The Mobile Money Fraud Wahala in Ghana

The Cyber Crime Unit (CCU) of the Ghana Police Department have said that their investigations into mobile money fraud have led to the arrest of some staff of telcos. They further revealed that some of these staff infiltrate the mobile money database and change PIN numbers, which allowed them to withdraw money from customers’ account. And to some extent, they even change the owners of the line to enable criminals who they have been in cahoot with to make withdrawals, etc.

The CID further revealed that almost 50% of customers are targeted by fraudsters and these staff working with criminals have defrauded many unsuspecting customers.

Now, MTN has come out to say that none of their staff was arrested; neither were any of them involved.

Now, back to the issue. If really, what the CCU said in relation to access to database and making changes is true, then this is a big problem. How are the PIN numbers being stored in these databases? Aren’t these PINs being encrypted? Who has access to the databases? Are write access allowed to DB users? How many DB users have write access to these databases?

To me, this is a simple issue, because in every serious organisation, the database administrator has access to the database. But, changes to customer details are not allowed to be done at low level (i.e. at database level). In other words, changes to customer details are enforced via a front-end application. These front-end applications keep logs of everything, so it’s easy to trace who changes what.

Even at database level, it is easy to track changes made by DB users. And only very few people have access to the database, so I find it difficult to believe that something like this is happening.

Anyway, the telcos have a big job on their side to instill confidence in the system, because news like this, whether true or not, erodes confidence in mobile money. And considering the unbanked customers of this country are so many, these telecos need to do something fast to restore confidence. Policies need to be put in place to ensure that when it comes to customer details, changes are not allowed at database level and only DB administrators have access to the databases – in this case, if something goes wrong, it can be easy to trace it back to them and sanctions applied.

 

Advertisements
This entry was posted in I.T. and tagged , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s