Africa has often walked its own path in finding ways to service the diverse needs of the continent, whether that is with technology solutions that were built on legacy platforms or new, innovative solutions to go to market. Successful companies that operate across Africa have had to be agile and flexible in developing solutions and being creative in the application of these services, in a difficult environment due to the diverse nature of the region.
Digital transformation is accelerating across Sub-Saharan Africa, underpinned by increasing access to broadband connectivity. Governments, public institutions, the private sector and development organizations are increasingly using digital platforms to improve lives and fuel economic growth across the continent.
The COVID pandemic has accelerated this digital transformation considerably, with better services such as mobile broadband and improved data packages whilst access to hardware has been helped by the introduction of options such as smartphone financing and other such programs.
Digital services via web, mobile web and apps are an ever-greater proportion of consumer transactions. In an environment where people are comfortable managing their daily financial and transactional interactions via the 2G phone networks (USSD) the move to fully digital app or mobile web has the potential to simplify the user experience and provide enhanced capabilities such as extensive ecommerce, advanced financial services, gaming and next generation media consumption as the technology platforms which utilize these services become more widely adopted.
However, this change increases risk and financial exposure for the companies providing these services as new platforms provide new ways for cybercriminals to attack. Africa has major challenges that it needs to overcome in order to appropriately manage and prevent emergent fraud risks.
The Challenges
Firstly, identity verification is still a challenge across a portion of the continent; in some countries up to 45% of the population does not have any formal identity verification. It is common in Africa for a phone number to become a unique identifier for a customer that wants to transact online or send money. This in turn creates three main challenges that can cause fraud risk exposure and loss in an organization.
If identity fraud is a challenge due to the lack of valid formal identification capability, then how do you really validate an individual in a digital-only transaction. Can you rely on the phone number or device being utilized, how do you verify who is using the phone or are multiple devices being used by an individual attacker compromising your service? In the recent LexisNexis Risk Solutions cybercrime report the global average attack rate for online new account opening was over 10% across the globe, in high-risk markets the percentage is even higher, demonstrating the level of online attacks organizations can expect to receive in digital channels and a higher attack rate than traditional physical interactions.
The second is account takeover fraud, this is a popular cyber-attack tactic in the African marketplace, particularly in the financial and telecoms markets. A fraudster seeks to gain control of a user’s account in order to manipulate a service or gain benefit from the utilization. SIM swap fraud is one of the most prevalent forms of account takeover. If a fraudster can manipulate a telecom company to allow them to initiate a sim swap on a phone account, this means the fraudster can use this account for their own purposes such as the manipulation of mobile money services including payments and money transfers.
The key to preventing account takeover is establishing a trusted relationship with customers and having a way to identify that the authenticity of the individual attempting to perform a transaction. Firms should be aware that relying solely on methods such as SMS/OTP or password protection is no guarantee of online ID integrity.
The third challenge to preventing cybercrime is a lack of awareness around the dangers of social engineering. Unfortunately, the average user in the region is still not fully aware of how social engineering cyberattacks compromise their personal data and the value of this data in the cybercriminal world.
The manipulation of individuals to pass on personal data is common across the world, but they particularly target markets where individuals either don’t realize they should not provide or can be persuaded with the promise of significant revenue to pass over personal data or identity information.
Therefore, scams and schemes are run either to utilize their details to commit fraud or even use their services as “mules” where money or goods can be passed through to facilitate fraud.
We know from the latest LexisNexis Risk Solutions cybercrime report that adults under 25 are one of the main targets for social engineering cyberattacks. This is partly due to this demographics’ much more relaxed attitude towards sharing their personal details with individuals they do not know. This problem is compounded in countries and continents such as Africa where you have disproportionately young populations. In Africa around 40 countries have populations where over 50% are under the age of 25.
How To Prepare and Manage the Risks
This is where sourcing and implementing the appropriate digital technology detection and prevention tools at the very start of roll out of any digital services is essential. One of the first controls that should be implemented in early digital adoption is Device Identity. Device fingerprinting, as it is sometimes known, becomes essential in the fight against new account opening fraud in the digital space. If you can reliably identify the device making the transactions and not rely on physical indicators given in a transaction (such as phone number, IMEI etc.) then you can dramatically enhance the quality of transaction validation.
In the digital interaction world, there are a great deal of hidden identifiers that are bound to a device within a transaction, these are not normally analyzed or understood, as many standard fraud controls focus on the actual transaction details.
However, these hidden indicators can be analyzed and profiled in order to give a unique device fingerprint. This fingerprint can then be utilized and analyzed in order to detect when suspect digital transactions are in progress. If you combine this with a device identity knowledge base gained over billions of transactions worldwide it creates an ability to identify when a fraud attacker is utilizing compromised details, spoofing or manipulating data in order to commit an identity fraud attack.
Many identity fraud attacks will often include the provision of falsified information or details in possession of a fraudster. For example, email; in an identity fraud the fraudster is unlikely to use the genuine email of a consumer, as they will not want the risk of any transmission to that address, so they will utilize a falsified entry or details of one they have created or have a relationship with. Email intelligence can be utilized to identify this kind of scenario in progress, and in combination with device identity fingerprinting can identify fraud in progress and enable prevention of attacks, by highlighting anomalies in email and device relationships and historic associations or use.
Device identity fingerprinting is also essential in combatting account takeover, by analyzing a user’s regular transactions and interactions, it is possible to assign device identities to a consumer identity, this digital consumer identity can then be analyzed against every transaction. Any irregularities in the digital consumer identity can then be analyzed to highlight potential manipulation or takeover in progress. This can be effective in preventing loss and protecting genuine customers from attack. Used in reverse this can actually be very effective in identifying trusted customers and allowing them greater freedoms of interaction and remove unnecessary step up or verification processes that may be imposed, thus streamlining the customer experience.
These types of controls can make online, mobile web and app-based services much more secure than traditional technologies and provide a better customer experience at the end of the day. As the region looks to advance the utilization of digital platforms digital security technologies around device and digital identity should be implemented from the very beginning. Implementation will not only create a much-improved customer experience through these services, but it will also enable the organization to manage and prevent risks and attacks from the very start, and as utilization grows, exposure to risk will be minimized throughout the customer journey.