Last September, Nigerian university student Alowonle Aaliyah woke up to a debit alert of 10,000 naira ($24).
She didn’t recognize the transaction and it was vaguely tagged “WEB/POS” — indicating the transaction could either be from a purchase online or at a store.
The transaction went through although Aaliyah only had 2,000 naira, leaving her account 8,000 naira in the negative, she told The Record.
When she went to complain at the bank, the customer care representative told her she had used her debit card at a fraudulent point of sale (POS) terminal that scraped her details and used it for a fraudulent transaction. They told her to be careful of the POS terminals she used.
“They did not say anything about returning the funds. They said the money was gone, and I should be watchful of POS I use,” she said.
At that time, Aaliyah depended on her parents for income, earning an allowance of 15,000 naira monthly. To recover from the loss, she halved her expenditure for a month.
Aaliyah appears to be victim of a spike in financial fraud in Sub-Saharan Africa amid the pandemic — and during a boom in digital financial services that may offer many people new opportunities, but can also open them up to new risks with few options if something goes wrong.
The fintech industry is one of the world’s fastest growing markets in the tech sector. According to Market Data Forecast, the global industry is expected to reach $324 billion by 2026 and an expected compound growth of 25% from 2022 to 2027.
But the rise of fintech and other forms of electronic payments can also open grounds for cybercriminals. Globally, payment fraud in the fintech industry grew 121% 2020 to 2021 — making it the sector most targeted by payment fraud, followed by the travel and hospitality industry with 34% annual growth in fraud attacks, according to a 2022 Q1 report by Sift.
Many countries, including Nigeria, are experiencing a fintech boom but lack strong security and consumer protection measures — leaving local people vulnerable to digital financial fraud.
“This is an issue we all face, regardless of where we’re located,” Jeff Sakasegawa, a Trust and Safety architect at digital fraud prevention firm Sift, told The Record.
But, he said, digital payment fraud is likely due to fintech firms sacrificing security for growth metrics such as user base population.
Nigeria’s explosion in POS sale usage
POS terminals are a standard part of the physical retail experience for many people around the world. PC-based POS terminals were first offered by IBM in 1985 and took off in some markets in the mid-1990s.
The machines were slower to come to Nigeria, with widespread adoption starting after the Central Bank of Nigeria’s (CBN) 2013 approval of agency banking.
POS terminals are often in small kiosks, located in nooks and crannies where banks cannot reach, giving people the ability to send, receive, and withdraw money.
According to data from the Nigeria Interbank Settlement Scheme (or NIBSS), in 2017, 1,911 terminals carried out 146 million transactions worth more than 1.4 trillion naira ($3.3 billion). Last year, the NIBSS recorded 7.7 million registered POS carrying out 984 million transactions worth over 6.4 trillion naira ($15.4 billion).
There are several ways POS terminals and transactions can be exploited, according to a staffer at local Access Bank who asked to be identified by the pseudonym Pope due to non-disclosure agreements.
“Although not common, there are POS machines that clone your details and later on, use the details to make transactions without your authorization,” said Pope. “Other POS machines can also save your card details, which the owners can later access and use to carry out Web transactions.”
Usman Abiola, a product designer and digital fraud researcher, noted that using cards online also came with risks.
“Your card can also be compromised if you use it on a web service which saves your details. If that processor gets compromised, your account can be easily accessed,” Abiola said.
Consumer protection from digital fraud affecting credit and debit cards and other forms of digital payments vary from country to country. In the United States, for example, debit cards issued by banks are generally required to have less stringent fraud protections than credit cards.
When opening an account in Nigeria, banks typically ask their customers to sign a disclaimer which absolves the bank of any responsibility in case of an account compromise on the user’s end. So when incidents such as Aaliyah’s happen, banks are off the hook.
According to Pope, they sometimes send a request to the bank related to the POS merchant in an attempt to track them down, but the corresponding bank cannot identify the merchant due to data privacy agreements. Generally all that can be done is to disable the compromised card and advise the victim on safety tips, he added.
A local fintech boom
The fintech scene in Nigeria is growing fast.
Three of Nigeria’s five startups worth up to or more than one billion dollars, also known as unicorns, are fintechs — Interswitch, Opay and Flutterwave.
Local ecommerce platform Jumia — another unicorn — is also delving into fintech with its JumiaPay product. Kuda, another fintech, revealed in a fundraise last August where it was valued at $500 million that it had onboarded 1.4 million users and was processing an average of $500 million monthly.
Most of Nigeria’s fintech growth, according to PwC, is driven by increased internet access, dissatisfaction with traditional banks, e-commerce, rising population, and investments.
But along with this growth in ease and access, banking fraud has also increased year on year.
Between 2019 to 2020, recorded overall fraud attempts in Nigeria increased by 187%, according to a 2021 fraud report from the NIBSS — with web (47%), mobile (36%), ATM terminals (9%), and POS terminals (7%) being the leading sources of fraud in 2020.
Like POS terminals, digital payment apps have provided access to financial services to places who would otherwise not have it in Nigeria. The Central Bank of Nigeria’s relaxation of know your customer policies (or KYC) also allowed more people to have access to financial institutions, albeit often through limited bottom-tier accounts.
However, regulations and security lag behind their widespread adoption — which can have an outsized effect on people who are already financially underserved.
Afolabi Abidemi, a law student, says he was forced to repay an overdraft on his account incurred after it was compromised, even after explaining to the Kuda customer unit.
“I did not see why I would have to pay, so I kept arguing with Kuda for more than a year,” he said.
In the end, he had to repay the overdraft along with the compound interest accrued over more than a year.
“It affected my allowances, obviously,” said Abidemi, who depended on income from his paid internship at a startup.
Maduka Chika, a medical laboratory technician woke up one day to warnings from Migo Money, a fintech app which provides soft loans — small amounts of money loaned over a short period, usually between a week to three months
Cybercriminals stole her phone then used information associated with her SIM card to open fraudulent accounts, she told The Record.
Nigeria’s Central Bank connects SIM card information to a person’s Bank Verification Number or BVN — a unique identification number issued and required by the bank to link financial accounts to the identity of their holders. The baseline requirement for authenticating an account is sending a code to the SIM card associated with the individual’s BVN.
The fraudsters used this authentication method to virtually open two accounts in her name, Chika said — one on Migo Money and another at First Bank, a traditional bank which offers an option of creating an account with limited virtual transactions.
The cybercriminals took out a short-term loan from the Migo account, then had it sent to the First Bank account, where the money was then transferred to their own account, according to Chika.
“When an individual’s bank profile/security information is compromised, such a person is exposed to myriads of financial risks which are not limited to accessing an unauthorized Migo loan,” said Titi Savage, Migo’s head of Legal and Compliance, Nigeria.
She also said most complaints the company got concerning unauthorized loan applications involved First Bank.
First Bank did not respond to requests for comments.
After Chika filed a court affidavit, Migo Money agreed to scrape the interest off the loan, but she still had to pay the principal sum which was 13,700 naira ($33).
Although Migo Money and First Bank’s authentication practices met minimum local requirements, Usman says it’s not enough.
“If you want to do proper KYC, you need to make sure the person that owns the information is also the one presenting the information, and the only credible way to do that is through biometric confirmation,” said Usman.
In the case of traditional banks, authentication is done through biometric data collection and confirmation at the bank. However, most fintech digital payment services or “neobanks” opt for the text message verification due to ease of use.
Some require selfies and confirm identity virtually, through services like Smile Identity. Most will also impose limitations on such accounts and require extra information such as ID cards and selfies before upgrading the account, but the slim initial requirements can leave people vulnerable, per Usman.
Other times, the abuse is within the system itself.
For Adebayo Peter, WEMA bank, a traditional bank, had their partners open an account for ALAT — WEMA’s neobank product — using Peter’s name and his mother’s mobile number.
When Peter raised this with WEMA, the bank said the account was opened “in celebration of our ALAT BY WEMA 5th year anniversary which was celebrated with a million account opening in a day” and Peter was chosen to celebrate with them.
“My data is supposed to be used only for what I consented to,” said Peter, who had a traditional account with WEMA bank. “Why would you open an account for me without my explicit consent, especially in an environment where we know any abuse on these accounts can have very real-life consequences?”
Many Nigerians reported similar unsolicited accounts like Peter’s, spurring an investigation of the bank by the Nigeria Data Protection Bureau.
A global problem
This pattern is also present in other countries with booming fintech scenes.
In India, Arun Chandra said his details were used to open an account on LazyPay, a payment and lending neobank.
Chandra says he does not know how his financial details were exposed, but is glad he could take control of the account before anything could be done with it.
“I know people who have had their financial and credit integrity affected by situations like that,” Arun told The Record. “Everyday, there’s a new fintech, but they’re not paying attention to their user’s security.”
India, which is one of the world’s biggest fintech hotspots, cases like Arun’s are rampant and have very negative consequences on personal finance and credit scores.
Fintech is also a leading enabler of digital fraud in the country.
In Brazil, the central bank’s launching of PIX, an instant payment platform last November, enabled more people access to instant financial services. However, it was also linked to a rise in financial crime and lightning kidnapping, causing the government to consider pausing the platform until stricter security and identification protocols were adopted.
The growth in digital payment and credit card adoption in South Africa has also been linked to increased credit card fraud and cybercrime aimed to obtain people’s credit card details or the credit card itself.
Although fintech firms’ quests for more customers can help close banking gaps, it may also be contributing to these problems, according to Sakasegawa.
“I think why we’re all experiencing this type of fraud regardless of location is because fintechs and neobanks’ valuations are growth-based — this is metrics like how much users they have, the amount of transactions — things they’re able to present so they can be valued higher,” he said.
Most platforms are willing to do minimal risk assessments to get users into their ecosystems and more later, but that means there are already fraudsters on their platform, Sakasegawa added.
Unlike money laundering, fraudsters do not necessarily need to transact large sums of money, they can instead choose to carry out operations with low returns, but high success rates — then focus on doing a high volume of those operations.
Due to scale and operation cost, many startup fintech platforms in Nigeria require only the bare minimum verification required and have weak or non-existent internal fraud assessment and prevention units — which can leave open vulnerabilities fraudsters can exploit, whether to steal money or to move stolen money, according to Usman.
Poor data and cybersecurity literacy on the end of users who may be unaccustomed to the technology, can also leave them more at risk of fraud.
“Fintechs need to have more intuitive designs and deep sensitization of users on financial data protection,” said Usman.
But as fintech continues to develop internationally, it will continue to delve into uncharted territories of data and security for different places and people — all of them now navigating a mass economic experiment.
Aaliyah’s experience with that experiment left her wary.
After the fraud incident, she limited her POS usage to a handful of vendors she trusted —an action which limited her access to the financial services.
“Being careful of POS vendors misses the point of why there are so many POS in the first place,” she said.