Entersekt CEO Schalk Nolte looks at the growing security risks for banks and financial institutions in Africa and explains why complacency is no longer an option.
Despite some consolidation in the African banking market, most of the banks we are speaking to remain confident about future opportunities on the continent. However, we have noticed security steadily making its way towards the top of the agenda for bank executives, and rightly so.
Africa’s relative lack of infrastructure is both a blessing and a curse for banks. While access to traditional services is still a challenge, innovation in technology can offer big opportunities. Mobile has become the de facto means of banking in many parts of Africa and, as mobile penetration – particularly smartphone penetration – increases, this is allowing banks to connect with more of the population than ever before, and to do so in a more targeted, personal way.
A study looking at trends in banking in Sub-Saharan Africa, released in June 2015 by the European Investment Bank, noted that the Sub-Saharan Africa (SSA) region leads the world in mobile money accounts. While just 2 percent of adults worldwide have a mobile money account, in the SSA region, 12 percent have one. Although the base is still low, financial inclusion through mobile is growing fast.
While this is encouraging for the continent and the banks involved, banking CEOs are increasingly concerned about systemic risk and, more importantly, about the growing risk of cybercrime.
Cybercrime cutting into operational profits
The Kenyan government alone is losing KSh 5 billion (about US$50 million) a year to cybercrime, and the figure is expected to grow. In March last year, 79 percent of the African banking executives surveyed by PwC saw cyber-risk as an inhibitor of growth.
Frankly, we are not surprised. Globally, security is too often seen as a grudge purchase, and is brought in as a last resort and, even worse, often after a critical breach has already taken place. This can cause serious reputational damage to the banking and payments ecosystems.
Complacency around the technology used to authenticate a customer in particular is still rife. Despite international best practice, many banks still seem comfortable using one-time passwords (OTPs), usually delivered over SMS, as their primary means of authenticating their customers, even though the technique is already decades old.
Back in 2012, the Australian telcos warned their local banks that SMS was not secure and urged them to reconsider how they protected their customers. At the time, Communications Alliance chief executive John Stanton said it plainly: “SMS is not designed to be a secure communications channel and should not be used by banks for electronic funds transfer authentication.”
This is not the end of the challenge. Many banks have shifted to two-factor authentication, where users have a password and a token or phone as the second factor, but Gartner warned back in 2009 that any two-factor authentication relying on a browser can be beaten: if both factors pass through the same compromised browser session, an attacker who controls that session can simply relay them. Gartner went on to suggest that banks adopt a fraud prevention approach combining stronger authentication, fraud detection and out-of-band transaction verification, in which the customer confirms the details of each transaction on a separate channel rather than merely proving who they are at login.
Over the years we have seen a marked rise in man-in-the-middle attacks, and these are receiving particular attention from African security analysts. A man-in-the-middle attack is one in which a criminal secretly intercepts, and possibly tampers with, the messages between two parties who believe they are communicating directly with each other. Many unsuspecting banking clients have been caught this way by clicking links in phishing emails, installing fake or altered mobile apps, or using unsecured public Wi-Fi connections.
This is a real challenge for banks. They do work to educate their clients on safer browsing habits, but that alone is not enough. Banks must take responsibility for securing financial and personal data. The same is, of course, true for every organisation that holds sensitive information. Regulation in this area is growing increasingly onerous, and companies that cannot show they are protecting the consumer will face very hefty penalties.
This is not just a compliance challenge
If banks want to improve their bottom line, they must own the channel through which they communicate with their clients. This channel is the proverbial goose that lays the golden egg. In a downturn economy especially, financial institutions are developing and rolling out incredibly innovative new products. This is all pointless, however, if the end user – the client – doesn’t trust your technology enough to complete a transaction.
One thing we know for sure is that criminals are constantly evolving and refining the ways they access data and funds. Each year, we send our developers to top global cybersecurity conferences. We expect them to know exactly what the latest exploits are and to build technology at least 12 to 18 months ahead of the fraud curve. We also engage white-hat hackers to stress-test our systems, exposing potential flaws and giving us insight into problems before they become real ones.
In short, if banks want to ensure they can leverage the mobile channel for increased profits, they cannot afford to be complacent about security. We know that the criminals are thinking three steps ahead. Shouldn’t our banks be doing the same for their clients?