As mobile-money services were growing at a rapid clip in the developing world 10 years ago, University of Florida computer scientists and cybersecurity experts Kevin Butler and Patrick Traynor were early sentinels, raising concerns about the lack of security that could lead to real problems for the user.
In a 2014 study, the two professors from UF’s Department of Computer and Information Science and Engineering, uncovered security vulnerabilities of mobile cash apps, especially in the Global South, where such technologies were becoming essential in the absence of robust banking systems.
“Our early work uncovered issues of security and privacy when using finance apps,” said Butler, director of the Florida Institute for Cybersecurity Research at UF. “We showed these apps could be hacked, and the consumer has no recourse. We’re often talking about populations where they have very little money to start with, so any type of hack could wipe them out.”
Fast forward to today, Butler and colleagues developed a comprehensive framework for securing mobile money applications that earlier this year was ratified and endorsed by the International Telecommunications Union, a United Nations specialized agency, marking a significant step toward safer digital financial transactions worldwide. All United Nations member states voted to endorse these recommendations.
The framework includes 120 detailed recommendations and controls designed to systematically secure every facet of the financial ecosystem, ensuring comprehensive protection for users and transactions. While the recommendations are non-binding, they are widely followed by telecom providers due to their high quality and the interoperability they provide among networks.
Butler said their work focused on all stakeholders in the digital finance ecosystem, including the user with a smartphone, the phone manufacturer who is responsible for the security of the phone, the cellular networks, base stations, telecommunications providers and third-party regulators.
“We addressed each of the participants and identified what threats they face and the risks, and we provided recommendations for ensuring those risks are mitigated through the system,” Butler said.
Mobile transactions through apps (like those used in the U.S., including PayPal, Zelle and others) are very important to people who don’t have easy access to the banking system. In fact, mobile money transactions account for about 59% of the gross domestic product in Kenya, according to a Forbes report. A similar trend is taking place in South America, Asia and India, Butler said.
Butler and Traynor’s research revealed a variety of vulnerabilities, including with a popular payment app based in India that appeared to use encryption to protect user data but failed to do so securely. They found that the app transmitted sensitive data to its server without encryption, only encrypting it afterward. This lapse in protection could expose users’ personal information to potential theft during the unprotected transmission step.
Another app used encryption but relied on a weak key — a fixed series of eight characters followed by the user’s phone and account numbers — making it easy for attackers to decode.
“We looked at this from many angles and created the list of recommended controls to thoroughly safeguard all parts of the digital finance network,” Butler said.
With the digital finance security framework complete, Butler said he is working to help deploy the recommendations, meeting with stakeholders in several countries. He recently presented best practices for secure mobile banking systems in Jakarta. He also co-chaired the Security, Infrastructure, and Trust Working Group under the Financial Inclusion Global Initiative, a collaboration involving the United Nations, World Bank, and Bank for International Settlements.
Additionally, the International Telecommunications Union is conducting security clinics across Sub-Saharan Africa that incorporate many of the document’s recommendations. Clinics have already been held in Uganda, Zambia, Zimbabwe, and Tanzania, aimed at empowering local stakeholders with the knowledge and tools necessary to enhance the security of mobile money applications.
“By fostering collaboration and providing targeted training, the International Telecommunications Union is helping to bolster the resilience of the financial ecosystem in these regions,” Butler said.