for these sensitive credentials: a USSD session has no end-to-end encryption between the handset and the provider's application, so the PIN is protected only by whatever encryption the mobile network applies to the radio link and travels in the clear inside the operator's network. Credentials can be collected in a number of ways that providers and policy makers should be aware of.
- Someone using a laptop in a coffee shop can capture all of the USSD sessions (including PINs) for everyone using a nearby cell tower.
- If a criminal wants to target a specific group of people, such as businesspeople attending a conference in a hotel, he or she can set up a fake cell tower with nothing more than a laptop and a mobile phone attached to it, looking as if it is simply being charged. The criminal can then trick everyone's cell phones into connecting to the fake cell tower, giving him or her access to the group's transactions.
- Someone with access to the mobile operator's network - say, a disgruntled staff member - can connect a laptop to the network and quietly log users' credentials as they enter them over the network.
- If criminals want to target a particular person (e.g., a high-net-worth individual), they can do it from a laptop without even being in the same country. Criminals often do this by using USSD to push a message to the victim's phone that looks like it is from his or her DFS provider, saying that because of a security issue they need to re-enter their PIN. The information the victim enters is then returned directly to the criminal.
Obtaining Jonathon's credentials was only the first part of the attack. In this type of crime, the criminal then has to use the stolen credentials to access his money, for example through a SIM swap.
A SIM swap is the transfer of a mobile phone number from its original SIM to a new SIM. It is an important service that allows customers to keep their number and account after acquiring a new SIM card.
Unfortunately, the service can be misused to transfer a victim's mobile phone number to a new SIM (resulting in the "NO SERVICE" message on their mobile phone) without their knowledge or permission.
The new SIM is placed in a mobile phone, at which point the criminal uses the captured PIN to access the target's account and send money to be cashed out and laundered. Afterwards, the SIM swap is reversed, and the victim's mobile phone comes back to life -- but the money is gone.
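As an added illustration from the provider's side (not code from the article or from CGAP), the following Python sketch replays a constructed account event log and holds transfers that fit the pattern just described: recipients the customer has never paid, hit in a burst shortly after a SIM change. The 48-hour window, the three-recipient threshold, the event format and the sample log are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed provider policy (not from the article): transfers to never-before-paid
# recipients within this window after a SIM change need step-up verification, and
# three or more such transfers to distinct recipients raise an account-level alert.
HOLD_WINDOW = timedelta(hours=48)
FANOUT_THRESHOLD = 3

@dataclass
class Event:
    ts: datetime
    kind: str              # "sim_change" or "transfer"
    recipient: str = ""    # transfers only
    amount: float = 0.0    # transfers only

@dataclass
class Verdict:
    step_up: list = field(default_factory=list)   # transfers to hold for step-up
    fanout_alert: bool = False                    # split-and-cash-out pattern seen

def review_account(events, known_payees, hold=HOLD_WINDOW, threshold=FANOUT_THRESHOLD):
    """Replay an account's event log and decide which transfers to hold."""
    last_swap = None
    verdict = Verdict()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "sim_change":
            last_swap = e.ts           # any SIM change (re)starts the hold window
        elif e.kind == "transfer" and last_swap is not None \
                and e.ts - last_swap <= hold and e.recipient not in known_payees:
            verdict.step_up.append(e)  # new payee soon after a SIM change
    new_recipients = {e.recipient for e in verdict.step_up}
    verdict.fanout_alert = len(new_recipients) >= threshold
    return verdict

# Constructed sample log mirroring the scenario above: a SIM change, the balance
# pushed out in small amounts to recipients the customer has never paid, then
# the swap reversed two hours later.
T0 = datetime(2018, 3, 5, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(days=2), "transfer", "wife", 20.0),    # normal, pre-swap
    Event(T0, "sim_change"),
    Event(T0 + timedelta(minutes=20), "transfer", "mule_a", 10.0),
    Event(T0 + timedelta(minutes=22), "transfer", "mule_b", 10.0),
    Event(T0 + timedelta(minutes=25), "transfer", "mule_c", 12.0),
    Event(T0 + timedelta(minutes=31), "transfer", "wife", 5.0),  # known payee: allowed
    Event(T0 + timedelta(hours=2), "sim_change"),                # swap reversed
]
KNOWN_PAYEES = {"wife"}
```

Running `review_account(SAMPLE_EVENTS, KNOWN_PAYEES)` holds the three transfers to the unknown recipients ($32 in total) and raises the fan-out alert, while the same log without the SIM-change events holds nothing.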
By the time Jonathon realized something was wrong, his money was long gone. While it might be possible to trace the people who carried out the money laundering, it is virtually impossible to get Jonathon's money back - and in his country, Jonathon is liable for the loss, not the DFS provider. It would have been far better if the service had been properly secured in the first place. As detailed in the slide deck below, there are some simple measures that providers and policy makers can adopt to protect other mobile financial services users from cyberattacks.
This article was originally published by the Washington-based Consultative Group to Assist the Poor (CGAP), a global partnership of more than 30 leading development organizations that works to advance the lives of poor people through financial inclusion.