Africa faces some unique challenges pertaining to the security of mobile communications. A common misconception is that African networks and Africans themselves are not high value targets, and that they’re not on the radar of any of the major Advanced Persistent Threats (APTs) or crime rings. This is unfortunately not true.
As a rule of thumb, cyber criminals seek to monetize illicit access to information by the easiest, lowest risk means available to them. And, put simply, data on African networks is often an easier target carrying a lower risk of being caught.
Africa boasts over 300 million Internet users, and its top five economies are actually global leaders in key aspects of mobile commerce. As an example, the M-Pesa mobile money transfers platform is one of the largest in the world, processing over 6 million transactions every day in Kenya alone – more than Western Union does globally. And, while nearly $2bn is exchanged via M-Pesa every month, cash still reigns supreme across much of Africa, accounting for 9 of 10 transactions. This represents massive growth potential for a platform that could conceivably be used to defraud millions of Africans, and M-Pesa is but one of many m-Commerce platforms experiencing massive growth across the continent.
Africa’s uptake in mobile technology has not gone unnoticed. While it is true that a Westerner’s account details do have a higher price than the same data stolen from an African, the reality is that African data is actively being targeted, stolen, and sold on the black market.
In December of last year, Kenya arrested 77 Chinese nationals operating a large cyber crime ring with sophisticated equipment capable of duplicating ATM cards, and intercepting SMS messages, mobile banking communications, Point of Sale systems, and others. It is unclear how long the group had been operating within the country, or to what extent they’d been able to execute. What is clear is that the group was well-resourced and had the means necessary to do some real harm to African financial institutions and their customers.
They aren’t alone. In the first quarter of 2015 alone, Kaspersky Lab detected over 103,000 new malicious mobile programs. As alarming as this number is, attacks are not only growing more prolific, they are getting more sophisticated as well, and systems which do not implement defense-in-depth practices, enabling rapid detection and eradication, are unable to keep up. The most common, and oftentimes most effective, attacks rely upon SMS intercept or SMiShing (SMS text-message phishing), tactics, which exploit the end user’s lack of awareness of threats.
African government and business leaders with whom I work often express a desire to ‘leapfrog’ from a low level of technological advancement up to the latest and greatest, thereby skipping the intermediary steps the developed world has undergone to arrive at the relatively mature footing we are at today. This approach has merit with respect to technology itself, however it does little to address the knowledge gap underpinning the real issues at work here.
While African information and communication technology (ICT) usage has begun to take off, regulations pertaining to cyber security standards continue to lag, and a dearth of resources and attention are being applied to developing the skills and education required to build sustainable cyber security into these new systems. This is resulting in both some risky practices and also leaving a massive pool of potential victims unaware of risks, best practices, and countermeasures.
As any cyber security expert worth his/her salt will tell you, there is no single tool, process, or technology that can solve this problem. African governments need to turn their attention towards developing practical regulations designed to protect sensitive information and education programs designed to promote awareness of security at each level of society. Businesses need to perform thorough risk assessments, seeking independent subject matter expertise wherever possible. Consumers, like everywhere in the developed world, need to exercise vigilance in their online activities, because even the most secure systems can’t protect a user who doesn’t know how to protect themselves.
