This article has a fear factor but that is not its purpose. It is a didactic article meant to help you secure your money. Imagine a triangle with three sides-security, functionality and ease of use. Imagine a ball inside that triangle. That triangle is called the triangle of security. If the ball moves close to ease of use, security and functionality are sacrificed. That is why applications that are very user friendly often have security challenges. For example, to save you stress, the system asks for permission to save your password, so that next time you don’t have to type it. Great deal,but what if a fraudster has access to your device, opens the application and does not have to worry about guessing your password?
If the ball moves towards security, functionality and ease of use will suffer. Imagine having to remember a password that has upper case, lower case, numbers and special characters. Not fun right? What about if you must remember that for three critical applications? You feel stressed. Right? You are not alone. It is called “password fatigue”. And it takes the joy of using applications from many of us.
If the ball moves towards functionality, then ease of use and security will be relegated to back seat. More functionalities mean more vulnerabilities. More vulnerabilities mean more threats. More threats mean more exposures. More functionalities mean pressure will be on users to understand more technical issues. We all have limits. If users’ technical limits are overstretched, it means mistakes will be made. Mistakes can translate into frauds. In worst case scenarios, mistakes can lead to death.
That is why the job of enterprise and information security architects is so challenging. They have to come up with a best-fit system that keeps everybody happy(at least, most) and still meets security requirements. The ball must be balanced in a position that enable the organization to meet its business objectives and minimize its exposures.
Now that you have a picture of what happens if the ball moves too close to an element, let’s look at Nigerian banking industry where customers are now getting the fun of their lives. In the early 2000s,Automated Teller Machines (ATM) were rarity in Nigeria. Virtually, all transactions must be conducted in the banking hall. “ Private banking” was the exclusive of the elite in the country. Only the rich can transact on their accounts without leaving the comfort of their homes.
Things took another turn when the “wizkids” of the second generation banks began to close the gap between Nigerian banking and European banking systems. Technological innovation became the buzzword. From the mid-2000 till date, the banks in Nigeria have not stopped trying to outdo each other in making banking transactions simpler, smoother and faster.
From ATMs to internet banking, instant transfer and now USSD short codes, the average Nigerian banking customer’s head is in the clouds. Going into the banking hall is now regarded as “ stress” as you can do virtually everything with your mobile phone. With the short codes introduced by the banks, you can transfer money and buy recharge cards. That is the good news. The bad news is that your phone number is now linked to your account. Invariably, your phone number is your account number. Therefore, anybody that has access to the phone number you register with your bank has access to your bank accounts. So, if you lose your phone on an outing, it is no longer just about the phone but also the funds in your account. If the phone falls into a wrong hand, this is the scenario that might play out. The individual that picks up your phone will first check your inbox to see your bank alerts. This will give information about your bank and perhaps, your bank balance. If there are no alerts, your apps will be checked to see which bank’s app is on the phone. If there are no banking apps, your browsing history will be checked for information about the banks ‘sites you have visited. Once your bank is determined, a short code will be sent to determine your bank balance and the rest is history.
This scenario is not far-fetched. An online friend shared with me how he was robbed of his phone ,debit card and other valuables. The next morning, he rushed to the bank to check his balance. He was relieved to discover that his money was safe. He blocked the debit card and was issued a fresh one. He joyfully left the bank and started processing a new sim card. Unfortunately, before he could get a new sim, his money had been moved via short code of his bank. If he had known, he would have blocked his account till the old sim had been blocked or he got another sim in replacement. It was an avoidable loss caused by knowledge gap.
So how do you safeguard yourself from USSD short code exposures? I recommend the following:
• Move the bulk of your bank balance to an account with strict instructions for banking hall transactions only (sounds old school but it might save you heartbreaks)
• Delete bank alerts immediately you read them (you don’t want to help a potential thief with information)
• Keep the number of the contact center of your bank handy
• Understand beforehand the process of blocking SIM card and bank accounts
• If you lose your phone, block your SIM card and bank accounts immediately
• Do not publicize the phone number that is linked to your accounts
• Take good care of your phone and keep it in sight always
In conclusion, as the banking industry moves more aggressively to make life easier for its customers, the customers owe themselves the responsibility to know the inherent risks in these hi-tech services and how to manage them.
Akinwale Akindiya ACA
Information Security Consultant