– Expert to state institutions, others
…proposes mobile device management to curb MoMo fraud
A cybersecurity expert, Dr. Samuel Boateng, has described as ‘confusing’ and ‘worrying’ the use of personal email addresses for professional correspondence, even by persons in state institutions – saying that the practice not only smacks of unprofessionalism but has wider cybersecurity implications.
He noted that this, along with the use of unauthorised devices to connect to networks, provides the easiest route for cyber-intrusion and makes organisations extremely vulnerable.
He made these comments while responding to questions on the weakest link in remote working, and asked that government be particularly vigilant about this in light of the introduction of the smart workplace platform.
The government of Ghana accelerated introduction of the platform for all Ministries, Departments and Agencies (MDAs) and Metropolitan, Municipal, and District Assemblies (MMDAs) in response to the COVID-19 pandemic, “to enable public sector workers to work remotely and reduce personal contact, curb the spread of COVID-19 and ensure the safety of public servants”. Since its introduction, more than 300 institutions have been onboarded.
“The weakest links are the endpoint devices,” he said. “When I am connected to the system, my device might have already been hacked. Maybe there is a backdoor that somebody is using. Was I given a new system that has been filtered and secured? The bigger picture is that if I have not been given a system that has been certified and authorised, then there will be vulnerabilities. Systems might be compromised even before they are connected to the workplace.”
Explaining further, he said: “Even without remote work, there are a lot of institutions I have dealt with personally where members of staff use their personal email addresses for official work, with the excuse that they cannot access the system or whatnot. How would I trust the person I am dealing with and any information I receive from said person if the email used is a personal email for sensitive information?
“These things must be addressed because when dealing with professionals, the use of personal emails is both confusing and disturbing. Sometimes you do not feel secure sending emails to these people, because you do not know where they will end up.”
Mobile Money Device Management
Taking the argument further, Mr. Boateng noted that similar practices have made the nation’s largest financial platform – mobile money – susceptible to incidents of fraud.
Data from the cybercrime unit of the Ghana Police Service suggest over 300 reported cases, mostly from mobile money agents, in 2019 alone. While conceding that mobile money has driven financial inclusion, he stated that the rising incidents of fraud, and the seemingly slow pace at which they have been addressed, do not read well for the telcos behind the platform, nor for the regulators.
With measures such as mobile SIM card re-registration underway, he is of the expert view that the use of mobile device management (MDM) tools, which provide dedicated secured devices to mobile money agents, is needed as an added layer to curb incidents of fraud.
“Dealing with agents, we realised that their phones are not secure… it would go a long way if they are assigned dedicated devices which are encrypted from the telco, as opposed to using their own phones which make them exposed to criminal elements.”