Cyber security an afterthought for most fintech apps in Sri Lanka: Mastercard




By Nishel Fernando


Sandun Hapugoda

Pic by Kushan Pathiraja

Cybersecurity has become an afterthought for most fintech apps in Sri Lanka, while banks also show reluctance to leverage available technology to protect their consumers from fraudsters, according to Mastercard.

There are around 29 to 30 mobile applications offering various financial services, including those from banks in Sri Lanka. However, Mastercard’s Sri Lanka and Maldives Country Manager Sandun Hapugoda revealed that many of these applications only consider cybersecurity towards the latter stages of development or just before launching to the public, primarily to meet baseline security standards and regulatory requirements.

“This should not be the case. If you are coming up with a mobile platform or a digital platform, I think it’s super important that you get the experts in the world involved in the design phase itself, especially if it has anything to do with digital financial services or transactions,” he stressed.

Hapugoda also emphasised that banks have access to tools that can protect consumers from fraudsters. For example, he noted that Mastercard offers banks an AI-based scoring system to track suspicious transactions. Although all Sri Lankan banks are registered for this service, he revealed that they hardly make use of it.

For every transaction processed, a score is generated considering multiple data points, including the merchant’s location, previous transaction history, consumer’s location, past transactions, the type of transaction, and the device used. All these data elements are used to assign a score, which helps banks or financial service providers to decide whether to approve a transaction or not. 

“There is enough technology available in the market today for banks to leverage. It’s just a matter of using these technologies to their full potential. The problem is that even though every bank in Sri Lanka is registered for this platform, its real use is very rare,” he elaborated.

Meanwhile, Hapugoda pointed out that the security of a mobile application or digital financial services account consists of three layers: securing the customer, securing the account, and securing the transaction.

However, Sri Lankan digital financial service providers do not pay sufficient attention to the first two layers—securing the customer and securing the account—which makes their customers more vulnerable to phishing attacks by fraudsters.

Most fraudsters rely on social engineering rather than sophisticated technology to obtain customer identities, making major scams much simpler to execute.

“For example, I saw that one bank has put up a paper advertisement claiming they were the first bank to implement the latest security. For fraudsters, this is fantastic news. The moment you publish an advertisement saying that security has been upgraded for digital or mobile financial services, fraudsters begin to love it. What they do is link this announcement to social engineering tactics,” he said.

“They create an email that looks exactly like it’s from your bank. I have personally seen this happen at a place where I have worked. Fraudsters send emails to random customers saying, ‘You may have seen our paper advertisement on this particular date announcing our security upgrade, but to verify your identity, you must click the link below and confirm your login credentials.’”

Those unaware of phishing attacks may simply click the link and land on a page that looks just like their bank’s website, where they enter their credentials.

“What you don’t realise is that someone has already stolen your login credentials,” he explained.

 

