Technology

Fraudsters count on banks and fintechs not talking

by ADEDEJI OLOWE is an executive director at SystemSpecs

January 4, 2018 | 12:42 pm
  |     |     |   Start Conversation
Privacy concept: computer keyboard with word Fraud, selected focus on enter button background, 3d render

Electronic fraud is a significant reason why many Africans especially Nigerians, including highly educated middle-class, do not want to do transactions online or use digital products. While a lot is being done with efforts such as Two Factor Authentication, customer opt-ins, etc., frauds still go on because banks and payment providers do not share information with each other.

 

Fraudsters are still having a field day because of one thing – evil thrives in darkness.

 

Recently one of my friends running a payment company called to find out what we could do to some people who did fraud on his platform. As a matter of practicality, I told him nothing.

 

Think about it, what if he went to the police? Unless the fraudsters were so brazenly sloppy, the Police probably can’t investigate to catch them. He will spend the next few months going back and forth like a poorly installed pendulum, some random arrests could be made, but in the end, just like others, nothing would happen.

 

So, he did what every payment company or bank has been doing since – improved his systems, licked his wounds clean and moved on with life. I’m dead sure he’s silently cursing them under his breath.

 

But my gut feelings told me these bad guys did not just start with him – they have been on this less than illusory career for long. And that is the crux of the matter.

 

In South Africa, the banks, payment providers, and just everyone came around to form the SAFPS (Southern African Fraud Prevention Service). If you did a bad thing and your name strolls into their list, trust me, your transactions will continue to fail, but you will know why.

 

International internet service providers also use large crowd-sourced databases of spammers (SPAMHAUS) where source IP addresses and domain names of spammers are logged. If you spam and your name goes there, your emails will never be delivered again (to those who use the database for filtering spams). Major companies in Nigeria, including almost all banks, use SPAMHAUS to protect their email infrastructure.

 

So why do we not have the same thing in Nigeria? I am very sure if my friend had a service he could check transactions against; the boys who scalped him, may have been stopped from getting their loot. And let’s say he was their first port of call, if he reports them, they won’t be able to hurt anyone again.

 

The Central Bank of Nigeria (CBN) and Nigeria Electronic Fraud Forum (NeFF) did the right thing recently when the CBN watchlist was inaugurated. My banks have been sending me warning messages not to misbehave because if my name should enter that list, my own don do.

 

This list is limited to only banks and BVNs alone. However, we know that fraud surface area covers extend to emails, phones (those spammy BVN update alerts), IP addresses, etc. Another challenge is that many frauds happen on platforms beyond banks. For example, fraudsters routinely log into wallet systems to defraud hapless customers.

 

A centralized global repository of fraud information, accessible and non-partisan would go a long way to instil confidence, and just allow everyone to snore longer at night. The cost of transactions also goes down as cost attributable to fraud losses would not be overlaid on transaction fees anymore. However, without this repository and other means of squelching fraud, innovations from smart Fintechs may never reach that critical level as payers will always be frightened to go online.

 

If they could pull this off in South Africa, why not Nigeria? It would be to everyone’s benefit to collaborate and crowdsource information.

 

Nevertheless, crowdsourced fraud information comes with risks as well. What do I do if a payment provider maliciously put my name on that list and my transactions get flagged? What if someone takes them to court and asks for $1B damages for failed transactions?

 

A shared repository of fraud information doesn’t remove the requirements for proper risk management – which most fintechs lack. I mean, risk management is as boring as hell, no place in the awesome sexiness of a startup. True? False! Adhering to regulations, PCI-DSS, ensuring that changes follow maker/checker processes, logging everything that moves, encryption, hashing before and after changes, etc. guarantees your neurons are used for product development, not recovery efforts.

 

You can’t underestimate the need for testing. Quality assurance is another major area of lack for fintechs and this is probably responsible for 70% of the holes that the fraud lizards crawl through. Beyond normal happy path, regression, a double-blind ethical hacking can pinpoint gaps that need plugging.

 

Beyond all these, collaboration and information sharing will go a long way to keep the bad boys at bay; Christmas is around the corner, and everyone wants to hammer.

Tags: , , , ,

by ADEDEJI OLOWE is an executive director at SystemSpecs

January 4, 2018 | 12:42 pm
12893  |   93   |   0  |   Start Conversation

Big Read |  

Analysis
Does Conoil need a makeover?

Does Conoil need a makeover?

One of Nigeria’s oldest company, Conoil Plc is looking like a company in need of a game changer as its...



MTN Felele

Banking App