I just read this piece where the author lamented the increasing fraud in the digital payment ecosystem. First, Nigerian banking security from the customer-facing side is one of the most intriguing banking structures in the world. It is only in Nigeria that you have to put your debit card number, expiration date, last 3 digits and then password to pay for most items. Nigeria’s banking system is more secure than even the US banking system. I mean, we all post our bank account numbers online in Nigeria! Our banks are really solid on security: companies do not post account numbers online in America.
Yet, Nigeria needs to do a really good job in the backend. And that means on the bankers and the systems they work on! If you do not clean that weak point, you expose the bank to vulnerability.
As a former bank’s system automation engineer with admin access to the bank’s general ledger, how you structure logs – no matter how benign – will help in hardening your system. This goes beyond spending more money on technology.
Tekedia Mini-MBA edition 14 (June 3 – Sept 2, 2024) begins registrations; get massive discounts with early registration here.
Tekedia AI in Business Masterclass opens registrations here.
Join Tekedia Capital Syndicate and invest in Africa’s finest startups here.
The #1 rule is this: under no circumstance should you allow a “generic” user which many people can use to login into the bank’s architectures. (In the bank, my responsibility included deepening digital security from the software side.)
Banks and fintechs: tell the IT unit to do one thing: deactivate all generic users in branches and HQs, and create the accounts with approved privileges for each user. Branches are some of the weakest links in a bank’s operations. The server is kept in the branch system room and banks with poor security awareness create one user with admin rights. You need that user to do many things like backup, etc. The problem is that many people end up having access to that account (think of Head of Operations, Branch Internal Control, Branch Manager, Regional IT, etc).
Because anyone can login and do whatever he/she wants via that account, accountability post fraud becomes challenging. To deal with that, systems must apportion rights to users with privileges they need and delete generic users. Then have a solid logging structure which ensures you can trace what everyone is doing when logged in.
If you execute Rule #1 with an all-log regime; those debit card frauds, etc will drop.
---
Register for Tekedia Mini-MBA (Jun 3 - Sep 2, 2024), and join Prof Ndubuisi Ekekwe and our global faculty; click here.