farmer using a mobile phone

More Than Tech: A Two-Lens Approach to Mobile Financial Services Cyber Threats

By Catherine Trifiletti

MITRE Engenuity™ has identified high-priority cyber risks threatening the security of mobile digital financial services, which citizens of all economies depend on in their daily lives. Secure access to money is essential for political stability, gender equity, and economic advancement.

In developing countries, people rely heavily on their cell phones to move money, from paying for goods to receiving compensation for work. The mobile digital financial systems (mDFS) supporting these daily transactions play a critical role in micro-economies across the world.

MDFS are incredibly complex, involving a multitude of factors—socioeconomical, cultural—and wide range of participants, including wireless companies, banks, government agencies, and more.

Protecting these systems is equally as complicated. MITRE Engenuity™, MITRE’s foundation directed at uniting industry for the public interest, stepped up to the challenge

To get the job done, Cynthia Wright, Adrian Gonzalez, and Sebastian Forgues leveraged several of our cross-cutting capabilities, combining statistical analysis with cybersecurity expertise to address system security issues.

The tool is low investment for really high impact.

Sebastian Forgues

A 30,000-foot View of a Complex Challenge

Big Picture: Large swaths of the global population rely on their mobile devices to make payments and get paid. Unfortunately, the financial technology (AKA fintech) processes supporting such transactions are extremely vulnerable to fraud. 

Challenge: Protecting mDFS is a multi-faceted challenge because each participant in the fintech ecosystem interacts and manages their role differently. MITRE Engenuity’s team set out to create a decision tool, or cyber risk model, to help direct industry and government toward solutions-oriented investments. 

Approach: Similar to 3D glasses, the complete picture of mDFS security is unclear unless it’s viewed through both technical and non-technical lenses simultaneously.

Dual-lens complexity in action: Forgues cites an example of a woman using her phone to buy goods from a shopkeeper at a market. The transaction is text or SMS-based and not associated with or insured by a bank.  

There are myriad technical touch points for something to wrong during any given transaction.

  • Criminal activity: “Shoulder surfers” could steal her password information.
  • Technical failure: Service providers could have an outage at the exact moment she presses “send.”
  • Political activity: Government could shut down cell tower service or be hacked.

There are also numerous non-technical factors that could contribute to her text transaction going awry. 

  • Education level: She’s not mathematically savvy and could be swindled by the shopkeeper.
  • Gender equity: If the woman wears a burka, but the wireless provider requires facial recognition for authentication, she may be unable to access her money.

Outcome: The team used open-source research to cull technical and non-technical data inputs, like the scenario outlined above. From there, they built on MITRE’s ATT&CK® framework, which tracks cyber adversary behavior, to develop an interactive cyber risk model outlining the top 20 risks (out of several hundred) threatening digital financial systems globally. They then transformed the model into a web-based software application available for the public to run individualized risk assessments.

Layered challenge: Due to its complexity, industry and governments haven’t yet recognized the value of this open-source tool.

Bringing a New View to a Long-Standing Problem

“It’s a rising tide that can lift all boats,” Forgues says of the project’s potential impact on the mobile fintech ecosystem broadly.

The team is working on the following next steps:

  • Invite industry stakeholders within mDFS to apply the framework to their processes and invest in targeted solutions for coverage gaps.
  • Prompt governments to strengthen infrastructure, policy, and education to reduce system risk. 
  • Put data on the international community’s radar, including the United Nations and other governing bodies, to inform improved infrastructure standards. “It’s low investment for really high impact,” Forgues explains.

The project’s risk model approach can be applied to many other sectors’ cyber threat areas, including agriculture, shipping, health information, and more.

Interested in learning more? An 87-page white paper outlines MITRE Engenuity’s process and findings in detail.

Join our community of innovators, learners, knowledge-sharers, and risk takers. View our Job Openings.