Breaking News
Translate

Cashless Society: Is Nigeria ready for the information security challenges?

By Tope Aladenusi and Amaka Azike
With few days to 2012, the year that the Central Bank of Nigeria intends to implement a cashless society, many question our readiness for this transformation. In the last decade, there has been a significant shift in the way business is conducted in many parts of the world.

The use of cash as an exchange for goods and services has been replaced with the internet to accommodate a host of online services. As buyers and sellers increasingly transact business miles away from each other, there has been an increased demand by both parties for alternative means of payment.

The recent modes of payment include electronic payment, mobile payment, debit card, credit card, etc. Further research shows that the reliance on physical cash has gradually been replaced with electronic cash. Today, transactions are carried out on electronic networks, which instantly debit the account of the payer and credit the payee.

The predominant question on the minds of many is what is a cashless society? Will all cash be eliminated? The simple answer to these questions is NO, however; a cashless society is a society that minimizes the use of cash by providing alternative channels for making payments. After all, money is not necessarily physical cash; – money is what money does.

The concept of cashless society has been implemented in many countries especially in the developed countries where its citizens are inclined to the use of technology. One of the main quests for migrating to a cashless society is the move towards globalization and reduced cost of cash management.

The ability to purchase goods across borders is fostered with the ease of instant payment not necessarily with physical cash but electronic cash, for example purchases made online at Amazon and e-bay, further driving the world into a global village.

Besides the ease of purchasing goods and paying for services that can be done within and outside one‘s geographical location, another major drive towards the cashless society is cash management. According to a recent publication in the Vanguard newspaper, it was noted that in 2009, the total cost spent on cash-in-transit was N27.3 billion, while cash processing stood at N69 billion.

While the benefit of moving a society to a cashless era is in no doubt enormous, the shift is not as smooth as it seems. Countries like Singapore took seven years to embark on this journey and the ?silent revolution‘ of the payment system in the US occurred over decades.

While the transition to a cashless society is expected to be quicker in Nigeria , owing that we can learn from other countries and do not have to re-invent the wheel, it may not be foolhardy for people to ask if reliable and secure infrastructure has been readily deployed to go live on a large scale.

Currently, Nigerians can only boast of a wide spread use of ATM cards in major cities, which allow for cash collection when the need arises. Most markets and even large supermarkets do not have Point of Sale (POS) machines that allow for purchase of goods with cards.

Online shopping is not so popular when compared to countries like the United Kingdom , because these platforms are yet to be implemented or trusted. Indeed, technical infrastructure to propel the move towards a cashless society is still lacking. One significant resource is power and internet connectivity which is still very much a challenge.

While many argue that Nigerians’ resistance towards moving to a cashless economy may be as a result of its traditional attachment to cash, it is worth noting that many Nigerians may resist this move as a result of their perception of the readiness for this move.

There is also the legitimate concern with identity thefts or scams that have been experienced in developed nations. This is further exacerbated by a fear of security breach that is expected in a cashless society. In fact, recently, in April 2011, an American hacker pleaded guilty to stealing more than 676,000 payment card details worth more than $36 million.

The question on our minds is; -with the move towards electronic cash, can the financial institutions give a reasonable assurance of the security of customer data?

Many financial institutions are currently excited about the opportunities of a cashless society, but it is a thing of note that every opportunity comes with its own attendant risks. Are these institutions aware of the risks of a cashless society? Has a proactive process been implemented to address these risks?

While many financial institutions have some form of supporting policies in place, some of these policies were generally established before the explosion of mobile devices as well as the move to a cashless economy. Are efforts being made to make such policies current?

Do security strategies exist in financial institutions to address the new set of technical and organizational capabilities to govern security development, deployment, and management — as well as the supporting policies to control costs and manage compliance?

The security of electronic cash cannot be the sole responsibility of financial institutions. A careful look at the source of security breach on electronic cash over the decades points to sources such as from third-party processor of payment data, as seen in the breach that occurred at CardSystems Solutions in Tucson , Arizona.

In 2005, at CardSystems, about 40 million credit cards were said to have been stolen by an intruder exploiting the vulnerabilities on the company‘s system. Security breach can also come from retailers, for instance in 2006, a UK retailer suffered a data breach where more than 4,000 credit cards were said to have been stolen by hackers.

Even POS machines, as small as they may look, come with their own set of security challenges. POS devices are usually based on standard PC architecture; therefore they share many vulnerabilities like weak or default configurations, missing security patches and weak password and account policies.

Therefore, are we making conscious efforts to perform a security assessment of POS devices or put other information security measures at the retailers‘ and third-party processor‘s end?

Other source of data breach can be from the point of the end users‘ mishandling of their card or revealing card details. In 2010, Panda Security’s anti-malware laboratory (PandaLabs) reported that hackers are creating 57,000 new websites each week that exploit many of the major high-profile brand names.

In the investigation, PandaLabs found that banks, by far, comprise the majority of fake websites with 65% of the total. Hackers in Nigeria that are yet to go sophisticated with electronic payments systems are currently capitalizing on end users ignorance to steal card details either through fake websites, spam/phishing emails or via other social engineering techniques.

While there has been several user awareness sessions to motivate end users to embrace the cashless society initiative, have we considered addressing the potential security challenges as part of the awareness sessions? Are we teaching people how to drive and also explaining the road signs that signify danger?

Mobile money services recently came into Nigeria and it is anticipated to reach majority of Nigerians who are currently unbanked. With an estimate of over 90 million mobile phone users in Nigeria while only about 25 million Nigerians have bank accounts, experts are optimistic that this will be another revolution in the country‘s financial landscape.

But the increasing reliance on mobile phones and smartphones for carrying out financial, business and also personal transactions has made them an attractive target for malware writers. According to a recent study released by the Kaspersky Lab, at the end of 2010, about 153 families and over 1000 variants of malicious programs targeting mobile devices were recorded. With the advent of mobile money in Nigeria , have we put measures in place to tackle such challenges?

Many ask about the preparedness of regulators and law enforcement agencies? Are financial institutions and payment processors required to comply with baseline standards such as the Payment Card Industry Data Security Standards (PCI-DSS)? Have ground rules been set on disciplinary actions of non-compliance with the baseline standards? Do we have competent staff fully equipped for this paradigm shift?

Tope and Amaka are information security specialists.

All rights reserved. This material and any other digital content on this platform may not be reproduced, published, broadcast, written or distributed in full or in part, without written permission from VANGUARD NEWS.

Disclaimer

Comments expressed here do not reflect the opinions of vanguard newspapers or any employee thereof.