Mobile money: finding security risks for investment opportunities

Across the globe, much of financial services are done using mobile phones. From point-of-sale purchases to sending money to friends or family, digital wallets and using apps for payable services such as rides, food delivery, and bill pay, our world is intrinsically tied to mobile digital financial services (mDFS). The potential to bring efficient, seamless, and easy access to money for citizens of countries in the midst of change is high- and so is the potential for fraud. Governments need to prepare for and defend against fraudulent actors. This involves investing in stronger infrastructure and deploying more secure production requirements as current ones become obsolete with a transition to 5G in many sectors. For example, many regions rely on unstable networks and have limited access to internet. 

Limited resources can impede progress. The ever-expanding array of attacker strategies aimed at stealing or compromising financial and personal data, combined with continuing challenges in creating a foundation that provides access to both broadband internet and banking-related services, results in significant variations in the ability of both individuals and businesses to securely access mDFS.

In our quest to provide tech for public good, we at MITRE Engenuity are rising to the challenge and have developed an analytical risk model that uses information from a nation’s current systems to produce recommendations of resource investments that will most efficiently lower risk associated with attacks.

The model provides a flexible yet consistent approach. First, it identifies the most relevant cybersecurity threats and obstacles to secure access in a given sector. Following this analysis, it then recommends the policy and technical approaches most applicable to expanding and improving secure mDFS access.

Technical + Policy

This model simultaneously draws upon a “unique blend of deeply technical subject matter experts across multiple disciplines,” says Cynthia Wright, model researcher and MITRE Principal Cybersecurity Engineer. She notes that it is based on a model that pinpoints potential means of attack on financial services enterprises and its insights were mined from industries including “international cyber capacity building, cybersecurity engineering, systems engineering, and cyber threat intelligence.”

Drawing upon MITRE’s deep cyber threat modeling expertise and its International Cyber Capacity Building Framework, the MITRE Engenuity mDFS Risk Management Model (RMM) uses a “dual lens” approach that combines both technical and policy/governance risk factors and mitigants to create a comprehensive and multi-dimensional view of the challenges that threaten the mDFS ecosystems.

Cultivated from this extensive array of expert knowledge and resources, the mDFS RMM is one of the most comprehensive models ever developed for the mobile space. Users identify recommendations tailored to their country’s unique technology and policy environment that will reduce risk, improve access, and increase trust.

Validation results have arrived

Cynthia also shared that, as part of our support to the mobile money cybersecurity initiative for the Bill & Melinda Gates Foundation, MITRE Engenuity conducted a study to test the efficacy of the RMM by applying it to several countries with very different technology and policy/governance ecosystems, for example levels of financial inclusion and access to internet connectivity: Bangladesh, Kenya, Nigeria, Rwanda, and Togo.

Overall, the research validated the RMM, since for each country it could identify a combination of technical and policy approaches that would more widely improve access and security than technical approaches alone can provide. In the next step of validation individuals and organizations deeply familiar with the countries will examine the policy/governance recommendations provided by the model and determine their relevance for assisting the countries in improving their mDFS ecosystems. (The technical security recommendations are straightforward and well-validated in other models.)

Accessing model output

As a companion to the model generating the recommendations, MITRE Engenuity developed a dynamic software platform that automates the methods that the model uses. This enables users who are not cyber experts to select relevant characteristics in the chosen community and use them to assess what risks are most prominent. The platform also generates both technical and policy/governance recommendations that can be used to apply risk mitigation strategies, such as enabling security mechanisms like PINs, passwords, and biometrics.

This platform is ready for pilot testing for a particular objective and application in any of the following use cases:

• Donor Nations or Assistance Organizations:
  • Use the RMM to identify which of the prominent risk factors in a specific country or area best align with assistance goals and resources, as an aid to focusing resourcing efforts.
  • Identify technology or governance approaches that are appropriate to a specific country as an aid to developing achievable goals and incentive initiatives.
• National Governments:
  • Use the RMM to optimize limited resources by narrowing the risk landscape. Identify where policy/governance approaches can mitigate risks, even in a diverse technical ecosystem.
  • Identify incentives or disincentives that may affect mDFS access and security, such as specific policies toward licensing, fees, taxation, etc. Identify less obvious contributing factors to mDFS adoption and security, such as gender policies, education curricula, the presence of a national digital identification program, or the availability and security of agent networks, that could be modified through policy.
• Technology (including Fintech) Companies and Regulatory entities:
  • Identify approaches such as specific technology features and standards that can provide widescale improvements in ecosystem security.
  • Identify national or regional trade and cooperation approaches that could help or hinder adoption of mDFS technologies, applications, etc.

Give it a go

We think it is time for widespread use and feedback from the nations driving and benefiting from this work!

MITRE Engenuity wants to define and implement more features, engage with content creators or maintainers, and support ongoing development.  But it needs input from real-world users. Access the tool and run a risk assessment.

The MITRE team is happy to accept questions about any of the topics discussed in this article or feature requests at [email protected] and to read about the cyber risk model management tool.