Mobile money fraud: Two factor authentication, an algorithm to end this menace
29th May 2021
Mobile money is the fastest and most convenient, and until recently the most reliable, means of making online payments in Ghana.
The government of Ghana is striving to build a cashless economy to reduce the risk of people carrying huge cash around.
Mobile payments provide a mechanism for conducting financial transactions using a mobile device as an alternative to using cash, cheques, or credit cards.
The mobile device is linked to a bank account, card account (credit, debit, or prepaid), or stored value (e.g., prepaid wallets, online stored value, stored value cards) from which money is deposited or withdrawn.
Mobile money services, however, are extremely attractive to fraudsters. The recent requirement to present an ID (Identity Document) card to make a withdrawal at a MoMo agent shows that the fight against MoMo fraud is yet to be won.
This policy of showing an ID card fails to establish ownership the way a bank does, because it only confirms that the face on the ID matches the face of the person requesting the withdrawal.
When the ID card details are entered into the system, it does not check that the name on the MoMo account matches the name on the ID card; I could use my brother's ID card and the system would still allow the agent to make the withdrawal for me. At a bank, a copy of the ID card is made and kept for future reference, but a MoMo agent never does this.
This policy confirms only that the person holds a valid ID card; fraudsters can enter any arbitrary ID number and the system will still allow them to withdraw your money.
The SIM card they use is fraudulently registered and cannot be traced. It is therefore more prudent to stop the fraudsters before they act than to wait for them to commit the crime.
Below is a proposed system for MTN Mobile Money transactions. This algorithm shall weed out any issue of fraud in the system.
Algorithm: Making a withdrawal
The drawer (customer) generates a code using the amount to be withdrawn and the agent's merchant ID. This code can only be used to withdraw from that agent, and it expires after 5 minutes.
The merchant takes the drawer's code and keys it into the system. The system displays the amount to be withdrawn to the agent and asks the MoMo agent to confirm with his/her PIN that he/she can pay out that amount.
The agent's confirmation then generates a prompt for the drawer to also confirm with his/her MoMo PIN.
Both parties (drawer and agent) receive a text message notification confirming the transaction.
Loopholes this system will plug
Remote generation of a cash-out prompt: This is eliminated because the drawer is now the only person who can generate a code for a cash-out to a specific MoMo agent. Nobody can sit anywhere and generate this code, because the backend application that creates it is encrypted and cannot be decrypted within the 5 minutes for which the code is live.
Assuming fraudsters use social engineering to get me to key in my PIN, the generated code will come back to my phone and not to the fraudster. This means the fraudster now has another task: deceiving me into sending them the code, which will then be used to initiate the withdrawal. Even that is not the end; the fraudster must again deceive me into entering my PIN for the final withdrawal of my money. It will take the devil to get me to do all this without noticing that my money is being taken away.
Remote withdrawal of money: This system requires the drawer and the agent to be physically next to each other. In mobile technology, your phone is constantly registering its location with the network every 4 seconds.
During the location update process, the cell_ID of the phone at that moment is sent as part of the update. A cross-referencing system shall compare the location update details of the agent and the drawer to confirm that they are physically close to each other before the code is generated.
The below diagram shows the MoMo withdrawal algorithm.
Algorithm: Sending money to another Momo user
The sender generates a code using the amount to be transferred and the receiver's mobile number. The network operator (MTN in this case) sends this code to the sender.
The sender then initiates the process to transfer the said amount to the receiver.
A text message is sent to the sender and the receiver confirming the transaction.
Loopholes this system will plug
Remote generation of a cash-out prompt: This is eliminated because the sender is now the only person who can generate a code for a cash transfer to another MoMo user. Nobody can sit anywhere and generate this code on my behalf. Again, even if social engineering gets me to generate this code, it is sent to my phone and not to the fraudster's.
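Both flows above (the withdrawal and the send-money transfer) rest on the same server-side construction: a short-lived code bound to the amount and the counterparty, which only the customer's own PIN can complete, with the withdrawal variant adding the agent's PIN step and the cell_ID proximity check. The simulation below is an added example, not code from the article or from MTN; the HMAC construction, the 8-digit code format, treating "physically close" as an identical cell_ID, and every phone number, merchant ID and PIN are assumptions or constructed samples.

```python
import hashlib, hmac, secrets

CODE_TTL_SECS = 300  # the proposal's 5-minute code lifetime

class MoMoBackend:
    """Toy backend for the proposed flow; phones, merchant IDs, PINs and cell_IDs are constructed samples."""

    def __init__(self, key: bytes, pins: dict):
        self.key = key      # server-side HMAC key: a code cannot be forged on a handset
        self.pins = pins    # phone or merchant ID -> PIN (plain text only in this toy)
        self.cells = {}     # phone -> cell_ID from its latest location update
        self.pending = {}   # code -> transaction awaiting confirmation(s)

    def location_update(self, phone: str, cell_id: str) -> None:
        self.cells[phone] = cell_id

    def generate_code(self, customer: str, counterparty: str, amount: int,
                      now: int, withdrawal: bool = True) -> str:
        """Step 1: bind amount + counterparty into a short-lived code; withdrawals need matching cell_IDs."""
        if withdrawal and self.cells.get(customer) != self.cells.get(counterparty):
            raise ValueError("drawer and agent are not in the same cell")
        msg = f"{customer}|{counterparty}|{amount}|{now}|{secrets.token_hex(8)}".encode()
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()
        code = f"{int.from_bytes(tag[:4], 'big') % 10**8:08d}"  # 8-digit code
        self.pending[code] = {"customer": customer, "counterparty": counterparty,
                              "amount": amount, "expires": now + CODE_TTL_SECS,
                              "needs_agent": withdrawal, "agent_ok": False}
        return code  # sent only to the customer's own handset

    def agent_confirms(self, agent: str, code: str, pin: str, now: int):
        """Step 2 (withdrawal): agent keys in the code, sees the amount, confirms with PIN."""
        tx = self.pending.get(code)
        if tx is None or now > tx["expires"] or tx["counterparty"] != agent:
            return None  # unknown, expired, or bound to a different agent
        if not hmac.compare_digest(self.pins.get(agent, ""), pin):
            return None
        tx["agent_ok"] = True
        return tx["amount"]  # displayed to the agent, who decides whether to pay out

    def customer_confirms(self, code: str, pin: str, now: int):
        """Final step: the customer's own PIN prompt; the code is single-use; both get an SMS."""
        tx = self.pending.get(code)
        if tx is None or now > tx["expires"] or (tx["needs_agent"] and not tx["agent_ok"]):
            return None
        if not hmac.compare_digest(self.pins.get(tx["customer"], ""), pin):
            return None
        del self.pending[code]  # one code, one transaction
        sms = f"GHS {tx['amount']}: {tx['customer']} -> {tx['counterparty']} confirmed"
        return {tx["customer"]: sms, tx["counterparty"]: sms}
```

Passing `withdrawal=False` models the send-money flow, where the code is bound to the receiver's number and no agent step exists; in both flows a code keyed in by the wrong party, after 5 minutes, or a second time is refused.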
In conclusion, if these algorithms are implemented as outlined, MoMo fraud shall be a thing of the past. The algorithm gives the user the power to request and complete a transaction, and even when the initiation step is attacked, the next phase remains firmly in the user's hands to either continue or reject the whole transaction.
The drawback of the existing system is that the user has only one authentication step to complete a transaction, which gives the fraudsters the chance to strike only once. In the proposed system, the fraudster will have to strike three times before they can withdraw money from their victim. Only SATAN himself could be this lucky with his victims.
Business24.com