October 14, 2024

Can telecoms, banks wriggle out of cyber fraud?


In January this year, police arrested a hacker (name withheld) after one of the most sophisticated e-heists to date in Uganda’s mobile money history. 

Using his training and expertise in IT systems, the 48-year-old slogger hatched a complex hack into the mobile money systems of agents and made off with millions of shillings from their mobile money lines. He was on course to wring millions more out of the mobile money system. His plan initially succeeded before it was foiled.
 
He was arrested following one of his e-swoops in which he diddled mobile money agents in areas of Mukono, Jinja, Misindye, Kiira division, Nagalama – east of Kampala.
 
An immediate search led to the recovery of Airtel lines and a hacking machine. He was later to tell police that instead of detaining him, they should enlist him to deploy his expertise and skills to fight the vice.
 
This hacker’s story is but one of just a few reported cases of mobile money and online banking fraud in Uganda, a menace that is debilitating an otherwise vibrant, convenient, inclusive, and highly practical IT-based payment system.

These frequent system break-ins raise questions about the technical vulnerability and integrity of the mobile money system (and the banking systems integrated with it) in the country.

As global adoption of services based online and mobile telephony increases, so do fraudulent schemes propagated through hacking.
 
System Vulnerability
A survey by Global System for Mobile Communications, a lobby organisation that represents the interests of mobile network operators worldwide, identified several vulnerabilities that affect both the mobile money and online banking systems. These have led to a swell in mobile money and online banking fraud cases.

According to GSM, these vulnerabilities are caused by several design, device and infrastructure inadequacies. These include ineffective security on mobile phone devices (weak passwords, unencrypted data and outdated software) and weak authentication mechanisms (PIN, SMS), which can easily be intercepted through SIM card swapping and phishing.

The others are social engineering, where unsuspecting users with low cybersecurity awareness are tricked into providing their information, login details and OTPs. SIM card swapping and cloning, insecure APIs and infrastructure, malware and mobile trojans also expose systems to penetration. The rapid integration of systems (brought about by the fast growth in infotech and fintech) has left less attention paid to security and more to the integrability of systems.

According to GSM, impersonation schemes are the most prevalent way that systems have been penetrated. Identity fraud ranked as the highest mobile money deception scheme, followed by social engineering schemes, SIM swap fraud, insider fraud and cyber fraud.
 
In Uganda, insider involvement is emerging as the most significant concern, with most intelligence reports pointing to the involvement of staff or workers of the banks or mobile telephone networks working in cahoots with the hackers to skim money from the mobile money and/or bank systems. Internal actors include not just staff of mobile money service providers, but also agents and third-party systems providers.

These wrong elements in the network of people involved in the backend of the mobile money and banking systems are the biggest headache in the case of Uganda.

According to Allan Rwakatungi, the Founder of Xente Tech, a fintech platform in Uganda, mobile money fraud reflects ‘how our society does things’, attributing most of the fraud to social engineering.

Rwakatungi discredits the idea that financial services’ systems are the problem, that they are the ones that are vulnerable and susceptible to fraud, by drawing examples from across the globe.

“The systems we use (including credit cards) are the same systems everywhere in the world,”

A case of banks
 
For Micheal Niyitegeka, executive director of Refactory, a Kampala-based software skilling academy, social engineering is the biggest industry challenge. Fraudsters use this tactic of manipulating, influencing, or deceiving victims to gain control over a computer system, or to steal personal and financial information.


“Of course, the targets are usually individuals that have good account balances, and as such there is always the inside conduit that facilitates information transfer. With the limited digital literacy, the fraudsters find it easy to manipulate their targets,” he explains.
 
Niyitegeka quotes a 2022 survey conducted by the audit firm KPMG, which included 300 Small and Medium Enterprises and major business organisations. The study showed that 3 out of 10 of the region’s businesses had experienced cyber-attacks.

According to the survey, there is a general lack of knowledge and awareness of digital infrastructure and emerging technologies among business actors, which makes it difficult to mitigate potential future risks. This lack of preparedness contributes to the rise in cyber-attacks.
 
Niyitegeka argues that one of the primary concerns plaguing banks in the region is that, even with increased investment in cybersecurity infrastructure, the vice is on an upward trend: the fluid nature of cyberattacks makes keeping up and ensuring that all safety nets are in place a tough challenge.
 
“Many financial institutions in the region struggle to keep pace with evolving cyber threats, often due to limited resources, technical expertise, and outdated security protocols,” he says. 

Niyitegeka says much as the COVID-19 pandemic brought about creativity and accelerated the adoption of online banking and digital transactions, it also further amplified the risks associated with cyber threats.

Fraud grew with Covid-19
 
According to both Bank of Uganda and Uganda Communications Commission, post Covid-19 there was a surge in subscription to mobile financial services, and along with it an increase in cases of fraud. According to the two regulators, the number of mobile money fraud-related complaints within the industry rose to an average of 300,000 per month, as compared to 150,000 six months prior to Covid-19.
 
Lockdowns, social distancing, and avoiding contact with surfaces (including money) occasioned by Covid-19 pushed up the usage of mobile financial services.
 
In the case of one Mobile Network Operator, the Innovations for Poverty Action consumer protection survey found that 46 percent of people surveyed had received a scam call since Covid-19 began. Of those, 49 percent involved the fraudster impersonating the Mobile Network Operator customer care staff.
 
The increased volume of transactions has also amplified the susceptibility to cybersecurity threats, including phishing and hacking. Moreover, the surge in transaction values raises concerns about potential money laundering activities.
 
The most notable case recorded by the financial regulator in this regard was the UGX 8 billion “black box attack” on one of the mobile money service providers back in 2022, in which hackers entered a betting firm’s online platform to siphon off money.

Regulatory Challenges
Nyombi Thembo, the executive director of the Uganda Communications Commission, says the evolution of mobile money from a simple money transfer service to a multifaceted financial platform has undoubtedly enhanced its utility. However, the expansion of the services also introduces new challenges, such as increased exposure to consumer disputes and regulatory complexities.
 
Ugandans also still face the challenge of authenticating ownership at transaction withdrawal points, which remains a vulnerability exposing users to the risk of unauthorized withdrawals, leading to financial losses and reduced trust in the system.

Eroding trust
Allan Sempala Kigozi, the acting chief executive officer at Unwanted Witness, says fraudulent financial activities have a huge impact on the digital economy, as they erode confidence in it.

Unwanted Witness is a civil society organisation that champions promotion of online freedoms, protection of digital rights, a safe and secure digital environment, and responsible use of technology in Uganda.

Sempala says that, over time, fraud erodes trust in digital financial systems, discouraging individuals and businesses from engaging in online transactions, which hinders and undermines the growth of digital commerce and financial inclusion efforts.

He adds that fraud has raised privacy and data security concerns because the compromise of personal information makes individuals hesitant to share sensitive financial information online, limiting their participation in digital financial services.

For his part, Rwakatungi says financial fraud is making digital financial services increasingly expensive to run, with the high operational costs incurred by the service providers transferred to consumers through transaction fees.

He cites the example of the recent new requirement by Bank of Uganda for service providers to verify transactions above one million shillings, as a big expense for [telecoms]. He said implementing this directive will require verification machines to be rolled out, which might lead to higher costs of transactions.

Way forward   
According to Rwakatungi, it is important that all actors endeavour to secure their platforms using the best industry practices, do IT and compliance audits and undertake background checks.

At the policy and regulatory level, the National Payment System (NPS) Act 2020 brought about a significant shift in the regulatory structure of Uganda’s Mobile Financial Services (MFS) sector. This shift involved a structural separation of financial service regulation, which now falls under the jurisdiction of the Bank of Uganda (BOU), and the infrastructure regulation, which remains the role of the Uganda Communications Commission.

The two regulators have rolled out stringent risk mitigation measures, enhanced security protocols and transaction monitoring systems. Initiatives like Know Your Customer (KYC) were introduced by Bank of Uganda as a mechanism for authenticating the identity of users. However, this practice poses a significant security risk as well, as the current, mainly physical, records are susceptible to loss, theft, or unauthorized access. To address this challenge, it is proposed that biometric fingerprint scanners capture and store customer information electronically, reducing the reliance on paper records.
  
For the case of banks, Gideon Nkurunungi, the Chief Executive Officer of ICT Association of Uganda, argues that, through advanced research, industry stakeholders need to invest in seeking insights into how AI (artificial intelligence) techniques can be deployed to predict and prevent fraud.
 

“Developing predictive models or understanding data on fraud in our perspective is going to set new standards in the fight against financial crime,” he said.

By combining these technical, procedural, and educational strategies, mobile money service providers and banks can significantly reduce the risk of cyber fraud, protecting both their customers and their systems.
