ABSTRACT
Social Engineering is the science of using social interaction as a means to persuade an individual or an organization to comply with a specific request from an attacker, where either the social interaction, the persuasion, or the request involves a computer-related entity. Social engineering threats are the biggest threats facing cybersecurity because they exploit the natural human tendency to trust. Human-based social engineering requires person-to-person interaction to achieve an objective. Mobile money users are a target for most criminals. Smishing is a form of phishing in which someone tries to trick a victim into giving up private information via a text message. A vishing attack is a type of criminal phone fraud that uses voice messages to obtain personal information or money from victims. Consumer-based fraud is the most prevalent form across all stages of mobile money service operation, where offending is enabled by a lack of system-based checks and awareness. The current design of mobile money transfer and payment applications does not mitigate cybersecurity risks, and specifically not social engineering. This study establishes the gap and proposes a design that will mitigate these risks. The literature review describes the social engineering frameworks and the defensive techniques against social engineering in mobile money, and establishes the knowledge gaps that need to be filled. A descriptive research design with a qualitative approach is employed in this study. Open-ended questionnaires were used to collect the data. Results of the analysis show that 66% of the respondents have experienced social engineering attacks either through phone or SMS. The effects of social engineering include the inability to recover money once sent. A mobile application prototype called SAFECASH that can analyze and hold unconfirmed transactions, blacklist suspected contacts and lock suspected transactions is implemented and tested.
Table of Contents
DECLARATION
ABSTRACT
ACKNOWLEDGMENT
DEDICATION
List of Figures
List of Tables
CHAPTER ONE
INTRODUCTION
1.1 Background
1.2 Problem Statement
1.3 Aims and objectives of the study
1.3.1 General objective
1.3.2 Specific objectives
1.4 Justification
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction
2.2 Social Engineering Attacks
2.2.1 Forms of Social Engineering Attacks
2.2.2 Social Engineering Attack Ontological Model
2.2.3 Social Engineering Attack Framework
2.3 Social Engineering Risk Assessment Framework (SERA)
2.4 The Social Engineering Defensive Framework (SEDF)
2.5 Defensive Techniques in mobile money
2.5.1 Hakikisha
2.5.2 Creating User Awareness
2.5.3 iVisher: Real-Time Detection of Caller ID Spoofing
2.5.4 PayProtect
2.5.5 Blockchain for mobile money traceability
2.6 The Knowledge Gap
2.7 Conceptual Design
2.8 Chapter Summary
CHAPTER THREE
METHODOLOGY
3.1 Introduction
3.2 System Development Methodology
3.3 Research Design
3.4 Research Approach
3.4.1 Qualitative Research
3.5 Population and Sampling
3.5.1 Study Population
3.5.2 Sampling
3.6 Data Collection
3.6.1 Questionnaires
3.7 Reliability and Validity of Research Instruments
3.8 Data Analysis
3.9 Ethical Consideration
3.10 Chapter Summary
CHAPTER FOUR
RESULTS, FINDINGS, AND DISCUSSIONS
4.1 Introduction
4.2 Response Rate
4.3 Mechanisms used by social engineers to conduct social engineering attacks
4.3.1 Social Engineering by SMS
4.3.2 Social engineering by phone call
4.4 Challenges in Mobile Money Applications
4.5 Defensive Techniques against Social engineering attacks
4.6 Systems Analysis and Requirements Specification
4.6.1 Requirements specification
4.7 System Design
4.7.1 Logical Database Design
4.7.2 Input design
4.7.3 Output Design
4.7.4 Level 0 DFD
4.7.5 Use Case Narration
4.8 System implementation
4.8.1 Testing
4.8.2 Proof of concept
4.9 Discussion
4.10 Chapter Summary
CHAPTER FIVE
CONCLUSION AND RECOMMENDATIONS
5.1 Introduction
5.2 Conclusion
5.3 Limitations of the Study
5.4 Achievements
5.5 Recommendations
REFERENCES
APPENDICES
APPENDIX 1: QUESTIONNAIRE
List of Figures
Figure 1: Classifications of SE Attacks (Salahdine & Kaabouch, 2019)
Figure 2: Social Engineering Attack Ontological Model (Mouton, Leenen, et al., 2014)
Figure 3: Social Engineering Attack Framework (Mouton, Malan, et al., 2014)
Figure 4: SERA and OCTAVE – A (Abeywardana et al., 2016)
Figure 5: Social Engineering Defensive Framework by Thomas in (Gardner & Thomas, 2014)
Figure 6: Conceptual Design
Figure 7: Waterfall model, source: (Sparrow, 2011)
Figure 8: Level 0 DFD
Figure 9: Subscriber use case diagram
Figure 10: Administrator use case diagram
Figure 11: Agent use case diagram
List of Tables
Table 1: Study population
Table 2: Functional requirements
Table 3: Non-functional requirements
Table 4: Members table, to store subscribers' details
Table 5: Deposits, to store transaction details
Table 6: Held time, to store details on the amount of time a transaction is held
Table 7: Password resets, to store details on password resets and provide a new password to the customer
CHAPTER ONE
INTRODUCTION
1.1 Background
Cyber security is a term that stands for the steps taken to protect resources in a network from being accessed, modified, or tampered with by unauthorized users (Edgar & Manz, 2017). It is the act of making cyberspace safe from damage or threat. According to Edgar & Manz (2017), cyberspace is the abstract construct formed by combining digital hardware, data, and the people who interact with tangible electronic resources and who generate and use the processed information the raw data contains. Humans play a major role in cyberspace. Edgar & Manz (2017) further posit that users are usually targeted through their cognitive behavior by social engineering methods, and that they are therefore the most vulnerable link in security.
The collection of techniques through which people are influenced to give out specific data or forced to behave in a certain manner represents Social Engineering (Serban & Serban, 2014). Human-based and computer-based are the two types of social engineering attacks (Sadiku et al., 2016). To achieve an objective in a human-based social engineering attack, person-to-person interaction is required. This research focused on social engineering in mobile money. The specific social engineering attacks that were focused on in this research are smishing and vishing attacks.
Smishing is a type of phishing attack in which a victim is tricked into providing private information through a text message (Deloitte, 2019). It is a form of social engineering attack that prompts users to act according to the attacker's goal, for example by clicking on a link or behaving in a particular way (Soykan & Bagriyanik, 2020). Smishing attacks succeed because victims carry their mobile phones at all times and no mechanism exists for checking the authenticity of an SMS (Soykan & Bagriyanik, 2020).
Vishing, on the other hand, is the perpetrator's act of committing fraud by gaining access to subscribers' financial and personal information through the telephone system (RSA, 2015). It refers to phishing by phone, in which people are manipulated into providing sensitive information for supposed verification, for example in calls purporting to come from a bank (Salahdine & Kaabouch, 2019). Vishing exploits an individual's trust in telephone services.
Mobile money refers to a service in which financial services are accessed with the use of mobile phones (Donovan, 2011; GSMA, 2010). It describes computerized financial services performed using a mobile phone (Subia & Martinez, 2014). The user can deposit, withdraw or send money with the use of a mobile phone. Banks and mobile network operators are already using mobile money to provide a way of storing and accessing money digitally to millions of unbanked consumers.
Mobile banking, mobile payments, and mobile transfers are the three main services provided by mobile money (Subia & Martinez, 2014). This research focused on mobile money transfers and mobile payments. Mobile money transfer is the movement of value that originates from a mobile account, accrues to a mobile account, and/or is initiated using a mobile phone (GSMA, 2010). In mobile payment, a mobile device is used to execute and confirm the transfer of funds in return for goods or services (Raina, 2015); during the purchase of goods, the mobile phone handles the transfer of credit instead of relying on bank cards and cash (Narayan, 2013).
Tremendous growth in the use of mobile phone services continues to be witnessed in the Kenyan ICT sector. According to the Communications Authority of Kenya statistics report, as of 30 September 2020 the count of operational SIM card subscriptions was 59.8 million, against 57.0 million reported in June 2020. This put SIM usage at 125.8% between July and September 2020 (Authority-Kenya, 2020). With the increase in mobile phone usage, the demand for mobile money services by mobile phone users also increases. As of 30 September 2020, there were 31.8 million active mobile money subscribers and 245,124 active agents (Authority-Kenya, 2020).
Safaricom and Vodafone's MPESA in Kenya first made mobile money popular in 2007 (Subia & Martinez, 2014). Since then the mobile money industry has expanded steadily, particularly in developing countries in Africa and South Asia such as India, Bangladesh, and Pakistan. Mobile money services have made cheaper and more reliable financial services available to a growing population that previously had no bank accounts (Mudiri, 2012). However, the expansion of mobile money comes with its share of fraud cases. According to the 2020 Financial Analysis Report, vulnerability and impact data indicate an increase in cases of fraud relating to mobile money services within Africa (European Union, 2020). The report further indicated that mobile money services can be exploited at any of the following stages:
1) When money is deposited into an account
2) When money is transferred between accounts
3) When money is withdrawn from an account, with both customers and agents having opportunities to commit fraud
Potential fraud in mobile money can be classified as transactional, channel, or internal fraud (Gilman & Joyce, 2012). According to the authors, the main players to examine in mobile fraud risk are the subscriber (transactional risk), the agent (channel risk), and the employees (internal risk). This study focused on the customer (transactional risk), and in particular on how fraudsters use social engineering methods to steal money from mobile money users.
Mobile money being a highly dynamic platform, there is a need to understand the human factor in mobile money payments and transactions. Success or failure in securing and protecting information, business systems, and services is hugely influenced by the human element (Metalidou et al., 2014). This research established the social engineering methods used by fraudsters to influence unsuspecting mobile money users.
1.2 Problem Statement
Despite Mobile Network Operators (MNOs) working hard to secure mobile money applications, which provide financial inclusion for users who cannot access banking services, fraud and other criminal activities are carried out using mobile money services (Mudiri, 2012). Refusal by unintended recipients to refund money has led to losses from wrong transfers. Consumer-based fraud is the most extensive form of fraud across all stages of mobile money services, where a lack of system-based authentication and of user awareness contributes to offenses (European Union, 2020).
The current design of mobile money transfer and payment applications does not mitigate cybersecurity risks, and specifically not social engineering. This study aimed to establish the gap and propose a design that will mitigate these risks.
1.3 Aims and objectives of the study
This part gives the objectives of the study.
1.3.1 Main objective
The study aimed to develop a mobile application prototype for mobile money payment and transfer platforms to mitigate human-based social engineering risks in mobile money.
1.3.2 Specific objectives
i. To evaluate the effectiveness of existing platforms in use by mobile money and transfer applications that counter the effects of social engineering.
ii. To identify gaps in the current mobile money applications which facilitate social engineering.
iii. To design a mobile money application model factoring in the current gaps facilitating social engineering to mitigate human-based social engineering risks in mobile money.
iv. To implement and test a mobile application model.
1.4 Justification
Humans are the most vulnerable link in information security. Social engineering attacks target this vulnerability, using various persuasion methods to make people carry out sensitive requests (Salahdine & Kaabouch, 2019). To mitigate fraud in mobile money services, providers can take specific steps to reduce the likelihood of some of the more common types of fraud, monitor their occurrence, and manage their effects (Mudiri, 2012).
According to GSMA (2019), when mobile money users lose funds to fraud, the result can be a loss of confidence in mobile money services, which may undo achievements in financial inclusion by forcing people to revert to cash and so sabotage the realization of global development goals (Farooq, 2019). This study aimed to identify gaps that facilitate social engineering attacks in current mobile money applications and to develop a mobile application model for mobile money transfer platforms that mitigates social engineering risks for mobile users.