ATM fraud: Forget EMV; Try Mobile Money

This Christmas did not pass without much drama for many Kenyans. For some days before the holidays, banks had sent what looked like panic notifications advising customers to change their ATM card PINs. Although I don't recall being a targeted recipient of the "Change your PIN" plea by my bank, good old Twitter amplified the message at some point on 23rd and 24th December.



As fate would have it, having been unable to scamper for the seemingly account-saving change of PIN, Christmas Eve would be the day fraudsters would hit my account. In the resulting helplessness of things, where else to go but good old Twitter to share the experience with the rest of the world?

So off went the message, if only to tell fellow Kenyans that the earlier "Change your PIN" messages were not to be taken as jokes. Some of what followed would become history with some coverage on Citizen TV.


When old friend Henry called me up for an interview on the fiasco, I had one key message in mind for their TV audience. That message was:


"Using mobile money is comparatively safer than using ATM cards".


Obviously my message did not come out in the interview - it must have been so underdeveloped in my mind that the editors could not infer much from what I said. Or perhaps the story needed to link better with the apparent agitation by Kenya Bankers Association and Pesa Point for banks to migrate their ATMs and card systems to the Europay, MasterCard, Visa (EMV) standard. The EMV platform also seems to be called the "chip and pin" system by journalists. The more I thought through my mobile-money-is-better message, the more the questions to myself piled up.

To begin with, let's see what technological challenges the fraudster has:

For ATM skimming, the kind of fraud that has apparently hit many Kenyans, to happen, the fraudster has to have accessed the victim's account details, which are usually encoded in the black magnetic strip on the back side of the card. The fraudster also has to somehow discover the victim's four-digit PIN for the card, which, in the case of magnetic strip cards, is never stored among the other details on the card. In short, armed with the information in the magnetic strip, the fraudster makes a clone of the victim's ATM card, and the only other thing they need is the victim's PIN, after which they can do anything the victim can do with the account at their safest, favorite ATM.


To set up their trap for gathering the above two pieces of information, fairly commonplace technology is used. In both cases of the magnetic strip ATM card, the fraudster has to overcome two technological challenges: that of cloning the information in the card and that of knowing the original card's PIN.

In both cases, the technological challenge of knowing the victim's PIN is easily surmountable with the diminishing size and increasing abilities of spy cameras. The fraudsters' other option is to overlay a look-alike key entry pad on the ATM's original pad.

To gather account information on the card matching the PIN acquired, the fraudster needs only to acquire a magnetic strip reader that can be appended in a disguised manner to the ATM's authentic reader. Similarly, a smart card reader can be appended to the authentic ATM reader in the case of EMV cards. Once the information is read (copied) by the fraudster, their next move is to write (paste) it to their own "fake" card, which becomes a clone of the original one in the victim's wallet.

For curiosity click here to read a fraudster's how-to - only if you will not join in the crime.

The human action challenge

Since most, if not all, ATMs in Kenya have guards assigned to them at all times, the fraudster must also plan to either bribe away the "soldier" or somehow get the guard to sleep so that they get ample time to install paraphernalia on the ATM. The other, cheaper way to get pieces of the information required by the fraudster is to be friends with rogue bank (card center) staff or promise to share the earnings of the venture with them. For my discussion's sake I shall consider this a human challenge and not a technological challenge - the latter being the substantive discussion here.

The SMS alert challenge (StanChart Scenario)


In my opinion, the fraudsters' greatest challenge for the magnetic stripe case is that of the SMS alerts sent to the victim's phone detailing when and where a transaction takes place. That allows the user to act promptly in response to the attack. SMS alerts related to Point of Sale purchases usually bear the names and locations of merchants where transactions take place. Specific location information is surprisingly missing in the StanChart SMS alert messages for ATM withdrawals. The alerts do not specify the exact location of the ATM, which could assist in "nabbing" fraudsters if, by some lucky convergence of factors, there are contactable and cooperative police officers or members of the public in the vicinity of the crime - among other factors. A workaround for the fraudsters in the StanChart case seems to revolve around the delivery time of SMS alerts. How SMS alerts seemed to get to victims 5 hours after the fraudulent transactions, whereas under normal circumstances such notifications are received instantly, is a puzzle.


The Cloning Challenge

Data on magnetic stripe cards does not have "copy-protection" features and hence cloning of cards based on this technology is fairly straightforward for the criminals. This is not the case for EMV cards. At the point of making a copy of the original cards, fraudsters face a tougher technological challenge of cryptography. This is where banks, merchants and card issuers implement the EMV card system. Cryptography under the EMV standard prescribes a process where data in the smart card can be protected against modification or cloning. This is one of the features that EMV proponents have successfully used to rally banks the world over (including in Nigeria) to transition from the magnetic stripe - with Kenyan banks being left behind.
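The difference this section describes, as an added example (not from the original post): a toy issuer that authorises a static magnetic-stripe record and a chip card's per-transaction cryptogram. HMAC-SHA256 stands in for the EMV cryptogram algorithm, PIN checking is left out, and every class name, card value and transaction string is constructed for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, pan: str, atc: int, txn: bytes) -> str:
    """MAC over account number, transaction counter and transaction data (HMAC stand-in)."""
    msg = pan.encode() + atc.to_bytes(2, "big") + txn
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MagstripeCard:
    def __init__(self, track: str):
        self.track = track            # static: reading the stripe yields everything on it

    def present(self, txn: bytes) -> dict:
        return {"track": self.track}  # identical bytes for every transaction


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0   # _key never leaves the chip

    def present(self, txn: bytes) -> dict:
        self.atc += 1                 # application transaction counter
        return {"pan": self.pan, "atc": self.atc,
                "cryptogram": cryptogram(self._key, self.pan, self.atc, txn)}


class Issuer:
    def __init__(self):
        self.tracks, self.keys, self.last_atc = set(), {}, {}

    def enrol_chip(self, pan: str) -> ChipCard:
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self.keys[pan])

    def authorise_magstripe(self, msg: dict) -> bool:
        return msg.get("track") in self.tracks        # all the issuer can check is equality

    def authorise_chip(self, msg: dict, txn: bytes) -> bool:
        pan, atc = msg.get("pan"), msg.get("atc", 0)
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:  # unknown card or stale counter
            return False
        expected = cryptogram(key, pan, atc, txn)
        if not hmac.compare_digest(expected, msg.get("cryptogram", "")):
            return False
        self.last_atc[pan] = atc
        return True


def run_demo() -> dict:
    issuer = Issuer()
    txn1 = b"ATM-WITHDRAWAL|KES 5000|terminal-A"      # constructed sample transactions
    txn2 = b"ATM-WITHDRAWAL|KES 40000|terminal-B"

    stripe = MagstripeCard("CONSTRUCTED-TRACK-0001")
    issuer.tracks.add(stripe.track)
    seen = stripe.present(txn1)
    copy = MagstripeCard(seen["track"])               # a copy is just the same bytes

    chip = issuer.enrol_chip("CONSTRUCTED-PAN-0002")
    observed = chip.present(txn1)                     # what a reader on the wire would see
    keyless = ChipCard(observed["pan"], secrets.token_bytes(32))
    keyless.atc = observed["atc"]                     # public fields copied, key unknown

    return {
        "stripe_genuine": issuer.authorise_magstripe(seen),
        "stripe_copy": issuer.authorise_magstripe(copy.present(txn2)),
        "chip_genuine": issuer.authorise_chip(observed, txn1),
        "chip_replay_same_txn": issuer.authorise_chip(observed, txn1),
        "chip_replay_new_txn": issuer.authorise_chip(
            dict(observed, atc=observed["atc"] + 1), txn2),
        "chip_copy_without_key": issuer.authorise_chip(keyless.present(txn2), txn2),
    }


if __name__ == "__main__":
    for check, accepted in run_demo().items():
        print(f"{check:24s} accepted={accepted}")
```

The issuer accepts the copied stripe because equality is the only test available to it, while each chip message is bound to a secret key, a counter and the transaction data.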

Although the EMV card system carries reduced chances of ATM fraud, Rober Murdoch and other researchers at University of Cambridge have exposed a couple of vulnerabilities with EMV implementations. These include the wedge vulnerability, the PIN entry device vulnerability, and relay attacks. Below is a UK video narrating two real-life fraud experiences and a re-enactment of the fraud against an EMV card.


The scarier concern here is the insistence by EuroPay, MasterCard and Visa that liability for fraud affecting an EMV (Chip and Pin) card implementation MUST be borne by the cardholder. I leave that fight for the consumer rights activists to pick up, as they seem to have success with the Digital TV migration issue.

Mobile Money - Technologically Simpler, and Superior?

And now to my theory about better safety in Mobile Money withdrawals and purchases. This builds on a not-so-old article in Kopokopo's blog. In the article, Ben Lyon argued that it is safer to pay with M-Pesa than using credit / debit cards. Ben's argument applies well to "point of purchase" situations among ATM card holders, and everyone needs to take note of that to begin with.

It can be argued, for the specific case of "Point of Withdrawal", that the technological challenges for fraudsters capturing PINs in the case of Mobile Money account holders are much greater than in the ATM case. The ATM is a public machine where anyone can "legitimately" access the physical installation. The mobile phone is a personal device. A technological PIN-capturing scheme by any fraudster against mobile money systems can potentially be reduced to spying on usage of an individual mobile phone's keypad. This seems much more difficult than setting up spy cameras or overlaid keypads at an ATM accessed by multiple account holders. The question is whether the mobile operators can assure people that the communication channel between the mobile phone and the mobile money authentication service is encrypted, which would reduce options for the fraudster sniffing the line for people's mobile money PINs across the mobile networks.

The mobile money equivalent of cloning the account holder information seemed complicated for the fraudster, until I thought about SIM cloning. Although there are arguments suggesting that SIM cloning is practically impossible, theoretically a fraudster could clone a SIM card if they had enough reason. They might as well steal the original SIM card / phone from the account holder if SIM cloning became impossible. Of course, the parallel to stealing the SIM card in the ATM fraud case is that of stealing the card from the card holder, which is not an area of comparison in this article.

Critics of mobile money will say that mobile money agents are scarce geographically and may not be accessible for withdrawals at night. The same applies to ATM infrastructure, and mobile money fares better on the same yardsticks in rural areas. More importantly, withdrawal of mobile money from ATMs is possible without using the all-vulnerable ATM cards. Instructions for withdrawing Mpesa and Airtel Money from PesaPoint ATMs are evidence of that. Mobile money's early challenges of float for deposits and agent distribution are also surmountable.

The challenge of the amounts acceptable within mobile money is also real. One can pay bills of $2,000 using a credit card in the UK, and that's not possible with mobile money in Kenya. When reduced to the context of money withdrawals, mobile money and ATM systems seem comparable, since ATM systems often imply daily or weekly withdrawal limits for security.


Putting your mouth where your money is ...

With possible security loopholes in magnetic stripe systems, EMV cards and mobile money, the question of which one to build on and enhance is obvious - to me. Kenya's financial institutions, mobile network operators and independent innovators should invest resources in making their mobile money implementations more secure - so secure that, for security considerations, they stand out ahead of solutions fronted by foreign corporations such as Visa and Mastercard.

There is already a national competitive advantage built around mobile money among Kenyan institutions. From mobile money transfers to mobile banking to mobile money withdrawal, Kenya is at the forefront in showing the world how to grow the platform. The solution to the ATM fraud issue should therefore not obviously be the expensive replacement of banks' magnetic stripe card infrastructure with a smart card based EMV infrastructure. Part or most of the solution is for banks and other players to better embrace Kenya's mobile money revolution.

Conclusion: Job Creation

By the sheer fact that mobile money systems create jobs at the agency level that upgraded (EMV based) ATM machines will not create, it can be argued that putting our mouth where our money is by developing mobile money systems further is better than mass importing new ATM machines, Point of Sale terminals and other related infrastructure items.

Evolving thoughts on innovation, entrepreneurship and economic growth

Entrepreneurs create new businesses, and new businesses in turn create jobs. New businesses intensify competition for existing larger businesses. Increased competition forces small and large enterprises alike to innovate and be more efficient in creating value for customers. Efficient value creation results in a more productive economy, hence economic growth.

Arguably, many large enterprises in East Africa do not face much competition, at least not enough to give research and development the priority required for innovation to grow. Furthermore, many of the larger enterprises within East Africa are multinationals whose research and development initiatives are controlled by their parent entities abroad. Therefore innovation for such multinationals is more likely to target global markets and not local markets in developing countries, where revenue streams are comparatively insignificant. The other significant proportion of large enterprises in East Africa consists of parastatals and government entities, which are by their very design incapable of being innovative. Generally, government related corporations are so stuck in public sector dynamics that innovation and value optimization for customers is rarely a real intention among their top executives.

The role of value optimization and innovation in East Africa's economies is therefore by default delegated to smaller enterprises, start-up firms and entrepreneurs driven by the opportunities or necessities created in the market place. In a 2006 paper titled "Is entrepreneurship good for economic growth?" Zoltan Acs used Global Entrepreneurship Monitoring (GEM) data from over 20 countries to argue that not all such entrepreneurial activity contributes to economic growth. The case is more apparent in developing countries where individuals are forced into entrepreneurship by necessity (lack of jobs) rather than primarily to pursue perceived market opportunities.

Very often, independent startup ventures in developing economies are likely to fail at some point for the following reasons:
  • Derailment by alternative opportunities - Founders can get derailed easily by employment opportunities emerging with larger companies, NGOs and government institutions promising to afford them financial comfort - albeit for the medium term. Besides formal employment opportunities for founders, start-up firms often find themselves derailed by opportunities to service contracts that are not related to their core mission. This way their 'flagship products' suffer stunted growth as the firm evolves into a "general consulting" outfit.
  • Start-up firms easily get locked into a sub-optimal operating state where they lack finances to increase awareness of their new, otherwise viable products. They lack marketing funds to acquire critical numbers of customers to break even in their operations. Such startups end up not growing or closing down as they find it very difficult to penetrate the market.
  • Individuals forced into entrepreneurship by necessity are likely to lack technical or managerial skills to grow their business beyond certain levels unless they raise funds to employ the people with the right skill sets. Startups are often unable to acquire the right human resources for growing their businesses beyond the vulnerable start-up phase. As a startup begins to move beyond its minimum viable product, it rapidly needs to shift focus to marketing, working capital management and project management, among other aspects of business management without which sustainability is not assured.
The common thread in the above reasons for startup failure is "access to capital". A strong case therefore exists for entrepreneurs in East Africa to prioritize their fund raising efforts for sustainable growth. Given that debt financing for young startups is rarely an option in East Africa, entrepreneurs need to focus on other forms of financing such as grants and equity investment. That is not to forget the option of participating in entrepreneurship competitions with significant prize monies, such as Pivot East.

That grant financing would be preferable to entrepreneurs is a no-brainer. However, although grants are accessible if one is lucky, equity based investments present better opportunities for serious startups raising funds for growth. Equity based fund raising ensures that founders think through their business seriously, as investors will only touch them if they can validate their business models for significant returns on investment. Equity based investment also ensures that the founders have a better sense of business accountability by virtue of other people having a stake in the business. Equity based financing often comes with opportunities for business mentorship and networking linkages from the financing parties. The temptation among entrepreneurs often is to resist dilution of their equity ownership by the introduction of investors. That mentality begs the question "would you rather own 100% of a $10k company destined for stagnation or would you rather own 70% of a $10k company on a solid growth path to $10m?"

In conclusion, there is need for the entrepreneurs to take equity investment options more seriously for growth and sustainability of their businesses. That way the economies in East Africa can benefit from innovations and value optimizations expected from entrepreneurs and smaller businesses while the bigger corporates evolve to create value to customers more efficiently at a much slower pace.

Growing list of entrepreneurship competitions as Startup Weekend comes to Nairobi

In the last year or so Nairobi has been treated to a multiplicity of competitions and contests organised to promote local technology entrepreneurship. Depending on whether the chicken or the egg came first, one would argue that this has contributed to significant buzz and interest around East Africa’s growing tech start-up culture.

That the region is experiencing growth in the tech start-up scene is difficult to dispute. Doubting people only need to consider the tech scene’s coverage from global media houses such as The Next Web (Mnachi Mdema’s article and Francis Pisani’s article), the ReadWriteWeb (Curt Hopkins’ article), BBC (Egon Cossou’s article), Forbes.com and CNN (Dayo Olopade’s article) - to name a few.

Some of the entrepreneur competitions in the last one year that I can barely recall are IPO48, Garage48, App Circus, Huawei developer challenge. Some of the contests take a more global scope such as Nokia’s Create for millions Contest, infoDev’s Top 50 competition, Google Android Sub Sahara contest, and Apps4Africa. Other global challenges that are still ongoing include Samsung’s Bada Developer Challenge, the Ericsson Applications Award and infoDev’s m2work Micro-work Challenge.

The list of competitions for 2011 above is almost endless. It is however incomplete without mentioning Pivot 25, the predecessor of Pivot East. Being East Africa’s premier mobile apps competition culminating in a pitching conference in June, Pivot East is perceived by many as the grand showcase of mobile entrepreneurship in East Africa.

I have come across arguments in the local tech scene that developers and aspiring entrepreneurs have begun to suffer from “competition fatigue” so we should “slow down” on them. I argue that we do not yet have too many competitions and that in fact we cannot possibly have enough contests of this kind in East Africa. This in my view will continue to be the case for as long as we have not as a society fully embraced the start-up culture. More so, we should hold as many such competitions as possible for as long as our upcoming tech entrepreneurs have gaps in access to capital, markets, coaching, mentorship and other related entrepreneurship facilitation.

This weekend of 24th-26th February 2012 comes along with at least one more competition in Nairobi - Startup Weekend. The event will be hosted by Nailab at Bishop Magua Center, which is gradually becoming Nairobi’s tech startup building. The competition organization in different locations globally borrows from a common format overseen and supported by Startup Weekend, a 501c(3) Non-Profit organization in San Francisco, United States. It is designed to be a “54-hour event where developers, designers, marketers, product managers and startup enthusiasts come together to share ideas, form teams, build products and launch startups”. The format is very much like Garage48 and IPO48 and goes as follows:
  • On Friday evening attendees present their best ideas in open mic pitching sessions.
  • Over Saturday and Sunday teams focus on customer development, validating their ideas, practicing LEAN Startup Methodologies and building a minimal viable product.
  • On Sunday evening teams demo their prototypes and receive valuable feedback from a panel of experts.
In this weekend’s edition of the event in Nairobi, attendees buy tickets at a fee of Kshs 2,050 payable through M-PESA business number 111666 (received by Growth Africa Limited). Delegates attending only the event finale on 26th February will pay an entrance fee of KES 500. More information on tickets can be found on the event website http://nairobi.startupweekend.org/tickets/

The organizers have stated on their website that they have engaged renowned personalities in the industry as speakers, judges and mentors. These according to the organizers include Virtual City’s John Waibochi, ICT board’s Paul Kukubo, Paul Mwachi of Isys Software, Capital FM’s Chris Kirubi, inMobi’s Moses Kemibaro, and Craft Silicon’s Kamal Buthabati. Judging from the results of other weekend long contests held in Nairobi where teams of entrepreneurs accessed prize money, entrepreneurship capacity building, early stage investment and access to valuable networks, I would encourage many upcoming entrepreneurs to take part in this event.

Many more start-ups participating in contests such as Startup Weekend can only make East Africa grow its knowledge economy through entrepreneurship.  When more of the upcoming entrepreneurs are empowered with skills, exposure and funding, one can only bet on East Africa being able to showcase great progress in the region’s mobile entrepreneurship. The region’s Pivot East Pitching Conference and other entrepreneur showcase avenues may therefore brace themselves for bigger challenges in selecting the best of the best. 

Gearing up for Mobile Web East Africa 2012

The East Africa region continues to strengthen its profile as a mobile innovation hub. As mobile developers, entrepreneurs and stakeholders prepare for Pivot East, the region’s mobile apps pitching conference in June, a couple of industry related events are happening as well. These events are helping to showcase East Africa as a mobile innovation destination.
   
This week on 22nd and 23rd February, Nairobi gets to host one of East Africa’s conferences on the mobile web ecosystem. The conference was first held in Nairobi on 3rd and 4th February 2010 and comes back to the city two years later. Much has changed in the last two years and the conference is an opportunity for many to catch up with the state of affairs since mobile phone penetration and mobile data connectivity began to increase exponentially in the region. The conference will be at the Southern Sun Mayfair, and Kenya ICT board are its official hosts.

*iHub_ and m:lab East Africa are officially supporting the event. A 30% discount is granted for iHub members attending the conference for which registration can be made online here. The event organizers also are offering 50% subsidies on delegate fees to developers and start up companies under 2 years old and less than 10 employees. The event promises to be interactive and full of insights for developers, entrepreneurs and professionals playing in the mobile web sector. With a compelling agenda, the list of speakers and the discussion panelists, delegates are likely to appreciate better the state of affairs in the region’s mobile web ecosystem.

The conference starts with Kenya’s ICT Board CEO Paul Kukubo reviewing the evolution of the Kenyan sector from 2010 to 2012. The CEO is expected to highlight successes and challenges around local content, app monetisation, startup/SME financing, and innovation hubs. Kenya’s Permanent Secretary in the Ministry of Information and Communication is expected on the same day to speak about the government’s dedication and support to the ICT sector. The conference is also expected to hear from Research In Motion’s Technical Partnership Manager for Sub Saharan Africa - Michael Weitzel.

Mark Kaigwa, a partner at Afr-innovator, an African technology news portal, will also be there to examine the “Silicon Savannah” tag and whether it carries much substance beyond the increased marketing efforts by the Government. Other presentation and discussion themes for the first day include mobile marketing and the opportunity for app monetization and growth of brands. Frank Maina of Sponge East Africa and inMobi’s Moses Kemibaro will be speakers in this session. Entertainment and media consumption on mobile devices will be another area of discussion, with Johan Nel, Chief Executive Officer & Founder, Umuntu Media speaking. Emma Kaye, Chief Executive Officer of Bozza, will talk about the prospects of growth in mobile film making.

The second day commences with Strathmore University’s Joseph Sevilla exploring the trend of tech focused youth that might drive the next generation of mobile content, services and companies. Judith Owigar of AkiraChix will also speak on efforts to enhance uptake of tech-entrepreneurship by women. John Carroll, Director of Technology at ForgetMeNot Software, will speak on what it takes to cultivate a startup culture. Other presentation and discussion themes lined up for the second day include using mobile as a tool for empowerment and social good.

The second and final day will culminate in an app developer competition where 5 entrants will battle it out for $1500 worth of InMobi ad network spend and BlackBerry handsets among other prizes and benefits. The competitors will have five minutes to pitch.

The conference will end with an open mic session where any member of the delegation can take the podium to present and discuss whatever they like in 5 minutes. Each open-mic presentation will be followed by 5 minutes of questions and answers with the audience.

A full programme for the two day conference can be viewed on the conference’s website (www.mobileeastafrica.com).