DIGITAL DEPRIVATION AS A DRIVER OF CYBER INSECURITY
May 6, 2022
Within the context of this security-focused discussion, digital deprivation in South Africa is characterized by the following:
Lower rates of digital literacy: Studies have underscored the importance of digital and technology literacy in terms of personal cyber risk mitigation. Marginalized populations are particularly targeted by cyber criminals. SABRIC’s findings underscore the perception that criminals prefer to exploit vulnerable users rather than attempt to bypass a bank’s robust security defenses.56 The low level of financial literacy in South Africa further compounds this problem.
Suboptimal hardware platforms: While feature phone usage is much lower than elsewhere in Africa, many users own older Apple or Android smartphones with legacy operating systems for which operating system and app security patches are no longer available. This is compounded by the possibility that DFS apps may also not run on these phones. In such cases, users will pivot to USSD services that offer insecure SMS protocol interfaces.
Data deprivation: South Africa has some of the highest data costs in Africa. For the country’s poor, who primarily use prepaid cell phone access, data costs even more. These users make up 85 percent of the data market.57 Referred to as the “poverty premium,”58 this way of purchasing data has two punitive outcomes: the premium cost of prepaid data and the higher expense of low-volume data bundles.59 The high cost of data and the security ramifications thereof cannot be overstated. The net effect of data unaffordability is that low-income users sacrifice cybersecurity hygiene when they prioritize data usage. This means that users frequently decline data-intensive software patch updates, use SMS to send sensitive information to others, and access public Wi-Fi when available to conduct sensitive financial transactions. Even though banks have zero-rated banking apps for data (in other words, carriers do not charge for associated data), users still consume data to make the initial connection.60
Reduced access to security software: Security software is, simply put, unaffordable to most South Africans. In general, many people from all income groups fail to install antivirus software on their personal devices, mainly due to a lack of security awareness. However, for poorer people, this is aggravated by the cost of security software. Generally, an antivirus suite from a reputable security vendor will cost anywhere between ZAR 800 (about $53) and ZAR 2,000 (about $132) annually. More than 30 percent of South Africa’s adult population survives on the country’s Basic Income Grant, which is only ZAR 350 (about $23) per month. Suffice it to say, very few people would be willing to spend a significant proportion of their entire annual grant income on security software.
Reduced access to technical support: The challenge of accessing support is two-fold: both technical and human. Given the cost of new devices, low-income users often purchase secondhand phones. Technical problems most often occur on unsupported devices. From a human interface perspective, accessing customer service support at either a financial service provider or MNO involves navigating call centers and adequately identifying and explaining the problem.61 This is often difficult for users who may not be digitally or financially literate, particularly when doing so in their third or fourth language.
Digital deprivation in South Africa is compounded by certain governance and technology challenges that pose cyber risks for digital financial inclusion. Creating a secure ecosystem that will allow the underbanked to fully embrace DFS is vital. Through these services, economically marginalized people can move from a transactional financial existence toward asset and investment growth.62 However, to benefit from DFS, they require the security to safeguard and grow what they start with. The digital financial ecosystem still carries too many obvious and persistent risks that affect all customers. These include:
One-time-password SMS protocol for payment verification: The SMS protocol, which is over thirty years old, is inherently insecure.63 The use of one-time passwords via SMS is still widely prevalent in the South African market. Such messages are easily intercepted by criminals—this may, in fact, be a driver of SIM swaps. All DFS providers should aim to migrate to digital authentication with two-factor authentication, preferably through biometrics. Voice biometrics are widely used across Africa, due to both user ease and the low rollout cost for providers.64
USSD-based services for DFS products: Many new fintech products give the user a choice between USSD interfaces or more advanced mobile app interfaces.65 This is arguably to enhance uptake in a market where data deprivation is a persistent problem. USSD interfaces are, however, inherently insecure and place customers at far greater risk. The overarching problems remain South Africa’s sky-high data costs, delays in new spectrum allocation, and suboptimal cellular infrastructure in rural regions. These factors are stifling innovation, security, and access.
Third-party risks—the credit bureaus: The high incidence of massive data breaches involving credit bureaus over the past two years raises the spectre of introducing endemic security threats into the entire financial ecosystem. It appears as if these entities are being targeted for their weak information security practices and the high volumes of sensitive customer data they hold. The latest such incident, the TransUnion Hack,66 has resulted in 54 million detailed South African financial records being exposed to additional risk. The credit industry is another “self regulating”67 entity but, given its breach record, the information security practices within this industry require the urgent attention of both financial actors and the relevant authorities.
The South African identification number: The official South African ID number is one of the most compromised government-based identifiers in the world.68 A series of massive breaches has released the bulk of all citizens’ unique numbers onto the dark web. ID numbers are nevertheless still the mandatory departure point for registering new clients and are demanded as the standard security check by call centers attending to customer queries.69 The ability to triangulate an ID number, cell phone number, and bank account number opens the door for cyber criminals. Somewhat inexplicably, it is still common practice for most financial actors to use ID numbers as the password to unlock allegedly encrypted account or portfolio information sent to customers via email. Given the compromised nature of the ID number and the prevalence of email interception in Africa, the implementation of digital identity technologies and biometrics should be an urgent priority.70 As a late adopter of such technologies, South Africa is well-placed to incorporate lessons learned, including constraints, from other markets.