Mobile Payments Security Issues
There’s no doubt that mobile phones are going to accelerate the adoption and use of the Internet in Africa for day to day activities. The question then is not if but when it will become mainstream.
If Internet usage and e-commerce will become widely adopted and utilized, then there are some speculative problems in the rather nascent mobile industry that will need to be tackled to ensure the success of this technology. In this post, I will discuss some of the issues facing e-commerce (or m-commerce in this case) that need to be addressed.
Phishing
In computing, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication.
Because of the way mobile browsers were originally designed, it is quite easy to phish users: mobile browsers do not normally display the address of the site currently being visited. This means that a fraudulent merchant can present a checkout link that claims to lead to a known payment processor and trick users into submitting their payment details on the site. Worse still, a scammer could send text messages with a link inviting users to enter this information. There are currently no security measures that can mitigate this risk on mobile phones.
Several months ago, several Nigerian Debit/ATM card holders fell prey to phishers when their account details were compromised by reason of a misleading email that was sent to their mailboxes requiring them to enter in their card details on a certain website. The reaction from the financial institutions was to disable online purchases that were being made with the cards. This affected quite a number of people whose accounts were not even phished in the first place. To say that the confidence for doing electronic commerce by Nigerians was eroded is an understatement. Even certain Internet savvy individuals I know don’t trust online merchants and believe they might be fraudulent.
When online purchases via the Interswitch network were started, I foresaw something like this happening due to the lack of the best security measure that should have been put in place.
Education
The majority of Africans that we intend to bring online in the coming years are not Internet savvy. A number of them don’t know how to protect themselves online. How many of them know that they should be wary of the sites online they submit their payment details to, not to talk of their own personal information?
It’s sad, but there are bad guys out there, and if these users are really going to engage with the Internet, they will need to be trained on how to use it effectively and protect themselves while they’re online.
The Solution
Now that the major issues facing mobile Internet adoption for e-commerce have been discussed, what is the solution? There’s really no single solution so I will propose a solution that can be implemented.
Apart from educating users, you will need technology that helps to protect them, and one such technology that I’m really interested in is two-factor authentication.
My proposed implementation is rather simple. When a user is registering with the service, he is asked for his mobile number and a verification code is sent, which he uses to verify ownership of the mobile phone. Whenever he needs to gain access to the service, he submits a username and password. If the combination is correct, a text message with a challenge is sent to his mobile, which must be entered to gain access to the system.
This will prevent unauthorized access to user accounts since the only way to beat the system will be to actually own the verified phone.
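The registration and login flow proposed above, sketched as an added example that is not code from the original post. The class and method names, the `send_sms` callback standing in for an SMS gateway, and the expiry and attempt limits are all assumptions the post does not specify.

```python
import hashlib, hmac, secrets, time
CODE_TTL, MAX_ATTEMPTS = 300, 3   # seconds valid / wrong guesses allowed (assumed values)

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SmsTwoFactor:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms, self.clock = send_sms, clock   # send_sms(phone, text) is hypothetical
        self.users, self.pending = {}, {}

    def _challenge(self, username, purpose):
        code = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, 6 digits
        self.pending[username] = {"code": code, "purpose": purpose,
                                  "expires": self.clock() + CODE_TTL, "tries": 0}
        self.send_sms(self.users[username]["phone"], code)

    def _check(self, username, purpose, code):
        p = self.pending.get(username)
        if not p or p["purpose"] != purpose:
            return False
        p["tries"] += 1
        expired = self.clock() > p["expires"]
        ok = not expired and hmac.compare_digest(p["code"].encode(), code.encode())
        if ok or expired or p["tries"] >= MAX_ATTEMPTS:
            del self.pending[username]   # single use: burn on success, expiry, lockout
        return ok

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _hash_pw(password, salt),
                                "phone": phone, "verified": False}
        self._challenge(username, "verify")           # prove ownership of the phone

    def verify_phone(self, username, code):
        ok = self._check(username, "verify", code)
        if ok:
            self.users[username]["verified"] = True
        return ok

    def login_step1(self, username, password):
        u = self.users.get(username)
        if not (u and u["verified"]
                and hmac.compare_digest(u["pw"], _hash_pw(password, u["salt"]))):
            return False
        self._challenge(username, "login")            # password OK: send SMS challenge
        return True

    def login_step2(self, username, code):
        return self._check(username, "login", code)
```

The challenge is short-lived, single-use and limited to a few attempts because a six-digit code could otherwise be guessed by repeated tries.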