A MOBILE MONEY SOCIAL ENGINEERING FRAMEWORK FOR DETECTING VOICE & SMS PHISHING ATTACKS - A CASE STUDY OF M-PESA

BY

BRYAN MUTETHIA NTURIBI

UNITED STATES INTERNATIONAL UNIVERSITY – AFRICA

SUMMER 2018


A Project Report Submitted to the School of Science and Technology in Partial Fulfillment of the Requirement for the Degree of Master of Science in Information Systems and Technology


STUDENT’S DECLARATION

I, the undersigned, declare that this is my original work and has not been submitted to any other college, institution or university other than the United States International University in Nairobi for academic credit.

Signed: ______Date: ______

Bryan Mutethia Nturibi (ID: 634460)

This project has been presented for examination with my approval as the appointed supervisor.

Signed: ______Date: ______

Dr. Leah Mutanu

Signed: ______Date: ______

Dean, School of Science and Technology


COPYRIGHT

All rights reserved. No part of this research may be photocopied, recorded or otherwise reproduced, stored in retrieval systems or transmitted in any electronic or mechanical means without prior permission of USIU-A or the author.

Bryan M. Nturibi © 2018.


ABSTRACT

Social engineering refers to the use of deception by an attacker, with the intent of psychologically manipulating the target/victim, into sharing crucial/confidential information which could either be leaked or used to swindle them. Without a clear understanding of social engineering, mobile users may be highly likely to be victims of social engineering crimes. Regarding social engineering on the mobile money platform, there are few existing documents/statistics on the study. Therefore, this research study focuses on social engineering on M-Pesa. The specific objectives of the study are: evaluating the prevalence of social engineering crimes, suggesting solutions that can deter them, and creating a framework that could be used to detect social engineering threats in M-Pesa.

Going beyond the methods used by social engineers, this study reviews the current comprehension of social engineering on M-Pesa. To gain a good understanding of this issue, the research presents the results of a survey conducted by the author to test the feasibility of the study.

According to our data, 87% of the sample population agreed that social engineering was indeed prevalent. On most occasions the social engineers / attackers take advantage of people’s lack of knowledge on the topic to psychologically manipulate them. The study revealed that, despite the existence of technological solutions to defend against social engineering, the best way of mitigating such threats would be security education, training and awareness programs.

The study led to the development of the Mobile Money Social Engineering (MMSE) detection framework, which aids mobile users in detecting social engineering threats that occur via Voice Calls and SMS. The proposed framework was derived from careful review and evaluation of the survey participants’ responses. This framework serves as a point of reference for future research in the field of social engineering on the mobile money platform. It could also be adopted and evaluated by experts with the aim of improving it further. Mobile service providers could also use this framework in combination with their institutional training programs to provide support to mobile users.


ACKNOWLEDGEMENT

The author would like to specially thank Dr. Leah Mutanu for her tireless support and the members of the advisory committee for their continued support throughout the entire graduate studies period.

He also thanks his research assistants Mark and Beryl, who sacrificed a lot and worked tirelessly to support him in the data collection phase by distributing and collecting instruments from the sample study participants.

He is grateful to his family and grandparents for taking care of him and inspiring him in a profound way. Finally, he thanks God, his friends and colleagues for unlimited support.


TABLE OF CONTENTS

STUDENT’S DECLARATION ...... ii

COPYRIGHT ...... iii

ABSTRACT ...... iv

ACKNOWLEDGEMENT ...... v

LIST OF TABLES ...... x

LIST OF FIGURES ...... xi

LIST OF ABBREVIATIONS ...... xii

Chapter 1: Introduction ...... 1

1.1 Background of the Study ...... 1

1.2 Statement of the Problem ...... 4

1.3 Purpose of the Study ...... 5

1.4 Specific Objectives of the Study ...... 5

1.5 Significance of the study ...... 5

1.6 Scope of the Study ...... 7

1.7 Definition of Terms ...... 7

1.8 Chapter Summary ...... 9

Chapter 2: Literature Review...... 10

2.1 Introduction ...... 10

2.1.1 An Overview of How M-Pesa Works ...... 12

2.2 Theoretical Foundation ...... 15

2.2.1 Conceptual Framework ...... 19

2.3 Evaluating the Prevalence of Social Engineering crimes...... 20

2.3.1 Case 1: SIM Swapping & Fake SIM Registration...... 21

2.3.2 Case 2: Smartphone Seller Loses Phone through SE ...... 21

2.3.3 Case 3: Social Engineering through Manipulation of Trust ...... 22


2.3.4 Case 4: Loss of money to a Social Engineer posing as a Safaricom agent . 22

2.4 Suggesting Solutions to Defend against Social Engineering ...... 23

2.4.1 Precautionary Measures ...... 24

2.4.2 Social Engineering: A Study in Awareness and Measures ...... 24

2.5 Developing a Framework that Detects SE Threats...... 26

2.5.1 Managing Social Engineering Risk ...... 26

2.5.2 Risk Management Framework ...... 29

2.5.3 Vishing Attack Detection Model ...... 37

2.6 Chapter Summary ...... 39

Chapter 3: Methodology ...... 41

3.1 Introduction ...... 41

3.2 Research Design ...... 41

3.3 Research Population and Sampling Design ...... 42

3.3.1 Population ...... 42

3.3.2 Sampling Design and Sample Size ...... 42

3.4 Data Collection Methods ...... 43

3.5 Research Procedures ...... 44

3.6 Data Analysis Methods ...... 44

3.7 Ethical Considerations ...... 45

3.8 Chapter Summary ...... 45

Chapter 4: Model ...... 46

4.1 Introduction ...... 46

4.2 Analysis ...... 46

4.3 Modeling & Design ...... 47

4.4 Testing ...... 48

4.5 Summary ...... 49


Chapter 5: Results and Findings ...... 50

5.1 Introduction ...... 50

5.2 Evaluating the Prevalence of Social Engineering ...... 53

5.3 Suggesting Solutions to Defend against Social Engineering ...... 56

5.3.1 Authentication Methods...... 56

5.3.2 Suggested Solutions ...... 60

5.4 Developing a Framework that Detects SE Threats ...... 65

5.4.1 Factor Analysis ...... 65

5.4.2 Revised Framework ...... 68

5.5 Chapter Summary ...... 69

Chapter 6: Discussion, Conclusions and Recommendations ...... 71

6.1 Introduction ...... 71

6.2 Summary ...... 71

6.3 Discussion ...... 74

6.3.1 Evaluating the Prevalence of SE Crimes ...... 74

6.3.2 Suggesting Solutions to Defend Against SE ...... 74

6.3.3 Developing a Framework that Detects SE Threats ...... 75

6.4 Conclusion ...... 76

6.4.1 Evaluating the Prevalence of SE Crimes ...... 76

6.4.2 Suggesting Solutions to Defend against SE...... 77

6.4.3 Developing a Framework that Detects SE Threats ...... 77

6.5 Recommendations ...... 77

6.5.1 Limitations of the study ...... 77

6.5.2 General Recommendations ...... 78

6.5.3 Recommendations for Future Work ...... 78

References ...... 80


Appendices ...... 86

Appendix A: Questionnaire Used for Main study ...... 86

Appendix B: Questionnaire Used for Pilot Study ...... 90


LIST OF TABLES

Table 2.1: Components of the ERM Integrated Framework of COSO ...... 28

Table 5.1: Participants Responses Regarding Authentication Methods ...... 57

Table 5.2: Suggested Solutions to Mitigate SE Threats ...... 60

Table 5.3: SPSS Correlation Matrix ...... 66

Table 5.4: SPSS Correlation Matrix Continued ...... 67


LIST OF FIGURES

Figure 2.1: An Overview of M-Pesa Functionality ...... 12

Figure 2.2: Methodology Used in the Study ...... 17

Figure 2.3: Theoretical Framework Used in the Study ...... 18

Figure 2.4: Conceptual Framework ...... 20

Figure 2.5: Risk Management Framework ...... 37

Figure 2.6: Vishing Attack Detection Model ...... 39

Figure 3.1: Formula for Calculating Sample Size ...... 42

Figure 4.1: Mobile Money Social Engineering Framework ...... 48

Figure 5.1: Gender Distribution ...... 51

Figure 5.2: Age Distribution ...... 51

Figure 5.3: Country Distribution ...... 52

Figure 5.4: Level of Education ...... 52

Figure 5.5: Social Engineering Prevalence ...... 53

Figure 5.6: Participants That Received Fraudulent Calls/SMS ...... 54

Figure 5.7: "Money Sent Wrongfully" Scam ...... 55

Figure 5.8: "Winning a Prize" Scam ...... 55

Figure 5.9: Sharing Personal Information ...... 56

Figure 5.10: Authentication Methods ...... 57

Figure 5.11: Revised Mobile Money Social Engineering Framework ...... 69


LIST OF ABBREVIATIONS

ATM: Automated Teller Machine

ANI: Automatic Number Identification

CA: Communication Authority

CBK: Complete Body of Knowledge

CID: Criminal Investigations Department

CISSP: Certified Information Systems Security Professional

COBIT: Control Objectives for Information and Related Technologies

COSO: Committee of Sponsoring Organizations

DRC: Democratic Republic of Congo

ERM: Enterprise Risk Management

GPS: Global Positioning System

ICT: Information and Communication Technologies

ID: Identity

IT: Information Technology

KCB: Kenya Commercial Bank

KMO: Kaiser Meyer Olkin

MMSE: Mobile Money Social Engineering framework

M-PESA: Mobile Money

PCA: Principal Component Analysis

PIN: Personal Identification Number

SE: Social Engineering


SELM: Social Engineering Land Mines

SESM: Social Engineering through Social Media framework

SETA: Security Education, Training and Awareness

SIM: Subscriber Identity Module

SMS: Short Message Service

SMS Phishing: Short Message Service Phishing


Chapter 1: Introduction

1.1 Background of the Study

Social engineering refers to the art of using deceit and the manipulation of trust amongst people to obtain information from them. Social engineers gather information, develop some form of relationship with key people, exploit that trust and as a result obtain sensitive information that could fall into the wrong hands if proper controls are not in place. Social engineers take advantage of the fact that people will always be the weakest link.

Pervasiveness in this context refers to the huge number of mobile phone subscribers that use M-Pesa. Therefore, we can assume that if the number of M-Pesa users is high, then the chances of social engineering incidents occurring on M-Pesa are also high. Social engineering can therefore be said to be pervasive, because wherever M-Pesa is present, it exists.

In the current society, there has been a focus on the technical weaknesses present in information security. One of the most overlooked factors in information security is the human element, especially how someone can be manipulated in a way that later leads to a compromise of information security. This research focused on another threat that is just as important as technology: social engineering. This kind of attack mainly takes advantage of the human element of security.

Social engineering uses aspects of social constructs like trust, confidence and love to gain access to someone’s systems. Some of the methods employed are tricking unsuspecting users into breaking standard security measures or revealing their M-Pesa PIN. Although it is not commonly reported, it is still an existing threat. End users can lose money, and service providers can suffer reputational risks.

Fraudsters are always on the lookout for innovative ways to steal from M-Pesa users, resorting to non-technical methods like social engineering. Service provider employees can also use their authority to access personal customer information, which can be used to target end users and take control of their accounts or transfer funds.

The prevalence of social engineering in many publicly disclosed cyber-attacks suggests that there is an inherent weakness in the ability of victims to distinguish malicious communications. This research focuses on social engineering attacks on the mobile money platform whose main aim is financial gain. This study aimed at making social engineering risk known and helping companies deal with these kinds of risks by developing a mobile money social engineering mitigation framework. The framework will be used to inform on social engineering threats, especially in the mobile money platform.

Social engineering is such a real threat in today’s workplace that it is essential that organizations do not focus their efforts and security budgets entirely on defending against technical cyber-attacks, but also invest equal time in the system weaknesses posed by the human element. Since organizations are getting smarter and have systems in place to prevent cyber-attacks, the fraudster’s soft spot remains the human mind. To gain access to an organization’s sensitive information, these criminals have resorted to social engineering.

The rise of social engineering has targeted both the public and private sectors in Kenya, leading to severe losses, and there is a great need to address this issue. Social engineers are not only targeting computers; they are after the information. The source of an attack does not really matter because the consequences are usually the same: loss of sensitive information or revenue.

According to Kigen et al. (2015), social engineering was among the top three methods used by cyber criminals, alongside other threats like database manipulation and ransomware attacks. Organizations ought to invest more time in learning the different ways criminals can target their systems and in obtaining good knowledge of their environment.

Information security professionals ought to focus on developing cyber security awareness programs within their organizations. This will help employees understand the organization’s security posture (Kigen et al., 2015) and improve the efficiency of decision making. Institutions need to work towards enhancing their monitoring capabilities, since criminals have become very proficient in social engineering, which they employ to bypass defenses.

Due to fiber optic connectivity in the country (Kigen et al., 2015), internet services have become easily accessible to people, and as a result cyber threats like social engineering scams have increased drastically. Most times, people lack the necessary knowledge on social engineering. This leads them to unknowingly share confidential information that could be used to defraud them or the organizations they represent.


Companies across various industries in the country often report an increase in social engineering attacks. In most cases (Kigen et al., 2015), companies are defenseless, especially against social engineering. This provides a clear indication of the inability of companies to detect these attacks and of how popular they are.

The weakest link continues to be the end users or people since most organizations focus on employing technological solutions to secure their software and network platforms (Kigen et al., 2015). Therefore, phishing-related data breaches continue to increase due to social engineering.

Due to the penetration of internet services in Africa, cybercrime threats are also rising. According to a study by Kigen et al. (2016) on the continent, it is estimated that African businesses (Kenya, Uganda, Tanzania, Ghana and Nigeria) lose about $895 million in a year. This translates to reputational loss, direct damage & loss and a major disruption to businesses.

According to Kaimba et al. (2016), the top causes of compromise in Kenya in 2016 were social engineering and malware. The biggest challenge among Kenyan businesses is the lack of investment in these kinds of capabilities. Most people are normally not aware of these threats, which leads to a great risk of exposure to cyber threats. In 2016, the cost of cybercrime in Kenya was $175 million, which shows an increase from the $150 million that was reported in 2015. According to the 2017 report by Munyendo et al. (2017), the amount of money lost in Kenya as a result of social engineering and identity theft was $21M.

From the report by Kaimba et al. (2016), there is a huge gap between the budget funds allocated to technological solutions and the cost of cybercrime. According to this study, although most organizations tend to have a high level of investment in technology and automated processes, including in government, not much is invested in cyber security solutions. It is important to note that 96 percent of the surveyed organizations spend less than $5,000 annually on cyber security solutions.

The amount of crime continues to rise, especially in the financial services sector, since most organizations automate their processes. Mobile money and electronic services have introduced various weaknesses that could lead to loss of money through cyber-crime (Kaimba et al., 2016). The mobile money platforms in Kenya have experienced many attacks through social engineering.

Since mobile money is used as an alternative to banks by many people, cyber-criminals have exploited the weak controls around the platform, which has led to huge amounts of money being stolen. Besides the low investment of organizations in cyber security solutions, the level of cyber security awareness amongst people is low (Kaimba et al., 2016). In most cases, security training is carried out only after an attack has occurred. Attackers take advantage of this, leading to various data breaches, most of which can be attributed to employees that were compromised.

As one of the alternative channels for most banks, the mobile money platform has weak security controls that hackers are now exploiting to steal millions (Kaimba et al., 2016). Levels of security awareness remain low, and most organizations do not budget for awareness and training programs for their staff. This has been shown by the numerous breaches seen in the period under review alone that were attributed to compromised employees. Most training is conducted after a security incident has occurred.

1.2 Statement of the Problem

There is a need for urgent research on the use of social engineering against mobile money transfer services. End users should be empowered to utilize the mobile money transfer service (M-Pesa) to its full potential to suit their needs, without worrying about being vulnerable to social engineers. However, currently most people are poorly informed on social engineering and its impact. Therefore, they are highly likely to be victims of social engineering acts (such as the use of deception by attackers to lure victims into giving out crucial information, which could be further used to swindle them).

Literature shows that many studies on social engineering have been conducted in the past few years; however, not much has been done on social engineering in regard to mobile money transfer platforms, especially M-Pesa.

This study was necessary because it can be used to educate end users and create awareness on the issue of social engineering crimes. Therefore, before the framework was developed, an evaluation survey was conducted to ascertain the prevalence of social engineering crimes in relation to M-Pesa and to extract requirements for its development. The framework provided a platform to address social engineering attacks on money transfer systems.

1.3 Purpose of the Study

The purpose of this research was to propose a Mobile Money Social Engineering (MMSE) detection framework focusing on the detection of Voice and SMS phishing attacks. The development of the framework involved an analysis of social engineering risks present in the mobile money platform alongside data collected from the sample population to help improve the state of security in M-Pesa. Risk management is a key component to the commercial success of any business. The proposed MMSE detection framework helps in managing social engineering crimes in mobile money.

1.4 Specific Objectives of the Study

According to an article by Ojamaa (2016), four suspected fraudsters were arrested after they attempted to con an M-Pesa dealer in the Keumbu area, Kisii County. The fraudsters were suspected to be part of a notorious syndicate that had been conning M-Pesa dealers by pretending to be Safaricom customer care agents. Their mode of operation was to obtain money from an agent by claiming to have deposited it to a wrong number, while their accomplices made calls to the agent posing as customer care agents.

Considering the given article, it was evident that there is a need to mitigate the issue of social engineering in Kenya and therefore, the study aimed to achieve the following objectives by the end of the research:

1) To evaluate the prevalence of social engineering crimes in M-Pesa.

2) To suggest solutions to deter social engineering crimes in the study group.

3) To develop a framework that detects social engineering attacks within the study group.

1.5 Significance of the study

The mobile money platforms in Kenya have experienced many attacks through social engineering (Kaimba et al., 2016). Since mobile money is used as an alternative to banks by many people, it has introduced various weaknesses that could lead to loss of money through cyber-crime. Cyber-criminals have exploited the weak controls around the platform, which has led to huge amounts of money being stolen.

Social engineering was among the top three methods used by cyber criminals. Organizations ought to invest more time in developing cyber security awareness programs for employees, obtaining a good understanding of their security posture and enhancing their monitoring capabilities. This is because criminals have become very proficient in social engineering, which they employ to bypass defenses. The weakest link continues to be people, since they lack knowledge on social engineering, leading them to unknowingly share confidential information that could be used to defraud them or the organizations they represent. Therefore, phishing-related data breaches continue to increase due to social engineering (Kigen et al., 2015).

Research on social engineering in mobile money in Kenya is lacking despite its impact. At the time of writing, few research papers existed in Kenya on this area. This type of attack is on the increase in Kenya because of the high volume of money transactions done via mobile money, hence the need for this research.

Besides the low investment of organizations in cyber security solutions, the level of cyber security awareness amongst people is low. Most organizations do not budget for awareness and training programs for their staff. In most cases, security training is carried out only after an attack has occurred. Attackers take advantage of this, leading to various data breaches, most of which can be attributed to employees that were compromised (Kaimba et al., 2016).

Hackers are now exploiting the weak security controls around the mobile money platform to steal millions. According to the report by Munyendo et al. (2017), the amount of money lost in Kenya as a result of social engineering and identity theft was $21M. In 2016, the cost of cybercrime in Kenya was $175 million, which shows an increase from the $150 million that was reported in 2015. According to the report by Kaimba et al. (2016), the top causes of compromise in Kenya in 2016 were social engineering and malware. Most people are normally not aware of these threats, which leads to a great risk of exposure to cyber threats (Kaimba et al., 2016).


Different technical measures have been put in place to protect information from malicious attacks, but despite all these efforts, security breaches are on the increase because the weakest link in the security chain is always overlooked. Therefore, there is a need to address the issue of people being compromised using social engineering on the mobile money platform. It would help if mobile users had a way of detecting these social engineering cases when they occur. This study focused on the detection of social engineering threats on M-Pesa as one of the mobile money transfer services in Kenya. The proposed framework can be used by mobile users to help them detect social engineering attacks carried out via Voice Calls and SMS.

1.6 Scope of the Study

Although there are various money transfer systems provided by different mobile service providers, this research only covered social engineering occurring within the M-Pesa platform by Safaricom. Given the large number of M-Pesa users in the country, the study focused on Nairobi as the study population, since its residents are of diverse cultures.

Due to the allotted duration for conducting this research (approximately 6 months), it was only feasible to gather relevant information from Nairobi County. A country-wide survey on M-Pesa is an exercise that would require a lot of time and resources.

1.7 Definition of Terms

Automated Teller Machine - This is a machine that helps people carry out their transactions making use of a credit card, without the help of a bank teller (“Automated Teller Machine - ATM,” n.d.).

Automatic Number Identification - A service that aids in identifying callers (Rouse, 2007a).

Communication Authority - A regulatory body in Kenya tasked with authority over the communication sector (“What we do,” n.d.).

Complete Body of Knowledge - These are core skills defined by professional societies or associations that are needed in the industry (“Body Of Knowledge (BOK),” n.d.).


Criminal Investigations Department - A section of the Kenyan police that handles high profile cases and performs complex investigations (Goldberg, 2015).

Certified Information Systems Security Professional - A certification program that ensures its candidates become an all-round security professional with the expertise to manage cyber security programs (“Cybersecurity Certification| CISSP,” n.d.).

Control Objectives for Information and Related Technologies - A framework that aims to improve governance and management practices in Information Technology (Rouse, 2013).

Committee of Sponsoring Organizations - refers to a joint initiative that is tasked with giving thought leadership through guidance on managing enterprise risk and framework development (COSO, n.d.).

Enterprise Risk Management - Involves the managing of an organization’s activities to reduce the level of risk that the organization may face (“Enterprise Risk Management Definition | Investopedia,” n.d.).

Kaiser Meyer Olkin - A test for sampling adequacy that measures the suitability of your dataset for factor analysis (Stephanie, 2016).

Mobile Money Social Engineering framework - The proposed detection framework that will help mobile users detect social engineering attacks.

Principal Component Analysis - Refers to a dimension-reduction technique that can be used to reduce a large set of variables to a small set (“What is Principal Component Analysis (PCA),” n.d.).

Phishing - A type of fraud where the attacker masquerades as someone they're not and the victims are usually contacted by telephone, email or text messages (“What Is Phishing,” n.d.).

Social engineering - This is the kind of attack that relies heavily on social interactions and makes use of deception to gain access to systems or for financial gain (Samani & McFarland, 2015).

Social Engineering Land Mines - These are policies that serve to detect any intrusion that may involve social engineering (Gragg, 2003).


Social Engineering through Social Media framework - A framework that reduces social engineering risk on the social media platform by using ICT security policies (Wilcox & Bhattacharya, 2016).

Security Education, Training and Awareness - These are programs that are designed to reduce the number of security breaches that occur through lack of employee awareness (Hight, 2005).

SMS Phishing - An attempt by someone to manipulate you into giving up your personal information through a text message (“What Is Smishing,” n.d.).

Short Message Service - A service that involves sending short messages to cellular phones (Rouse, 2007b).

Voice Phishing - The use of a telephone to trick or deceive a mobile user into sharing confidential information that could later be used by the attacker for fraudulent purposes (“Phone Scams and Voice Phishing (Vishing),” n.d.).

1.8 Chapter Summary

The chapter started off with the introduction section, which gave an overview of the topic of social engineering, its prevalence and impact. The background of the study gives some insights into how social engineering is evolving. The background also helps highlight the current state of social engineering and what has been done so far on the same.

The statement of the problem addressed the need for the research in terms of the knowledge and research gap to be filled. It helps identify the exact problem that is being experienced as a result of social engineering and what can be done to solve it. The purpose of the study addressed the major research objective of the study by emphasizing the practical outcomes of the study.

The specific objectives captured the main objectives to be investigated. This helps illustrate the specific areas of focus in the study. The significance of the study described the value or benefits that will accrue from the study. The researcher described the scope of the study to enable the reader to generalize the findings.


Chapter 2: Literature Review

2.1 Introduction

The review of literature is covered in the following order: an introduction section that covers an overview of how M-Pesa works and the theoretical and conceptual framework. After the introduction, the first research objective, on the prevalence of social engineering crimes, is analyzed. Then the second objective, on suggesting solutions for defending against SE, is analyzed. The section finally reviews the objective of creating an SE detection framework.

Some of the gaps identified are that unsuspecting users can be deceived by social engineers due to lack of knowledge on the issue of social engineering. This results in huge losses of money by end users, retail (M-Pesa) agents and the service provider. The high number of social engineering scams can be reduced by increasing awareness campaigns for end users.

Social engineering is the deliberate application of deceitful techniques designed to manipulate someone into divulging information or performing actions that may result in the release of that information. According to Samani and McFarland (2015), a social engineering attack can be targeted or opportunistic. Targeted attacks typically focus on a specific individual, whereas opportunistic attacks aim to glean information from anyone in a specific position (such as a helpdesk). The prevalence of social engineering in many publicly disclosed cyber-attacks suggests that there is an inherent weakness in the ability of victims to distinguish malicious communications (Samani & McFarland, 2015).

Fraudsters are always on the lookout for innovative ways to steal from M-Pesa users (Koech, n.d.). It is quite hard to penetrate the system; therefore, they resort to non-technical methods like social engineering. Social engineering usually involves the use of psychology to manipulate an M-Pesa user’s trust in order to defraud them. Some of the methods employed are tricking unsuspecting users into breaking standard security measures, withdrawing from ATMs remotely or revealing their M-Pesa PIN.

Social engineering can be categorized into two classes: art and science.

Art – The ability to influence a large group of people and shape their response and thinking.

Science – In information security terms, the process of acquiring confidential information by manipulating or deceiving an individual into divulging crucial information.

The first thing that occurs before an attack is reconnaissance, or information gathering. If the attacker has access to an M-Pesa Agent’s phone, he can obtain the following information from it: phone number, M-Pesa balance, business name, transaction IDs, make of the phone, physical location, and name of the agent. None of this information is used in a technical attack; rather, the attacker uses it to manipulate the target’s thinking so that, in the process, the target divulges confidential information. On most occasions, the attacker poses as a Safaricom customer care agent (Abel, 2014).

Social engineering attacks can be divided into two categories: hunting and farming (Samani & McFarland, 2015).

Hunting - aims to extract information using minimal interaction with the target. This approach typically involves a single encounter, with the attacker ending communication once information has been acquired.

Farming - aims to establish a relationship with the target and to “milk” the relationship for information over a longer period.

The fundamental difference between hunting and farming is the number of interactions between the social engineer and target. Hunting aims to get information in a single interaction, whereas farming involves ongoing interactions.

Social engineering attempts may be a single action to acquire specific data or part of a much larger campaign to gather multiple bits of related information. Several phases are involved in a social engineering attack, and there is no typical duration for each phase. The following phases highlight the different stages that a social engineering attack can go through: research, hook, play and exit (Samani & McFarland, 2015).

Research: The objective when researching the target is to identify a potential hook or garner information that may assist the play phase, such as learning the jargon of the person or company an attacker is trying to imitate.

Hook: A hook aims to set up a successful play. The attacker engages the target and provides a pretext for interaction. Social engineers use their influencing skills in the hook phase.

Play: The play aims to carry out the purpose of the attack. It might be to extract information from the target and keep things going long enough to do so, or it might be to get the target to click on a link. Ultimately, the attacker may have several plays in mind.

Exit: The exit phase aims to close the interaction with the target. In many cases, the social engineer wishes to complete this phase without arousing suspicion.

2.1.1 An Overview of How M-Pesa Works

According to Hughes and Lonie (2007), the mobile money concept is very simple, as illustrated in Figure 2.1.

Figure 2.1 An Overview of M-Pesa Functionality (Hughes & Lonie, 2007)

An M-PESA customer uses a mobile phone to move money quickly, across great distances, directly to another mobile phone user. The customer registers with Safaricom for an M-PESA account. Customers turn cash into e-money at M-Pesa Agents. They then follow simple instructions on their phones to make payments through their M-PESA accounts.

According to Hughes and Lonie (2007), several processes are involved in the diagram (Figure 2.1). These include depositing money, sending/receiving money, withdrawing money and the electronic float.

1. The M-Pesa Agent is required to deposit some money into his M-Pesa account to be able to buy electronic money float.
2. The Customer (sender) can deposit money with an M-Pesa Agent to buy electronic money. The M-Pesa Agent sends electronic money to the customer in return.
3. The Customer (sender) sends money to another Customer (receiver).
4. The Customer (receiver) withdraws money from the M-Pesa Agent in exchange for electronic money. For this transaction to be successful, the customer needs to send the agent the electronic money.
5. Because of the withdrawal, the M-Pesa Agent’s electronic money float is reduced.

This research focused on the prevalence of social engineering and on developing a framework that can inform on social engineering threats in M-Pesa. To be successful, a thorough knowledge of the platform’s functionality was necessary. The diagram (Figure 2.1) represents an overview of M-Pesa. With the end user in mind and the risks involved, the resulting framework informs on how to manage risk in the M-Pesa money transfer system.

Although fraud is not commonly reported, it’s still an existing threat. End users can lose money, or the service providers can suffer reputational risks (McKee, Kaffenberger, & Zimmerman, 2015). Service provider employees can also use their authority to access personal customer information which can be used to target end users and take control of their accounts or transfer funds.

According to McKee et al. (2015), it can also be noted that, “customers in Uganda were receiving fraudulent SMS messages saying money had been deposited in their account, followed by a call requesting they return the money sent by . These kinds of fraudulent requests were once the major social engineering scams in Kenya, although they have reduced because of aggressive awareness campaigns.”

Social engineering uses aspects of social constructs like trust, confidence and love to gain access to someone’s systems (Riaga, 2014). City conmen are coming up with innovative ways to remotely access unsuspecting customers’ accounts. They can carry this out through SMS, the use of certain codes, and posing as customer care officials from leading service providers (“Phone Scams and Voice Phishing (Vishing),” n.d.).

The article by Riaga (2014) demonstrates that, “M-Pesa fraud has been purely sociological. Some examples of the sociological methods used include: The criminal sends a text message to an unsuspecting M-Pesa customer. The message appears as though it may have originated from M-Pesa. The fraudster follows up by calling the victim asking him to send back the money as it was sent to a wrong number. The victim complies and therefore, ends up losing money as a result.”

According to Riaga (2014), “The second approach of a purely social method of M-Pesa fraud is, sending a text message to a victim claiming they have won a prize in an on-going competition (mostly Safaricom competitions). The victim is required to call a number for instructions about how to collect the prize money. Upon calling the said number, the victim is required to send some money to another as processing fee for the prize money to be processed. Several Kenyans have lost money by falling prey to this technique.”

SIM swaps – This is where a fraudster has a customer’s phone number swapped to a different SIM, changes or acquires the PIN associated with the mobile money account, and withdraws the balance (McKee et al., 2015).

Social Engineering scams – These mostly involve the use of fraudulent calls or SMS messages with the aim of obtaining the end user’s personal information. Some typical examples include erroneous transfers, job application scams and promotion scams (McKee et al., 2015).

Caller ID Spoofing – Someone masks a phone number so that the call appears to come from a number already in the victim’s caller ID, then requests information or scams the person.

SMS Spoofing – an attack on M-PESA would probably involve changing the originating information on a text message and replacing it with information collected during social engineering. It can be used for fraudulent purposes whereby the attacker may pretend to be someone else using spoofed texts (“What is SMS Spoofing,” n.d.).

Agent fraud – Agents can access and use agent records for fraudulent purposes. For example, an agent may access another agent’s log book used to record transactions, gain information about customers, and use that information for fraudulent purposes (McKee et al., 2015).

Telephone - This is a popular channel for information brokers. Text messaging is also used as a channel for attacks.

Face to face - An employee can be approached and tricked or coerced into providing information.

2.2 Theoretical Foundation

A scientific theory is an explanation of some aspect of the natural world that has been repeatedly tested and is supported by factual evidence from observation and experimentation. To be able to define the human behaviors that enable social engineering to be performed, one needs to know the reasons why people do things the way they do. Social Rule Systems Theory, as discussed by Maseno (2017), explains how human social activity is usually governed by socially produced rules and systems of rules. Social interactions are mostly dependent on these rules. A successful social engineer is an expert in matters of social interaction. Therefore, without the social rule systems theory, social engineering would not be feasible. Social engineering depends on the social rule systems theory because it has become rampant and prevalent in current society by taking advantage of human behavior (Maseno, 2017). This can be supported by observation and experience, and various experiments have been carried out on the subject.

For a social engineering attack to be successful, the following components by Mouton, Leenen and Venter (2016) must be present: Social Engineer, Target, Compliance Principles, Techniques, Medium and a Goal.

Social Engineer: This is the person carrying out the attack by psychologically manipulating people through deception. It could be an individual or a group of individuals.

Target: The object of the attack. It would be pointless to carry out a social engineering attack with no target.

Compliance Principles: These are some of the compliance methods used by social engineers to influence the target into sharing confidential information (Mouton et al., 2016). The principles can be listed as follows: Friendship/liking, Commitment/consistency, Authority, Scarcity, Social Validation and Reciprocity.


Techniques: This section highlights some of the various kinds of social engineering tactics that a social engineer can employ regarding the M-Pesa case study; SIM Swaps, Social Engineering Scams, Caller ID Spoofing, SMS Spoofing, Agent fraud and Face to Face interactions (Mouton et al., 2016).

Medium: The channel of attack used by social engineers. For this research, the focus is on two media only: telephone calls and SMS.

Goal: The main reason for carrying out a social engineering attack can consist of the following (Mouton et al., 2016): Financial gain, unauthorized access, and Service Disruption.

For this research, the study focused on social engineering attacks with the main aim of obtaining financial gain. Identifying and analyzing how a social engineer can use social engineering mechanisms in M-Pesa for financial gain was also explored.

To investigate the reasons why social engineers target M-Pesa for financial gain, the researcher carried out a survey of M-Pesa users in the study population. Data was then collected through questionnaires, and the analysis of the experiment assisted in suggesting solutions and recommendations for the mitigation of social engineering crimes on the M-Pesa mobile money platform.

Figure 2.2: Methodology Used in the Study (Mouton et al., 2016).

Information security aims to keep data in any form secure, covering both physical assets and digital data. The Certified Information Systems Security Professional (CISSP) Critical/Complete Body of Knowledge (CBK) is an established common framework of information security terms and principles. Information security can be further classified into various domains (Brecht, n.d.). However, since the study is on social engineering, identity and access management is the main focus.

Identity and Access Management: This domain deals with understanding the different ways of controlling how users gain access to data. It therefore also covers the attacks that exploit the human element to gain access to data.

The information security domains cover the design and maintenance of security infrastructure within an organization, including an understanding of new threats, regulations, standards and practices. Since this research covered the management of social engineering threats on mobile money, the study focused on the Identity and Access Management domain and studied diverse ways to mitigate access control attacks. The most common attacks on access control can be categorized as access aggregation attacks and spoofing attacks. Social engineering attacks are classified under the spoofing attacks category. There are three main propagation methods that a social engineering attack can take advantage of: email, mobile (call or SMS), and in person.

Figure 2.3: Theoretical Framework Used in the Study (Brecht, n.d.).

This research shows how social engineers can make use of mobile phones to carry out M-Pesa fraud, either through calls or SMS. The end goal is to create a framework that can be used to inform on social engineering threats, especially on the mobile money platform.


2.2.1 Conceptual Framework

This section represents the variables used in the study. They can be classified as either dependent or independent variables. Dependent variables are categorized in the following groups: Security, Demographics, Sharing of Information and Opinions.

Security variable – contains authentication methods. This is essential in testing user knowledge on social engineering detection measures.

Demographics variable – includes the following variables: country of origin, age, gender and level of education.

Sharing of Information variable – involves the sharing of M-Pesa Pin or personal information with others.

Opinion variable – this variable covers the prevalence of Social Engineering or M-Pesa fraud.

The independent variables are classified into the following categories: fraudulent calls/SMS, money-sent-wrongfully scams and won-a-prize scams. These are some of the strategies used by social engineers to defraud people for financial gain. Therefore, these variables can all be grouped under the social engineering category.

Figure 2.4: Conceptual Framework.

2.3 Evaluating the Prevalence of Social Engineering Crimes

Some of the gaps identified are that unsuspecting users can be deceived by social engineers, mostly due to a lack of knowledge of social engineering. This may eventually lead to huge losses of money by end users, M-Pesa agents and the service provider alike. When conducting M-Pesa transactions, most people are not aware of the techniques that attackers use to conduct social engineering, and someone who is not aware can very easily be convinced by a social engineer and defrauded.

The prevalence of social engineering in many publicly disclosed cyber-attacks suggests that there is an inherent weakness in the ability of victims to distinguish malicious communications. Most importantly, blaming users for breaches is not entirely fair (Samani & McFarland, 2015). This is clearly a gap, because a mobile user who is unable to distinguish malicious communications can easily be compromised, whether over SMS or voice calls. Although most of the literature addresses the need for awareness programs, there is nothing touching on the detection of voice or SMS phishing attacks.

2.3.1 Case 1: SIM Swapping & Fake SIM Registration

Anne was one day on her way to an M-Pesa Agent when she was stopped by a smartly dressed group of people who were hawking SIM cards. The SIM cards belonged to one of the telecom providers in the country and had a cheaper tariff than the one she was currently using. Furthermore, they were giving out the SIM cards free of charge. This sounded like a great deal (Omondi, n.d.). They offered to register her SIM card right there, without her having to look for an outlet to register it. For the registration to be successful, she was asked for her personal information, which included her full names, birth place and ID number, among other personal details.

After the registration was over, they all went their separate ways (Omondi, n.d.). Anne was looking forward to a drop in her airtime expenses. Her worst fears were realized when she discovered that the money she was going to withdraw had already been deducted. Although she tried to call her mobile service provider to reverse the transaction, her phone had been deactivated and she could not make any calls.

The details she had been asked for were used to key in possible PIN combinations. Since Anne used her date of birth as her M-Pesa PIN, it was a lucky guess. The funds were immediately transferred to an agent for withdrawal. Her phone was also deactivated in the process. Anne is one of many people in Kenya who have fallen victim to social engineering.

2.3.2 Case 2: Smartphone Seller Loses Phone through SE

Job was recently robbed of a smartphone by two young men in Nairobi. He had posted an advert at one of the city’s popular malls to sell his cellphone at Ksh 30,000. He received a call a few days later and arranged to meet the potential customer at a crowded place to be safe (Omondi, n.d.). Two men arrived and identified themselves as students, saying they had been sent by their cousin to purchase the phone on his behalf since he was busy. They had a look at the phone and asked their cousin to send the money right away.

While waiting for their cousin to send the money, they engaged Job in an interesting conversation on the latest technologies trending. At some point, one of the young men asked to view Job’s phone as they discussed its specifications. They kept asking him questions about it. A few minutes later, he got an M-Pesa message confirming that Ksh 30,000 had been transferred to his account (Omondi, n.d.).

He gave the students his phone and bid them goodbye (Omondi, n.d.). When he got to the M-Pesa agent, he realized that he had a balance of Ksh 12. It turned out that the man who had held his phone had saved the “cousin’s” number under the name M-Pesa, so when the cousin sent a fake transaction message, it appeared as a text from Safaricom. Job quickly ran out to find the two fraudsters, but they were nowhere in sight.

2.3.3 Case 3: Social Engineering through Manipulation of Trust

Veronica, a second-year student at Kenyatta University, was conned by a person with a coastal accent that claimed to be a business mogul dealing in the export of laptops, cars and motorbikes. The person had a mature voice therefore she did not think of him as a conman (Omondi, n.d.).

It all started with an SMS that appeared to have been mistakenly sent to her phone. The message appeared official, containing passwords and serial numbers. Worried the person might lose his money, she forwarded it back to the sender and said that it had been forwarded to her erroneously.

The sender called back to thank her and beseech her not to share the text, as it contained sensitive information. The man, who gave his name as James, created an intimate relationship with her by calling her regularly, and told Veronica that he would send her Ksh 150,000 to thank her for not sharing the sensitive information (Omondi, n.d.). Someone then called Veronica claiming to be from Dubai Bank and asking to confirm whether she knew James. The banker said that James had sent her some money in dollars but had forgotten to add the extra money needed to exchange the dollars into shillings; he needed Ksh 8,000. She managed to convince her mother to loan her the amount to sort out the mess.

The banker was quite persistent and kept calling Veronica asking for more money to release the money. As a result, she ended up being swindled out of an additional Ksh 8000 and she still did not receive the amount promised by James.

2.3.4 Case 4: Loss of money to a Social Engineer posing as a Safaricom agent

According to Angira (2012), Ms. Caroline Maina lost Ksh 124,775 within a few minutes to conmen who tricked her into sending them money through M-Pesa. She said that she received a call from a person that claimed to be an employee of Safaricom before being swindled.


2.4 Suggesting Solutions to Defend against Social Engineering

Although fraud is not commonly reported, it is still an existing threat. End users can lose money, or the service providers can suffer reputational risks (McKee et al., 2015). Service provider employees can also use their authority to access personal customer information, which can be used to target end users and take control of their accounts or transfer funds. Such attacks usually go undetected because of the element of authority and the manipulation of a mobile user’s trust. The gap here is that most people are not aware of what kind of information is classified as confidential, and do not know which red flags to look for during voice calls or SMS.

The case reported by Omondi (n.d.) is a classic case of social engineering: a student is defrauded through the manipulation of trust. She received an SMS that appeared to contain sensitive client details, fell for it and forwarded it to the sender. This was followed by a call thanking her for not sharing the personal information, which shortly led to her being defrauded. This could have been avoided had she been aware of some of the most common traits or behaviors that social engineers portray.

The threat of social engineering is very real. Cybercriminals use it to unlawfully extract information for various malicious uses. To best counter the problem, we must understand the nature of social engineering attacks. This means defining the likely threat actors, their attack methods, and their resources.

An awareness program combined with measures to evaluate its effectiveness is one of the best tools for fighting social engineering attacks. Although continuous measurement and refinement in education programs represent an effective counter against social engineering, they are rarely used (Samani and McFarland, 2015).

Police investigations have revealed that most mobile phone social engineering cases are executed from prisons. The former CID Director, Ndegwa Muhoro, warned the public against acting on calls from social engineers who advise them to dial 555 555 under the pretext that it is the procedure for collecting money they have won, when in fact it is the number used to make an M-Pesa withdrawal through an ATM (Angira, 2012).

Safaricom also signed a memorandum of understanding with the Kenya Prisons Service after it was discovered that some of the social engineering frauds were perpetrated by prisoners. The aim was to disable connectivity in some of the notorious prisons in the country, such as Kamiti (Angira, 2012). Safaricom has also put in place a toll-free fraud hotline for customers: any customer can use the SMS line 333 to report any suspected incidence of fraud to Safaricom free of charge at any time.

2.4.1 Precautionary Measures

Avoid sharing confidential and personal information with people. Make your M-Pesa PIN complex and hard to guess. When you receive a message that has allegedly come from M-Pesa, verify that it is from M-Pesa rather than from a personal number (How To Report Mpesa Fraud To Safaricom, 2016).

Avoid sharing your devices with strangers. If you receive a call from someone claiming to have sent you money on M-Pesa, check your balance before sending him the money back (How To Report Mpesa Fraud To Safaricom, 2016). You could try dialing *234# for a free mini statement.

Never dial codes on your phone that you did not request for assistance from Safaricom Customer Care (How To Report Mpesa Fraud To Safaricom, 2016). End-users should be extra careful about the kind of transactions they initiate and check their balance if unsure about a transaction (DataPivotAfrica, 2016).
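As an added illustration of how these precautionary checks could be automated on the receiving side (example code written for this review, not part of the original study or of Safaricom’s systems), the following Python screens an incoming SMS against the red flags described in this chapter: a transaction confirmation arriving from a personal number rather than the official sender ID (Case 2), a claimed deposit not reflected in the balance, a request to send money back, a prize that requires a processing fee, an instruction to dial a code such as 555 555, or a request for the PIN. The sender ID "MPESA", the sample messages and the balance figures are constructed for the example.

```python
"""Screen an incoming mobile-money SMS for social engineering red flags.

Example code added for this review; not part of the original study or of
Safaricom's M-Pesa systems. The genuine sender ID, the sample messages and
the balance figures below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed: genuine transaction messages arrive under an alphanumeric sender
# ID, never from a personal phone number. Screen the raw sender address, not
# the contact label: in Case 2 the attacker saved his own number under the
# name "M-PESA" so that his text looked like a confirmation from Safaricom.
OFFICIAL_SENDER_IDS = {"MPESA"}

# A message that claims a deposit: "Confirmed. You have received Ksh 1,000 ..."
RECEIPT_RE = re.compile(r"\b(received|confirmed)\b.*?Ksh\s?([\d,]+)", re.I | re.S)

# Wording red flags drawn from the scams described in this chapter.
RED_FLAGS = {
    # "I sent money to your number by mistake, please send it back"
    "refund_request": re.compile(
        r"\b(send|return|refund|reverse)\b.{0,40}\b(back|wrong)", re.I | re.S),
    # "You have won a prize ... pay a processing fee to collect it"
    "prize_with_fee": re.compile(
        r"\b(won|winner|prize|promotion)\b.{0,120}\b(fee|charges?|process\w*)\b",
        re.I | re.S),
    # Instruction to dial a code the user never requested (e.g. 555 555, the
    # ATM-withdrawal code, or any *xxx# short code)
    "dial_code": re.compile(
        r"\*\s?\d{3}\s?\d{0,3}\s?#|\bdial\b.{0,20}\b\d{3}\s?\d{3}\b", re.I),
    # The provider does not ask for the PIN over SMS
    "credential_request": re.compile(r"\b(pin|password|id\s*number)\b", re.I),
}


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def screen_sms(sender: str, text: str,
               balance_delta: Optional[int] = None) -> Verdict:
    """Return a Verdict for one SMS.

    balance_delta is the change in the recipient's balance observed after the
    message arrived (e.g. from a *234# mini statement), if it was checked.
    """
    reasons: List[str] = []
    receipt = RECEIPT_RE.search(text)

    # Check 1: a transaction confirmation must come from the official sender ID.
    if receipt and sender not in OFFICIAL_SENDER_IDS:
        reasons.append("transaction confirmation from a non-official sender")

    # Check 2: "check your balance before sending the money back".
    if receipt and balance_delta is not None:
        claimed = int(receipt.group(2).replace(",", ""))
        if balance_delta < claimed:
            reasons.append(f"claimed deposit of Ksh {claimed} not reflected in balance")

    # Check 3: scam wording.
    for name, pattern in RED_FLAGS.items():
        if pattern.search(text):
            reasons.append(name)

    return Verdict(suspicious=bool(reasons), reasons=reasons)


# Constructed sample traffic: (sender address, text, observed balance change).
SAMPLE_MESSAGES = [
    ("+254700000001",
     "Confirmed. You have received Ksh 30,000 from PETER 0711000000.", 0),
    ("MPESA",
     "ABC1DE2F Confirmed. You have received Ksh 500 from JANE 0722000000.", 500),
    ("+254711000002",
     "Congratulations, you have won Ksh 50,000 in the Safaricom promotion. "
     "Call 0700000000 and pay Ksh 1,000 processing fee to claim.", None),
    ("+254722000003",
     "Hello, I sent Ksh 2,000 to your number by mistake. Please send it back.", None),
    ("+254733000004",
     "You have won a prize. Dial 555 555 to withdraw your winnings.", None),
]


def screen_samples() -> List[Verdict]:
    """Screen every constructed sample message."""
    return [screen_sms(s, t, d) for s, t, d in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for (sender, text, _), verdict in zip(SAMPLE_MESSAGES, screen_samples()):
        label = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:10} {sender:15} {text[:48]!r} {verdict.reasons}")
```

Only the second sample (official sender ID, deposit matching the balance change) passes; the fake Ksh 30,000 confirmation is caught twice, by sender and by balance.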

According to our theoretical framework, it is evident that this research focuses on management of social engineering risks in the Mobile money transfer system (M-Pesa). Mobile phones are the most relevant form of propagation for social engineering attacks in this scenario. A social engineer can take advantage of both phone Calls and SMS to defraud unsuspecting customers. The resultant framework serves the key role of educating the public on the detection of social engineering specifically in the mobile money case.

2.4.2 Social Engineering: A Study in Awareness and Measures

In current society, there has been a focus on the technical weaknesses present in information security. This research focused on another threat that is just as important as the technological ones: Social Engineering (S.E.). This kind of attack mainly takes advantage of the human element of security. The research gave a brief description of social engineering as well as an in-depth description of how specific social engineering attacks are carried out. It discussed some of the factors that make people vulnerable to social engineering and some of the possible impacts it might have on a company. This led to the development of a research model built on previous research (Svanlund, Kronberg and Jeppsson, 2015).

This research aimed to examine the perception of S.E. among Swedish production companies and to find out what measures are taken to mitigate it (Svanlund et al., 2015). To achieve this, qualitative interviews were carried out with IT professionals from the Swedish companies. According to the study, Swedish companies seem to have a good perception of S.E., and their methods of mitigation are in accordance with best practices. However, each company placed a different emphasis on different measures and also held different views on the impact of S.E.

The interviews carried out were limited to IT experts who are managers of information security within their companies. The rest of the employees were excluded from the study, since it only sought to establish the kind of measures used to protect against social engineering, and only managers would be able to provide such information. The focus was specifically on production companies in Sweden, since they have valuable products and other kinds of information that would be highly sought after by social engineers (Svanlund et al., 2015). Understanding human behavior is also important when studying social engineering. The study did not provide sufficient empirical results on human behavior, since the respondents interviewed were not behavioral scientists but rather security managers.

Data was collected by performing qualitative interviews with IT experts working for either small or large production companies in Sweden. A detailed qualitative approach was used to obtain a comprehensive understanding of the state of S.E. in Swedish companies. The data collected was compared against the research model to check whether the relevant measures corresponded with the factors highlighted by respondents. Semi-structured interviews were chosen to create a sense of openness and encourage free discussion among the respondents. This helped to cover more aspects and allowed for more comprehensive responses (Svanlund et al., 2015). The companies that participated in the study were from Sweden because this was convenient for the author, who preferred in-person interviews.


The data collected in the interviews with the IT security managers (Svanlund et al., 2015) was presented from a holistic perspective, since the main goal was to distinguish patterns that would help achieve the research objectives. The research established that the Swedish companies (Svanlund et al., 2015) were fully aware of social engineering and had some strategies for protecting themselves from the threat. However, there was variation in their perception of the threat and the possible impact of S.E. This was noted when it was realized that the companies’ training programs varied, which was directly related to how serious a threat the companies perceived social engineering to be.

2.5 Developing a Framework that Detects SE Threats

There is a great need for some form of detection framework for social engineering threats that can help mobile users stay secure and safe while carrying out their transactions. The framework will not only be used to teach users how to detect such threats, but also to inform them of precautionary measures that can be taken to prevent the threats from materializing. This section highlights some of the frameworks that have been developed by other researchers on the topic of social engineering.

2.5.1 Managing Social Engineering Risk

This paper focused on social engineering in an enterprise and addressed the following issues: an introduction to social engineering, identifying a social engineer and social engineering threats, and developing a mitigation plan to prevent social engineering risk. The responses to these issues were analyzed and led to the development of a social engineering risk management model. This model is important because it makes social engineering more transparent and assists companies in managing social engineering threats. The study was carried out for an organization known as Atos Consulting to identify the threats, mitigate them and develop a risk management model (Oosterloo, 2008).

One of the most overlooked factors in information security is the human element, especially how someone can be manipulated in a way that later leads to a compromise of information security. This research focused on making social engineering risk known and helping companies deal with these kinds of risks by developing a social engineering risk management model. The study consists of the following: comprehensive research on the topic of social engineering, a preliminary qualitative empirical study to identify the gap and suggest requirements for the final model, and the proposed social engineering risk management model (Oosterloo, 2008).

Since most companies already have some information security controls, comparing these controls with the security controls related to social engineering can help when measuring the current level of security.

The focus of this research was on the human element of security. Some of the physical and organizational elements of the security architecture that have been highlighted are as follows: security awareness, culture, organization, policy and monitoring/evaluation. The empirical study was carried out to identify the gaps and to validate the models based on this theory. Theory verification was done by challenging the given hypotheses and assumptions, as well as the research and findings on which the theory was based (Oosterloo, 2008).

To verify questionable findings and findings from questionable research methods, re-performance of some research was necessary. Qualitative information was gathered through semi-structured in-depth interviews with IT-intensive and high-risk organizations, as well as the Computer Emergency Response Team of the Dutch government. There was also a seminar discussion between several governmental organizations, Atos Consulting and an insurance company (Oosterloo, 2008).

The findings, conclusions and recommendations helped give a sense of how social engineering is perceived and mitigated in practice. The structured interviews were used to validate the social engineering risk management model. The seminar discussion was used to generate more specific needs and address the requirements of companies for a final model (Oosterloo, 2008). These measures were necessary to structure the S.E. risk management model in accordance with the needs and expectations of real-life enterprises.

Organizations need to manage social engineering risk to minimize their losses. Social engineering risk management can be defined as follows (Oosterloo, 2008): a process that is influenced by the organization's management and applied across the organization, designed to identify the risks related to social engineering and manage them so that they stay below a pre-defined security level.

This helps to ensure that reasonable assurance is provided. The proposed model is based on components of the Enterprise Risk Management (ERM) Integrated Framework of COSO, a well-known risk management framework (Oosterloo, 2008). The elements of that framework have been taken over and filled in with steps that are more specific to social engineering.

Table 2.1: Components of the ERM Integrated Framework of COSO (Oosterloo, 2008)

Component                       Steps
Internal environment            1. System and environment characterization
Objective setting               2. Objective setting
Event identification            3. Threat identification
Risk assessment                 4. Vulnerability identification
                                5. Control analysis
                                6. Likelihood determination
                                7. Impact analysis
                                8. Risk determination
Risk response                   9. Risk response
                                10. Control implementation
                                11. Residual risk evaluation
Control activities              12. Supporting policy and procedures implementation
Information and communication   13. Information and communication management
Monitoring                      14. Ongoing monitoring
                                15. Periodic evaluation


The components in Table 2.1 (Oosterloo, 2008) give companies a way to measure and manage their level of social engineering risk in a transparent and structured procedure. Due to limited resources and time, a few things were left out of the scope of that study: evolution, a detailed risk management model, specific controls and test agreements.

Evolution: because the field of social engineering evolves constantly, the proposed list of social engineering tactics should be updated regularly to keep up with the creativity of social engineers.

Detailed risk management model: the proposed model is presented at a high level; a more specific model could help companies support business continuity by improving the security of their assets through good decision making, clear documentation and reasonable risk budgeting.

Specific controls: the COBIT model provides a framework for risk management and control based on the COSO components, and many of its components can be applied to help mitigate social engineering. The ERM framework and the social engineering risk management model used in that study are not specific enough, so controls that focus specifically on social engineering could be defined to assist in a social engineering audit.

Research and test agreement: boundaries should be set that show how deep follow-up research may go and how far penetration testers may go when social engineering personnel.

In summary, all controls and tools mentioned in that study should be expounded and transformed into practical tools that can be used by management, security officers and other personnel.

2.5.2 Risk Management Framework

Since risk management is key to the commercial success of any business, the mobile money risk management framework consists of the following elements:

1. Identification of the risk appetite
2. Identifying potential risks
3. Implementation of effective controls
4. Monitoring and reviewing of risks


2.5.2.1 Identification of the Risk Appetite

This is the foundation of risk management and an important phase, since it helps when forming relevant and effective controls. To successfully prioritize and control the risk of fraud you need to know your risk appetite, that is, the level of loss the business is comfortable carrying (Gilman and Joyce, 2012).

2.5.2.2 Identifying Potential Risks

The benefit of creating a framework from scratch is that it is custom tailored to the requirements of the service. To develop a framework we need a good understanding of the key risks in M-Pesa (Gilman and Joyce, 2012). Analyzing the vulnerabilities of the service gives a good comprehension of how to manage the risk. This phase helps in understanding the potential for fraud, and identifying the risks leaves you better equipped to develop measures that manage the risks in mobile money.

Due to the sensitive nature of this phase, the risk identification exercise is best done by the organization's risk management team. In which areas of M-Pesa are actors at risk of fraud? The key players to consider are consumers, M-Pesa agents and employees (Gilman & Joyce, 2012): consumers face transaction risks (vishing, smishing and scams); M-Pesa agents face channel risks (registration fraud); employees present internal risks (identity theft).

Identifying the risk of fraud from all stakeholders gives the mobile service provider an end-to-end understanding of the risks being managed. Once risks have been identified, they should be compared to the risk appetite. By looking at each player, service providers can identify and assess the vulnerabilities in the system. Any risk that falls outside the appetite requires further investigation and controls to manage or reduce it until it is acceptable to the business (Gilman and Joyce, 2012). Other things to consider in this phase are: complex parts of the process; high-risk or large-value transactions; authentication mechanisms that can easily be bypassed; abuse of the system; disruption of operations; types of fraud prevalent in Kenya besides mobile money fraud; the level of criminal activity and the strength of law enforcement in the country; and the likelihood of each risk and its potential impact on the business, financial and reputational (Gilman & Joyce, 2012).


2.5.2.3 Implementation of Effective Controls

After identifying risks, the next step is developing effective controls that can manage them. An effective control underpins, but does not block, sustainable commercial growth (Gilman & Joyce, 2012). The controls that can be considered fall into four categories: prevention, detection, reaction and compliance.

2.5.2.3.1 Prevention

Preventive controls are held to be stronger than detective controls, especially when implemented as technical features of the mobile money service. It is important that these controls are implemented robustly, with proper documentation, review and testing. Prevention aims to reduce the likelihood of fraud; these are measures that minimize the damage done to an organization. Service providers should publish their official contact and service numbers so that criminals cannot pass off other numbers as the provider's. Mobile operators should identify offending users and block their numbers, or fine them, so that they cannot inconvenience or swindle others.

Users should keep personal information confidential, use strong PINs/passwords and stay alert to the transactions on their M-PESA account. The operator can encrypt mobile money transaction details and personal information, tighten the safeguards on withdrawals and incoming transfers, and require a second form of verification beyond the password before money is withdrawn, such as facial or voice recognition, an email confirmation or two-factor authentication.

User awareness and education: this is the first line of defence against social engineering threats. Since people will always be the weakest link in such attacks, they need to be better informed about the dangers of social engineering, for example through frequent training on social engineering. People also need to know the extent of the damage that this kind of attack can cause.

People should be taught about it, and less technology-savvy users, especially the elderly, should be educated about fraud and how to recognize and prevent it. Information security awareness needs to be incorporated in school curricula. Applications like Truecaller, or other systems, can be used to authenticate or verify the identity of callers. The service provider needs to alert customers and create awareness of the fraudulent activities going on, with comprehensive fraud awareness and prevention programs that let customers know how to validate a phone call or SMS and so identify phishing (Software, 2015). Customers and agents should be trained to ensure that transactions are valid (Lake, 2013).

Enforce mandatory SIM registration before activation, and ban cellphones in prisons. Phone contacts should be accessible through the app even if they are not recorded on the SIM card. Users must be cautious with unfamiliar individuals and not give out information unless the person's identity has been confirmed: always treat unknown calls as suspicious, avoid responding to any offers made over the phone, and be cautious (CHUBB, n.d.) when a party refuses to provide basic contact information. Proactively combat information security complacency (CHUBB, n.d.). Block SMS header and caller ID spoofing (Lake, 2013).

2.5.2.3.2 Detection

Proper security auditing: developing and implementing security policies is not enough; there is a need to ensure that everyone conforms to them, so the use of the policies should be audited across the whole organization. Audits show who is not following the standards that have been set and hence expose vulnerabilities. Organizations should also carry out periodic security vulnerability assessments and penetration tests, which can expose the security loopholes a social engineer could exploit (Software, 2015).

Comprehensive fraud management programs: cost-effective automated transaction monitoring (Buku and Mazer, 2017). Safaricom should watch transactions closely, especially withdrawals. Data analytics and sharing for fraud detection: strengthening data analytics capacity for fraud detection (McKee et al., 2015) and leveraging data analytics to build a fraud indicator dashboard for robust monitoring (Deloitte, 2015).

Implement strong detection and prosecution procedures: develop technology that makes it easier to identify fraudsters, study the tricks used by fraudsters and identify ways to overcome them. Service providers should monitor suspicious activity in real time, blacklist numbers once they are detected as fraudulent and whitelist only the special numbers that are allowed. Detection is the process of identifying the presence of an attack and involves the monitoring and reporting of trends.


A feature that prevents unauthorized or blacklisted users from accessing M-Pesa would disable them from sending or receiving funds through M-Pesa for a certain period. Publishing the blacklisted numbers used by fraudsters helps create awareness among the public. Caller ID or Automatic Number Identification (ANI) can also be used for detection (Software, 2015).

Behavioral biometrics provides continuous authentication. It tracks the way a user interacts with an application and compares it to the genuine user's profile, authenticating users on the basis of who they are rather than what they know (a password or secret question) or what they have (a phone or token). This kind of technology is invisible to users but allows operators to immediately detect a fraudster attempting to break into an account with purloined authentication data or by other malicious means (Biocatch, n.d.).

Location intelligence makes use of GPS technology to identify the real-time location of a user (Software, 2015).
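The detective controls above (blocking sender-ID spoofing, watching for the "money sent wrongfully" and "won a prize" lures, never asking for a PIN by SMS) can be turned into a simple triage rule set. The block below is an added example for this page, not code from the thesis or from the M-Pesa service. It assumes that genuine transaction confirmations arrive only from the operator's registered alphanumeric sender ID, taken here to be "MPESA" (an assumption), and the sample messages at the bottom are constructed for the example.

```python
"""Rule-based triage of mobile money SMS for phishing (smishing) indicators.

Added example, not code from the thesis or from the M-Pesa service. Assumes
genuine confirmations come only from the registered sender ID "MPESA" (an
assumption) and that the operator never asks for a PIN by SMS. The sample
messages at the bottom are constructed, not real captures.
"""
import re
from dataclasses import dataclass, field

# Assumption: the operator's registered sender IDs. Anything else shown as the
# sender is an ordinary subscriber number (MSISDN).
OFFICIAL_SENDER_IDS = {"MPESA"}

BRANDING = re.compile(r"\bM-?PESA\b|\bConfirmed\b", re.I)
PIN_REQUEST = re.compile(
    r"\b(send|give|enter|reply|share|confirm|provide)\b.{0,40}\b(pin|password)\b", re.I | re.S)
PRIZE_LURE = re.compile(r"\b(won|winner|prize|promotion|congratulations)\b", re.I)
REVERSAL_LURE = re.compile(
    r"\b(sent|send)\b.*\b(wrongly|mistake|error|back|return|reverse)\b", re.I | re.S)
MOBILE_NUMBER = re.compile(r"(?:\+?254|0)7\d{8}\b")   # a Kenyan mobile number in the body
URGENCY = re.compile(r"\b(urgent|urgently|immediately|now|blocked|suspended)\b", re.I)


@dataclass
class Sms:
    sender: str   # sender ID or MSISDN as shown by the handset
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3

    def add(self, weight: int, reason: str) -> None:
        self.score += weight
        self.reasons.append(reason)


def triage_sms(sms: Sms) -> Verdict:
    """Score one SMS; any single strong indicator (weight 3) is enough to flag it."""
    v = Verdict()
    official = sms.sender.strip().upper() in OFFICIAL_SENDER_IDS
    # 1. Operator branding ("M-PESA", "Confirmed.") from an unregistered sender is the
    #    core of the "money sent wrongfully" forgery: the confirmation format is copied
    #    but the message comes from a personal number. Network-side blocking of
    #    sender-ID spoofing is what makes this check trustworthy.
    if BRANDING.search(sms.body) and not official:
        v.add(3, "operator branding but sender is not a registered sender ID")
    # 2. The operator never asks for the PIN over SMS.
    if PIN_REQUEST.search(sms.body):
        v.add(3, "asks for PIN/password")
    # 3. "Won a prize" lure.
    if PRIZE_LURE.search(sms.body):
        v.add(2, "prize/promotion lure")
    # 4. "Money sent wrongfully" lure.
    if REVERSAL_LURE.search(sms.body):
        v.add(2, "asks to return money supposedly sent by mistake")
    # 5. A mobile number to respond to, and 6. time pressure, are weaker signals
    #    because genuine confirmations also carry the counterpart's number.
    if MOBILE_NUMBER.search(sms.body):
        v.add(1, "contains a mobile number to respond to")
    if URGENCY.search(sms.body):
        v.add(1, "urgency wording")
    return v


# Constructed sample traffic for the example (not real captures).
SAMPLE_MESSAGES = {
    "genuine": Sms("MPESA", "QA12BC34DE Confirmed. You have received Ksh1,000.00 from JANE DOE "
                            "0712345678 on 1/6/18 at 10:02 AM. New M-PESA balance is Ksh2,500.00."),
    "sent_wrongfully": Sms("+254712345678", "Confirmed. Ksh5,000.00 has been sent to you by mistake, "
                                            "please send it back to 0712345678 immediately. M-PESA"),
    "won_a_prize": Sms("+254798765432", "Congratulations! You have won Ksh50,000 in the promotion. "
                                        "Call 0798765432 now and give your M-PESA PIN to claim."),
    "friend": Sms("+254711223344", "Hi, are we still meeting at 5?"),
}


def run_samples() -> dict:
    """Triage every constructed sample and return label -> Verdict."""
    return {label: triage_sms(sms) for label, sms in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:16s} {flag:10s} score={verdict.score} {verdict.reasons}")
```

The sender-ID check carries the most weight because it is the one indicator the attacker cannot talk around in the message text; it only holds, however, if the network blocks SMS header spoofing, which is why that preventive control and this detective rule belong together.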

2.5.2.3.3 Reaction / Response

These are the activities carried out after an incident has occurred, to reduce or limit its consequences. Mobile service providers should take the necessary action against subscribers who use their network for fraud: deregistration of fraudsters, with measures to ensure that someone found to be a fraudster cannot register lines with a service provider again; arrest and prosecution; and severe penalties for criminals.

Incident documentation and reporting: whenever a social engineering attack occurs, the victims should report the incident to the relevant personnel as soon as possible, before the attacker can act on what was obtained. For example, a user who has given out a password should change it immediately. The operator should provide a hotline for reporting crimes, better customer care when cases are reported, and an effective channel for complaints and redress, and should encourage the reporting of misuse and attempted fraud.

Incident response procedures: clearly outlined steps to follow when an incident occurs. Tracking services should be made available so that fraudsters can be tracked, together with effective consequence management and crisis management (Deloitte, 2015).


2.5.2.3.4 Compliance

This is the commitment of an organization to a set of regulations or terms of agreement, backed by strict security policies and procedures. The security policy should be well documented, with a set of standards that forms the solid foundation of a good security strategy, and should state its scope and contents clearly and in simple terms for each area it applies to. Policies are redundant if not enforced and implemented; users must follow the guidelines for the policies to be effective, and every new user should be taken through the security policies they have to follow.

Security procedures are a set of activities, tasks, steps, decisions or processes to achieve a set of outcomes. These procedures form the organizational countermeasures based on the security objectives stated by management. To gain compliance, management needs to support and enforce these policies and procedures. Security culture means creating a culture where security is embedded and employees are constantly aware of the social engineering risk; to achieve it, everyone should be motivated and see information security as part of their responsibility.

All M-PESA agents should have camera surveillance and insist on recording the ID number of anyone who wants to transact. There should be thorough checks all the way from the service provider to the user; negligence on Safaricom's part has been observed on several occasions.

Compliance monitoring and agent recruitment (Buku & Mazer, 2017). Borrow ideas from other countries. Enact legislation that curbs social engineering fraud. Perform product risk assessments. Inculcate a compliance culture, with continuous staff training and the implementation of disciplinary measures.

A multi-layered or defense-in-depth approach is essential in building a good defense against social engineering attacks (Ghafir, Prenosil, Alhejailan, and Hammoudeh, 2016). Foundational level: create a security policy around social engineering attacks. Fortress level: resistance training for employees. Persistence level: ongoing reminders (Gragg, 2003). Offensive level: responding to incidents. Gotcha level: developing Social Engineering Land Mines (SELM).


Engage in coordinated industry action aimed at curbing fraud – market level industry associations could monitor trends, promote mutual sharing of information on fraud trends and prudent fraud management best practices (Buku and Mazer, 2017).

Improve the handling of complaints, queries and redress through high service standards, better equipped agents who can help address problems, designated and specialized call center staff, and communication about recourse options (McKee et al., 2015).

The size of the deployment and availability of resources can have an impact on whether a deployment relies on preventive or detective controls. All mobile money deployments should continue to review the effectiveness and relevance of controls, particularly as the deployment grows both in customer base and volume of transactions.

When controls aren’t an option: transfer, tolerate or terminate risks are other options that can be considered (Gilman and Joyce, 2012).

Transfer: If a risk isn’t acceptable, then it can be transferred. For mobile money, a form of transfer is outsourcing. The use of third parties may reduce the risk for the operators.

Tolerate: a mobile money deployment may choose to tolerate a risk if the cost-benefit analysis of preventing it indicates that the cost or customer impact is too high. Such risks should be monitored closely in case the cost-benefit equation changes.

Terminate: this is the most practical option when an effective control is not possible. If a service or product creates many opportunities for fraud, customer issues or other problems, the best option is to discontinue that service.
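The steps from risk identification through control implementation, residual risk evaluation and the transfer/tolerate/terminate fallback (COSO steps 6 to 11 in Table 2.1 and the Gilman & Joyce phases above) can be worked through as a small risk register. The following is an added example for this page, not tooling from either framework: the actor-to-risk mapping is the one given in the text, while the 1 to 5 likelihood and impact scores, the appetite threshold and the effect attributed to each control are assumed values chosen for illustration.

```python
"""Worked risk register: score each identified risk (likelihood x impact),
compare it with the risk appetite, apply candidate controls and evaluate
residual risk, and fall back to transfer, tolerate or terminate when no
control brings the risk within appetite.

Added example, not tooling from Gilman & Joyce or Oosterloo. Risks per actor
follow the text; all scores, the appetite and control effects are assumed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # points taken off the 1-5 likelihood score (assumed)
    impact_reduction: int = 0       # points taken off the 1-5 impact score (assumed)


@dataclass
class Risk:
    actor: str
    name: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), assumed
    impact: int                     # 1 (negligible) .. 5 (severe), assumed
    candidate_controls: list = field(default_factory=list)
    fallback: str = "tolerate"      # transfer | tolerate | terminate, if controls fail

    @property
    def inherent(self) -> int:
        return self.likelihood * self.impact


def residual(risk: Risk, controls: list) -> int:
    """Residual risk after the given controls (scores never drop below 1)."""
    lk = max(1, risk.likelihood - sum(c.likelihood_reduction for c in controls))
    im = max(1, risk.impact - sum(c.impact_reduction for c in controls))
    return lk * im


def respond(risk: Risk, appetite: int) -> dict:
    """Risk determination, response, control implementation, residual risk evaluation."""
    record = {"actor": risk.actor, "risk": risk.name, "inherent": risk.inherent}
    if risk.inherent <= appetite:
        record.update(response="accept", controls=[], residual=risk.inherent)
        return record
    applied = []
    for control in risk.candidate_controls:      # add controls until within appetite
        applied.append(control)
        if residual(risk, applied) <= appetite:
            record.update(response="treat", controls=[c.name for c in applied],
                          residual=residual(risk, applied))
            return record
    # No combination of the available controls suffices: transfer, tolerate or terminate.
    record.update(response=risk.fallback, controls=[c.name for c in applied],
                  residual=residual(risk, applied))
    return record


# Constructed register using the actor/risk mapping from the text; scores are assumed.
REGISTER = [
    Risk("consumer", "vishing", 5, 3,
         [Control("user awareness and education", likelihood_reduction=1),
          Control("caller ID / ANI verification", likelihood_reduction=2)]),
    Risk("consumer", "smishing", 5, 3,
         [Control("block SMS sender-ID spoofing", likelihood_reduction=2),
          Control("user awareness and education", likelihood_reduction=1)]),
    Risk("consumer", "won-a-prize scam", 4, 2,
         [Control("publish official service numbers", likelihood_reduction=1)]),
    Risk("agent", "registration fraud", 3, 4,
         [Control("mandatory SIM registration and ID capture", likelihood_reduction=2)]),
    Risk("employee", "identity theft", 3, 5,
         [Control("least-privilege access and staff audit", likelihood_reduction=1)],
         fallback="transfer"),   # e.g. insure or outsource what cannot be controlled
]


def build_register(appetite: int = 6) -> list:
    """Apply the response procedure to every risk for the given appetite."""
    return [respond(r, appetite) for r in REGISTER]


if __name__ == "__main__":
    for row in build_register():
        print(f"{row['actor']:9s} {row['risk']:20s} inherent={row['inherent']:2d} "
              f"residual={row['residual']:2d} {row['response']:9s} {row['controls']}")
```

Controls are applied in the order listed and stop as soon as the residual score falls within appetite, which keeps the register honest about which controls actually earned their place; when the list is exhausted the record carries the fallback decision, so a reviewer can see at a glance which risks are being carried rather than managed.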

2.5.2.4 Monitoring & Reviewing of Risk

Risks can easily change through the growing knowledge and ingenuity of social engineers (Gilman and Joyce, 2012). Monitoring is critical to the success of risk management because mobile money services will evolve, and controls will need to be reviewed to ensure on-going effectiveness.

Monitoring requires strong management support and adequate internal resources. The most usual form of monitoring is the internal audit, a comprehensive review that ensures processes and controls are performed in a timely manner (Gilman and Joyce, 2012). Monitoring responses and incidents is very important in order to see whether there are still cracks in security that need immediate repair, and to find trends in attacks.

This knowledge can lead to changes in the controls, and should also take in changes proposed by staff, new insights from the information security literature and continuous improvement. Continuous periodic evaluation should also take place; the performance of the security controls can be measured by periodic audits of the different controls (Gilman and Joyce, 2012).

Regular reviews and involvement from management are necessary for operators to ensure the long-term sustainability of risk management, so the controls and measures should be reviewed and updated regularly. This framework can be used to manage fraud risk in mobile money, protecting operators, customers and agents and contributing to a successful mobile money business.


Figure 2.5: Risk Management Framework (Gilman & Joyce, 2012).

2.5.3 Vishing Attack Detection Model

Vishing refers to a type of attack in which the social engineer psychologically manipulates people during a phone conversation into giving up confidential information. Social engineers often prefer this kind of attack because most such attacks are never reported to the relevant authorities and the attacker can easily complicate the call routing, which makes it hard for investigators to trace them (Maseno, 2017).

That study proposes a practical model that mobile phone users can use to quickly and effectively identify social engineering attacks. A cross-sectional survey was employed as part of the research design, with a sample of 20 respondents selected using random sampling. The data was collected through interviews and structured questionnaires. The key findings indicated that the main factors influencing vishing attacks are technical factors, information sensitivity and psychological factors, and a practical model based on these factors was created to help mobile users detect vishing attacks (Maseno, 2017).

The study illustrates how people and technology are the two most common weaknesses that social engineers can easily exploit. Therefore, information sensitivity was considered among the key factors in the detection of these attacks.

ID spoofing and complexity of the mobile phone: these are technical weaknesses that an attacker can easily exploit during a vishing attack. The security level of a mobile device can be considered low if it lacks security measures such as anti-spoofing software. The research shows how mobile phone complexity affects the security level: the more complex a device is, the easier it is for a social engineer to defraud people. ID spoofing refers to the techniques attackers use to hide their true identity. A technical breach can be considered to have occurred when the caller ID cannot be verified and the complexity of the mobile device is high (Maseno, 2017).

Script and emotion used: mobile users ought to be able to evaluate and be conscious of their emotional state during a phone conversation, because emotional state has an impact on decision making. These are the psychological factors that are triggered during a social engineering attack with the main aim of getting information. Most vishing attacks follow a script as a way of gaining trust. Mobile users are encouraged to ask for clarification and not to feel pressured into taking certain actions; if the script is not clear, the emotional state is unbalanced and the user is unable to obtain clarification, the user is free to end the call (Maseno, 2017).

Sensitivity of information: a mobile user ought to be able to differentiate sensitive information from non-sensitive information. People are encouraged not to share their personal information with anyone requesting it. There are several trainings users can undergo to learn to value the information they hold. If the request is of a sensitive nature, the advice is to end the call (Maseno, 2017).

All three factors in the developed model, technical factors, psychological factors and information sensitivity, can be used when detecting vishing attacks. The model clearly outlines the different avenues through which social engineering can be detected.

Figure 2.6: Vishing Attack Detection Model (Maseno, 2017)

2.6 Chapter Summary

The chapter begins with an overview of social engineering and how M-Pesa works. Theoretical and conceptual frameworks used in the study are also addressed in the chapter. This helps give a highlight of some of the variables used in the study and their relationship with each other. It also outlines the theories used in the study.

The chapter is organized according to the different research objectives. The most common social engineering attacks were highlighted when evaluating the prevalence of social engineering within the study group. Other researchers' work in the field of social engineering was reviewed to learn about solutions that mitigate social engineering threats. Existing frameworks have also been reviewed, since one of the study's objectives was to develop a framework that detects social engineering threats.

The first objective of the study which involves determining the prevalence of social engineering, was also evaluated. Various social engineering attack scenarios, cases and techniques used were explored and discussed.


The second objective covers possible solutions that can be used to mitigate social engineering threats. This describes some of the precautionary measures to take and the use of a risk management framework to manage social engineering risks in mobile money transfer systems.

The third objective deals with developing a framework that can help detect social engineering threats on the mobile money platform. Several papers are reviewed in this section, looking at what other researchers have done on social engineering. The gaps identified in the literature are also covered, explaining where the gap is and why the proposed solution is needed.


Chapter 3: Methodology

3.1 Introduction

After reviewing the literature it is evident that there is a gap in social engineering research, especially on mobile money transfer platforms like M-Pesa. It was therefore necessary to carry out a preliminary study and a main study to identify the gaps, get feedback from the participants and obtain a good understanding of the problem at hand.

This chapter presents the third phase of this study: a comprehensive evaluation of the prevalence of social engineering on mobile money transfer services (M-Pesa) and suggestions on how to prevent such attacks. The evaluation relies on analytic and empirical evaluations conducted by experts on potential users.

The data collection section presents the methods used, the materials, the experimental data (i.e. demographics), the procedures and the experimental observations. The usability results and their implications support the adoption of a framework that can inform on the prevalence of social engineering on mobile money transfer services.

3.2 Research Design

As theorized from the literature review, there were several challenges, especially in terms of social engineering on mobile money platforms. To capture and discover the factors that facilitate the use of social engineering against individuals, the study employed a survey research design. The variables used in the study are explained in detail below.

Receiving fraudulent calls or SMS in the past six months served as the psychological factor under authority, the reasoning being that the caller invokes some form of seniority or authority to get information from the user. The different scams used by social engineers to deceive people fall under the techniques used; these include the "won a prize" scam and the "money sent wrongfully" scam, classified as techniques because this is the stage at which voice and SMS phishing are used by the social engineer. Sharing personal information with other people served as the final independent variable, classified under information sensitivity. Having some form of authentication, and the prevalence of social engineering, were used as the dependent variables. SPSS was the main tool for analysis, measuring the inter-relations between the various variables. A factor analysis was conducted on the data set to determine its suitability. Microsoft Excel was also used to design tables and charts and to organize the data.

3.3 Research Population and Sampling Design

3.3.1 Population

The focus of the study was the Nairobi community. The population comprised individuals who own a mobile phone and carry out mobile money transactions through M-Pesa.

3.3.2 Sampling Design and Sample Size

A cluster sampling technique was used, sampling M-Pesa users within Nairobi on the hypothesis that the participants come from diverse cultures, so that the findings can be generalized. The target size was 5 for the pilot study and 97 for the main study.

Figure 3.1: Formula for Calculating Sample Size

Figure 3.1 illustrates how to estimate the sample size from the size of the population, the margin of error and the z-score (Sample Size Calculator: Understanding Sample Sizes | SurveyMonkey, n.d.).


According to Nairobi Population (2017), the last official population count of Nairobi was taken in 2009 and the figure was 3,138,369. This is used as the value of N.

The margin of error used is 10%, so after conversion into decimal format the value of e is 0.1.

The confidence level used is 95%, so the z-score is 1.96.

Using these values in the formula gives a sample size of 97.
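The calculation can be reproduced with the sample size formula that the cited SurveyMonkey calculator uses (the standard normal-approximation formula with a finite population correction). This is an added example for this page, not the thesis's own figure: it assumes that this is the formula shown in Figure 3.1, and it takes p = 0.5, the most conservative proportion, which is what such calculators assume when nothing is known about the population.

```python
"""Sample size with a finite population correction.

Added example; assumes the formula is the one in Figure 3.1 (the SurveyMonkey
calculator's) and that p = 0.5 is the assumed population proportion.
"""
import math

Z_SCORES = {0.90: 1.645, 0.95: 1.96, 0.99: 2.576}   # two-sided standard normal quantiles


def sample_size(population: int, margin_of_error: float,
                confidence: float = 0.95, p: float = 0.5) -> int:
    """Minimum sample size, rounded up to a whole respondent."""
    z = Z_SCORES[confidence]
    n0 = z * z * p * (1 - p) / margin_of_error ** 2    # size for an infinite population
    n = n0 / (1 + n0 / population)                      # finite population correction
    return math.ceil(n)


NAIROBI_POPULATION_2009 = 3_138_369   # N from the text


def thesis_sample_size() -> int:
    """N = 3,138,369, e = 0.1, z = 1.96 (95%): the 97 used in the study."""
    return sample_size(NAIROBI_POPULATION_2009, margin_of_error=0.10, confidence=0.95)


if __name__ == "__main__":
    print(thesis_sample_size())                          # 97
    print(sample_size(NAIROBI_POPULATION_2009, 0.05))    # 385: halving e roughly quadruples n
    print(sample_size(100, 0.10))                        # 49: the correction matters for small N
```

With a population in the millions the correction term is negligible, so the 97 is essentially the infinite-population value for a 10% margin; the same function shows that tightening the margin to 5% would have required about four times as many respondents.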

3.3.2.1 Sampling Frame

The sampling frame consisted of M-Pesa Agents, Master of Science in Information Systems & Technology students, Business owners and people that use M-Pesa services, and General population.

3.3.2.2 Sampling Technique

The sampling technique used was cluster sampling, in which the researcher divides the population into groups, referred to as clusters, selects a random sample of clusters and analyzes the data from the sampled clusters.

3.4 Data Collection Methods

Surveys/questionnaires were the main method of collecting information from the study sample. The questionnaires were semi-structured, with both closed and open-ended questions. The study used two sets of questionnaires, one for the preliminary study and one for the main study.

Pilot/preliminary study questionnaire: the main purpose of the pilot study was to test the feasibility of the study and identify gaps in the research instruments. Data was collected from just five people.

Main study questionnaire: gathers detailed information about a participant's demographics, education level and experience with M-Pesa, the prevalence of social engineering crimes, and, at a qualitative level, the extent to which users know about mitigating social engineering threats in M-Pesa. The main study evaluated the main objectives of the research comprehensively and, as a result, led to a framework that can be used to detect social engineering crime cases.

3.5 Research Procedures

The design and development of the data collection instruments depended on the research objectives, which are: to evaluate the prevalence of social engineering and suggest solutions on how to mitigate it, and to develop a framework that informs on social engineering threats in M-Pesa.

The pilot study was carried out in Nairobi amongst M-Pesa users to identify the gaps and test validity of the research instruments. The total number of participants that took part in the pilot study was five.

The main study was also carried out in Nairobi. The general requirements for participants were owning a mobile device and using M-Pesa for transactions. Since the target sample was larger than in the pilot study, the researcher had the assistance of two research assistants in the data collection; their key role was to help distribute the surveys to participants and collect them. The questionnaires were short, brief and easy to understand. For participants who had problems with comprehension, the research assistants explained what was expected of them and helped them interpret the surveys, taking a neutral stance to avoid influencing the participants' decisions.

Before taking part in the survey, participants were encouraged to read the form before filling it in, to give them a brief introduction to and background on the project. There was no set time for filling in the questionnaires; participants were encouraged to take as much time as they needed to comprehend the survey.

3.6 Data Analysis Methods

To test the validity of the data collected from the questionnaires, the study used Microsoft Excel and SPSS. The questionnaires used for the pilot and main study are available for further scrutiny. Descriptive statistics were used for the quantitative data, with visual representations such as bar graphs and pie charts, so that the large volume of data was simplified into summaries and organized in a manageable form. Thematic analysis was used for the qualitative data obtained during the data collection phase. A regression analysis was performed to test the relationship between the independent and dependent variables, and factor analysis was performed to evaluate the suitability of the dataset.

3.7 Ethical Considerations

The materials for this experiment included a consent form for users to sign before filling in the survey. The researcher obtained authorization to carry out the research and was issued with an introductory letter by the university. Confidentiality was observed throughout the data collection exercise and there were no cases of forced participation in the study.

3.8 Chapter Summary

This chapter presents the methodology used in this study. The introduction highlights what the research involves and what to expect from the chapter. The research design outlines the instruments used for data collection; for this study, surveys or questionnaires were used.

Population and sampling design specifies the considerations made for the sample population and how the sample size was evaluated. This was determined after careful consideration of the total population, level of confidence and margin of error. Data collection methods outlines the various methods used to collect data. The data analysis section illustrates how the analysis was performed.

Descriptive statistics were used to analyze the quantitative data. Thematic analysis was carried out on the qualitative data by classifying the data into various categories or themes. Research procedures gives an overview of how the research was carried out. A preliminary study was initially performed to test the feasibility of the study. The study focused on mobile money users in Nairobi. The general attributes required to participate were having a mobile phone and using M-Pesa for transactions.


Chapter 4: Model

4.1 Introduction

Upon analysis of the data acquired from the survey participants, a framework was created. It was evident that the main contributing factors to successful detection of social engineering attacks usually involved the following: demographics, sharing of information, security and opinions.

Demographics – this covers the country of origin, gender, age and level of education of the mobile users.

Sharing of Information – this consists of examining the number of people who have ever shared their M-Pesa PIN or personal information with someone else.

Security – this variable examined the number of people who had authentication methods. It also helped illustrate how knowledgeable the users were in terms of social engineering detection.

Opinions – This covers the prevalence of social engineering or M-Pesa fraud within the study group.

As part of social engineering attacks, the following variables were grouped under social engineering: fraudulent calls/SMS, the "money sent wrongfully" scam and the "won a prize" scam.

4.2 Analysis

The proposed framework was developed using some of the variables obtained from the data collection phase. The dependent variables have been classified as follows: Demographics, Sharing of Information, Security and Opinion. The independent variables grouped under social engineering group are: Fraudulent Calls/SMS, Money sent wrongfully and Won a Prize.

Under each dependent variable, the questions used are listed. In the Demographics variable, the questions covered areas such as country of origin, age, gender and the person's level of education. The Sharing of Information variable used a question that dealt with sharing one's M-Pesa PIN with other people. The Security variable used a question on authentication methods. The authentication methods were relevant since, if someone had a way of detecting social engineering, the chances of being a victim of social engineering were low. Lastly, the Opinion variable used a question that tested people's perception of the prevalence of social engineering or M-Pesa fraud.

The same variables that influence social engineering can also be used to detect social engineering threats. The demographics variable can be evaluated to identify some of the background information and characteristics of people who are highly likely to be affected by social engineering.

Sharing of information can also be used to detect social engineering. This is possible by examining the nature of the information that is shared amongst people: the more sensitive it is, the higher the chances of social engineering occurring. The security variable is important since it measures how knowledgeable a mobile user is about social engineering.

This means that the level of knowledge amongst users can determine the success rate of social engineering. The opinion variable assesses how a user's perception of social engineering can affect its likelihood. This means that the level of social engineering detection amongst mobile users depends on their level of perception.

4.3 Modeling & Design

Figure 4.1 demonstrates the relationship between the dependent and independent variables. According to the analysis, it is evident that demographics, sharing of information, security and opinion can have an impact on the likelihood of social engineering occurring.


Figure 4.1: Mobile Money Social Engineering Framework

4.4 Testing

Factor analysis can be referred to as a data reduction technique, since it takes a large set of variables and looks for a way in which the data can be summarized into a smaller set of components or variables. This is done by looking for groups of variables with very strong inter-correlations within a set of variables. This technique enables us to mathematically find patterns or inter-correlations amongst many variables and helps identify how these variables work together (Channel, 2013).

Factor analysis has many different uses. It is often used by researchers when evaluating and developing scales that measure a certain construct or knowledge area. The person developing the scale starts with many items per question on a scale or measurement tool. Using these analysis techniques, it is possible to refine these items into a smaller number of subscales that together measure the construct but may also measure different aspects of that construct. The aim is an efficient number of variables that measure a construct while avoiding redundancy in the measurements of the constructs (Channel, 2013).


The term factor analysis is a generic term that represents a couple of different but related techniques. The two techniques that fall under factor analysis are principal component analysis and standard factor analysis (Channel, 2013).

Principal Component Analysis – in this kind of analysis, the original variables are transformed into a smaller set of variables that have strong linear correlations. The variance in all the variables is also examined. The outcome is a set of components that go into the measurement tool and technique that we are interested in.

Standard Factor Analysis – factors are estimated using a mathematical model. The only variance that is analyzed is the shared variance instead of the total variance.

These techniques have many similarities, but they also differ. If you want to develop a theoretical research solution that is uncontaminated by unique variance, then standard factor analysis would be your choice. However, if you are interested in a more practical application and require an empirical real-world summary of your data, then principal component analysis is the better choice (Channel, 2013). In this research study, the principal component analysis method was used because it is one of the most commonly used techniques and applies to the research.

4.5 Summary

The proposed framework was influenced by the data obtained during the data collection phase. This chapter analyzes in depth the various variables that were considered in the study. A correlation of the dependent variables and the independent variables was performed. The dependent variables were grouped into distinct groups based on their individual qualities: security, sharing of information, demographics and opinion. Social engineering served as the independent variable. In the social engineering group, the strategies used by social engineers were listed; these include the use of fraudulent calls/SMS and social engineering scams such as money sent wrongfully or winning a prize. The modeling and design phase covers some of the processes involved in the creation of the proposed framework and shows how the various variables in the framework correlate with each other. Factor analysis was used to test the suitability of the dataset used in the study. The variables used in the framework were obtained from the data collected.


Chapter 5: Results and Findings

5.1 Introduction

The goal of this empirical study was to examine the prevalence of social engineering on mobile money transfer services (M-Pesa), obtain suggestions for improving the same and create a framework that can be used to inform on social engineering fraud. To fulfill this goal, the evaluators needed to understand why the participants behaved and reacted as they did. This was accomplished by characterizing the participants and probing the details of the responses and subjective reactions (such as comments/opinions provided after the study).

The sample population required for this experiment was approximately 97 as per the sample size calculation formula. The data was collected within Nairobi, and the only requirements for participants were to be based in Nairobi and to have previously used M-Pesa for transactions. The data collection had some challenges but was successful, and the researcher was able to obtain 102 respondents.

This research revolves around creating a framework that can be used to inform on social engineering fraud. From the survey, several types of user characteristics were documented based on participants' backgrounds. The following groups of participants were chosen to collect data from: M-Pesa agents, Masters in IT students, business owners/people who use M-Pesa services and the general population.

In the survey evaluation process, the researcher collected and measured several user background characteristics. Figure 5.1.1 illustrates data from the self-reported responses of participants and shows the frequency of responses for each category.

Figure 5.1: Gender Distribution (pie chart: Male 52%, Female 48%)

With respect to gender, the data is categorized into male/female, but comparing the responses did not reveal any significant difference or trend. In addition, the researcher collected and reported the demographics. The figure above shows that more men than women participated in the study: male participants at 52 percent were slightly more than female participants at 48 percent. However, the researcher still holds the results to be accurate, because no anomaly in the responses was found during gender-based data analysis.

Figure 5.1.2 represents the age range of participants. The values represent percentages of test subjects respectively.

Figure 5.2: Age Distribution (pie chart: 18 - 28: 72%, 29 - 39: 26%, 40 - 49: 2%; no respondents below 18 or 50 & above)

None of the participants were below 18 or 50 years and above. It is clear that 72 percent of the population belong to the 18 – 28 age group. The 29 – 39 age group follows with 26 percent, and the 40 – 49 age group with 2 percent. Based on the study sample, it is quite evident that most M-Pesa users fall between 18 and 28 years of age.

Figure 5.1.3 represents the countries that the survey participants belong to.

Figure 5.3: Country Distribution (bar chart of respondents per country: Kenya 82; the other twelve countries 2, 4, 2, 1, 2, 2, 2, 1, 1, 1, 1 and 1 respondents)

Despite M-Pesa being a Kenyan innovation, it is quite motivating to see people from other countries also using the platform. This shows how diverse M-Pesa's user base is. Eighty percent of the participants are from Kenya, with the remaining 20 percent shared amongst Uganda, Tanzania, Nigeria, Sierra Leone, Somalia, South Africa, DRC, Burundi, Zimbabwe, Malawi, South Korea and Angola respectively. Figure 5.1.4 provides a visual representation of the education level of the survey participants.

Figure 5.4: Level of Education (bar chart of respondent counts: Primary school 1, High school 12, University degree 56, Masters 30, Doctorate 0, Not indicated 3)

Primary school – 1 percent

High school – 12 percent

University degree – 55 percent

Masters – 29 percent

Not indicated – 3 percent

None of the participants held a doctorate degree. Three percent of the people did not indicate their level of education. Twelve percent had a high school education. Fifty-five percent of the population had a degree and finally 29 percent had a master's degree.

According to Figure 5.1.4, 84 percent of the population had a degree, meaning that they had some experience with M-Pesa and basic knowledge of how it works, and would be most suitable to suggest ways that would help mitigate social engineering fraud.

5.2 Evaluating the Prevalence of Social Engineering

An experiment was carried out to test the prevalence of social engineering in the study group. Figure 5.2.1 provides the results on the prevalence of social engineering in Kenya.

Figure 5.5: Social Engineering Prevalence (bar chart "Prevalence of S.E in Kenya" over the seven response categories Strongly Agree, Agree, More or Less Agree, Undecided, More or Less Disagree, Disagree, Strongly Disagree; bar values 52, 27, 10, 6, 5, 1, 1)

Seven percent of the participants were not aware of the prevalence of social engineering in Kenya. Six percent of the participants were undecided. Eighty-seven percent of the participants agreed that social engineering is indeed prevalent in Kenya. Therefore, based on the above statistics, there is a need to address how to mitigate against social engineering fraud.

This section analyzes some of the variables that were used in the development of the proposed framework for social engineering detection.

Figure 5.2.2 represents statistics of various responses to fraudulent calls or messages within the past 6 months.

Figure 5.6: Participants That Received Fraudulent Calls/SMS (bar chart over the seven response categories, Strongly Agree to Strongly Disagree; bar values 40, 24, 13, 14, 5, 1, 5)

This is among the techniques used by social engineers to try to defraud you or make you give up critical information without realizing it.

According to the data, 68 percent have received either a fraudulent call or SMS. This means that, assuming people were not aware of such social engineering techniques, it is highly likely they would be compromised. Thirty-two percent of the population admitted to not having received such calls or messages, which shows that as common as the technique is, it has not yet spread to affect most people.

Figure 5.2.3 represents another common technique used by social engineers: the use of scams.

Figure 5.7: "Money Sent Wrongfully" Scam (bar chart over the seven response categories, Strongly Agree to Strongly Disagree; bar values 61, 29, 3, 1, 1, 5, 2)

This scam works by receiving an SMS or call from someone who claims to have sent you money and requests that you send it back. An unsuspecting user may easily fall for it without first confirming their M-Pesa balance. In the study sample, 91% had received such a call/SMS before, which shows how frequent this occurrence is.

Figure 5.2.4 represents yet another social engineering technique that is very prevalent amongst the sample population, with 87% of the people agreeing to having experienced it.

Figure 5.8: "Winning a Prize" Scam (bar chart over the seven response categories, Strongly Agree to Strongly Disagree; bar values 64, 22, 3, 1, 7, 5)

In this scam, someone receives a call or SMS claiming that they have won a prize in an ongoing competition. The idea is to obtain personal information from the victim while pretending to process the prize. Based on Figure 5.2.4, it is evident that this type of scam occurs frequently and should be addressed.

Figure 5.2.5 represents the number of participants that have ever shared their personal information or M-Pesa PIN with someone else.

Figure 5.9: Sharing Personal Information (bar chart "Sharing Personal Information with others" over the seven response categories, Strongly Agree to Strongly Disagree; bar values 47, 21, 15, 8, 8, 3)

Sharing of personal information is one of the behaviours exploited by social engineers to defraud people. Thirty percent of the participants admitted to having shared such details with other people, which means they were at risk of being defrauded. Seventy percent of the participants denied sharing personal information with others. This is an indication that most of the participants are aware of this technique used by social engineers.

5.3 Suggesting Solutions to Defend against Social Engineering

5.3.1 Authentication Methods

Figure 5.3.1 highlights the number of people with a form of authentication in the sample study. This section highlights how knowledgeable the users are about M-Pesa.

Figure 5.10: Authentication Methods (pie chart "Have some form of authentication": Yes 46%, No 54%)

The researcher saw the need to measure the number of people that have some form of authentication because someone with authentication methods would be able to detect most of the social engineering techniques used by fraudsters.

By authentication method, we mean having a way to prove the legitimacy of calls or messages. 54% of the people did not have any authentication, meaning that they had no way of differentiating between legitimate and illegitimate content, which is very risky since they could be more prone to being defrauded. Having some form of validation means that you can identify these kinds of threats; if you do not, then you are highly likely to end up as a victim. Table 5.1 presents some of the responses from the people that had authentication methods.

Table 5.1: Participants' Responses Regarding Authentication Methods

“Safaricom has unique MPESA codes that are attached to every MPESA transaction; All calls from Safaricom contain unique numbers as well.”

“Call and confirm the details from the subscriber.”

“The service provider’s contact is unique and are also listed on their various platforms.”

“I use common sense and the actual references.”

“Keep changing password.”

“Pin Number.”


“M-Banking Services.”

“By ensuring that the MPESA SMS is genuinely from Safaricom and not any random number, if it’s not, the SMS is generally ignored.”

“Getting mini statements”

“Use True-caller, it will flag off fraudsters as spam.”

“Phone Number”

“Safaricom has a specific number they use to call their clients with. That serves as a way of authenticating the service provider.”

“The website / internet”

“Any website communication is through secure servers (https). Any SMS communication is only through recognized service providers.”

“Safaricom never calls. They always insist on visiting customer care centers; so do all other service providers.”

“Requesting for personal information before transacting”

“Messages. Email Verification.”

“Check balance on MPESA”

“Call Center”

“Normally the numbers are prefix registered name i.e., They like KCB etc. This also applies to SMS. But when a scammer calls or sends a message their mobile numbers are normally displayed.”

“Customer service. No of respective banks available.”

“The text comes in the form of a service number and not any other number.”

“Confirm the number calling as per previous communication from the bank/service provider.”

“The line must be landline or the officially documented contact lines of Safaricom or the bank. I also insist on communication via emails in case of a bank.”

“To check my bank statements, a password is required that is provided by the bank.”

“The phone number is very specific”

“Hakikisha na MPESA”

The knowledge of various authentication methods or techniques was tested amongst the sample study participants. Authentication is a key aspect in terms of proving the legitimacy or authenticity of phone calls or text messages. Based on analysis of the participants' responses, the researcher came up with thematic groups which can be classified as: anatomy of M-Pesa, precautionary measures, red flags, innovations and knowledge.

5.3.1.1 Anatomy of M-Pesa

This involves mastering the internal workings of the mobile money transfer system. When carrying out M-Pesa transactions, there are unique codes attached to every transaction for identification and validation purposes. Service providers also use specific and unique telephone numbers that are available and easily accessible to mobile users. Any notification received from a service provider is usually from a number with a specific registered sender name. By learning the inner workings of the mobile money environment, it is easier to detect deviations that indicate an illegitimate voice call or SMS.

5.3.1.2 Precautionary Measures

This category involves measures that can be taken by mobile users as a safety check to ensure adequate protection. Mobile users are encouraged to always confirm the details of the service provider or caller, for example by ensuring that a call or message is indeed from the actual service provider. This helps in probing the authenticity of phone calls or messages. Most social engineering scams involve some form of deception or trickery. Therefore, it is always wise to check your mini statements or M-Pesa balance so as to be aware of the transactions made. Users are also encouraged to reach out to Customer Care with any inquiries they may have.

5.3.1.3 Red Flags

These are indicators of a looming compromise. An example of a red flag would be receiving a request for personal information. Mobile users are often encouraged not to share any confidential or personal information with other people; therefore, receiving such a request helps users distinguish legitimate from illegitimate calls or messages. The social engineer, being a master at social interactions, can easily influence someone into giving up sensitive information without even realizing it.

5.3.1.4 Innovations

This category involves some of the existing technological solutions that can aid users in ensuring the authenticity of calls or messages. The Truecaller application enables mobile users to easily identify caller IDs. This is key in social engineering since, most of the time, attackers mask their true identities through Caller ID or SMS header spoofing. With the help of this application, you can check the legitimacy of calls or messages.

The “Hakikisha” service by Safaricom also lies in the innovation category. It is a system that helps mobile users ensure that money transfers reach the intended recipient. It is also possible to stop and reverse M-Pesa transactions before completing the transfer. Many scams take advantage of M-Pesa money transfer systems. Therefore, this technology can reduce the amount of money lost by being sent to the wrong recipient.
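The thematic groups above (a registered sender name and a transaction code on every transaction, a request for a PIN or personal information as a red flag) and the "money sent wrongfully" and "won a prize" scams from Section 5.2 can be combined into a simple rule-based triage of incoming SMS. The Python below is an added illustration and is not part of the study or of any Safaricom system; the sender names, the transaction-code pattern and the sample messages are constructed placeholders.

```python
"""Rule-based triage of incoming SMS using the thematic groups from the survey:
anatomy of M-Pesa (registered sender names, a transaction code on every
transaction), red flags (requests for PIN or personal information) and the
framework's scam variables ("money sent wrongfully", "won a prize").

Added illustration only. Sender names, the transaction-code pattern and the
sample messages are constructed placeholders, not the provider's real values.
"""
import re
from dataclasses import dataclass, field

# Constructed whitelist of registered sender names (placeholders).
TRUSTED_SENDERS = {"MPESA", "SAFARICOM"}

# Constructed placeholder for the unique code attached to every transaction:
# assumed here to be ten uppercase alphanumerics. The real format is not
# taken from the study.
TXN_CODE = re.compile(r"\b[A-Z0-9]{10}\b")

# Respondents noted that the provider sends from a registered name while a
# scammer's own mobile number is displayed, so a raw number is a signal.
RAW_MSISDN = re.compile(r"^\+?\d{9,13}$")

# Text that talks about money or a completed transaction. Legitimate
# confirmations carry a transaction code, so money talk without one is odd.
MONEY_TALK = re.compile(r"\b(ksh|kes|m-?pesa balance|confirmed)", re.I)

# (reason, weight, pattern): one keyword rule per framework variable.
CONTENT_RULES = [
    ("red_flag_pin_request", 5,
     re.compile(r"\b(pin|password|id number|secret)\b", re.I)),
    ("scam_money_sent_wrongly", 3,
     re.compile(r"\b(sent (you )?(ksh|kes|money)|by mistake|send (it )?back)", re.I)),
    ("scam_won_prize", 3,
     re.compile(r"\b(won|winner|prize|promotion|congratulations)\b", re.I)),
    ("pressure", 1,
     re.compile(r"\b(urgent|immediately|now|suspended)\b", re.I)),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, reason: str, weight: int) -> None:
        self.score += weight
        self.reasons.append(reason)

    @property
    def label(self) -> str:
        if self.score >= 6:
            return "likely phishing"
        if self.score >= 3:
            return "suspicious"
        return "likely legitimate"


def score_sms(sender: str, text: str) -> Verdict:
    """Score one message; a higher score means more phishing indicators."""
    v = Verdict()
    if sender.upper() not in TRUSTED_SENDERS:
        if RAW_MSISDN.match(sender):
            v.add("sender_is_raw_number", 3)
        else:
            v.add("sender_not_registered", 2)
    # A registered sender name alone is not proof: the study mentions SMS
    # header spoofing, so the content rules are applied to every message.
    if MONEY_TALK.search(text) and not TXN_CODE.search(text):
        v.add("money_claim_without_transaction_code", 2)
    for reason, weight, pattern in CONTENT_RULES:
        if pattern.search(text):
            v.add(reason, weight)
    return v


# Constructed sample traffic, modelled on the scam descriptions in the survey.
SAMPLE_SMS = [
    ("MPESA", "QA12BC34DE Confirmed. Ksh500.00 sent to JOHN DOE on 1/6/18. "
              "New M-PESA balance is Ksh1,200.00."),
    ("+254700000001", "I have sent you Ksh2,000 by mistake, please send it back now."),
    ("PROMO2018", "Congratulations! You have won a prize in the ongoing promotion. "
                  "Reply with your ID number and PIN to claim."),
    ("MPESA", "Dear customer, your account will be suspended. "
              "Confirm your PIN immediately."),
]


def triage(messages):
    """Return (sender, label, reasons) for each (sender, text) pair."""
    out = []
    for sender, text in messages:
        v = score_sms(sender, text)
        out.append((sender, v.label, v.reasons))
    return out


if __name__ == "__main__":
    for sender, label, reasons in triage(SAMPLE_SMS):
        print(f"{sender:>15}  {label:<18} {', '.join(reasons) or '-'}")
```

The last sample shows why the sender check alone is insufficient: a message carrying a registered name still scores as phishing once it asks for a PIN under time pressure.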

5.3.1.5 Knowledge

According to the analysis of the participants' responses, the use of common sense and reference to resources available on the internet can be of great help in ensuring the authenticity of calls or messages. The internet has a wealth of information on various subjects. If mobile users have some initiative, they can learn a lot that can be applied to the mobile money environment. Reference to resources is not limited to the internet but also includes newspaper articles, journals and magazines, among others. Common sense can also be applied in some cases to help ensure the legitimacy of calls or messages. The following are some of the responses given by respondents who had suggestions on ways to mitigate against social engineering threats.

5.3.2 Suggested Solutions

Table 5.2: Suggested Solutions to Mitigate SE Threats

Solution: Provide a hotline for reporting crimes
Description: Ensure the fraudsters are caught and brought to book to stop them from conning more people. Report misuse and attempts of fraud. Provision of an effective complaints resource channel. Better customer care, especially when cases are reported. Having all MPESA texts coming from a main place or specific number like Safaricom; any other message will be fraudulent. A list of fraudsters' numbers issued by the phone vendors, i.e. Safaricom, to enable their users to block the numbers prior.

Solution: Strong detection and prosecution procedures
Description: Safaricom should invest more in cybersecurity and modern technology for detecting and preventing the scams. They should identify the users and block their numbers, or they should be charged with a fine to stop them from swindling others. Tracking services should be availed so that thieves can be tracked.

Solution: Prosecution
Description: Prosecution of those fraudulent activities should be taken seriously and at least people taken to jail. The level of collusion (graft) we see is high, and the furthest these criminals are taken is to a court but never sentenced. Therefore, justice for me should improve first, like in other serious countries in the West. Introduce severe penalties for criminals. Service providers should do real-time monitoring of suspicious activities.

Solution: Better security authentication
Description: Other than just a password, have another way for a customer to verify before withdrawing the money. Two-factor authentication. Facial recognition password option. More alternatives than two-step verification. Make MPESA use other forms of verification; the four-digit PIN is very insecure. Use a one-time PIN per transaction, as is applicable in some banks. Enhancing privacy settings.

Solution: Borrow ideas from other countries
Description: Enactment of legislation or laws that will curb social engineering fraud.

Solution: Awareness
Description: People should be taught and educated about it. Educate people on MPESA usage, e.g. reversal. From non-user to user, common sense should be used. Confidentiality of your PINs and passwords. Always treat unknown calls as suspicious. Social engineering awareness programs.

Solution: Public education
Description: Less technology-savvy users should be educated about such fraud and how to recognize and prevent it, especially the elderly. Raise public awareness through social media platforms (ones commonly used) as a protective/informative measure. More adverts to educate the citizens. The telephone company needs to alert customers and create awareness about the fraudulent activities going on. Register phone numbers to access network services. Be alert with transactions on MPESA. Keep personal information safe. Information security awareness to be incorporated in the school curriculum.

Solution: Train users
Description: Safaricom should inform people about the various scams used by fraudsters and train users on how to identify and defend themselves from social engineering. Do not give personal information to friends. Do not give out access credentials to anyone. Do not respond to anonymous SMS/calls. Decrease the number of people who have access to high-level security and who can access such information.

Solution: Proper auditing
Description: The service provider should have thorough checks; some negligence has been observed severally from Safaricom. Safaricom to audit all their current and previous employees and ensure tough measures are put in place to punish fraudsters. Service providers must always ensure that the clients and their money are safe. That way an individual can have trust in their product.

Solution: Strict government policies
Description: Arrest and prosecution of fraudsters. Make strict policies that prohibit people from transacting money without a national ID.

Solution: Camera surveillance
Description: All MPESA agents should have camera surveillance and insist on recording the ID number of anyone who wants to transact.

Solution: Regulations
Description: However, it must be ascertained whether the agent is trustworthy to keep such information. I also feel information is leaked through M-Pesa agents and thus there must be a way to regulate them and the information they collect. The Communications Authority (CA) should obligate mobile service providers to take necessary action against subscribers who use their network for fraud purposes.

Solution: Study the tricks used by fraudsters
Description: What Safaricom is currently doing, i.e. text a certain number in case you send money to a wrong recipient. Study the tricks used by fraudsters and identify ways of overcoming them. If personal information would be used more in getting to know the individuals who try such techniques of robbing Kenyans.

Solution: Encryption of mobile money
Description: Getting a personal encryption of mobile money and available information. Strong ID protection measures from the standpoint of the providers. Provide ample security to mobile money users. Developing technology that will make it easier to identify fraudsters.

Solution: Blocking unauthorized users
Description: Mobile service providers should have strategies that help users authenticate the service providers' calls and SMS. Use of apps to authenticate callers, e.g. Truecaller. Come up with apps that help in blocking unauthorized users from accessing others' MPESA. Blacklisting of numbers once detected as fraudulent and whitelisting only special numbers allowed.

This section covers some of the suggestions provided by the survey participants. These suggestions highlight various ways in which social engineering threats can be mitigated. Thematic analysis was used to analyze the responses, and the proposed solutions were classified into the following themes:

5.3.2.1 Reporting

This involves providing a hotline that can be used to report crimes and prevent fraudsters from defrauding mobile users, as well as an effective complaints resource channel. There should be good customer care when crimes are reported, and people should not hesitate to report any misuse or attempts of fraud.

5.3.2.2 Prosecution

Ensuring that those caught engaging in fraudulent activities face the law. An improvement in our justice system is also key, due to the high level of collusion between the criminals and the courts: the furthest the criminals are taken is to a court, but they are never sentenced. Severe penalties for criminals should be introduced.

5.3.2.3 Detection

This involves blacklisting numbers that are detected as fraudulent and whitelisting only special numbers that are allowed. All M-Pesa agents should have camera surveillance and should insist on obtaining an ID number from anyone that wants to carry out a transaction. Comprehensive fraud management systems should be in place. Mobile users ought to be alert when carrying out mobile money transactions.


5.3.2.4 Authentication

Other than relying on just a password, mobile users require better forms of security authentication that allow verification before performing a transaction. There are also other alternatives besides two-factor authentication, such as facial or voice-based recognition. A one-time PIN per transaction was also a suggestion from the sample study.

5.3.2.5 Security Education, Training and Awareness

People should be taught and educated about M-Pesa usage. Mobile users ought to keep personal information safe and observe confidentiality of their PIN and other personally identifiable information. Public awareness should be raised through social media platforms. Less technology-savvy users ought to be educated about social engineering and how they can protect themselves from it. According to the data, it was suggested that service providers need to inform people about the various kinds of attack mechanisms used by fraudsters and also train mobile users on how to identify and defend against social engineering threats.

5.3.2.6 Audits

Service providers are required to perform regular audits of their systems and employees and ensure that stringent measures are put in place to punish fraudsters. Due to previous cases of negligence, Safaricom should carry out comprehensive checks on its systems. M-Pesa agents should also be required to undergo audits to ensure that the information they collect or have access to is regulated.

5.3.2.7 Policies

Service providers should always ensure that the users and their money are safe. This creates trust between the users and the company. The Communications Authority of Kenya should obligate service providers to take necessary action against mobile users who use their networks for fraudulent purposes. Strict policies should be made that prevent people from doing an M-Pesa transaction without a National ID.

Safety measures around the sending and withdrawal of money should be enhanced. Prevention of information leaks should also be considered. There should be strong identification and protection measures from the service providers. Mandatory SIM registration before activation should be enforced. All M-Pesa messages need to come from one centralized place or from a specific number like Safaricom. Cellphone usage in prisons should be banned, since that is the source of most of the scams experienced by users. The number of people who have access to high-level security information should be reduced.

5.3.2.8 Compliance & Monitoring

Borrow ideas from other countries. This can be done by studying what other countries are doing in terms of social engineering and emulating the same strategy here. Compliance monitoring should also cover M-Pesa agent recruitment, ensuring that the right procedures and practices were followed when carrying out the exercise. Service providers should perform real-time monitoring of suspicious activities, and tracking services should also be made available to track criminals.

5.3.2.9 Innovations / Research

Safaricom should invest more in cybersecurity and modern technology for detecting and preventing these crimes. More secure channels for curbing fraud should be developed. The ability to access phone contacts through the application, even when they are not stored on the SIM card, should be improved. Behavioral analytics should be used to study the behavior of fraudsters and, from that, to develop ways of overcoming them. Mobile money transfer systems should be encrypted.

A user-friendly system that can easily identify fraudsters should be created. Service providers should employ strategies within M-Pesa to authenticate calls / SMS. All active SIM cards must be linked to a profile containing information about the user.

5.4 Developing a Framework that Detects SE Threats

5.4.1 Factor Analysis

GET
  FILE='C:\Users\Brian\Desktop\SE\SE Data(1).sav'.
DATASET NAME DataSet1 WINDOW=FRONT.
FACTOR
  /VARIABLES Gender Age Country Education Mpesa_PIN Fraudulent_Content Authentication
    Money_sent_wrongfully_scam Won_a_Prize_scam SE_Prevalence
  /MISSING PAIRWISE
  /ANALYSIS Gender Age Country Education Mpesa_PIN Fraudulent_Content Authentication
    Money_sent_wrongfully_scam Won_a_Prize_scam SE_Prevalence
  /PRINT INITIAL CORRELATION SIG KMO EXTRACTION
  /CRITERIA MINEIGEN(1) ITERATE(25)
  /EXTRACTION PC
  /ROTATION NOROTATE
  /METHOD=CORRELATION.

This section outlines the correlational analysis done to compare the dependent variables against the independent variables. The following variables were used as the dependent variables: gender, age, education, sharing of personal information, authentication and prevalence of M-Pesa Fraud. The independent variables considered were: fraudulent calls / SMS and social engineering.

Table 5.3: SPSS Correlation Matrix

Column (A): Have you ever received fraudulent calls or sms within the past 6 months?
Column (B): Have you ever received a Call or SMS claiming to have sent money wrongfully to your number and hence demanding it back?

Correlation                                                                     (A)      (B)
Gender                                                                        -.034    -.020
Age                                                                           -.166    -.107
Country                                                                        .221     .267
Highest level of education achieved                                            .051    -.089
Have you ever shared personal information with someone else?                   .089     .104
Have you ever received fraudulent calls or sms within the past 6 months?      1.000     .098
Do you have any form of authentication?                                        .084     .209
Have you ever received a Call or SMS claiming to have sent money wrongfully
  to your number and hence demanding it back?                                  .098    1.000
Have you ever received a call or sms saying that you have won a prize in
  an ongoing competition?                                                      .066     .391
Social engineering or M-Pesa fraud is prevalent in Kenya                       .270     .215

Table 5.4: SPSS Correlation Matrix Continued

Column (C): Social engineering or M-Pesa fraud is prevalent in Kenya

Correlation                                                                     (C)
Gender                                                                        -.055
Age                                                                           -.234
Country                                                                        .124
Highest level of education achieved                                            .044
Have you ever shared personal information with someone else?                   .199
Have you ever received fraudulent calls or sms within the past 6 months?       .270
Do you have any form of authentication?                                        .057
Have you ever received a Call or SMS claiming to have sent money wrongfully
  to your number and hence demanding it back?                                  .215
Have you ever received a call or sms saying that you have won a prize in
  an ongoing competition?                                                      .373
Social engineering or M-Pesa fraud is prevalent in Kenya                      1.000
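The computation behind the FACTOR syntax in 5.4.1 and Tables 5.3 and 5.4, as an added plain-Python example (not the author's SPSS output; the respondent rows are constructed): it builds the Pearson correlation matrix of the survey variables, ranks the items by how strongly they co-vary with SE_Prevalence, and counts the principal components SPSS would keep under MINEIGEN(1).

```python
"""Plain-Python re-run of what the SPSS FACTOR syntax above performs.
Added example, not the author's SPSS output or data: the respondent rows are
constructed. It builds the Pearson correlation matrix of the survey variables
(/METHOD=CORRELATION), ranks which items co-vary most with SE_Prevalence as in
Table 5.4, and does a principal-component extraction that keeps the components
whose eigenvalue is >= 1 (/EXTRACTION PC with /CRITERIA MINEIGEN(1))."""
import math

# Variable names exactly as in the FACTOR syntax (yes/no items coded 1/0,
# Age and Education as ordinal codes, Country 1 = Kenya, 0 = other).
VARIABLES = ["Gender", "Age", "Country", "Education", "Mpesa_PIN",
             "Fraudulent_Content", "Authentication",
             "Money_sent_wrongfully_scam", "Won_a_Prize_scam", "SE_Prevalence"]

# Constructed respondents, one row per participant, in VARIABLES order.
RESPONSES = [
    [0, 2, 1, 3, 0, 1, 0, 1, 1, 1],
    [1, 1, 1, 2, 1, 1, 1, 1, 0, 1],
    [0, 3, 1, 4, 0, 0, 0, 0, 0, 0],
    [1, 2, 0, 3, 1, 1, 1, 1, 1, 1],
    [0, 1, 1, 2, 0, 1, 0, 0, 1, 1],
    [1, 4, 1, 1, 1, 0, 1, 0, 0, 1],
    [0, 2, 1, 3, 0, 1, 0, 1, 1, 1],
    [1, 3, 0, 4, 0, 1, 1, 1, 0, 0],
    [0, 1, 1, 2, 1, 0, 0, 0, 1, 1],
    [1, 2, 1, 3, 0, 1, 1, 1, 1, 1],
    [0, 3, 1, 2, 1, 0, 0, 0, 0, 0],
    [1, 1, 1, 3, 0, 1, 0, 1, 1, 1],
]


def pearson(x, y):
    """Pearson product-moment correlation of two equally long sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        raise ValueError("a constant variable has no defined correlation")
    return sxy / math.sqrt(sxx * syy)


def correlation_matrix(rows):
    """Symmetric matrix r[i][j] = pearson(column i, column j); diagonal is 1."""
    cols = list(zip(*rows))
    k = len(cols)
    return [[1.0 if i == j else pearson(cols[i], cols[j]) for j in range(k)]
            for i in range(k)]


def rank_against(matrix, names, target):
    """Items ordered by |r| with the target item, i.e. the column of Table 5.4."""
    t = names.index(target)
    pairs = [(names[i], matrix[i][t]) for i in range(len(names)) if i != t]
    return sorted(pairs, key=lambda p: abs(p[1]), reverse=True)


def eigenvalues(matrix, sweeps=100, tol=1e-12):
    """Eigenvalues of a symmetric matrix by cyclic Jacobi rotations, descending."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(sweeps):
        if sum(a[i][j] ** 2 for i in range(n) for j in range(n) if i != j) < tol:
            break
        for p in range(n - 1):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-15:
                    continue
                theta = (a[q][q] - a[p][p]) / (2 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1))
                c = 1 / math.hypot(t, 1)
                s = t * c
                for k in range(n):            # rotate columns p and q
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):            # rotate rows p and q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted((a[i][i] for i in range(n)), reverse=True)


def components_to_retain(matrix, min_eigen=1.0):
    """Number of principal components SPSS keeps under MINEIGEN(min_eigen)."""
    return sum(1 for ev in eigenvalues(matrix) if ev >= min_eigen)


if __name__ == "__main__":
    r = correlation_matrix(RESPONSES)
    for name, value in rank_against(r, VARIABLES, "SE_Prevalence"):
        print(f"{name:<28s} {value:+.3f}")
    print("components with eigenvalue >= 1:", components_to_retain(r))
```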

5.4.2 Revised Framework

After carrying out the analysis, some variables were more significant than others. In the demographics group, the country variable was more significant than age, gender and level of education. The opinion variable was also significant; this shows that the level of perception amongst mobile users in the study group does affect the likelihood of social engineering. The security variable also made a significant contribution to this revised framework. This clearly illustrates that the level of knowledge amongst mobile users on social engineering detection affects the likelihood of social engineering.


Figure 5.11: Revised Mobile Money Social Engineering framework

After carrying out the correlation analysis, it was observed that the Country, Authentication and Opinion variables had an impact on the likelihood of social engineering occurring. These variables represent the dependent variables in the study. In terms of measuring the likelihood of social engineering occurring, the number of fraudulent calls received and the social engineering scams experienced were classified as independent variables. It is quite clear that the country a person is from can affect the likelihood of social engineering, or the chance of that person detecting social engineering threats. Authentication represents the level of knowledge a user has in terms of detecting social engineering; someone who knows how to detect social engineering threats is highly unlikely to be affected by them. The opinion variable addresses the mobile users’ perception of the prevalence of social engineering. From the analysis, a person’s perception can affect the likelihood of social engineering.

5.5 Chapter Summary

The main agenda of this research was to evaluate the prevalence of social engineering in M-Pesa, to suggest some solutions on how to mitigate these kinds of threats, and to develop a framework that would aid mobile users in detecting social engineering threats. Surveys / questionnaires were used as instruments for data collection to obtain an in-depth comprehension of the problem at hand.

To test the prevalence of SE within our study group, an experiment was carried out. As part of the survey issued during the data collection phase, participants were asked if they considered social engineering to be prevalent in Kenya. According to the participants’ responses, 87 percent agreed that social engineering is prevalent in Kenya.

This was the second objective of the research study. The survey participants were asked to share any form of authentication they had in the study. They were also required to suggest some of the solutions that could help in the mitigation of Social engineering. The reason for asking for authentication methods was a way of testing how knowledgeable the users were in terms of detecting legitimate from illegitimate Calls or SMS. Thematic analysis was used to analyze the qualitative data obtained from this section.

The third objective of this research involved the development of a framework that would help mobile users in detecting social engineering threats. Various tests were performed in this section. The first test involved identifying the number of people that had received fraudulent calls or SMS within the past 6 months. According to responses, 68 percent agreed to having received them.

The second test involved evaluating how many people had experienced the different kinds of scams used by social engineers to deceive people. The scams that were highlighted included scams revolving around winning prizes and sending money wrongfully. The responses were positive and expected, as most people agreed to having experienced these scams.

The final test involved identifying the number of people that had shared their personal information with someone. The essence of this test was to see if people valued their personal or confidential information. Social engineers psychologically manipulate people into giving up confidential information. Therefore, this test was quite important in this study.

This chapter gives an overview of some of the results collected from the data collection phase. The demographics indicate where the data was collected from and the characteristics of the study participants. This included different attributes such as the gender factor, age of survey participants and level of education.

The section is also organized as per the different research objectives with each objective supported with results from the data collection phase. Qualitative results were analyzed using thematic analysis by grouping the data into various themes.


Chapter 6: Discussion, Conclusions and Recommendations

6.1 Introduction

This chapter includes the following subsections: Introduction, Summary of key findings, Discussion, Conclusion and Recommendations for further work. The introduction gives a summary of the structure of the chapter. The Summary of key findings provides a summary of the crucial elements of the study. The Discussion section provides the interpretation of the key findings by comparing them to the theoretical background presented in the literature review. The Conclusion presents the major conclusions drawn from the research findings. In Recommendations, the researcher offers suggestions for improvement with justification, and suggestions for future work based on the findings and conclusion of the study.

6.2 Summary

There is a great need for research especially on securing M-Pesa money transfer system from social engineering attacks that are rampant in current society. The end users need to be educated about the prevalence of social engineering threats on the mobile money platform. Education will empower them with the necessary knowledge needed to protect themselves from these kinds of threats during their transactions.

The main reason why most people end up being compromised is due to lack of knowledge on social engineering. Attackers take advantage of this gap by psychologically manipulating people through deception or trickery. This results in huge losses of money both by the end users, retail (M-Pesa) agents and the service provider. The end goal is usually for financial gain although mobile users’ personal information is still valuable.

According to the literature, not much has been done on defending against social engineering threats in M-Pesa. Besides the Vishing attack detection model, there are very few other relevant studies that touch on social engineering in Kenya (Maseno, 2017). His model helps mobile users detect social engineering threats that occur via voice calls only. The study gives a general view of how to be safe in the mobile environment.

This study was important because the number of mobile users transacting with M-Pesa keeps rising. This also increases the number of fraudsters that would potentially defraud M-Pesa users. This research will help educate, create awareness and help M-Pesa users in detecting social engineering threats that occur via voice calls and SMS. An evaluation survey was conducted to ascertain the feasibility of the study and also to extract requirements that would help in the development of this framework. This framework equips users with all the necessary information they require to be able to detect social engineering threats in M-Pesa.

Evaluating the prevalence of social engineering crimes in M-Pesa: The main aim of this objective was to identify how common these kinds of attacks are. The study ventured to identify the different attack vectors and techniques that social engineers use. This section also aimed to provide actual examples of how people were defrauded through social engineering. The high number of social engineering scams can be reduced by increasing awareness campaigns for the end-users.

Suggesting solutions to defend against social engineering threats: After assessment of the common tactics employed by social engineers within the study group, the next step involved proposing some solutions or precautionary measures that can be used to mitigate them. An evaluation survey was carried out and the survey participants in the study group were required to propose possible ways to defend against social engineering threats. Review of literature was also key in this section by finding out how other people or countries defend against social engineering in the mobile money transfer systems.

Developing a framework that detects social engineering attacks: The main aim of this objective was to enable mobile users to easily detect social engineering threats in M-Pesa. This framework was heavily dependent on the data collected within our sample population, which helped with requirement gathering. The data collected from the surveys was analyzed and aided in the development of this framework.

The research revolved around detection of social engineering threats in the money transfer systems. From literature, there were a couple of challenges especially in terms of social engineering on mobile money platforms.

To investigate the reasons why social engineers target M-Pesa for financial gain, a survey of M-Pesa users in the study population was carried out. The researcher carried out a study to identify the gaps, get feedback from the participants and obtain a good understanding of the problem at hand. A survey research design was adopted for the study.

The focus of the study was the Nairobi community. The general attributes of our sample population comprised the following: individuals who own a mobile device and carry out mobile money transactions through M-Pesa.

The sampling technique used was cluster sampling. M-Pesa users within Nairobi were sampled, with the participants hypothesized to be from diverse cultures, from which we generalize our findings. A random sample of clusters is selected from the population and the researcher conducts his analysis on the data from the clustered samples.

Data was collected from the relevant stakeholders of the mobile money platform. The sampling frame consisted of the following groups: M-Pesa agents; Master of Science in Information Systems & Technology students; business owners or people that use M-Pesa for transactions; and the general population, which refers to any other person that doesn’t fall in the other mentioned groups. The analysis of the experiment assisted in suggesting solutions/recommendations for the mitigation of social engineering economic crimes on the M-Pesa mobile money platform.

Upon the analysis of the data acquired from the survey participants, a framework was created. A factor analysis was also carried out to test the suitability of our data set. Most of the participants (87 percent) agreed that social engineering indeed is prevalent in Kenya. The percentage of participants not aware of the prevalence of social engineering in Kenya was 7 percent. This is very risky since they are more prone to getting defrauded. According to the study data, 54 percent of the people didn’t have any authentication. This meant that they had no way of differentiating between legitimate & illegitimate content. Having some form of validation means that you can identify these kinds of threats. Otherwise, you are highly likely to end up as a victim.

The researcher drew a general conclusion that the Social Engineering framework for the M-Pesa platform is promising. This was after testing of the variables and considering the participants’ subjective reactions compared to our expected reactions. The conclusion was based on the analysis of the empirical data. Therefore, based on these statistics, there is a need to address the situation on how to mitigate social engineering fraud.


6.3 Discussion

6.3.1 Evaluating the Prevalence of SE Crimes

Social engineers can use several avenues for their attacks. SIM swaps: a customer’s phone number is swapped to a different SIM, the PIN to the mobile money account is changed, and the balance is withdrawn. Social engineering scams: most of these scams are carried out via phone calls or SMS, usually with the intention of obtaining the user’s personal information. Caller ID/SMS spoofing: masking a phone number or SMS to appear to be from a legitimate source, which can be used for fraudulent purposes whereby the attacker pretends to be someone else. According to our study, the participants suggested some ways of dealing with such attacks. Never share personal/confidential information with people. The mobile phone operator should implement blocking of SMS headers and caller ID spoofing. Consumers should also be trained and educated on how to recognize social engineering attacks.

The threat of social engineering is very real. Cybercriminals use it to unlawfully extract information for various malicious uses. According to our experiment, 87 percent of the participants agreed to the fact that social engineering is prevalent in Kenya. Therefore, there is a great need to address the situation on how to mitigate against social engineering fraud.

6.3.2 Suggesting Solutions to Defend Against SE

According to Koech (n.d.), fraudsters are always on the lookout for innovative ways to steal money from your M-Pesa. It is quite hard to penetrate the system; therefore, they resort to non-technical methods like social engineering. Social engineering usually involves the use of psychology to manipulate an M-Pesa user’s trust in order to defraud them. In our experiment, we asked the survey participants if they had an alternative method of authentication. Due to the prevalence of social engineering fraud on mobile money, one should know of ways of verifying the authenticity of calls or SMS. The responses from the participants were quite positive. They gave a sizable number of responses, meaning that they were well versed in mobile money and quite knowledgeable about social engineering attacks.

To best counter the problem, we must understand the nature of social engineering attacks. This means defining the likely threat actors, their attack methods, and their resources. An awareness program combined with measures to evaluate its effectiveness is one of the best tools for fighting social engineering attacks.

Although continuous measurement and refinement in education programs represent an effective counter against social engineering, they are rarely used (Samani and McFarland, 2015). The participants in our study gave various suggestions on how to tackle the issue on social engineering with an emphasis on security education, training and awareness (SETA), policies, audits and improving the overall security culture of people.

According to police investigations, most mobile phone social engineering cases are executed from prisons (Angira, 2012). A suggestion from our survey was to enforce mandatory SIM registration before activation and to ban cellphones in prisons; this could help reduce the prevalence of social engineering being carried out from prisons. Also, having a hotline for reporting crimes would aid people in reporting cases of fraud to the service provider.

6.3.3 Developing a Framework that Detects SE Threats

According to Samani and McFarland (2015), the prevalence of social engineering in most cyber-attacks suggests that there is an inherent weakness in the ability of victims to distinguish malicious communications. From our experiment it was quite evident that most people weren’t aware of some of the strategies used by social engineers to defraud people. A large section of the sample study admitted to having received fraudulent calls or SMS seeking personal information, or other scams such as money wrongfully sent and winning a prize in a fictitious competition. These were some of the most common techniques used by attackers in this research study.

Although fraud is not commonly reported, it is still an existing threat. End users can lose money, or the service providers can suffer reputational risks (McKee et al., 2015). From our study, we note that not only do the users lose money but they also risk losing personal information, which can be used by attackers to coordinate highly targeted spear phishing attacks. Thirty percent of the participants agreed to having shared such details with other people; this means that they were at possible risk of being defrauded. Use of fraudulent calls or SMS is among the techniques that are used by social engineers to defraud you or make you release some critical information without even realizing it. According to our data, 68 percent of the population had received fraudulent calls / SMS before. This means that this is a common attack mechanism that is used by attackers and most people have experienced it.

According to Riaga (2014), “M-Pesa fraud has been purely sociological. Some examples of the sociological methods used include: The criminal sends a text message to an unsuspecting M-Pesa customer. The message appears as though it may have originated from M-Pesa. The fraudster follows up by calling the victim asking him to send back the money as it was sent to a wrong number. The victim complies and therefore, ends up losing money as a result.” In our experiment, 91% of the sample population had received such a Call/SMS before; this shows how frequent this occurrence usually is. An unsuspecting user may easily fall for this scam if they don’t confirm their M-Pesa balance first.

According to Riaga (2014), “The second approach of a purely social method of M-Pesa fraud is, sending a text message to a victim claiming they have won a prize in an on-going competition (mostly Safaricom competitions). The victim is required to call a number on instructions about how to collect the prize money. Upon calling the said number, the victim is required to send some money to another as processing fee for the prize money to be processed. Several Kenyans have lost money by falling prey to this technique.”

This is yet another social engineering technique that’s very prevalent amongst our sample population with 87 percent of the people agreeing to having experienced it. This clearly shows the extent to which social engineering uses manipulation of psychological factors and deception to trick people into giving up information.
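The two message patterns just described, the “sent wrongfully, send it back” text and the “you have won a prize, call this number / pay a fee” text, can be screened mechanically on the receiving side. The following is an added example, not the author’s framework or any Safaricom tooling; it assumes that genuine M-Pesa confirmations arrive under the alphanumeric sender ID MPESA rather than from a personal number, and every number and message in it is constructed.

```python
"""Heuristic SMS triage for the two scam patterns discussed above: the
"money sent wrongfully, send it back" text and the "you have won a prize,
call this number / pay a fee" text. Added example, not the author's framework
or any Safaricom tooling. Assumptions: genuine M-Pesa confirmations arrive under
the alphanumeric sender ID in OFFICIAL_SENDER rather than from a personal number;
every phone number and message below is constructed."""
import re

OFFICIAL_SENDER = "MPESA"   # assumed official sender ID (normalised: upper case, no '-')

# "Sent wrongfully" scam: a fake confirmation followed by a request to send it back.
WRONG_SEND_PATTERNS = [
    r"\b(sent|send)\b.*\b(wrong|wrongly|wrongfully|mistake|error)\b",
    r"\b(send|return|refund)\b.*\bback\b",
    r"\breverse\b",
]
# "Won a prize" scam: a win in a competition, then a call-back number or a fee.
PRIZE_PATTERNS = [
    r"\b(won|winner|congratulations?)\b",
    r"\b(prize|promotion|competition|bonus)\b",
    r"\b(processing|registration|activation|clearance)\s+fee\b",
    r"\bcall\b.*\b(07|\+?254)\d",
]
PERSONAL_NUMBER = re.compile(r"^(\+?254|0)7\d{8}$")   # shape of a Kenyan mobile number

# The page's own defensive step: sender IDs can be spoofed (see 6.3.1), so the
# balance check through the official menu, not the text, is what decides.
ADVICE = ("Do not act on the text itself: check your M-Pesa balance and statement "
          "through the official menu, and never call numbers or pay fees quoted in "
          "a prize message.")


def _hits(patterns, text):
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def is_official_sender(sender):
    return re.sub(r"[^A-Z0-9]", "", sender.upper()) == OFFICIAL_SENDER


def assess_sms(sender, text):
    """Return {'verdict', 'reasons', 'advice'} for one message."""
    norm = re.sub(r"\s+", " ", text).strip()
    reasons = []
    wrong = _hits(WRONG_SEND_PATTERNS, norm)
    prize = _hits(PRIZE_PATTERNS, norm)
    confirmation_style = re.search(r"\bconfirmed\b", norm, re.IGNORECASE) is not None
    if confirmation_style and not is_official_sender(sender):
        reasons.append("looks like an M-Pesa confirmation but the sender is not the official ID")
    if wrong:
        reasons.append("asks you to send money back ('sent wrongfully' pattern)")
    if len(prize) >= 2:
        reasons.append("prize/competition text with a call-back number or a fee")
    if PERSONAL_NUMBER.match(sender.replace(" ", "")) and (wrong or prize):
        reasons.append("scam-pattern text sent from a personal number")
    verdict = "suspicious" if reasons else "no known pattern"
    return {"verdict": verdict, "reasons": reasons, "advice": ADVICE if reasons else ""}


# Constructed sample inbox: (sender, text).
SAMPLE_INBOX = [
    ("MPESA", "AB12CD34EF Confirmed. You have received Ksh500.00 from JOHN DOE "
              "0700 000 004 on 1/8/18 at 10:15 AM. New M-PESA balance is Ksh1,200.00."),
    ("0700 000 001", "Confirmed. You have received Ksh2,500.00 from JANE 0700 000 003. "
                     "I sent it to the wrong number by mistake, please send it back."),
    ("0700 000 002", "CONGRATULATIONS! Your number has won Ksh50,000 in the ongoing "
                     "promotion. Call 0700 000 005 now to claim your prize. A processing "
                     "fee of Ksh500 applies."),
    ("0700 000 006", "Hi, are we still meeting at 3pm? Send me the location when you get there."),
]


def triage(inbox):
    """Assess every message; returns a list of (sender, verdict, reasons)."""
    out = []
    for sender, text in inbox:
        result = assess_sms(sender, text)
        out.append((sender, result["verdict"], result["reasons"]))
    return out


if __name__ == "__main__":
    for sender, verdict, reasons in triage(SAMPLE_INBOX):
        print(f"{sender:<14s} {verdict:<17s} {'; '.join(reasons)}")
```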

It is evident that there is a need for a Social Engineering detection framework that can aid mobile users in the detection of social engineering threats. The users will be able to map the framework to different social engineering attack scenarios to verify the authenticity of the solution. Development of the framework will be a huge step towards securing the mobile money environment and reducing M-Pesa fraud risk.

6.4 Conclusion

6.4.1 Evaluating the Prevalence of SE Crimes

The rise of social engineering has targeted both the public and private sectors in Kenya, leading to severe losses, and there is a great need to address this issue. End users should be empowered to utilize M-Pesa to its full potential to suit their needs without worrying about being vulnerable or prone to social engineers.

However, currently most people are less informed on social engineering and its impact. Therefore, they are more likely to be victims of social engineering which could be further used to swindle them.

6.4.2 Suggesting Solutions to Defend against SE

Social engineering is a real threat today. It is essential that organizations invest equal time to the system weaknesses posed by the human element. The fraudster’s soft spot remains the human mind. To mitigate against social engineering, we must understand the nature of social engineering attacks. An awareness program combined with measures to evaluate its effectiveness is one of the best tools for fighting social engineering attacks. Although continuous measurement and refinement in education programs represent an effective counter against social engineering, they are rarely used. Organizations that protect information assets through usage of information security governance and effective security policies, have a better chance of managing business risks.

6.4.3 Developing a Framework that Detects SE Threats

A framework was created to serve as a point of reference in the detection of social engineering attacks in M-Pesa. The components of the framework will give mobile users an opportunity to measure & manage their level of social engineering risk in a clear and organized way. This framework is a starting point into more enhanced frameworks that may follow.

6.5 Recommendations

6.5.1 Limitations of the study

This study was limited to mobile phones as the propagation channel used by social engineers to defraud unsuspecting users of the M-Pesa platform. The focus was mainly on detecting social engineering attacks conveyed via voice calls or SMS. It is also important to note that it is illegal to carry out social engineering penetration tests without consent; otherwise legal action can be taken against you. Therefore, the proposed framework was limited to simply enabling mobile users to easily detect social engineering attacks.

6.5.2 General Recommendations

The Mobile Money Social Engineering framework plays a key role in creating awareness and providing direction on how to detect social engineering attacks that affect the mobile money platform.

Enforce laws that clearly stipulate how to prosecute people found responsible for social engineering attacks. Developing and implementing security policies is not enough. There is a need to ensure that everyone conforms to the policy. For this reason, there should be audits on the usage of policies.

Social engineering attacks continue to escalate, and minimal effort has been made to create awareness of the factors that lead to social engineering attacks. Safaricom should seek to create training programs that build on detecting and defending against social engineering attacks in M-Pesa. They are already engaging in massive awareness programs through various media outlets. This is a great initiative.

Kenyan citizens need to be encouraged to report incidents of social engineering attacks, as they amount to criminal activities. Service providers should publish their contact or service numbers to the public to prevent criminals from defrauding the public.

Borrow ideas / benchmark practices from other countries. Assess what measures other countries are taking in the area of securing the mobile money platform from social engineering threats.

6.5.3 Recommendations for Future Work

The research focused on informing on social engineering attacks in the M-Pesa platform which is a product of Safaricom. Further work could be done on other mobile money platforms or service providers. Exploration of other avenues for social engineering should be considered besides Voice and SMS. A comprehensive study can also be done on M-Pesa since this study only focused on M-Pesa users within Nairobi.

The proposed framework should be evaluated amongst experts to help improve it and keep up with the current trends in the field of social engineering. A system could be developed that monitors and detects social engineering attacks in real time and gives interactive visualizations for the end user. The framework should be adopted and its usability evaluated, ensuring that the framework is indeed relevant and actually provides a solution for a real-world problem.

Service providers should invest more in cybersecurity and modern technologies that can detect various social engineering threats. The M-Pesa system should be improved to be more user friendly, able to authenticate calls / SMS, and able to access phone numbers even if they are not stored on the SIM card. Behavioral analytics should be employed to study the behavior of people using M-Pesa. This can be used to detect threats early and solve them.


References

Abel, L. (2014). Computer, Information Security and The Society: A victim of swindling, the art and science of Social Engineering from a hacker’s perspective. Retrieved August 23, 2018, from http://lawrab.blogspot.com/2014/07/a-victim-of-swindling-art-and-science.html

Angira, Z. (2012). How crooks lure mobile phone users - Daily Nation. Retrieved August 23, 2018, from https://www.nation.co.ke/news/1056-1310028-14uj21oz/index.html

Automated Teller Machine - ATM. (n.d.). Retrieved August 23, 2018, from https://www.investopedia.com/terms/a/atm.asp

Biocatch. (n.d.). PREVENTING FRAUD IN A MOBILE ERA - Addressing Authentication, Malware and Social Engineering. Retrieved from https://cdn2.hubspot.net/hubfs/1828513/BioCatch_WP_PREVENTING_FRAUD_IN_MOBILE_ERA.pdf?submissionGuid=09c07c61-0291-4a53-975d-7a7cf945c804&hsCtaTracking=879d804f-97e6-4663-9bc4-f00ed53ff366%7Cbef8a35b-1536-4362-acc7-3e0d09e65238

Body Of Knowledge (BOK). (n.d.). Retrieved August 23, 2018, from https://www.investopedia.com/terms/b/body-of-knowledge.asp

Brecht, D. (n.d.). The CISSP CBK Domains: Information and Updates. Retrieved August 23, 2018, from https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/

Buku, M. W., & Mazer, R. (2017). Fraud in Mobile Financial Services. CGAP. Washington. Retrieved from http://www.microsave.net/files/pdf/RP151_Fraud_in_Mobile_Financial_Services_JMudiri.pdf

Channel, T. B. R. (2013). How to Use SPSS: Factor Analysis (Principal Component Analysis) - YouTube. Retrieved August 23, 2018, from https://www.youtube.com/watch?v=UYxboC27190&feature=youtu.be

CHUBB. (n.d.). Guide to Preventing Social Engineering Fraud. New Jersey. Retrieved from https://www.gbainsurance.com/sites/default/files/2016-06/Social Engineering Guide From Chubb.pdf

COSO. (n.d.). About Us. Retrieved August 23, 2018, from https://www.coso.org/Pages/aboutus.aspx

Cybersecurity Certification| CISSP. (n.d.). Retrieved August 26, 2018, from https://www.isc2.org/Certifications/CISSP#

DataPivotAfrica. (2016). How to detect fraud in mobile money transfer using machine learning – DataPivotAfrica. Retrieved August 23, 2018, from http://datapivotafrica.com/2016/09/15/fraud-detection-in-mobile-money-transfer-using-machine-learning/

Deloitte. (2015). Mitigating emerging fraud risks in the mobile money industry. Retrieved from http://www2.deloitte.com/content/dam/Deloitte/in/Documents/finance/in-fa-mitigating-emerging-fraud-risks-in-the-mobile-money-industry-noexp.pdf

Enterprise Risk Management Definition | Investopedia. (n.d.). Retrieved August 23, 2018, from https://www.investopedia.com/terms/e/enterprise-risk-management.asp

Ghafir, I., Prenosil, V., Alhejailan, A., & Hammoudeh, M. (2016). Social Engineering Attack Strategies and Defence Approaches. In 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud) (pp. 145–149). IEEE. https://doi.org/10.1109/FiCloud.2016.28

Gilman, L., & Joyce, M. (2012). Managing the Risk of Fraud in Mobile Money. London. Retrieved from http://www.gsma.com/mobilefordevelopment/wp-content/uploads/2012/10/2012_MMU_Managing-the-risk-of-fraud-in-mobile-money.pdf

Goldberg. (2015). Directorate Of Criminal Investigation Kenya - CID; Component Units. Retrieved August 24, 2018, from https://intelligencebriefs.com/directorate-of-criminal-investigation-kenya-cid-component-units/

Gragg, D. (2003). A Multi-Level Defense Against Social Engineering. SANS Institute. https://doi.org/10.9780/22307850

Hight, S. D. (2005). The importance of a security, education, training and awareness program (November 2005), 1–5. Retrieved from http://www.infosecwriters.com/Papers/SHight_SETA.pdf

How To Report Mpesa Fraud To Safaricom. (2016). Retrieved August 23, 2018, from https://www.how.co.ke/how-to-report-mpesa-fraud-to-safaricom/

Hughes, N., & Lonie, S. (2007). M-PESA: Mobile Money for the “Unbanked” Turning Cellphones into 24-Hour Tellers in Kenya. Innovations: Technology, Governance, Globalization, 2(1–2), 63–81. https://doi.org/10.1162/itgg.2007.2.1-2.63

Jacob, R. J. K., & Froscher, J. N. (1990). A software engineering methodology for rule-based systems. IEEE Transactions on Knowledge and Data Engineering, 2(2), 173–189. https://doi.org/10.1109/69.54718

Kaimba, B., Kimani, K., Mwangi, M., Munyendo, B., Mueni, F., Ndegwa, D., … Owino, E. (2016). Kenya Cyber Security Report 2016. Achieving Cyber Security Resilience: Enhancing Visibility and Increasing Awareness. Nairobi. Retrieved from http://www.serianu.com/downloads/KenyaCyberSecurityReport2016.pdf

Kigen, P. M., Ekpeke, M., Inkoom, E., Inkoom, B., Masesa, D., Kaimba, B., … Mbae, K. (2016). Africa Cyber Security Report 2016. Achieving Cyber Security Resilience: Enhancing Visibility and Increasing Awareness. Nairobi. Retrieved from http://www.serianu.com/downloads/AfricaCyberSecurityReport2016.pdf

Kigen, P. M., Muchai, C., Kimani, K., Mwangi, M., Shihayo, B., Ndegwa, D., … Shitanda, S. (2015). Kenya Cyber Security Report 2015. Achieving Enterprise Cyber Resilience Through Situational Awareness. Serianu. Nairobi. Retrieved from http://serianu.com/downloads/KenyaCyberSecurityReport2015.pdf

Koech, E. (n.d.). Safaricom Fraud. Retrieved April 17, 2017, from http://www.gadgetanalyzer.com/2016/11/safaricom-fires-employees-over-fraud.html

Lake, A. J. (2013). Risk management in Mobile Money : Observed Risks and Proposed Mitigants for Mobile Money Operators. International Finance Corporation, (November), 1–21.

Maseno, E. M. (2017). VISHING ATTACK DETECTION MODEL FOR MOBILE USERS. KCA University. Retrieved from http://41.89.49.13:8080/xmlui/bitstream/handle/123456789/1276/Maseno-Vishing Attack Detection Model For Mobile Users..pdf?sequence=1&isAllowed=y

McKee, Kaffenberger, & Zimmerman. (2015). Doing Digital Finance Right: The Case for Stronger Mitigation of Customer Risks. CGAP. Washington. Retrieved from http://www.cgap.org/publications/doing-digital-finance-right

Mouton, F., Leenen, L., & Venter, H. S. (2016). Social engineering attack examples, templates and scenarios. Computers & Security, 59, 186–209. https://doi.org/10.1016/j.cose.2016.03.004

Munyendo, B., Kimani, K., Kilo, G., Rishad, N., Ndung’u, M., Muema, M., … Bhatnagar, G. (2017). Kenya Cyber Security Report 2017. Demystifying Africa’s Cyber Security Poverty Line. Nairobi. Retrieved from http://www.serianu.com/downloads/KenyaCyberSecurityReport2017.pdf

Nairobi Population. (2017). Retrieved August 30, 2018, from http://worldpopulationreview.com/world-cities/nairobi-population/

Ojamaa, B. (2016). Four suspected Mpesa conmen arrested in Kisii | The Star, Kenya. Retrieved August 23, 2018, from https://www.the-star.co.ke/news/2016/08/23/four-suspected-mpesa-conmen-arrested-in-kisii_c1408053

Omondi, D. (n.d.). No Title. Retrieved from http://webmail.ktnkenya.tv/mobile/article/2000194204

Oosterloo, B. (2008). Managing Social Engineering Risk: Making social engineering transparent. University of Twente. Retrieved from http://essay.utwente.nl/59233/1/scriptie_B_Oosterloo.pdf

Phone Scams and Voice Phishing (Vishing). (n.d.). Retrieved August 24, 2018, from https://www.safecomputing.umich.edu/be-aware/phone-scams

Riaga, O. (2014). M-PESA Fraud reaches social engineering stage. Retrieved August 23, 2018, from http://www.kachwanya.com/2014/03/11/m-pesa-fraud/

Rouse, M. (2007a). What is ANI. Retrieved August 24, 2018, from https://searchcrm.techtarget.com/definition/ANI

Rouse, M. (2007b). What is Short Message Service (SMS). Retrieved August 24, 2018, from https://searchmobilecomputing.techtarget.com/definition/Short-Message-Service

Rouse, M. (2013). What is COBIT. Retrieved August 24, 2018, from https://searchsecurity.techtarget.com/definition/COBIT

Samani, R., & McFarland, C. (2015). Hacking the Human Operating System: The role of social engineering within cybersecurity, 1–19. Retrieved from http://www.mcafee.com/us/resources/reports/rp-hacking-human-os.pdf

Sample Size Calculator: Understanding Sample Sizes | SurveyMonkey. (n.d.). Retrieved August 23, 2018, from https://www.surveymonkey.com/mp/sample-size-calculator/

Software, A. (2015). Hampering the Human Hacker and the Threat of Social Engineering. Retrieved from https://www.aspect.com/globalassets/social-engineering-wp.pdf

Stephanie. (2016). KMO Test for Sampling Adequacy. Retrieved August 24, 2018, from http://www.statisticshowto.com/kaiser-meyer-olkin/

Svanlund, J., Kronberg, B., & Jeppsson, H. (2015). Social Engineering: A study in awareness and measures. Retrieved from https://lup.lub.lu.se/student-papers/search/publication/5474076

What Is Phishing. (n.d.). Retrieved August 24, 2018, from http://www.phishing.org/what-is-phishing

What is Principal Component Analysis (PCA). (n.d.). Retrieved August 24, 2018, from https://www.techopedia.com/definition/32509/principal-component-analysis-pca

What Is Smishing. (n.d.). Retrieved August 24, 2018, from https://us.norton.com/internetsecurity-emerging-threats-what-is-smishing.html

What is SMS Spoofing. (n.d.). Retrieved August 23, 2018, from https://www.wisegeek.com/what-is-sms-spoofing.htm

What we do. (n.d.). Retrieved August 24, 2018, from http://www.ca.go.ke/index.php/what-we-do

Wilcox, H., & Bhattacharya, M. (2016). A framework to mitigate social engineering through social media within the enterprise. In 2016 IEEE 11th Conference on Industrial Electronics and Applications (ICIEA) (pp. 1039–1044). Hefei: IEEE. https://doi.org/10.1109/ICIEA.2016.7603735


Appendices

Appendix A: Questionnaire Used for Main Study

A Mobile Money Social Engineering Framework (An M-Pesa Case Study): Consent Form

Thesis for the Master of Science Degree in Information System and Technology

Study Goals: Social engineering is a modern form of the confidence scam. It involves communication between the attacker and victim to either elicit some information or persuade the victim to perform a critical action. The main objectives of the study are: evaluating the prevalence of social engineering crimes, suggesting solutions that can prevent them and creating a framework that could be used to detect social engineering threats in M-Pesa. This study will develop a framework intended to assist people in protecting themselves from social engineering crimes and educate users by creating awareness on social engineering. The framework will be derived from careful review and evaluation of the survey participants’ responses.

Procedures: the study will begin with users filling out the brief questionnaire. The responses will be analyzed, and results of the study will be used to come up with various propositions on how to mitigate this threat.

Participant Consent: Your participation in this experimental study is completely voluntary; there will be no reward for the time spent on this study. All the data collected from the usability study will be managed confidentially; it will be securely archived and will be analyzed and interpreted solely for the purposes of this evaluation. When your data is described, all identifying information will be excluded. There are no identified risks to participation in this experiment, and you are free to withdraw at any point during the evaluation.

------

Name Date

In case of any question, please feel free to contact Mr. Bryan Nturibi, +254721940361, [email protected]


1. Kindly indicate your gender below
   [ ] Male
   [ ] Female

2. Please indicate your age by ticking any of the following options
   [ ] Below 18
   [ ] 18 - 28
   [ ] 29 - 39
   [ ] 40 - 49
   [ ] 50 and above

3. Please indicate the country you are from.
   [ ] Kenya
   [ ] Uganda
   [ ] Tanzania
   [ ] Others, kindly specify

4. What is the highest level of education you have achieved, as of today?
   [ ] Primary school
   [ ] High School
   [ ] University degree
   [ ] Master’s Degree
   [ ] Doctorate Degree

5. Have you ever given your Mpesa PIN or shared personal information with someone else?
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

6. Have you received a Call or SMS within the past 6 months from your mobile phone subscriber or someone that you suspect was an attempt to get your personal details for fraudulent purposes?
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

7. Do you have a method of authenticating your bank or mobile phone service provider’s Calls or SMS (e.g. Mpesa)?
   [ ] Yes
   [ ] No
   If yes, specify

8. Have you received SMS/Calls from persons claiming to have sent money (Mpesa) wrongfully to your number and hence demanding it back?
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

9. Have you ever received a Call/SMS saying that you have won a prize in an on-going competition (mostly Safaricom competitions)?
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

10. Social engineering or M-Pesa Fraud is prevalent in Kenya.
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

11. What are some suggestions that you think can be used to reduce social engineering fraud on mobile money?

12. You are free to share any other comments on the study.

Appendix B: Questionnaire Used for Pilot Study

User Study of Social Engineering Effects on Mobile Money Transfer Services: Consent Form

Thesis for the Master of Science Degree in Information System and Technology

Study Goals: this research is being carried out to test and explore the effects of social engineering on Mobile money transfer services (for example M-pesa). Social engineering is a modern form of the confidence scam. It involves communication between the attacker and victim to either elicit some information or persuade the victim to perform a critical action. This study aims to find out some of the impacts social engineering can have, especially in the mobile money industry.

Procedures: the study will begin with users filling out the brief questionnaire. The responses will be analyzed, and results of the study will be used to come up with various propositions on how to mitigate this threat.

Participant Consent: Your participation in this experimental study is completely voluntary; there will be no reward for the time spent on this study. All the data collected from the usability study will be managed confidentially; it will be securely archived and will be analyzed and interpreted solely for the purposes of this evaluation. When your data is described, all identifying information will be excluded. There are no identified risks to participation in this experiment, and you are free to withdraw at any point during the evaluation.

------

Name Date

In case of any question, please feel free to contact Mr. Bryan Nturibi, +254721940361, [email protected]

1. Kindly indicate your gender below
   [ ] Male
   [ ] Female

2. Please indicate your age by ticking any of the following options
   [ ] Below 18
   [ ] 18 - 28
   [ ] 29 - 39
   [ ] 40 - 49
   [ ] 50 and above

3. Please indicate the country you are from.
   [ ] Kenya
   [ ] Uganda
   [ ] Tanzania
   [ ] Others, kindly specify

4. What is the highest level of education you have achieved, as of today?
   [ ] Primary school
   [ ] High School
   [ ] University degree
   [ ] Master’s Degree
   [ ] Doctorate Degree

5. Have you ever given your Mpesa PIN or shared personal information with someone else?
   [ ] Yes
   [ ] No
   If yes (kindly elaborate on the incident)

6. Have you received a Call or SMS within the past 6 months from your mobile phone subscriber or someone that you suspect was an attempt to get your personal details for fraudulent purposes?
   [ ] Yes
   [ ] No
   If Yes, kindly elaborate

7. Do you have a method of authenticating your bank or mobile phone service provider’s Calls or SMS (e.g. Mpesa)?
   [ ] Yes
   [ ] No
   If yes, specify

8. Have you received SMS/Calls from persons claiming to have sent money (Mpesa) wrongfully to your number and hence demanding it back?
   [ ] Yes
   [ ] No
   If Yes (elaborate more on what your response was)

9. Have you ever received a Call/SMS saying that you have won a prize in an on-going competition (mostly Safaricom competitions)?
   [ ] Yes
   [ ] No
   If yes, elaborate more on what happened.

10. Social engineering or M-Pesa Fraud is prevalent in Kenya.
   [ ] Strongly agree
   [ ] Agree
   [ ] More or less agree
   [ ] Undecided
   [ ] More or less disagree
   [ ] Disagree
   [ ] Strongly disagree

11. What are some suggestions that you think can be used to reduce social engineering fraud on mobile money?

12. You are free to share any other comments on the study.