The developed world takes universal cashless payment systems for granted. From credit cards and online banking to massive scale business-to-business transactions, our modern economy is reliant on regular and instantaneous movement of funds. And for the most part, transactions are secure and customers are safe from electronic fraud. But can the same be said of the systems in developing countries?
Mobile money offers tremendous promise to enable financial inclusion in the global south, where in many countries more people have a mobile phone than a bank account. These systems have been viewed as an improvement to physical security because customers no longer need to carry large amounts of currency or travel long distances to make payments. However, little attention has been paid to whether these accounts are actually secure and customers’ money is safe, until now.
We recently published a security analysis of mobile money apps in developing countries, focusing on a new wave of branchless banking applications designed for smartphones. First-generation SMS-based mobile money apps are already known to be vulnerable to attack inside telecommunication provider networks.
We looked at 46 Android apps from countries including Brazil, India, Nigeria and Thailand, focusing on the three most important banking functions: account registration, account login and transaction procedures. Half were found to improperly encrypt their communications, potentially allowing an attacker to steal money.
Our analysis exposed many vulnerabilities. We observed that many applications created their own communications protocols that could allow an attacker to capture account information, impersonate users and steal money with ease. Some of the weaknesses would require an attacker to be physically near their target, whereas others could potentially enable large-scale theft from anywhere in the world.
However, one application (Zuum, from Brazil) did not appear to have these problems, demonstrating that it is possible to build a technically robust mobile money application. This application was built in partnership with Mastercard, which likely helped to provide security experience. Such expertise is unfortunately not available to all application developers.