I've heard about a new mobile microfinancing application/service called M-Pesa, which is gaining popularity overseas...
on cheap mobile phones. How does it work, and how does M-Pesa security protect financial transactions on low-grade devices?
The M-Pesa service (M for mobile; pesa is Swahili for money) was launched in 2007 by Vodafone and is a transactional and store-of-value platform. It allows users to deposit, withdraw and transfer money, as well as pay for goods and services with a mobile device, all without needing a bank account. It has proved very popular, with millions of users in more than 10 countries, including India, South Africa and Egypt.
M-Pesa is not a cryptocurrency like bitcoin; there is no anonymity, and users have to deposit and withdraw money via a network of M-Pesa agents. These agents have to review original identification documents of anyone opening an account in order to fulfill the same Know Your Customer requirements that banks are obliged to meet. All money deposited in M-Pesa accounts is held in escrow, so funds remain at all times the property of M-Pesa users. As every transaction completed on the M-Pesa platform is electronic, it can be monitored by the local providers, which run anti-money laundering checks and provide regular reports to the appropriate regulator. There are also cash-in, cash-out and transfer limits, so the M-Pesa service is not an attractive option for criminals looking to launder money, particularly as the location of the device used for a transaction can be recorded. Cryptocurrencies, on the other hand, allow individuals to send and receive payments without intermediary financial institutions and are not backed by currency deposits, relying instead on a shared public ledger called a blockchain to record and validate transactions and ownership. They do not sit within any regulatory framework and are not legal tender in many countries.
The M-Pesa service allows users to transfer money from their M-Pesa account, using PIN-secured SMS text messages, to other users and nonusers, who can then exchange it for real money. This reduces the risks associated with counterfeit notes, insecure money deliveries and having to carry cash. M-Pesa has introduced a feature called Hakikisha to reduce the chances of an attacker spoofing transaction authorizations and to minimize cases of users sending money to unintended recipients: before the transaction completes, the sender is shown the details of the intended recipient and must confirm them. Of course, criminals can still steal someone's mobile device, but every M-Pesa transaction has to be confirmed by entering a 4-digit PIN, and the application locks after five consecutive incorrect PINs are entered. There is also the additional risk for the criminal of having to be physically present at an M-Pesa agent to withdraw any money.
The internal security of the M-Pesa platform is somewhat of an unknown. It will no doubt come under attack like any other service handling financial transactions, but the low transaction limits and the physical presence required to withdraw cash make it a less attractive target than many other mobile payment systems.
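The controls described above (server-side PIN verification, lockout after five consecutive wrong PINs, a Hakikisha-style recipient confirmation, and transaction limits) can be modelled in a few dozen lines. The following is an added example written for this page; it is not M-Pesa's code, and the limit values, the recipient directory, the status strings and the PBKDF2 parameters are all assumptions. It also shows the arithmetic behind the lockout: a 4-digit PIN has 10,000 values, so a thief holding the handset gets a 5-in-10,000 chance before the account locks.

```python
"""Account-side controls of the kind the article describes, modelled in code:
a 4-digit PIN verified by the service (never trusted from the handset), a
lockout after five consecutive wrong PINs, a Hakikisha-style recipient
confirmation before the debit, and per-transaction and daily limits.

Constructed illustration, not M-Pesa's code. Limit values, the recipient
directory and the PBKDF2 parameters are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # lockout threshold stated in the article
PER_TXN_LIMIT = 70_000         # assumed per-transaction limit, local currency units
DAILY_LIMIT = 140_000          # assumed daily cap
PBKDF2_ROUNDS = 50_000         # assumed work factor

# Constructed recipient directory: phone number -> registered name
DIRECTORY = {"254700000001": "JANE WANJIKU", "254700000002": "PETER OTIENO"}


def hash_pin(pin: str, salt: bytes) -> bytes:
    """A 4-digit PIN has only 10,000 values, so a leaked table of unsalted
    hashes is trivially reversible; a per-account salt and a slow KDF are
    the minimum for storing it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    msisdn: str
    salt: bytes
    pin_hash: bytes
    balance: int
    failed_attempts: int = 0
    locked: bool = False
    sent_today: int = 0


def open_account(msisdn: str, pin: str, balance: int) -> Account:
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("PIN must be exactly 4 digits")
    salt = secrets.token_bytes(16)
    return Account(msisdn, salt, hash_pin(pin, salt), balance)


def verify_pin(acct: Account, pin: str) -> bool:
    """Constant-time compare, count consecutive failures, lock on the fifth.
    A locked account rejects even the correct PIN until it is reset."""
    if acct.locked:
        return False
    ok = hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash)
    if ok:
        acct.failed_attempts = 0
    else:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
    return ok


def confirmation_prompt(recipient: str, amount: int) -> str:
    """Hakikisha-style step: show the sender who will receive the money
    before the transfer completes, so a mistyped number is caught by the
    sender rather than discovered after the cash has gone."""
    name = DIRECTORY.get(recipient, "UNREGISTERED NUMBER")
    return f"Send {amount} to {name} {recipient}? Confirm or cancel."


def send_money(acct: Account, pin: str, recipient: str, amount: int) -> str:
    """Apply the checks in the order a server should: authenticate first,
    then limits, then available funds. Returns a status string."""
    if not verify_pin(acct, pin):
        return "locked" if acct.locked else "bad_pin"
    if amount <= 0 or amount > PER_TXN_LIMIT:
        return "over_txn_limit"
    if acct.sent_today + amount > DAILY_LIMIT:
        return "over_daily_limit"
    if amount > acct.balance:
        return "insufficient_funds"
    acct.balance -= amount
    acct.sent_today += amount
    return "sent"


def brute_force_odds(pin_digits: int = 4, attempts: int = MAX_FAILED_ATTEMPTS) -> float:
    """Probability that someone holding the handset guesses the PIN
    before the lockout triggers."""
    return attempts / 10 ** pin_digits


if __name__ == "__main__":
    acct = open_account("254700000000", "1234", 100_000)
    print(confirmation_prompt("254700000001", 5_000))
    print(send_money(acct, "1234", "254700000001", 5_000))
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        send_money(acct, guess, "254700000001", 1_000)
    print(send_money(acct, "1234", "254700000001", 1_000))
    print(f"brute-force odds before lockout: {brute_force_odds():.2%}")
```

The point of the ordering in `send_money` is that a wrong PIN costs the attacker an attempt whatever amount they asked for, and the limits bound the damage even when the PIN is right; the odds function makes explicit why a short numeric PIN is acceptable only because the lockout is enforced on the server side.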
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)