Joseph Nderitu returned as our guest for this week’s episode of The Communications Risk Show, sharing insights derived from his time as one of the first RA professionals to assure M-PESA at mobile money pioneer Safaricom, and from the work he has done with mitigating the risks surrounding mobile money at many other leading African telcos. Safaricom has been hit with two lawsuits about M-PESA. One says the telco is lending money like a bank and should be regulated accordingly, whilst the other claims Safaricom is to blame for a wave of account takeover frauds as criminals seek to hijack accounts, including the ‘ghost accounts’ of deceased users, in order to drain the wallets and borrow money in somebody else’s name.
The regular crew also debated whether telcos are failing to appreciate the change in their risk profile as they transition towards an increasingly common model that involves the same software running on commodity hardware. Each vulnerability becomes more serious as bad actors will know many more telcos will share the same vulnerability. This then encourages a rise in ransomware attacks, data privacy hacks that target leaky APIs, and the insertion of malware through supply chain attacks. A lack of diversity in farming methods is putting banana crops at danger because diseases spread more easily and could affect harvests globally; should engineers and security professionals start treating diversity of electronic systems as a way to reduce the number of occasions when bad actors target their businesses?
Another example of reduced diversity is the extent to which different organizations and different societies are placing much more reliance on the connection between a SIM and a phone user when identifying who is accessing their services online. This has motivated an international criminal industry focused on SIM swap frauds and other methods to hijack a user’s phone account. Making phones the gateway to valuable assets like bank accounts, mobile money wallets and cryptocurrency exchanges means that criminals can easily afford to bribe telco staff to execute SIM swaps. The team debated whether this risk could realistically be mitigated and whether it is appropriate to implement more invasive monitoring of staff.
Episode 5 of The Communications Risk Show can be watched again by using the player below. Live shows are streamed every Wednesday at tv.commsrisk.com. There you will also find recordings of all past episodes, which are updated soon after each live show finishes, and links to the audio-only podcast version, which can be streamed or downloaded from Spotify and Apple.
