
Airtel Mobile Commerce Uganda Limited (AMCUL), the mobile money and digital payments arm of Airtel Africa Plc, needs to overhaul its outdated mobile money system into a more dynamic and secure one if it is to avoid repeated hacks in which billions have been stolen, an ICT and cybersecurity expert familiar with the AMCUL system has told CEO East Africa Magazine.

The expert was commenting on the recent “Root Cause Analysis Report” shared by AMCUL’s Chief Executive Officer, Mr. Japheth Aritho Kinyua with the CEOs and the ICT/Cybersecurity Committee of the Uganda Bankers Association (UBA).

According to the report, hackers who, Mr. Kinyua said, appear to have had “detailed knowledge about the highly confidential configuration of the integration with partners” broke into the systems of two AMCUL partners, from where they accessed and stole from virtual accounts maintained by banks at AMCUL.

It is believed UGX7.6 billion was stolen.  

In the Root Cause Analysis report, Mr. Kinyua says several steps have been taken to secure the relatively old legacy mobile money system, and that partners were being onboarded to a more secure “Open API” system.

Kinyua, in his letter, said that amongst other steps, AMCUL had barred access to the system for all partners and set up a new designated independent port with unique IP addresses for each of the partners. All partners’ usernames, passwords and PINs had been reset, and a combination of the three would henceforth be required to authenticate logins. He also said AMCUL had put in place a password rotation system that would require users to reset their passwords every 45 days.

All the above was done for users still on AMCUL’s old mobile money platform, called Enterprise Integration Gateway (EIG). Kinyua also said AMCUL was working with partners to initiate migration to a more secure “Open API (developer portal) which has more enhanced security features including OAUTH where partners manage their own credentials”.

The expert, who spoke extensively to CEO East Africa Magazine, said however that these changes were just the tip of the iceberg and did not adequately address the challenges raised by the Uganda Bankers Association (UBA) ICT/Cybersecurity Committee. He said failure to comprehensively address the challenges raised by UBA still left AMCUL, its users and partners exposed.

An Airtel Money Shop. Experts have poked holes in the security of Airtel Money’s platforms, saying it endangers the security of the entire mobile money ecosystem.

“The changes are good, but this is just the tip of the iceberg. Airtel is just buying time. Airtel needs to ditch their legacy system altogether and make concrete steps to address the key issues raised by the bankers,” the source said, adding: “Maybe AMCUL is misusing its massive market power to bully the banks. The regulator needs to step in.” The source preferred anonymity for fear of reprisal from AMCUL.

“Over and above what AMCUL has done, they also need a robust suspicious transaction monitoring (STM) system. This is a very key element of any core financial services system. AMCUL has been struggling; their risk team has been asking for a fraud monitoring tool in vain. This is why, amongst the UBA Cybersecurity team’s demands to AMCUL, there was a requirement to install a system with real-time capabilities to monitor transactions. An STM system, because it is real-time, can monitor transactions as and when they happen, and flag issues immediately,” said the expert.

“In this digital era, every day thousands of suspicious transactions are flagged for closer scrutiny. The transactions have certain patterns: they will usually emanate from dormant accounts or new SIM cards. They are also irregular in terms of absolute size and/or quantity normally transacted by a given client. Suspicious transactions monitoring helps any financial services platform to flag such transactions and ensure proper authentication of the sources and purpose is done, before either rejecting or passing it. This is difficult to do if you do not have a real-time system, such as AMCUL has,” added the expert.

According to AMCUL’s own account of events, the suspicious transactions were filtered by one of the banks, who then alerted AMCUL.

Relatedly, the expert also said AMCUL needs to have in place a dynamic SIM-swap monitoring system that limits the nature of transactions a new SIM card can do.

“As observed by Airtel, most of these frauds are either insider jobs or by people with high-level access to the system. You will notice there is a high incidence of phone thefts and what these thieves are targeting is SIM cards. Once the fraudsters have access to your phone, it is easy to SIM swap and/or SIM clone. Thieves can also have access to passwords sent to your stolen phone to allow them to access the victim’s mobile or internet banking. What modern platforms have done, especially after the Pegasus Fraud of 2020, is install SIM swap monitoring systems. This system limits the functionality of a new or newly swapped SIM for a specified period in the hope that during this time, the victim is able to report or at least for proper authentication that the SIM is in the right hands,” the expert detailed.

The expert also said the same system or other similar systems are also able to detect dormant SIM cards and limit their functionality.

“Most of these frauds are carried out using SIM cards that have been dormant, as they do not belong to real people. Modern systems can detect dormant SIM cards that have not been used recently either for voice or data or mobile money and can reject mobile money transactions therefrom. This is what modern and dynamic systems do. If a SIM card has not been used for some time and all of a sudden it shows up on the system with mobile money transactions, the system should be able to detect and raise a red flag until it is authenticated. I am not aware that AMCUL has this system in place,” added the expert.
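The signals the expert names in the quotes above (a new or newly swapped SIM, a dormant SIM, and a transaction irregular in size or quantity for the client) can be written as screening rules that return the reasons to hold a transaction for authentication. The following Python example is added here for illustration and is not AMCUL's or any vendor's system; the thresholds, field names and sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import List, Optional

# Assumed policy values for illustration; not taken from the article or from AMCUL.
SIM_HOLD = timedelta(hours=72)      # restricted period after activation or swap
DORMANT_AFTER = timedelta(days=90)  # no voice, data or mobile money use
SIZE_FACTOR = 10                    # multiple of the client's median amount
MAX_PER_HOUR = 5                    # transactions per rolling hour
MIN_HISTORY = 5                     # history needed before judging size

@dataclass
class Sim:
    sim_changed_at: datetime              # last activation or SIM swap
    last_activity_at: Optional[datetime]  # last voice/data/money use before now
    history: List[tuple] = field(default_factory=list)  # (timestamp, amount in UGX)

def screen(sim: Sim, amount: int, now: datetime) -> List[str]:
    """Return the reasons to hold a transaction for authentication ([] = pass)."""
    flags = []
    if now - sim.sim_changed_at < SIM_HOLD:
        flags.append("new_or_swapped_sim")
    if sim.last_activity_at is None or now - sim.last_activity_at > DORMANT_AFTER:
        flags.append("dormant_sim")
    amounts = [a for _, a in sim.history]
    if len(amounts) >= MIN_HISTORY and amount > SIZE_FACTOR * median(amounts):
        flags.append("irregular_size")
    recent = [t for t, _ in sim.history if now - t <= timedelta(hours=1)]
    if len(recent) >= MAX_PER_HOUR:
        flags.append("irregular_quantity")
    return flags

# Constructed sample data (not real accounts or transactions).
NOW = datetime(2024, 1, 15, 12, 0)
regular = Sim(NOW - timedelta(days=400), NOW - timedelta(hours=3),
              [(NOW - timedelta(days=d), 50_000) for d in range(1, 8)])
swapped = Sim(NOW - timedelta(hours=2), NOW - timedelta(days=1),
              [(NOW - timedelta(days=d), 50_000) for d in range(1, 8)])
sleeper = Sim(NOW - timedelta(days=300), NOW - timedelta(days=200), [])

if __name__ == "__main__":
    for name, sim, amt in [("regular", regular, 60_000),
                           ("swapped", swapped, 2_000_000),
                           ("sleeper", sleeper, 500_000)]:
        print(name, screen(sim, amt, NOW) or "pass")
```

A flagged transaction is held until the sender is authenticated rather than rejected outright, which matches the "reject or pass after authentication" flow the expert describes.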

Both issues of SIM card registration and a fraud monitoring system were also raised by the Uganda Bankers Association, in their 8th November letter to AMCUL, as among the things that needed fixing.

The bankers, therein, noted that there were “many loopholes still apparent in the SIM card registration handling” and said, “This is an area of major concern to the UBA given the avenue for fraud perpetration it opens up.

“Airtel is to ensure better controls around SIM card registration Management,” the bankers wrote.

They also required Airtel to confirm the existence of “automated fraud management solutions”, but this issue was side-stepped in Mr. Kinyua’s letter to the bankers.

Some of the other key issues that the bankers wanted AMCUL to address remain unaddressed to date, or at least were not addressed in the AMCUL CEO’s letter to the bankers. These include the need to carry out a forensic investigation into the fraud incident, led by a mutually agreed, competent, independent third-party team of experts, as well as a requirement to have an independent third party review the security protocols that Airtel claims it had put in place.

The expert concluded that Airtel could be getting away with these deficiencies because of its power in the mobile money market.

“We all know that AMCUL, being a big player in the industry, somehow, even the bankers themselves will struggle to prevail upon them because it controls a big part of the Mobile Money ecosystem, which the bankers are all fighting to take a bite of. Right now Airtel has only four escrow partner banks, and MTN has over 10. So many of the banks would like to have a pie of the Airtel ecosystem which is still up for grabs,” he said.

“This is why probably the CEOs Committee of UBA poured cold water on what were proper security protocols recommended to them by the UBA ICT/Cybersecurity committee, which also included reporting AMCUL to the Central Bank if it failed to cooperate. At the end of the day, the CEOs committee sacrificed the security and integrity of the banking system at the altar of making money,” concluded the expert.

AMCUL’s Chief Executive Officer declined to respond to our inquiries for a month, despite a reminder.  
