Volume 2 Issue 11 November 2017
Recent years have seen an impressive rise in the adoption of technology throughout the world. In the global South (Africa, in particular), the use mobile technology has provided access to a wide variety of new services, from weather forecasting for farmers to medicine validation, which aim at enabling development and increasing people’s quality of life.
A prominent example of this is branchless banking, which permits the delivery of banking services such as withdrawals, deposits, and transfers to remote, typically rural, locations, where it would be prohibitively expensive to build a physical bank branch. The positive, life-transforming effects of providing financial services to the unbanked have been praised in the literature, and the security research community has emphasized that such effects will be sustainable only by providing secure branchless banking solutions. Indeed a lack of security would eventually lead to diminishing confidence in the service, producing an undesirable backlash effect.
Much research has been done with the aim of proposing secure systems, ranging from solutions involving simple phones and scratch cards, to using advanced modern SIM features such as smart card web servers, to developing short message authentication protocols designed for human readability. While these efforts are well intentioned, the security of the systems that are actually deployed is still inadequate. A recent study (Reaves et al., 2015) shows that most branchless banking applications used in the developing world are subject to several security vulnerabilities, highlighting the existing gap between secure technology design and practical technology adoption. Such a gap is not merely technical. There is a growing awareness that technology needs to be designed for and placed in a cultural and societal context, and that humans are a fundamental and integral part of the definition and delivery of security itself.
In a project developed within REFLECT (http://www.reflect-action.org) we use participatory methodologies, including visualization tools, to provide a realistic and insightful understanding of a community, as well as actively engaging its members. Such ideas are at the heart of many social-change initiatives. In our work we take a first step in bridging the identified gap between theory and practice in secure branchless banking by doing three things:
1) Identify and systematise assumptions that are being made on the resources and connectivity available in the locations where branchless banking is intended to be effective, as well as on the security models underlying the existing designs (e.g., entities and operations involved, notions of identity, and levels of trust);
2) Analyse the benefits of participatory approaches to the design of threat models, since such tools help develop a better understanding of what constitutes security for a particular community, and for what reasons this is considered to be so; and
3) Propose a participatory design approach in the context of Ghanaian local communities.
The outcome of this will be ways of better determining the cryptographic design of branchless banking solutions, and consequently preparing the ground for its successful adoption in local communities. Our initial work in Ghana aims to provide a better understanding of what core properties in branchless banking are significant to its secure adoption that can hten be explored further in the wider African contxt.
This represents the first key part of a complex journey to achieve such goal. The next step will be to engage with Ghanaian communities using the proposed participatory tools to understand what security in branchless banking means for them. This will challenge our identified assumptions and start a conversation that will help to develop more secure, context-aware technologies. Moreover, we envisage that this approach will be applicable to many types of technologies adopted in the developing world, thereby inaugurating C4D, namely Cryptography for Development.
Reaves, B., Scaife, N., Bates, A. M., Traynor, P., & Butler, K. R. (2015, August). Mo (bile) Money, Mo (bile) Problems: Analysis of Branchless Banking Applications in the Developing World. In USENIX Security Symposium (pp. 17-32).