As we have mentioned many times before, the postponement and cancellation of events due to COVID has made the comeback of in-person events feel better than ever. For APIDE, this was the first event to come to fruition after two years of pandemic-related delays. Okay was lucky enough to attend and exhibit and present alongside the l’Association du Paiement and friends, including Partelya, Worldpay, Payinnov, Solumag and Pax Technology. 

During our time at APIDE, an aspect that really stood out to us were the intense discussions being had at our stand and in individual breakout sessions. It became clear very quickly that the big question on the table - and ultimately the big challenge - is how to best digitise Africa. With over 1.3 billion people spread across 54 different countries, leapfrogging into a digitised, mobile-first society is not looking so easy.

When it comes to transactions, USSD is still being widely used, namely by sub-Saharan countries. USSD stands for Unstructured Supplementary Service Data, which is a Global System for Mobile Communications (GSM) protocol used to establish a real-time communication session between a phone and another device (typically a network or server). USSD can be used for Wireless Application Protocol (WAP) browsing, mobile money services, prepaid callback services, and location-based content services, to name a few.

But USSD comes with some security issues. The most common are mistakes on the user side, such as giving out passwords or losing their SIM cards. If this kind of information gets into the wrong hands, accounts can be fraudulently accessed. USSD channels are also not encrypted, so when combined with infrastructure failures, users are left open to various kinds of attacks. Of course, a big part of this is because each financial service provider uses different technology, leaving no universal standard for all channels. 

In addition to USSD, there is also still a very high usage of OTP by SMS - the most frequently used process for mobile authentication. While this method is considered ‘safe’ when compared to a simple email + password combination, it actually has a lot of issues. A few of the big ones are message interception, SIM-swap fraud, call-forwarding fraud, and malware installation.

If any of such scenarios happens, and fraudsters have been able to access the OTP sent via SMS, they can assume the identity of their target to access bank accounts and other sensitive data authenticated through this method. You can read more on this subject by visiting one of our older posts on the risks of sending OTP via SMS.

As of today, we are seeing ~ 65% smartphone usage in Africa, yet only around 15-17% of these are used for financial transactions. Nevertheless, there is a growing interest surrounding the use of smartphones and improving available financial apps and eWallets, and fintechs are making progress in this field with new experiences being proposed to users regularly. For us at Okay, the experiences we are most excited about are those related to authentication, which should be integrated into any app for a smooth yet secure experience. 

Here are a few big reasons why industry (and government) players are now pushing for advancements:

• To increase economic growth for the continent
• To decrease the cost associated with financial transactions
• To reduce personal risks associated with cash-based transactions
• To increase the speed at which payments are done

Unfortunately, as of today, the low implementation and use of electronic payment systems in Africa combined with user behaviour are slowing the continent’s progress. Specifically, African countries lack appropriate regulatory frameworks, consumer protection/education/adoption practices, and the interoperability of bank and non-bank financial service providers to allow electronic payments to be made across stakeholders. 

Africa also must face a high risk of security breaches through cyber­­ attacks. This is because electronic payment systems depend on reliable and secure information and communication technology (ICT) networks and Internet infrastructure to process and transfer payments, which Africa does not have. What they do have is the highest rate of malware-infected computer systems compared to any other region in the world, and are among the highest in cybercrime activities, with at least four countries (Cameroun, Ghana, Nigeria, and South Africa) ranking in the top 10.

At this point it you can probably guess that Africa has no regulation like the PSD2-type regulation found in Europe. Still, an African PSD2 would likely not work even if there was one. Not only do they have an extremely different regulatory landscape across an enormous geographical area, but their drivers for change are looking quite different. Namely, fraud via OTP by SMS and the need for new and more fluid experiences.

We believe that if African countries can successfully adopt and implement appropriate policies and regulatory frameworks, they will be better able to address the challenges associated with electronic payment systems. Particularly the implementation of appropriate cybersecurity measures to protect said frameworks from security breaches. Africa is undoubtedly an incredible continent with incredible potential, and there is certainly room for authentication security to grow as African countries and ways of paying are beginning to transform. 

We look forward to learning more on this subject at APIDE 2023 - until then!

—————

Sources:

1. Science and Technology Policy Center for Development 

2. Stears Business 

3. USSD Directory