Monday, October 20, 2008

Is M-Banking Safe?

One of the readers of this column recently stated to me that Kenyans worry more about the safety of their money than anything else. This is arguable but there is a ring of truth to it and the advent of Mobile-Banking has raised some fundamental security questions.

Various discussions on the potential risks of M-Banking have been conducted in the media due to some recent developments. M-Pesa and Sokotele are transferring huge amounts of money wirelessly.

Equity Bank and Pesapoint have joined the wireless fest.

This situation obviously raises questions on whether the technical, legal and regulatory frameworks exist to protect consumers of these services.

It is clear that technology has once again leapfrogged our lethargic legislative and policy institutions.

We have a myriad of wireless networks existing today. They include Wireless Data Networks (WDNs), GSM (Global System for Mobile Communications), General Packet Radio Service (GPRS), Code Division Multiple Access (CDMA), UMTS (Universal Mobile Telecommunication System) among many others.

Wireless networks are inherently vulnerable and this includes GSM. Cyber criminals are able to monitor wireless traffic to determine, control and manipulate signal, bandwidth, leakage patterns and so forth. They also engage in mobile sniffing where a vulnerable access point/backdoor is identified.

Popular sniffer tools include Air Crack, Air Snare, Kismet, Arpspoof, Air Magnet etc. Most of these tools are open source and freely available. These sniffer tools are able to scan and detect MAC addresses, authentication tokens, Service Set IDs (SSID), names, signal strength, channel and other features. With time a wireless map of all vulnerable access points is constructed and discreetly distributed on the internet.

The potential for external and internal fraud is ever-present and our mobile service providers have obviously implemented various technical security measures for example encryption of the traffic across the air interface. This encryption is difficult to crack because these encryption keys change every time the authentication process is performed.

Knowledge and vigilance are formidable allies for M-Bank users. It is advisable to familiarize yourself with these wireless technologies and how they are categorized by function, frequencies, bandwidth, communication and security protocols.

It is also crucial to acquaint yourself with the legal and regulatory structures, however inadequate they presently are.

Mobile telephony providers are obligated to employ the most effective technical security measures so as to protect consumers of their services. It is not enough to swiftly roll-out services and make monetary windfalls.

The security challenges of M-Banking are not only technical. Agents are averse to keeping large sums of money in their premises lest they are robbed.

Despite these challenges M-Banking is a technological development that has provided substantial positive opportunities to Kenyans. It should therefore be safeguarded as rapidly develops throughout Kenya.

No comments: