Cybersecurity has become an afterthought for many fintech apps in Sri Lanka, with banks also reluctant to leverage existing technology to protect their customers from fraudsters, says Mastercard.
There are 29 to 30 mobile apps offering financial services in Sri Lanka, including those of banks. However, Mastercard’s Country Manager for Sri Lanka and Maldives, Sandun Hapugoda, said that most of these applications do not consider cybersecurity until the final stages of development, or just before launch, and then mainly to meet basic security standards and regulatory requirements.
“This should not be the case. If you are offering a mobile platform or a digital platform, I think it is extremely important to involve experts from around the world right from the design stage, especially if it is related to digital financial services or transactions,” he stressed.
Hapugoda added that banks already have access to tools that can protect customers from fraudsters. For example, Mastercard offers banks an AI-based scoring system that monitors transactions for suspicious activity. Although every Sri Lankan bank has signed up for the service, they rarely use it.
For each transaction processed, a score is generated from multiple data points, including the merchant’s location, the customer’s location, the customer’s past transactions, the transaction type and the device used. Together these data elements produce a score that helps the bank or financial service provider decide whether to approve or decline the transaction.
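To make the scoring concrete, the following is an added example written for this page, not Mastercard’s system or any bank’s code: it turns the data points listed above (merchant location, customer location, transaction history, transaction type, device) into a single score and an approve / step-up / decline decision. The weights, cut-offs, customer history and coordinates are all assumptions constructed for the demonstration; a production system would learn them from labelled fraud data.

```python
"""Illustrative transaction risk scoring (added example, not Mastercard's).

All weights, thresholds and the sample customer history are assumptions
made up for this demonstration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev


@dataclass
class Transaction:
    amount: float
    merchant_lat: float
    merchant_lon: float
    customer_lat: float       # where the cardholder / device reports being
    customer_lon: float
    tx_type: str              # e.g. "card_present", "ecommerce", "atm"
    device_id: str


@dataclass
class CustomerHistory:
    amounts: list             # past approved transaction amounts
    known_devices: set
    tx_types_seen: set
    home_lat: float
    home_lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(tx, hist):
    """Return (score 0-100, list of reasons). Weights are illustrative."""
    score, reasons = 0, []

    # Customer location far from where this customer normally is.
    if haversine_km(tx.customer_lat, tx.customer_lon, hist.home_lat, hist.home_lon) > 500:
        score += 25
        reasons.append("customer location far from usual location")

    # For card-present payments the cardholder should be at the merchant.
    if tx.tx_type == "card_present" and haversine_km(
            tx.customer_lat, tx.customer_lon, tx.merchant_lat, tx.merchant_lon) > 50:
        score += 30
        reasons.append("card-present merchant far from customer location")

    # Amount compared with this customer's own history (z-score).
    if len(hist.amounts) >= 5:
        sd = max(pstdev(hist.amounts), 1.0)   # avoid division by ~0
        z = (tx.amount - mean(hist.amounts)) / sd
        if z > 3:
            score += 25
            reasons.append("amount far above customer's usual spend")
        elif z > 2:
            score += 10
            reasons.append("amount above customer's usual spend")

    if tx.device_id not in hist.known_devices:
        score += 15
        reasons.append("transaction from a device not seen before")

    if tx.tx_type not in hist.tx_types_seen:
        score += 10
        reasons.append("transaction type not used before by this customer")

    return min(score, 100), reasons


def decide(score):
    """Map a score to an action; the cut-offs are assumed, not Mastercard's."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "step_up"       # e.g. ask for an OTP before approving
    return "approve"


# Constructed sample: a Colombo-based customer (coordinates approximate).
HISTORY = CustomerHistory(
    amounts=[2500, 3200, 1800, 4100, 2900],
    known_devices={"dev-A"},
    tx_types_seen={"card_present", "ecommerce"},
    home_lat=6.9271, home_lon=79.8612,
)

# Usual card-present purchase in Colombo from the known device.
TX_NORMAL = Transaction(3000, 6.9271, 79.8612, 6.9271, 79.8612, "card_present", "dev-A")
# Large online purchase from an unknown device while reported far from home.
TX_SUSPECT = Transaction(45000, 44.4268, 26.1025, 44.4268, 26.1025, "ecommerce", "dev-Z")
# Large online purchase from home but from an unseen device: worth a challenge.
TX_STEP_UP = Transaction(10000, 6.9271, 79.8612, 6.9271, 79.8612, "ecommerce", "dev-B")

if __name__ == "__main__":
    for tx in (TX_NORMAL, TX_SUSPECT, TX_STEP_UP):
        s, why = risk_score(tx, HISTORY)
        print(f"{tx.tx_type:13} amount={tx.amount:>8} score={s:3} -> {decide(s)} {why}")
```

The design point worth noticing is that every signal is relative to the individual customer’s own baseline (their usual location, devices and spend), which is what lets the same transaction be routine for one cardholder and suspicious for another; a flat rule such as “decline anything over X” cannot do that.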
“There is enough technology in the market today for banks to take advantage of. It is just a matter of using these technologies to their full potential. The problem is that even though every bank in Sri Lanka has registered for this platform, its actual use is very rare,” he explained.
Meanwhile, Hapugoda pointed out that the security of a mobile application or digital financial services account consists of three layers: securing the customer, securing the account and securing the transaction.
However, digital financial service providers in Sri Lanka do not pay enough attention to the first two layers, namely customer security and account security, which makes their customers more vulnerable to phishing attacks by fraudsters.
Many fraudsters rely on social engineering rather than modern technology to obtain customer identities, making it easier to execute major frauds.
“For example, I saw one bank put out a paper advertisement saying that they were the first bank to implement the latest security. This is great news for fraudsters. The moment you put up an advertisement saying that security has been improved for digital or mobile financial services, fraudsters start loving it. What they do is pair this announcement with social engineering tactics,” he said.
“They create an email that looks exactly like one from your bank. I’ve personally seen this happen at a place I worked. Scammers send emails to random customers saying, ‘You may have seen our paper ad on this particular day announcing our security upgrade, but to verify your identity, you need to click on the link below and confirm your login credentials.’”
Customers who are unaware of phishing attacks may click on the link and land on a page that looks like their bank’s website, where they enter their credentials.
“What you don’t realize is that someone has already stolen your login credentials,” he explained.
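The e-mail described above looks right because its wording is copied from the bank; what gives it away is where the link actually goes. As an added example (written for this page, not taken from the article, Mastercard or any bank), the following code pulls every link out of a message body and applies the checks a mail filter or a careful customer would use: is the destination host really the bank’s domain or a subdomain of it, is it a bare IP address or a punycode lookalike, and does the visible text name one address while the link goes to another. The bank domain examplebank.lk, the e-mail body and every address in it are constructed for the demonstration.

```python
"""Flag links in an e-mail that do not really lead to the bank.

Added example, not the article's or Mastercard's code. The bank domain,
the message body and the hosts in it are constructed for this demo.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.lk"   # assumed legitimate domain for the example


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it.

    Matching is on the suffix, so 'examplebank.lk.evil.example' fails even
    though it starts with the bank's name.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def shown_host(text):
    """If the link's visible text looks like a URL or domain, return its host."""
    t = text.strip()
    if " " in t or "." not in t:
        return None
    return urlparse(t if "://" in t else "https://" + t).hostname


def analyse_link(href, text, bank_domain=BANK_DOMAIN):
    """Return a list of reasons this link is suspicious (empty if none)."""
    u = urlparse(href)
    host = (u.hostname or "").lower()
    findings = []
    if u.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {u.scheme!r}")
    elif u.scheme == "http":
        findings.append("plain http, not https")
    if is_ip_literal(host):
        findings.append("destination is a bare IP address")
    elif not host_belongs_to(host, bank_domain):
        findings.append(f"destination {host!r} is not under {bank_domain}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host (possible homoglyph domain)")
    visible = shown_host(text)
    if visible and visible.lower() != host:
        findings.append(f"visible text shows {visible!r} but link goes to {host!r}")
    return findings


def scan_email(html_body, bank_domain=BANK_DOMAIN):
    """Return [(href, text, findings)] for every link in the body."""
    p = LinkExtractor()
    p.feed(html_body)
    return [(h, t, analyse_link(h, t, bank_domain)) for h, t in p.links]


# Constructed phishing body modelled on the wording quoted in the article.
SAMPLE_EMAIL = """
<p>You may have seen our advertisement announcing our security upgrade.
To verify your identity, <a href="http://examplebank.lk.secure-verify.example/login">click here</a>
or visit <a href="https://198.51.100.7/login">www.examplebank.lk</a>.</p>
<p>Genuine site for comparison: <a href="https://online.examplebank.lk/">online.examplebank.lk</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if findings else "ok"
        print(f"{verdict:10} {href}  (shown as: {text!r})")
        for f in findings:
            print("           -", f)
```

The check deliberately ignores the message text and the sender name, both of which the fraudster controls, and compares only the destination host against the bank’s real domain; that is the one thing a lookalike e-mail cannot fake without the customer being able to see it.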