Is the UK ready for mobile money?

Written by Liz Galpin Wednesday, 19 October 2011 11:47

Upsettingly, someone has managed to hack into my mobile phone account – by this I mean they have been able to order iPhones against my mobile number. Despite immediate action on my part to alert my mobile phone company, there appeared to have been no action by them, because the same scam was attempted again within a week. I won’t bore you all to tears with the detail – but just in case the scum-bag that pulled the stunt is reading this, my contract with that mobile network operator has now been terminated.

Would I trust a mobile money service in the UK, linked to my mobile phone account (supported by a direct debit to my bank account) after that little episode? I don’t think so!!

Why do I happily use an M-PESA account in Kenya then, I wonder? Several reasons… For starters, M-PESA accounts, like many mobile money systems in emerging markets, are linked to a stored value virtual account. Most mobile phone users pre-pay for their airtime, rather than post-pay (have a contract), but that has no bearing on the mobile money account anyway. These stored value accounts cannot be accessed by a hacker, simply because they are virtual. In order for someone to access your M-PESA account, they have to have your phone or SIM card, and know your PIN. There simply isn’t another way of getting at that money. No amount of online hacking is going to allow you access to that person’s account, allow you to order something online against it, or make a payment using that account over the phone. Of course, there is a way of contacting Customer Services on your behalf, and this would be the analogy, but I’ll come to that in a minute.

In the UK, most people have now moved over to a contract (post-pay) agreement with their MNO. The monthly amount they pay is linked to a direct debit order against their physical bank account. If a hacker somehow is able to match a phone number with a person, get hold of their date of birth (via LinkedIn or Facebook?), their address (electoral roll?), then they can do exactly what some low-life has done to me, by transacting with the MNO’s customer services over the phone. They don’t have to physically steal my phone, or my SIM card. With more and more facilities becoming available on your mobile (buying apps, text ‘just giving’ services, purchasing ring-tones), the MNOs are cashing in on how easy it is to pay for things using your mobile phone, but they are going to have to get a whole lot smarter about their security. If you’re still on a pre-pay agreement, anything you buy / pay for will just come off your airtime balance, and so the damage is slightly more contained, but if you have a contract, it’s added to your bill for payment at the end of the month, and automatically taken out of your account. Not so easy to keep track of, and definitely potentially more damaging, because you have agreed to pay the MNO what you owe them. Without a doubt, scams are on the increase – it won’t take long for word to get round as to how open to fraud these contracts are. I’m certainly doing my bit to raise awareness.

Of course there are scams on M-PESA. People will always find loop-holes in a system to exploit. Here are some examples:

Rogue texts are sent to a registered customer (let’s call him Customer B) – these texts appear to be M-PESA texts, indicating that the person has been sent money from Customer A. Minutes later Customer B will get a text from Customer A, saying that the money was sent in error, and that the money had been intended to pay their child’s school fees, requesting that the money please be sent back. If Customer B falls for it, they will send money to Customer A using a ‘Send Money’ transaction. Of course, no money was sent to Customer B in the first place and so he is now out of pocket. Had Customer B examined the bogus M-PESA text thoroughly, he would have spotted that the text was sent from a mobile number, and not from M-PESA (i.e. the M-PESA shortcode).
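The check Customer B could have made, written as inbox-filtering logic. This is an added example, not part of the original article or of any operator's software; the trusted sender name "MPESA", the message wording, the 30-minute window and the phone numbers are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: genuine notices arrive from the operator's own sender ID or
# shortcode, never from an ordinary mobile number. "MPESA" is a placeholder.
TRUSTED_SENDERS = {"MPESA"}
MSISDN = re.compile(r"^\+?\d{9,15}$")  # sender looks like a phone number
DEPOSIT = re.compile(r"\b(?:received|sent you)\b.*\b(?:ksh|kes)", re.I)
REFUND = re.compile(r"in error|by mistake|send (?:it|the money) back|refund", re.I)
WINDOW = timedelta(minutes=30)  # constructed threshold for "minutes later"


def classify(messages):
    """Return one verdict per message for an inbox ordered by time."""
    verdicts, fake_times = [], []
    for m in messages:
        if DEPOSIT.search(m["body"]):
            if m["sender"] in TRUSTED_SENDERS:
                verdicts.append("genuine-notice")
            else:
                # A "money received" text that did not come from the operator.
                fake_times.append(m["time"])
                verdicts.append("fake-deposit-notice")
        elif REFUND.search(m["body"]) and MSISDN.match(m["sender"]):
            # A refund plea shortly after a fake notice completes the pattern.
            recent = any(timedelta(0) <= m["time"] - t <= WINDOW for t in fake_times)
            verdicts.append("refund-scam" if recent else "unverified-refund-request")
        else:
            verdicts.append("other")
    return verdicts


# Constructed sample inbox (numbers and wording are invented for illustration).
T0 = datetime(2011, 10, 1, 9, 0)
INBOX = [
    {"time": T0, "sender": "+254700000001",
     "body": "Confirmed. You have received Ksh2,500.00 from CUSTOMER A."},
    {"time": T0 + timedelta(minutes=4), "sender": "+254700000001",
     "body": "Sorry, I sent that money in error, it was for school fees. Please send it back."},
    {"time": T0 + timedelta(hours=3), "sender": "MPESA",
     "body": "Confirmed. You have received Ksh500.00 from CUSTOMER C."},
]

if __name__ == "__main__":
    for msg, verdict in zip(INBOX, classify(INBOX)):
        print(verdict, "<-", msg["sender"])
```

A refund request with no preceding fake notice is only marked unverified, because the safe response is the same either way: check the account balance before sending anything back.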

Another common scenario would be a customer paying for, say, petrol with his M-PESA account, using a ‘send money’ transaction. Shortly after completing the transaction, the customer phones up customer service, asking for the transaction to be reversed. There is a business process in place which states that ONLY the recipient can request a transaction reversal, but I have heard of cases where this has happened, and am assuming that the Customer Service Rep in question has had knuckles rapped, but I believe that most businesses are now refusing to accept ‘send money’ transactions for payment of goods or services (Send money was always designed as a Person to Person service, and using it to pay for goods is manipulating the service anyway).

Each customer has a ‘secret word’, which has to be quoted when phoning customer services, and so it is possible for someone to find out a customer’s secret word, and phone up on their behalf. (You need to know their mobile phone number, ID number and secret word in order to be authorised to request an account to be closed / transferred to a new number, for a transaction to be reversed, or for a new PIN number to be issued.) The PIN number always has to be entered in order for any handset transaction to be completed.

There are also reportedly many attempts to try and crack the ATM withdrawal, although I haven’t heard of any successful attempts to date. Because there is no physical card that can get swallowed when entering an invalid PIN too many times, there is little to prevent ‘would be’ hackers from just repeatedly trying to enter a voucher code and amount.
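With no card to retain, the attempt limit has to live on the server. The sketch below is an added example, not the operator's or any ATM network's code: it assumes each withdrawal request carries the phone number, a terminal ID, the voucher code and the amount, and the limits and lock time are constructed values.

```python
import hmac
import time

# Constructed policy values; the per-terminal limit is higher because one
# ATM serves many customers.
LIMITS = {"phone": 3, "terminal": 10}
LOCK_SECONDS = 15 * 60


class VoucherGuard:
    """Server-side stand-in for the card an ATM would otherwise swallow."""

    def __init__(self, vouchers, clock=time.monotonic):
        self.vouchers = vouchers  # {phone: (code, amount)} for issued vouchers
        self.clock = clock
        self.state = {}           # (kind, id) -> [failure_count, locked_until]

    def _locked(self, key):
        return self.state.get(key, [0, 0.0])[1] > self.clock()

    def _fail(self, key):
        entry = self.state.setdefault(key, [0, 0.0])
        entry[0] += 1
        if entry[0] >= LIMITS[key[0]]:
            entry[0] = 0  # start a fresh count once the lock expires
            entry[1] = self.clock() + LOCK_SECONDS

    def withdraw(self, terminal, phone, code, amount):
        keys = [("phone", phone), ("terminal", terminal)]
        if any(self._locked(k) for k in keys):
            return "locked"  # refused without even testing the guess
        issued = self.vouchers.get(phone)
        ok = (issued is not None
              and hmac.compare_digest(code.encode(), issued[0].encode())
              and amount == issued[1])
        if not ok:
            for k in keys:
                self._fail(k)
            return "rejected"
        del self.vouchers[phone]  # vouchers are single use
        self.state.pop(("phone", phone), None)
        return "paid"
```

Counting failures against both the account and the terminal covers guessing against one victim as well as one machine being used to guess against many accounts.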

Unfortunately there are unscrupulous people in every single community, who will spend their days trying to defraud honest, hard-working folks….

Will mobile money really take off in the UK? There are about a hundred different ways of implementing this – some of them more likely to succeed than others. Given the numbers of under-banked in the UK, I can see an M-PESA type model actually taking off quite nicely. I think it could work well for youngsters as well, which would probably then mean that their parents would open up an account so that they could send their children money as and when required. Of course, the model in the UK and developed world for mobile money is much more likely to be accounts linked to a physical bank account. But security will need to be stepped up to prevent scenarios like the one I’ve described above, for sure….



