Are global mobile phones succeeding where cards are failing?

Global Fraud Focus: Examining cross-border issues

In June, the number of active mobile phones (or cellphones, as they say in the States) nearly exceeded the global population — rising from 6 billion in 2013 to more than 7 billion in 2014. (See GSMA Intelligence.)

Using mobile phones to make payments is nothing new. Mobile network operators began M-Pesa (M for mobile, pesa is Swahili for money) in Kenya in 2005. The service now has 17 million accounts. M-Pesa succeeded, in part, because Kenya is a large country with long distances between few banks. (See Enabling mobile money transfer: The Central Bank of Kenya's treatment of M-Pesa, the Alliance for Financial Inclusion.)

Only one in five Kenyans have access to traditional banking. However, now they can deposit, withdraw and transfer money, and make payments with their mobile phones. (See Expanding the Financial Services Frontier: Lessons From Mobile Phone Banking in Kenya, by Mwangi S. Kimenyi and Njuguna S. Ndung'u, Brookings.)

Many other companies offer a variety of ways to make payments using mobile phones. They include mobile airtime accounts, QR codes, mobile banking apps and "near field communications," in which a consumer simply holds a mobile next to a point-of-sale register. (See Five UK banks to launch Zapp NFC and QR payments, by Rian Boden, January 15, NFC + world.)

Increasingly, more merchants are using mobiles (and other devices) as point-of-sales' registers with such services as Square. In the U.K., the British Banking Association has launched Paym, a service that allows users to transfer money into personal banking accounts with only the receivers' phone numbers. (See Mobile phone payments system to be launched by banking industry, BBC News – Business, March 10.)

Adrian Kamellard, chief executive of the Payments Council, said in the BBC article, "The service has the potential to link up every bank account in the country with a mobile number — millions of people will be able to use it this year and we look forward to expanding Paym even further, so everyone can benefit from this easy, secure new way to pay."

How secure are these systems?

My research, to date, shows these money payment systems are secure so far despite attacks that regularly test IT platforms. A GSMA article, Managing the Risk of Fraud in Mobile Money, by Lara Gilman and Michael Joyce, suggests fraud could occur in three distinct areas: transactional, channel and internal.

Transactional

• Vishing/smishing: "Use of phone calls or SMS to gather personal details such as account numbers, PINs or personal identification details."
• Advance fee scams: "Customers duped to send funds under fake circumstances or promises."
• Payroll fraud: "Non-existent or ‘ghost' employees receiving funds."
• Reversal requests: "Customer requests to reverse transactions that were in fact successful."
• False transactions: "Sending fake SMS to make customers believe a transaction was successful. Often accompanied by a reversal request."

Channel

• Split transactions: "Agents split cash-in transactions in order to earn multiple commissions (only applies to tiered commission structure)."
• False transactions: "Agents transferring customer funds to personal account."
• Registration fraud: "Creation of accounts for false, invalid or duplicated customers for the purpose of obtaining extra registration commissions."

Internal

• Internal fraud: "Employees colluding for unfair personal financial gain."
• Identity theft: "Employees accessing and exploiting customer information without authorization."

While these risks undoubtedly are present, the authors of the GSMA article don't appear to consider the purely technical sides of transactions. Organized crime attacks every new technology to exploit vulnerabilities and use them for new possibilities to steal money. However, mobile phones have been in the hands of gangs since they came on to the market, but it appears they have no big success stories yet. Possibly phone companies are developing more secure systems and are using encryption. We've all read reports of mobile money fraud but they either 1) involved scams in which fraudsters have tricked individuals into giving their personal details 2) users passed their mobiles to others or 3) were large-scale data breaches.

A 2011 survey by Javelin Strategy & Research and PaymentOne showed that four times as many people believe direct-carrier-billed mobile payments are more secure than using credit and debit cards for online digital purchases. As confidence in mobile payments grows, so will the industry.

I've examined a number of mobile payment solutions. Some like Mi-Pay offer indemnification against fraudulent transactions while others use the latest technologies to secure their systems.

In an interview I had with Etienne Van den Bogaert, chief technical officer and acting CEO at goSwiff Ltd., he explained that its system, which facilitates mobile payments, uses multi-factor, bank-standard security measures that, he said, guarantee a secure payment. Once a user activates an account, that person has a unique pin and the mobile is identified as a unique ID. An exclusive private encryption key is attributed to the registered user and stored on go-Swiff's server, not on the mobile, which forwards a public key to the user.

goSwiff's multi-factor authentication will only allow a transaction when the unique combination of PIN, user ID and unique encryption keys are activated simultaneously. According to the company, the system also deploys a range of other security features to prevent cross-border transactions and monitor the volume and type of transaction. While goSwiff couldn't prevent a fraudster from using a genuine stolen card and PIN, it would be able to identify the user.

This type of security exceeds debit and credit card transactions. Proof: fraudsters selling enormous volumes of compromised card data on the Internet.

Can fraudsters use mobile payments for money laundering?

During my interview with author and money laundering authority, John Cassara, he said that mobile phone providers have reported few cases of money laundering.

However, he said that developing countries, in which exponentially growing mobile payments are allowing them to "leap frog right into the 21st Century," typically struggle already with money laundering and terrorist financing with traditional methods of moving money. "So combating new payment systems will be very challenging for them," Cassarra said. "Some have weak legislation and little investigative capacity."

He said the mobile money transfer industry invites abuse during the three parts of money laundering: placement, layering and integration. "It is so simple to give low-level smurfs money from illicit activities by loading up their phones each day. Integration by transfer from one account to another is simple, too," Cassarra said. "And I know there are reports where some telecoms companies are being bought with dirty money to facilitate integration. Some countries don't have the technical expertise or manpower to identify the placement and layering, and there is not much being done about it."

While fraudsters do have opportunities to launder money in countries and regions that have weak regulations and laws, large telecommunications companies do appear to have processes to counter this fraud.

Secure mobile phones? Don't be fooled

Global mobile phone manufacturers appear to be including secure new emerging systems so the "unbanked" and "banked" alike can use devices for depositing, withdrawing and transferring money, and making payments (especially in developing countries). However, as mobile money operations become more popular — and they will — organized crime will be determined to find new ways to attack and exploit vulnerabilities beyond straightforward hacks.

Tim Harvey, CFE, JP, is director of the ACFE's UK Operations and a member of Transparency International and the British Society of Criminology.

 

Dr. Richard Hurley retires as 'Global Fraud Focus' co-columnist

After seven years as a regular Fraud Magazine author — five years as a "Global Fraud Focus" co-columnist and two years as the "Fraud EDge" columnist — Richard E. Hurley, Ph.D., J.D., CFE, CPA, CFF, is moving on to other endeavors. (Tim Harvey, CFE, JP, will continue writing "Global Fraud Focus.")

"Rich has to be one of the hardest-working CFEs I know," says Dick Carozza, CFE, editor-in-chief of Fraud Magazine. "He's not only an accounting professor-in-residence in the University of Connecticut School of Business, he's also a practicing CPA and attorney. We've been so fortunate over the years that Rich has contributed his informative, practical and whimsical columns and articles to Fraud Magazine. He's an original!"

Hurley is a member of the ACFE Scholarship Committee, past chair of the ACFE Higher Education Committee and is the 2011 ACFE Educator of the Year.

"Fraud has expanded globally into activities involving numerous international participants — witness the Libor/Eubor rate rigging scandal — willing to conspire together to defraud millions of consumers worldwide," Hurley says. "The ‘Global Fraud Focus' column will continue to provide a wide lens for readers to stay focused on global fraud events."

Read more insight and discuss this article in the ACFE's LinkedIn group.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.