The main objective of this project is to improve the MPESA authentication process through the incorporation of a voice biometric functionality that enables the remote control of the individual MPESA accounts by MPESA subscribers with higher efficiency, accuracy and a higher level of authentication. The voice biometric is a state of the art technology that factors in authentication with better usability with the aim of combating fraud, self-service empowerment and cost savings through proper use of time and saving or reduction of administration costs for companies. The research study addressed the following objectives; to investigate the authentication schemes used by mobile money services; to investigate the major MPESA fraud techniques used in Kenya; to implement and analyse a time efficient, secure mobile-based multi-factor authentication scheme using device specific ID, voice biometric and a PIN for securing MPESA transactions. A design science research was used that aimed at coming up with a voice biometric MPESA model which was developed and implemented to address the main problem of fraudulent MPESA transaction performed using SIM-swap method. The population of study were MPESA subscribers around Mirema-USIU area. The sample frame was drawn from the population of study. The research study adopted the purposing sampling techniques to enable selection of respondents who were only relevant to be sampled.
Collection of data was done via online Google Forms questionnaire survey and a descriptive method was used to carry out the data analysis. A total of thirty (32) questionnaires were sent to users via Google Forms online survey and all the questionnaires were duly filled in hence giving a response rate of 100%. The research design adopted quantitative techniques where data was analysed and presented in form of graphs and charts. The research also adopted a qualitative technique, where the individual views from respondents for example, their understanding of voice biometrics.
The findings regarding the first research study objective on investigating the authentication schemes used by mobile money services indicated that majority of respondents, 75% indicated that MPESA 4-digit PIN as a security measure is insufficient and 56.3% think that their PINs can easily be guessed. The study hence identified a big gap in the security of mobile money transactions in terms of using PIN as a security measure when performing mobile transactions. The study also indicated that majority of the respondents indicated that adding biometrics will improve MPESA security. The findings regarding the second research study objective on investigating the major MPESA fraud techniques used in Kenya revealed that there are different techniques are used by fraudsters these include reversal of transactions, unauthorized sim-swap, identity theft, erroneous transactions, scam messages and insider theft. The research study revealed that MPESA subscribers were aware of the fraud techniques used in their area which was mostly unauthorized SIM-swap and identity theft.
A model was developed on the android platform, VMPESA, to address issues regarding objective three, which aimed at implementing a secure mobile-based multi-factor authentication scheme using device specific ID, voice biometric and a PIN for securing MPESA transactions.
The research concluded PIN is not a sufficient security measure when performing mobile transactions and fraudsters are taking advantage of this vulnerability to defraud MPESA subscribers by using techniques such as SIM-swap, reversal transactions and scam messages. Voice biometrics is a factor that can be used to achieve a high degree of benefits and advantages in lowering the risk within mobile financial systems with specific reference to MPESA mobile money transfer system
The study recommended that for mobile money service providers to provide safe and secure transactions, they should concentrate on implementing multi-factor authentication schemes in their system. They should also identify the major weaknesses of the implementing single factor authentication, such as PIN, as a security measure. Mobile money service providers should also be aware that fraudsters are employing new techniques everyday therefore continuous upgrade of the security features is imperative. Safeguarding subscriber personal information and account is extremely important and should be top priority to these organisations.
Researchers should do further studies on alternative multifactor authentication schemes which have more functionalities to make the entire process more seamless, convenient for the subscribers and intelligent in nature. Further studies should be done to identify the advance techniques used by fraudsters to acquire subscribers’ personal information.
