Communications regulator, Uganda Communications Commission (UCC) has called on Fintechs to invest in cybersecurity to enable Digital Financial Services (DFS) to flourish in the country. With adoption of digital financial services on the rise, it has become prudent to prioritize risk management for the growing ecosystem involving banks, telecom providers and other financial service providers.
On 5th April, 2022, CEOs from Uganda’s telecom sector & partner agencies attended the 2nd Cybersecurity CEO breakfast, an annual event aimed at bringing stakeholders to discuss key issues that affect Mobile Financial Services. This year’s discussion focussed on the topic, “Cybersecurity for Financial Services in the Telecommunications Sector: A Growing Challenge.”
The state of cybersecurity in Uganda.
The Financial Technologies Service Providers Association (FITSPA) highlights identity theft & social engineering through phishing as the key threats in Digital Financial Services involving mainly banks, mobile money and cryptocurrencies in that order.
The words ‘social’ and ‘engineering’ separately are associated with positive aspects but combine to give a name to the broad range of malicious activities accomplished through exploiting human error to gain private information, access, or valuables- Social engineering. Social engineering thus covers everything from conmen and scammers to pyramid schemes and phishing. Phishing is a form of fraud in which an attacker pretends to be a reputable entity or person you trust or lures you to a fake/counterfeit verifier to try & get you to provide sensitive/personal data.
What is Phishing? How to Spot a Phishing Attack
Speaking at the CEO breakfast, Uganda Communication Commission (UCC) Executive Director, Irene Kaggwa Sewankambo pointed out how cyber security was not just an IT issue but rather as an issue of national security posing an organizational risk that deserves the attention of not just CEOs but boards as well.
“We can’t pretend that we can implement everything to tackle cyber security if we don’t have competent people in place. We don’t just need an IT person; we need an expert in cyber security. It’s not just about computer hacking, the whole infrastructure can be taken down.”
On a large scale, Ms. Sewankambo emphasized that cybersecurity should be looked at as an investment and not an expense. In an industry focused on connecting people to opportunities, it is crucial to be proactive in upgrading security protocols and systems to reduce vulnerability to attacks.
On a macro level, MTN Uganda CEO, Wim Vanhelleputte noted that today’s fraudsters are not very different from the ordinary thieves from 20 years ago. This is a digital form of a problem that has always existed. Social engineering just tricks customers in slightly different ways. MTN Uganda has a running campaign educating customers not to share their Mobile Money pin codes and Mr. Wim says this is going to be pushed more aggressively. The vulnerability of mobile money pin codes extends to banks and financial services involving passwords and the security position remains around not sharing these. MTN’s campaign involves text messages, online and radio public service announcements and ringtones pushing the “Do not share pin codes” message.
“Good regulation works – despite vulnerabilities in social engineering, identity theft and at cash out, Uganda today has one of the most robust SIM Registration Know Your Customer (KYC) frameworks globally requiring a recognized national ID and biometric information.” By working along with the financial-inclusion driven agency, Financial Sector Deepening (FSD) Uganda, Government and Digital Finance Service Providers have been working closely to push electronic KYC efforts as Uganda looks towards having a harmonized system for all government agencies.
While this may not solve all the problems, it covers a major issue that needs more attention considering over 40 billion Uganda Shillings was lost due to fraud in 2020.
Solutions to Cybersecurity
The International Telecommunication Union (ITU) is working with Uganda under the UCC to set up a Digital Financial Services Lab at the Uganda Institute of Information & Communication Technology. This Lab will provide guidance on ways to strengthen digital commerce while connecting startups to mentorship and strategic advice services. While at the CEO breakfast, Dr Bilel Jamoussi, Chief of Study Groups Department, ITU Standards Bureau remarked that effective collaboration and coordination is critical to the development of a safe and enabling DFS ecosystem.
In sharing information, UCC is working with the National Identification and Registration Authority (NIRA) to seal current information loopholes with an integrated and upgraded system. The system is intended to simplify sharing and verification of different identification details collected by these agencies along with the National Information Technology Authority (NITA), Uganda Revenue Authority (URA), Uganda Registration Services Bureau (URSB) and other infrastructure and service agencies.
On an individual level, whenever creating online accounts, it is advised to review the information collected by a site and check the privacy policy to provide only what is absolutely necessary.
When questioned on whether Uganda has sufficient and adequate cyber space regulatory frameworks for policing, the UCC Director emphasized how cyber security is multifaceted and a dynamic subject pointing out the laws such as the Computer Misuse Act, 2011, the Electronic Transactions Act, 2011, the Computer Emergency Response Team Regulations, 2019 and the Data Protection and Privacy Act 2019.
Ms. Sewankambo acknowledged that while it may not be practical to have all these laws and more at your fingertips, citizens should not suffer in silence with problems around cybersecurity. She urges citizens to reach out to the Uganda Computer Emergency Response Team (CERT) to help them recover from a cyber attack or to check that they have been adequately secured.
In the interest of vigilance, here are some crypto scams you can look out for.