Africa’s fintech network has surged in the last two years and the continent’s firms have grown exponentially from $132.8 million raised in 2018 to a record of $285m in 2019 in venture capital investments, making last year the sector’s best year yet and proving readiness to scale up, given the high mobile phone penetration levels and the boom in mobile financial services.
Majority of African emerging economies, especially in sub-Saharan Africa, are said to be the fastest-growing digital payments market in the world. In fact, the development of mobile technology has paved the way for Africa’s fintech revolution where South Africa, Nigeria and Kenya account for 65.2 per cent of Africa’s fintech startups with Uganda closely emerging in influence.
This progress is expected to be driven by the deepening payments infrastructure, population and urbanization growth, GDP growth above the global average, increased mobile and internet penetration, as well as a supportive regulatory landscape for electronic payments and financial inclusion.
Albeit, this growth is being threatened by insecurities in the payments sector characterized by illegal transactions. Operating over the internet makes banks and fintechs vulnerable to cybercrime and while mobile payment methods offer a convenience, they do so at increased risk of attack as the recent Stanbic bank-MTN- Airtel cyber intrusion in which hackers are suspected to have made away with billions of shillings amply demonstrates.
Whilst most banks and fintechs are abreast with and have implemented ordinary online security software solutions to guard against threats, attackers have demonstrated that a lot is to be desired by metamorphosing attacks to new and unpredictable tricks such as identity theft of CEOs, spear phishing and other social engineering techniques to occasion great financial loss on the continent.
According to Bryan Hamman, Arbor Network’s territory manager for sub-Saharan Africa, South Africa has experienced the most cyber-attacks across Africa since 2014 with criminals impersonating executive CEOs through social engineering tactics to steal money from companies, according to the South African Banking Risk Information Centre (SABRIC).
SABRIC CEO Susan Potgieter revealed that the criminals engaging in CEO fraud extract information from company websites and other online platforms to identify the details of CEOs, financial directors and other senior individuals, which they use to target employees.
This calls for robust awareness exercises amongst employees to spot red flags. Furthermore, SIM swap fraud is being used to not only steal credentials and capture one-time passwords (OTPs) sent via an SMS, but also to cause financial damage to victims by resetting the accounts and allowing fraudsters to access currency accounts not only in banks, but also in Fintechs and credit unions.
Again, banks and other financial institutions have a rich history of resilience and have, collectively, built a trusted brand. fintech companies, on the other hand, historically fall a little short on these fronts.
Currently, fintech companies in most countries are not bound by any serious legal and regulatory regimes, focus more on scaling and evolving, and many simply do not have the resources to build suitable security infrastructure. fintech companies do not have the resources that most banks ordinarily possess; they find themselves more exposed. It should be remembered that this is not the first time that fintech is falling prey to hackers and fraud.
Between May and December 2011, a group of MTN employees illegally accessed money from the MTN mobile money system by creating fictitious journals and exiting the money through the MTN Public Access shop by creating fictitious subscribers and colluding with some MTN mobile money agents.
The employees were, fortunately, apprehended and successfully prosecuted. There have since been subsequent disputed reports of other successful hacks. To stay protected and safe from cyberattacks, fintech companies and banks must now see constant employees’ education as priority.
They must train their personnel and teams on data protection and disaster management, build and maintain cybersecurity infrastructures designed to detect, withstand, and repel cyber threats and promptly report cases of cyberattacks.
To further bolster safety, fintech companies should conduct constant risk assessment and natively integrate automated next-generation security systems “designed to provide consistent, prevention-based protection on the endpoint, in the data center, on the network, and in public and private clouds,” and to limit the amount of data that can be gleaned from any compromise.
Research indicates that 35 per cent of the bank security breaches are external, and 65 per cent of the breaches are internal with over 95 per cent aided by insiders.
Financial institutions need to limit staff that accesses sensitive data and reinforce vigilance in companies by strengthening the cybersecurity skills of engineers. It goes without saying that the foregoing recommendations require a robust budget set aside to facilitate a quick implementation of the solutions.
The author is a lawyer and CEO at AddSecurity