Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World

Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smartphone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option than cash, these applications are often not subject to the traditional regulations applied in the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform a comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certificate validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers' terms of service, we also discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts for global financial inclusion.