EFFECTS OF CYBERSECURITY ON SELECTED MOBILE PHONE PAYMENT SYSTEM IN NAIROBI CENTRAL BUSINESS DISTRICT WEKESA NELSON BARASA

Transcription

1 EFFECTS OF CYBERSECURITY ON SELECTED MOBILE PHONE PAYMENT SYSTEM IN NAIROBI CENTRAL BUSINESS DISTRICT WEKESA NELSON BARASA A Thesis Submitted to the Graduate School in Partial Fulfillment of the Requirements for the Conferment of Master of Information Systems Degree of Faculty of Information Science and Technology KISII UNIVERSITY OCTOBER, 2013

2 DECLARATION AND RECOMMENDATION DECLARATION This is my original work and has not been submitted for examination in any other university known to me. Signature: Mr. Wekesa Nelson Barasa MIN14/20019/11 Date: RECOMMENDATION We confirm that this thesis has been submitted for examination with our approval as the University supervisors Signature: Prof. Constantine M. Nyamboga Associate Faculty, Kisii University Date: Signature: Mr. Benjamin Kyambo Lecturer, Kisii University Date: ii

3 DEDICATION This work is dedicated to my dad and mum, Mr. and Mrs. Patrick Wekesa, the entire Wekesa family and Mr. Njoroge Njuguna for the tiring support, inspiration and motivation to pursue higher education. iii

4 ACKNOWLEDGEMENT I would like to register my special thanks to all those who have participated in one way or another to facilitate and ensure that this research project concludes successfully. First of all, special gratitude to the Almighty God for his protection, guidance and enabling me to overcome problems and be strong whenever faced with troubles, and the continued blessings and the heart of determination to succeed despite the many hurdles faced. Secondly, I would like to express my appreciation to my family, dad, mum and the rest of the family members who cooperatively and understandingly participated throughout the entire period of my studies and who believed and put their trust in me. Again, I would like to sincerely thank my employer who agreed and understood on my course to pursue further education and the untiring support towards my academic endeavors. Thirdly, my supervisors Prof. Constantine M. Nyamboga and Mr. Benjamin Kyambo, whom have been outstanding in their professionalism and personal encouragement and for being unfailingly available in both the exhilarating and challenging moments of the study. Also, to the entire teaching fraternity of Kisii University who assisted in seeing me through the entire project and to a successfully completion of my course. Lastly, all my fellow students whom we shared a lot during the course of our studies and also whom guided and showed me the right direction whenever I lost or didn t have the courage to go through. Also, to all the respondents who took time to answer my questionnaire and give me information that was used in the research. Thank you very much. iv

5 ABSTRACT The aim of this study was to examine the effects of cybersecurity on selected mobile phone money payment system in Nairobi Central Business District. The objectives were to investigate how electronic payments are effected using the mobile phone money payment system, establish how mobile phone payment systems are secured, as well as investigate what kind of challenges there are in the implementation of secure mobile phone payment systems. A review of relevant literature was explored regarding mobile phone payment systems in both developed and developing countries. A modified Technological Acceptance Model for mobile services was adopted and used in the study. The study collected data from a sample size of 111 respondents characterized into three; the mobile phone user, the mobile phone money merchant and the mobile phone service provider. A purposive sampling procedure was employed to collected data from the mobile phone service provider; Safaricom where 11 respondents participated in the study. A proportionate stratified random sampling procedure on the other hand was used where 100 respondents were equally divided among mobile phone users and mobile phone money merchants. Data was tabulated and analyzed using frequency distributions, descriptive statistics, weighted means, and regression models. From the findings, it was observed that there is a lack of sufficient awareness education and information on the use and existence of mobile phone money services, those who know about it majorly use it as a money transfer service (sending and receiving money) from one mobile phone user to another. Only a few respondents actually use the service to effect core business transactions (paying bills and buying of goods and service). v

6 TABLE OF CONTENTS DECLARATION AND RECOMMENDATION... II DEDICATION... III ACKNOWLEDGEMENT... IV ABSTRACT... V LIST OF FIGURES... IX LIST OF TABLES... X LIST OF ABBREVIATIONS... XI CHAPTER ONE... 1 INTRODUCTION Background of the Study Statement of the Problem Objectives of the Study Research Questions Significance of the Study Assumptions of the Study Scope and Limitations Operational Definition of Terms... 4 CHAPTER TWO... 6 LITERATURE REVIEW Electronic Payment Systems Cybersecurity Mobile Phone Payment Systems Mobile Phone Payment Based on Technology Mobile Phone Payment Based on Payment Type Mobile Phone Payment Based on Usage Securing Mobile Phone Payment Systems Secure Mobile Phone Payment Application Theoretical Framework Conceptual Framework CHAPTER THREE RESEARCH METHODOLOGY Research Design vi

7 3.2 Study Area Target Population Sample Size and Sampling Procedure Data Collection Procedures Instrumentation Validity of Instruments Reliability of Instruments Data Analysis and Presentation CHAPTER FOUR DATA ANALYSIS, DISCUSSIONS AND PRESENTATIONS Characteristics of Respondents Reasons for Subscription to Safaricom Mobile Money Service Existing Mobile Phone Usage Mobile Phone User Mobile Phone Money Merchant Frequency of Mobile Phone Usage Level of Accessibility Money Spent on Mobile Phone per Week Mobile Phone Money Subscription Usage of Mobile Phone Money Service Frequency of Mobile Phone Money Usage Sending Money Receiving Money Paying Bills Buying Goods and Services Other Uses Effectiveness of Information provided relating to Mobile Phone Money Mobile Phone Money Usage Conduct while Using Mobile Phone Money Where to Access Mobile Phone Money Effects on Mobile Phone Money Service Usage Fraud Lack of Acceptability Few Numbers of Agents vii

8 Poor Network Coverage Role of CCK in Mobile Phone Money Service Usage Merchants Opinion on Accessibility and Usage Security on the Mobile Phone Correlation Coefficient Matrices Regression CHAPTER FIVE SUMMARY, CONCLUSIONS AND RECOMMENDATION Summary of the Main Findings of the Study Conclusions Recommendations Areas for Further Research REFERENCES APPENDICES APPENDIX I: MOBILE TRANSACTION INVOLVING PAYMENTS APPENDIX II: MAP OF NAIROBI CENTRAL BUSINESS DISTRICT APPENDIX III: INTRODUCTION LETTER APPENDIX IV : MOBILE PHONE USER QUESTIONNAIRE APPENDIX V: MOBILE PHONE SERVICE PROVIDER QUESTIONNAIRE APPENDIX VI : MOBILE PHONE MONEY MERCHANT QUESTIONNAIRE APPENDIX VII: LIST OF MOBILE PHONE MONEY MERCHANTS viii

9 LIST OF FIGURES Figure 2.1: Typical Mobile Payment System Figure 2.2: Secure Mobile Payment Procedures Figure 2.3: Secure Mobile Payment Application Figure 2.4: The Technology Acceptance Model Figure 2.5: Technology Acceptance Model for Mobile Services as an extension and modification of TAM Figure 2.6: Modified Technology Acceptance Model for Mobile Phone Services with Security Figure 2.7: Conceptual Framework Figure 4.1: Mobile Phone Users Figure 4.2: Mobile Phone Merchants/Agents Figure 4.3: Ordinary Mobile Phone User Figure 4.4: Duration of Usage with Mobile devices Figure 4.5: Frequency of Mobile Usage Figure 4.6: Money Spent per Week Figure 4.7: Safaricom Mobile Money Subscription Figure 4.8: Safaricom Mobile Phone Money Usage ix

10 LIST OF TABLES Table 3.1: Respondents Distribution, Sample Size Table 4.1: Respondents Distribution Table 4.2: Reasons of choosing Safaricom MPESA Table 4.3: Frequency of Mobile Money Usage Table 4.4: Effectiveness of Information provided by Mobile Phone Service Provider Table 4.5: Effects on Mobile Phone Money Service Usage Table 4.6: Merchants Opinion on Accessibility and Usage of Mobile Money Table 4.7: Strategies implemented to ensure Security Table 4.8: Measures to ensuring Security of Mobile Money Table 4.9: Challenges of enforcing Security Table 4.10: Correlation Coefficient Matrix from Mobile Phone Users Table 4.11: Correlation Coefficient Matrix from Merchant/Agents Table 4.12: Correlation Coefficient Matrix from Mobile Service Provider Table 4.13: Model Summary for Mobile Phone Money Users Table 4.14: Regression Coefficient for Mobile Phone Users Table 4.15: Regression Coefficient for Mobile Phone Merchant x

11 LIST OF ABBREVIATIONS ATM - Automatic Teller Machine CA - Certification Authority CBD - Central Business District CBK - Central Bank of Kenya CCK - Communication Commission of Kenya CDMA - Code Division Multiple Access CII - Critical Information Infrastructure CIIP - Critical Information Infrastructure Protection E-Commerce - Electronic Commerce E-Payment - Electronic Payment EPS - Electronic Payment System E-Wallet - Electronic Wallet GPRS - General Packet Radio Service GSM - Global Service for Mobile ICT - Information Communication and Technology M-Commerce - Mobile Commerce M-Payment - Mobile Payment M-PESA - Mobile PESA (Swahili word for Money) MASP - Mobile Payment Application Service Provider MoIC - Ministry of Information and Communication MMS - Multimedia Messaging Service NFC - Near Field Communication OTA - Over the Air PCR - Platform Configuration Registers PDA - Personal Digital Assistant PKI - Public Key Infrastructure POS - Point of Sale SIM - Subscriber Identity Module SMS - Short Message Service SPSS - Statistical Package for Social Science TAM - Technology Acceptance Model TCA - Trusted Certifying Authority xi

12 TPM - Trusted Platform Module TTP - Trusted Third Party USSD - Unstructured Supplementary Service Delivery WAP - Wireless Application Protocol Wi-Fi - Wireless Fidelity WTO - World Trade Organization xii

13 CHAPTER ONE INTRODUCTION 1.1 Background of the Study The current trends and demands from the public and the business community has resulted to financial institutions banks and micro finance institutions to produce and also encourage their customers to use electronic money to avoid visiting the banks and to achieve faster services, Insurance providers, and service providers have followed suite and installed electronic payment systems in their establishments and through promotions and special offers customers are slowly accepting these new changes. Mobile phone service providers have also joined the bandwagon and developed platforms to facilitate the use of electronic money-mobile money payment systems. Through the use of mobile money payment systems, customers can deposit, transfer cash, purchase goods and services as well withdraw cash through a merchant, ATM, or an agent. Security is the protection of assets from unauthorized access, use, alteration, or destruction. It involves the control of access to data/information stored in the computer and network accessible resources. Security is usually cited as the major barrier to mobile commerce and electronic commerce systems in general. Prospective buyers are leery of sending money information over the network and more so over the Internet. Marketers and vendors are also worry that hackers will compromise their systems resulting to losses of data/information, money and control to unscrupulous people (Turban, Lee, King, & Chung, 2004). There is need for security to be maintained and monitored as businesses move towards electronic oriented commerce. The cyberspace is an environment that makes it possible for the interaction of interdependent devices, and networks of information technology infrastructures; including the internet, telecommunications networks, computer systems, and embedded processors and controllers. Cyberspace underpins every facet of the modern society in every aspect; for example communication, entertainment, business operations, data storage, governance as well as politics. Cybersecurity is one of the main challenges to the wider deployment of electronic payment systems, for example, 1

14 the Kenyan government through the Communication Commission of Kenya (CCK) has recently signed an agreement with International Telecommunications Union to boost cybersecurity in the country (Nduati, 2012). Cyber insecurity affects everyone from national governments, the public sector, the private sector, and ordinary citizens in a country (Tamanikaiwaimaro, 2010). The availability of affordable mobile phones in the market, mobile phone network coverage extending to remote areas of the country and having acceptable mobile money payment systems, mobile commerce has totally revolutionized Kenya. The mobile phone has become a common device and almost every Kenyan own one. The mobile phone has become the platform of choice for running electronic commerce applications. It is for this reason that the mobile phone accounts for a huge number of devices that make up the cyberspace compared to computers and other related devices. The huge number of players in the cyberspace, for example Safaricom alone has over 15 million subscribers connected to M-PESA (Nduati, 2012), this huge number generates a myriad of challenges. For example, ensuring that privacy of the players is not compromised as well as ensuring that there is security in the process of effecting payment using the mobile payment systems. 1.2 Statement of the Problem Electronic commerce has taken over the globe as the preferred method of conducting business transactions and Kenya is not an exception. With Electronic commerce, electronic payment systems have been developed to effect payment of both goods and services. There are various electronic payments systems and methods used worldwide for example; smart cards, visa cards, master cards etc. Mobile phone payment is an emerging electronic payment method in the world and most business establishments and institutions are slowly adopting it however with reservations. Efforts are being put in place to educate and inform the public on its usage and it is slowly being responded to. Kenya as a developing country has several mobile phone service providers where each has its own platform of mobile phone money with rules and regulations of usage. The players (owners and stakeholders) in the business environment are a bit confused on how to adopt all these platforms and if they are secure enough. Ordinary Kenyans as well as are afraid of using their mobile phone to 2

15 conduct transactions due to the fact that this means has not yet widely accepted and also through the fear of being conned and losing money. This research therefore seeks to study the effects of cybersecurity on mobile phone payments systems in Nairobi Central Business District, Nairobi County and why people have fears to use this form electronic payment to effect payment while conducting their daily business operations (buying of goods and services). 1.3 Objectives of the Study The aim of this study was to investigate the effects of cybersecurity on mobile phone payment systems in Nairobi CBD as well as to identify challenges and suggest possible solutions. Specific objectives of the research include; i. Establish the scope of mobile phone payment systems in Nairobi Central Business District ii. Determine security measures put in place for mobile phone payment systems in Nairobi Central Business District iii. Investigate challenges faced in instituting cybersecurity measures in Nairobi Central Business District 1.4 Research Questions The research aimed at answering the following questions; i. What is the status of mobile phone payments system in Nairobi Central Business District? ii. What are the measures put in place for secure mobile phone payment in Nairobi Central Business District? iii. What are the challenges faced in instituting cybersecurity measures in Nairobi Central Business District? 1.5 Significance of the Study The findings and recommendations from this research provides insights and add to the field of knowledge on mobile phone money service Also, this research aimed to stress that for mobile payment services to be acceptable and usable, security must be put into consideration. The findings from this research would be useful to various 3

16 concerned bodies in the country for example, the government, the business community, mobile phones service providers. 1.6 Assumptions of the Study The assumptions made in this research were that the sample chosen represents the entire mobile phone usage population and that the respondents participated truthfully and that they understood what electronic payment systems are. Also, another assumption made in this study was that the instruments used had validity and were measuring the desired constructs. 1.7 Scope and Limitations This research was limited to the effects of cybersecurity on mobile phone payment systems in Nairobi CBD. Due to the fact that the population is too large, a simple sample size of the dominant mobile phone operator and its usage was chosen and considered. Another limitation of this research was that the availability of the correct source of data was a challenge as mobile phone payment systems was an emerging area of interest in electronic commerce. 1.8 Operational Definition of Terms Cybersecurity: The protection of all things Internet; that is, from the network itself to the data/information stored in computer databases and other applications that work and operate in the cyberspace. the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and organization and users asset (International Telecommunication Union, 2008). Cyberspace: A computer network consisting of a worldwide network of computer networks and related devices that use the TCP/IP network protocols to facilitate data 4

17 transmission and exchange of data and information. It is also known as the internet. Electronic Commerce: This is the process of effecting payments from one end to another end through the medium of the computer without manual intervention beyond inputting the payment data for example; electronic money usually associated with smart cards, visa cash, cyber cash, and master cash. Electronic Payment System: This is a part of Electronic Commerce that facilitates the exchange of money with goods. It is also a sub-group of e-payments, where mobile phones or other wireless communication devices are used to access accounts and to use payment services. Mallat describes electronic payments as cited by (Heikkinen, 2009) as the use of mobile devices, commonly a mobile phone, to make a payment transaction, where funds are transferred from payer to payee, either via a bank or directly, without an intermediary. This functional definition considers mobile payments as a payment instrument comparable to credit transfers, direct debits or card payments Protocols: A special set of rules and regulations that determine the format and transmission of data between two or more computers 5

18 CHAPTER TWO LITERATURE REVIEW 2.1 Electronic Payment Systems Electronic commerce provides the capability of buying and selling products, information and services on the Internet and other online environments-cyber environment (Abrazhevich, 2004). As for any trading activity, the issue of safe and reliable money exchange between transacting parties is essential. In an electronic commerce environment, payments take the form of money exchange in an electronic form, and are therefore called electronic payments. E-payments are an integral part of electronic commerce and are one of its most critical aspects. An electronic payment is a financial exchange that takes place in an online environment, that is, through websites running on interconnected computers. It has evolved from a simple system involving cash as a means of exchange to a more sophisticated system involving various institutions and related regulations providing payment instruments and infrastructures, allowing for interconnections between various partners or business units in fulfilling their business or social obligations. It could thus be seen to include any payment to businesses, banks and public services from citizens, businesses or governments, which are executed through electronic networks (Briggs & Brooks, 2011). Electronic Payment Systems (EPSs) are summoned to facilitate the most important action after the customer s decision to pay for a product or service and to be able to deliver payments from customers to vendors in a most effective, efficient and problem-free way. The role of electronic payment systems is pivotal for the future of electronic commerce, whose further growth depends on the timely development of EPSs. The current trends and demands from the public as well as from the business community results to financial institutions example banks and micro finance institutions to produce as well as encourage their customers to use various forms of electronic money. Retail chain markets example supermarkets, health institutions and other service providers have also followed suite and installed the electronic payment systems. Banks and mobile phone service providers have made this possible by developing platforms to facilitate the use of electronic money. Through the use of this 6

19 form of electronic money, customers can deposit cash, transfer cash, as well as withdraw cash from any ATMs connected within the banks vast network, through the use of electronic cards (debit and credit card) systems and also, through mobile devices. 2.2 Cybersecurity The principal objective of cyber security is to ensure the attainment and maintenance of security properties of the organization and user s assets against relevant security risks in the cyber environment. There are various types of breaches that compromise security for example virus, unauthorized access, theft of proprietary information, denial of service, sabotage, web site defacement, etc. Although these security incidents are continuously rising, organizations have come to be aware the importance of information security. Assessing the impact of security breaches is very difficult because costs of security breaches are not very ease to quantify (Ko & Dorantes, 2006). All over the world, there have been reported news and surveys being conducted on the magnitude of the monetary losses from the ever increasing breached incidents. The Ministry of Information and Communication (MoIC) in conjunction with industry players and other stakeholders have formulated a framework that will govern and regulate the procurement and deployment, use and adoption of technological innovations, inventions, security and related issues known as the ICT policy (Ministry of Information and Communications, 2011). This policy strives to build confidence in the use of information communication and technology in the country in government circles, health facilities, communication, as well as in learning institutions. As the Internet is a global infrastructure of the modern society that supports various services and products such as transport, health, telecommunication, banking, media and information distribution, learning as well as research, these systems or solutions are frequent targets of cyber-attacks. Issues on cybersecurity are classified according to the following criteria; i. Type of action. This is classification based on type of action and includes data interception, data interference, illegal access, spyware, and data corruption, sabotage, and denial of service and identity theft. 7

20 ii. iii. Type of perpetrator. Classification based on the possible perpetrators that include hackers, cyber criminals, cyber warriors and cyber terrorist. Type of target. Classification has numerous targets, ranging from individuals, private companies, and public institutions to critical infrastructures such as governments and military assets. With the rapid growth and evolution of ICT as well as Internet penetration in Kenya, government, financial and educational institutions are now relying more on the internet as an infrastructure to deliver on their core business. This reliance on the Internet infrastructure for basic operations such as trade, education, and health makes cybersecurity a matter of concern for the Republic of Kenya. The MoIC working closely with the Central Bank of Kenya (CBK), Kenya Police and the Communication Commission of Kenya (CCK), has ensured that cybercrimes which are becoming a common occurrence in the country are eliminated and also that systems are not abused (Obura, 2012). The illicit use of ICTs adversely affects Kenya s communication infrastructure, national security, and economic development. It is therefore vital that necessary mechanisms are put in place to addresses cybersecurity issues. According to (Tamanikaiwaimaro, 2010), he states that the main objective of cybersecurity, is to ensure the attainment and maintenance of security properties of the organization and user s assets against relevant security risks in the cyber environment. Other objectives include; Availability (customers rely on the availability of systems and infrastructure within the cyber environment), Integrity (customers rely on banks to have systems in place to preserve data integrity), Confidentiality (Customers also rely on the confidentiality of the systems to keep their transactions confidential). With the landing of the undersea fiber optic cable that connects Kenya to the world in the year 2010, there has been an increase in data transmission as well as demands for, and unprecedented economic opportunities through the linking of populations around the globe in a way never seen before. The business community has turned to convergent communication, processing, and essential services and devices to the internet infrastructure. This convergence has led to the formation of a critical infrastructure that organizations, institutions as well as individuals require to satisfy their daily needs. The (International Telecommunication Union, 2008), defines critical 8

21 infrastructure (CI) as the key systems, services, and functions whose disruption or destruction would have a debilitating impact on public health and safety, commerce, and national security, or any combination of those matters. The CI consists of both physical elements such as facilities and buildings and virtual elements such as systems and data. The cyber-environment needs to have means in place that would protect the Critical Information Infrastructure (CII). CII consist of physical structures, IT facilities and installations, computer networks, services and assets which if disrupted or destroyed, would have a serious impact on health, safety, security or economic we well-being of citizens or effective functioning of governments. The Critical Information Infrastructure Protection (CIIP) is critical when addressing cybersecurity issues. The European Commission is at the forefront of developing strategies to protect Critical Information Infrastructure (CII). The communication from the European Commission to the European Parliament, Council, European Economic and Social Committee of the Regions on CIIP, COM proposes five key pillars to tackle cybersecurity challenges (Glorioso, 2009); i. Preparedness and prevention: to ensure preparedness at all levels; ii. Detection and response: to provide adequate early warning mechanisms; iii. Mitigation and recovery: to reinforce EU defense mechanisms for CII; iv. International cooperation: to promote EU priorities internationally; v. Criteria for specific ICT sector: to support the implementation of the Directive on the Identification and Designation of European Critical Infrastructures CIIP is critical because the degree to which it is protected directly affects the livelihood of the many people who depend on efficient security. The impact of cybersecurity on national security is a very real one. Likewise, the country s economic growth has been impacted by the use and application of ICT. Whilst an increase in ICT penetration throughout Kenya brings economic growth, the outlawed use of ICT can also adversely affect Kenya s economy. According to the ITU s toolkit for cybercrime legislation, The interconnected networks of the Internet have enabled unprecedented economic opportunities and linked populations around the globe in 9

22 ways never before possible. ICT has revolutionized economic development in developing economies, as suggested by a World Bank Study in 2009 that observed that for developing countries every 10% increase in broadband penetration leads to 1.38% increase in Gross Domestic Product (GDP). 2.3 Mobile Phone Payment Systems The use of mobile devices instead of electronic cards has gotten momentum in developing countries more so in Kenya. For instance, business operations and transactions are currently being conducted through the use of mobile devices. There are six registered mobile phone money platforms currently operating in Kenya; Orange Telkom s Orange Money(Orange Telkom, 2012), Airtel s Airtel Money ( Airtel Money, 2012), Essar Communication Yu Cash (Yu Mobile, 2012), Safaricom s M-PESA (Safaricom, 2012a), Tangaza and MobiKash (MobiKash, 2012). Safaricom s M-PESA has always been discussed as the most dominant mobile phone money service in the market. Mas & Radcliffe (2010) wrote how mobile phone money has revolutionized Kenyan lifestyles, for example, 98% of the mobile phone users are happy with the growth towards mobile phone money service usage (M- PESA) and 84% claim that losing M-PESA would have a large, negative effect on them. Since the inception of mobile phone money in Kenya, it has continued to surpass other forms of EPS. Mobile phone money and payments can be used in the following dimensions of electronic commerce, Business to Business (B2B), Business to Consumer (B2C) as well as Government to Business (G2B). From the previous CBK statistics, mobile phone money accounts for the large volumes of transactions. Mobile phone money can be used for varied functions example, mobile phone money transfer, payments of goods and services, settling of bills/invoices etc. Mobile phone money has also been used in payment for digital content e.g. ring tones, logos, news, music, or games. Payments for physical goods are also possible, both at the vending and ticketing machines, or at manned Point-of-Sale terminal (Dahlberg, Mallat, Ondrus, & Zmijewska, 2006). Mobile phone money in Kenya initially was developed to facilitate the transfer of cash from urban to rural areas linking and building into family and social ties. Recently, however, it does more than just transfer of money for example, 10

23 distributing salaries and social welfare payments, enabling payments across supply chains, paying bills, as well as goods and services. According to Li, Zhang, Seifert, & Zhong, (2008) Mobile phone payments systems typically involve three parties; a mobile device (representing a payment customer/user), a merchant, and a financial service provider (e.g., a bank or credit card service provider).this means that for us to have a complete mobile payment similar to commerce, we must have the user (buyer) who owns a mobile phone and intends transact business operation, the agent/merchant (seller) to provide the goods or services and a place to store money usually a financial institution. To ensure security of a mobile phone payment transaction, a trusted third party (TTP) is usually involved to authenticate and authorize users (mobile phone subscribers) see figure 2.1. Figure 2.1: Typical Mobile Payment System Source : Li et al., (2008) 11

24 Mobile phone payment systems are classified as follows; Mobile Phone Payment Based on Technology Mobile technologies provide a rough basis for classifying mobile phone payments, for instance, any type of payment may be done with all available technologies, which may even converge or be present at the same time. Most existing SMS or phone call based applications should be classified as billing systems, not payment systems (Heikkinen, 2009). Technological development and convergence has made modern mobile phones a bundle of technical options hence the same phone can be used in a GSM network for calls, SMS messages or WAP connections, or it can be used to transmit data or as an Internet browser through GPRS, 3G or 4G connections. A payment application may be used with any of these technologies. Chip technology allows different applications in the phone, whether a plain SIM card is used or a SWIM card where the SIM is equipped with PKI certificates or the multifunctional UICC chip, which allows the use of a secure element in payment applications. Communications between chip and phone is developing rapidly and creating new possibilities. In addition to these, separate devices may be attached to the phone to facilitate payments. a) SIM Based Application The subscriber identity module (SIM) used in GSM mobile phones is a smart card i.e., it is a small chip with processing power (intelligence) and memory. The information in the SIM can be protected using cryptographic algorithms and keys. This makes SIM applications relatively more secure than client applications that reside on the mobile phone. Also, whenever the customer acquires a new handset only the SIM card needs to be moved. If the application is placed on the phone, a new handset has to be personalized again. SMS can be used to provide information about the status of one s account with the bank (informational) or can be used to transmit payment instructions from the phone (transactional). In Kenya, all the mobile phone service providers use this model. According to Mas & Radcliffe, (2010), a customers must first register at an authorized retail outlet where they will be assigned an individual electronic money 12

25 account that is linked to their phone number. Customers can then deposit and/or withdraw cash to/from their accounts by exchanging cash for electronic value at a network of retail stores (often referred to as agents). These stores are paid a fee by mobile phone service providers each time they exchange these two forms of liquidity on behalf of customers. Once customers have money in their accounts, they can use their phones to transfer funds to other users and even to on registered users, pay bills, and purchase mobile airtime credit. All transactions are authorized and recorded in real time using secure SMS. b) Unstructured Supplementary Services Delivery (USSD) Unstructured Supplementary Service Data (USSD) is a technology unique to GSM. It is a capability built into the GSM standard for support of transmitting information over the signaling channels of the GSM network. USSD provides session-based communication, enabling a variety of applications. USSD is session oriented transaction-oriented technology while SMS is a store-andforward technology. Turnaround response times for interactive applications are shorter for USSD than SMS. c) WAP/GPRS General Packet Radio Service (GPRS) is a mobile data service available to GSM users. GPRS provides packet-switched data for GSM networks. GPRS enables services such as Wireless Application Protocol (WAP) access, Multimedia Messaging Service (MMS), and for Internet communication services such as and World Wide Web access in mobile phones Mobile Phone Payment Based on Payment Type According to Carr (2007), mobile phone payment solutions based on payment type include; a) Bank Account Based Mobile Phone Payment In this model, the bank account is linked to the mobile phone number of the customer. When the customer makes a mobile phone payment transaction with a merchant, the bank account of the customer is debited and the value is credited to the merchant account. 13

26 b) Credit Card Based Mobile Phone Payment In the credit card based mobile phone payment model, the credit card number is linked to the mobile phone number of the customer. When the customer makes a mobile phone payment transaction with a merchant, the credit card is charged and the value is credited to the merchant account. c) Telecommunication Company Billing of Mobile Phone Payments Customers may make payment to merchants using his or her mobile phone and this may be charged to the mobile phone bills of the customer. The customer then settles the bill with the telecommunication company. This model can further be classified into prepaid airtime (debit) and postpaid subscription (credit) Mobile Phone Payment Based on Usage The use of mobile phone devices in effecting payments based on usage reveals heterogeneous variety mobile payment applications. The environment or size of payment seems to differentiate between the applications, however, most existing mobile payment schemes can be used in almost all environments, (Heikkinen, 2009) from money transfer, billing, purchase of goods and services, buying airtime as well in lending money to others. 2.4 Securing Mobile Phone Payment Systems It has been argued that for widespread use and customer acceptance of mobile phone payment services, both perceived and technical levels of security should be high (Carr, 2007). For customers, privacy should not be compromised and there should be no possibility of financial losses. For businesses, customer authentication is important. According to Li et al., (2008) a secure mobile phone payment scheme provided by secure hardware within a trusted mobile phone payment system should detect any malicious modifications and intrusions of a payment application and/or the corresponding data during their life cycle. It is therefore that for any secure messaging system, confidentiality, integrity, non-repudiation and authentication should be guaranteed. 14

27 There are three stages of ensuring and guaranteeing security in the mobile phone payment applications; a) Secure software downloading: For a secure payment scheme, especially in payment solutions with near field communication (NFC), e-wallet applications are essential for m-payment transactions. In this context an e-wallet runtime environment is also important. For example; we ll need to download this software packages from trusted software providers. Otherwise malicious software might compromise the platform integrity and the user s privacy. On the other side, as e-wallet software maintains user payment data such as credit card accounts and billing information, it is typically provided by a financial service provider. For security reason, the service provider typically needs to evaluate the integrity status of the mobile phone before granting download followed by the final installation. In general, this software can be downloaded through different wireless technologies, such as GPRS or Wi-Fi. b) Secure e-wallet initialization: In order to secure payment transaction processes itself; we also need to secure the e-wallet initialization process. For instance, the private key and the user account information should be generated in a secure environment and then stored inside the secure storage of the target device. We ll need to validate also the integrity of the mobile phone itself through the help of a trusted third party (TTP) before actually storing the private key with the user account information. The public key generated by an e-wallet application encrypts the user account information and the private key is protected by the trusted platform module (TPM). The user s public information should be sent to the trusted certifying Authority (TCA) or service provider through GPRS or other wireless technologies while the user registers to the mobile payment service. c) Secure payment transaction: Similarly, we need to evaluate and validate the integrity of the whole mobile phone before an actual payment process. Prior to starting a payment application, the integrity of the mobile phone is measured and the corresponding measurement values are reported to the platform configuration registers (PCR s). If the PCR values match the expected values, the sealed private key of the e-wallet can be unsealed from the TPM. Also, the 15

28 private key decrypts the user account information. Eventually, the user sends out the account information with its signature after the integrity of the mobile phone is validated by the TTP. All the information including the measurement values is sent out via NFC which provides at this stage enough security protection. As noted, we assume that the point of sale (POS) terminals at merchants have a direct and secure connection to financial service providers, and merchants are not directly involved in payment transaction processes. Figure 2.2: Secure Mobile Payment Procedures Source: Li et al., (2008) Mobile phone payments conducted via short message service (SMS) can also be secured using the transport layer security usually offered by GSM/CDMA networks. This usually sufficiently guarantees confidentiality; that is messages cannot be read by anyone else and message integrity; the assurance that the message has not been altered in transit. Authentication; identifies the author of the transaction and nonrepudiation; makes sure that any of the users in the system cannot later deny the message they sent can only be guaranteed with the help of wireless public key infrastructure (WPKI) and digital certificates. 16

29 1. Public Key Infrastructure and SIM Cards Every user of the system is listed in a publicly available directory. A Certification Authority (CA) maintains the publicly available directory, which is responsible for issuing and revoking digital certificates. A digital certificate contains the public key of a user in the system. This framework is known as Public Key Infrastructure (PKI). A user normally maintains his or her private key confidentially in a personal secure environment. SIM cards have the ability to store and process private keys. 2. Protocols A protocol that describes the transaction between a customer and a merchant is created where each using his or her mobile phone and a mobile payment application service provider as an intermediary. It is assumed that customers and merchants are registered as users with the mobile payment application service provider and with their respective bank account details as well as both of them have valid digital certificates (see Appendix I). 2.5 Secure Mobile Phone Payment Application This is a simple, illustrative conceptual model that describes the relationship between the major participants in a mobile phone payment system. There is the customer (user), the merchant (agent), financial institution (bank) and a third party (certifying authority). The mobile payment application service provider (MASP) provides the necessary technical infrastructure; hardware and software to facilitate mobile phone payments and acts as an intermediary between the financial institutions and mobile phone network/service operators. The MASP registers users who would like to avail for the mobile payment service. The users, customers and merchants have to be registered with the MASP prior to using the service. At the time of registration the MASP collects the bank account details or credit card details of the customer and merchant as well as their valid digital certificates. The mobile phone numbers of the customer and the merchant are mapped to their respective bank accounts and this mapping is maintained by the MASP. The users are provided with a client mobile payment application mobile wallet that is either resident on their phones or else in 17

30 the SIM card. This application may be provided over the air (OTA) to the users and merchants. The mobile wallet will normally interact with the MASP server. Figure 2.3: Secure Mobile Payment Application Source : Carr (2007) From the above illustration, a mobile phone user communicates with a merchant and makes a business transaction, for example, buying a ticket for a concert using the phone. The merchant then obtains the phone number of the customer and initiates the mobile phone payment transaction request stating the amount for which payment is 18

31 required. The customer confirms the request and authorizes payment. The MASP receives the authorization and verifies the authenticity of the customer. The MASP then debits the customer account and credits the merchant account by interacting with the bank. Once the electronic funds transfer is successful a confirmation message is sent to the customer and the merchant advising them of the debit and credit respectively. The Certifying Authority supplies digital certificates for the users in the system to provide security. Figure 2.3 shows that this model can be extended to handle the interaction between the MASP and the financial system taking into account inter-bank payments and settlement. 2.6 Theoretical Framework This study was anchored on the broad theoretic framework of the Technology Acceptance Model (TAM). The TAM model was chosen due to its solid framework for identifying issues that affect user acceptance of a wide range of end user computing technologies that provide technical solutions. This framework stresses out the perceived ease of use and perceived usefulness that affects the intention of use (Davis, 1991), (Davis & Venkatesh, 2004) as shown in figure 2.4 Perceived Usefulness External Variables Perceived Ease of use Behavioural Intention Actual System use Figure 2.4: The Technology Acceptance Model Source: Davis (1991) Perceived ease of use affects the perceived usefulness. The technology acceptance model deals with perceptions; it is not based on observing real usage but users reporting their conceptions (Davis 1991). The effects of cybersecurity on mobile phone payment systems research is therefore well suited to apply this framework as it deals with user perception and usage of the system. 19

32 According to Kaasinen (2005), the TAM model has the following three components; perceived ease of use, perceived value and trust. These three components affect the usage, acceptance and the intention of using a mobile services and systems. To move from an intention to use to real usage, the user has to take the product/service or technology into use. Perceived usefulness and ease of use were the main attributes determining the acceptance. In mobile payment systems and services, there are two important factors perceived risk and trust that can affect the acceptance and use of the service/system. Heikkinen (2009) writes that for consumers using systems or services for example, a payment instrument, it must be easy to access/get, understand and use. Also, it must be widely acceptable that is, nobody wants to experience disappointments at the counter when a purchase is to be effected but can t, only because payment is not acceptable or cannot be paid for. The payment system/service also should be safe from risks and threats like criminal use, fraud, as well as technical disturbances such as denial of services etc. However, these are the major risks facing these systems and as such they must be dealt with. Mobile phone services are increasingly becoming the favorable choice for mobile phone users due to their characteristics of handling personal information, for instance due to the personalization and context-awareness of the services. Mobile phone service networks are getting quite complex and the user may not know with whom he/ she is transacting. Technical infrastructures as well as the rapidly developed services are prone to errors. All these issues raise risk and trust issues that determine user acceptance. Trust has been proposed as an additional acceptance criterion for mobile services by (Chiravuri & Nazareth, 2001). It has therefore been included in the studies of personalization and customizing mobile services for users as shown in figure 2.5. External variables Perceived Value Perceived Ease of use Trust Intention to Use Perceived Ease of Adoption Taking into use Usage Behavior Figure 2.5: Technology Acceptance Model for Mobile Services as an extension and modification of TAM Source: Chiravuri & Nazareth (2001) 20

33 Kaasinen (2005) modified the original TAM model and included the trust component. She wrote that when consumers are using mobile phone services that are provided to them via complex mobile phone service networks, trust in the service providers also becomes an issue. Also, as mobile phone services collect and use more and more information about the usage environment and the user, ethical issues need more attention, especially ensuring the privacy of the user. Also, as the users get more and more dependent on mobile services, reliability of the technology and conveying information about reliability to the user becomes more important. She also wrote that, consumer trust in mobile services includes perceived reliability of the technology and the service provider, reliance on the service in planned usage situations, and the user s confidence that (s)he can keep the service under control and that the service will not misuse his/her personal data. According to Njenga (2009), mobile phone services in Kenya has been accepted and is widely been adopted more so in respect to the storage of money; mobile banking. From the report, 96% of the respondents use the service as a savings store. 90% of the respondents use the service for cash deposits while 87% for withdrawals this service has made banking easier. Also, the report indicates that only a few respondents use the service for bill payments due to the lack of confidence in using the system. It is therefore important that for there to be wide acceptance of the system/service, the student researcher proposed the technology acceptance model to be adjusted and a component on security issues be included. As the model is as it were, it didn t present all the components necessary for the adoption of mobile phone money acceptance, adoption and usage, the new proposed framework is as shown below in figure 2.6. External Variables (Availability of Service, and Information) Figure 2.6: Modified Technology Acceptance Model for Mobile Phone Services with Security Source: Researcher Perceived Value Perceived Ease of use Trust Intention to Use Security Perceived Ease of Adoption Taking into use Usage Behavior 21

34 The proposed new modified TAM model adds a new component of security which aims to stress the point that for end users to accept and be confident to use the system/service, they must be assured that the system is free from the risk of fraud, loss of privacy or even loss of service whenever needed. 2.7 Conceptual Framework Independent Variables i. Fraud and Cyber Insecurity ii. Effectiveness of Information released to the Public iii. CCK regulation on Mobile Phone Money iv. Level of Accessibility v. Providers Efforts in Educating the Public vi. Frequency of Usage vii. Merchants Opinion Dependent Variables Usage of Mobile Phone Money System i. Poor Network Coverage ii. Fewer Merchants/Agents iii. Culture Intervening Variables Figure 2.7: Conceptual Framework Source: Researcher 22

35 CHAPTER THREE RESEARCH METHODOLOGY 3.1 Research Design The research was guided and conducted using the cross sectional survey design. A selected representative sample was interviewed and/or asked to respond to wellstructured questionnaires and interview schedules. The research design was suitable for the collection of data from several respondents at one point (Kothari, 2010). The research conducted was descriptive which means that it aimed to describe the true state of affairs as they existed. Descriptive statistics was further used to analyze the variables and correlation analysis conducted to investigate the relationship between the existing variables. Through in depth interviews and supporting literature the researcher was be able to summarize the effects of cybersecurity on mobile phone payment systems in Nairobi Central Business District. 3.2 Study Area The research study was conducted in Nairobi Central Business District (CBD). This area was chosen due to its main characteristic of being; the financial, the governance and the legislative capital of the country representing a blend of the entire population. 3.3 Target Population The target population for the research was the dominant mobile phone service provider; Safaricom, Safaricom mobile phone subscribers, and Safaricom M-PESA money agents/merchants. The Nairobi CBD comprises of 352 M-PESA agents and/or merchants (Safaricom, 2012b) and approximately 3,138,369 people (Ministry of State Planning, National Development and Vision 2030, 2010) most of whom are mobile phone users both M-PESA agents and M-PESA subscribers. 23

36 3.4 Sample Size and Sampling Procedure A purposive sampling procedure was used to collect data from the mobile phone service providers and 10 is the number of respondents sampled from the company. A proportionate stratified random sampling technique was in turn employed in the CBD to seek responses from mobile phone users and mobile phone money merchants. According to Yamane Taro s study (as cited in Israel, 2012), the sample size was calculated using the following formula; ( ) Where; n is the sample size, N is the population (approximately 3,138,369) and e is the level of precision (sampling error or 90% confidence level) ( ) On applying the formula, was the result and after the round off 100 was the number chosen to be utilized in the study. The sample size 100 respondents was therefore a representative of the population in the Nairobi CBD. Since there are two types of respondents, an equal proportion from the sample size was used to represent both the mobile phone money users and subscribers while the other mobile phone money merchant/agent as represented in Table 3.1. Table 3.1: Respondents Distribution, Sample Size S/No. Respondents No. Sampled 1 Mobile Service Provider(Safaricom Technical Staff) 11 2 Mobile Phone Money Agents/Merchants 50 3 Mobile Phone Money Users 50 Total 111 Source: Researcher 24

37 3.5 Data Collection Procedures Data collection was administered by the researcher and two tools were employed from both the primary and secondary sources. 3.6 Instrumentation The research study applied two types of instruments to collect data. From the mobile phone user/subscriber and mobile phone money agent and or merchant. Interviews were employed when it came to interrogation of the technical staff of the mobile service provider (Safaricom) as primary data and secondary data from journals and journal articles, magazines, books as well as published and unpublished research works Validity of Instruments An expert (supervisor) was consulted to scrutinize the relevance of the questionnaire items against the objectives of the study and there was a strong signal of them being relevant to the study. Again, the instruments were checked to ensure they produced accurate and credible results Reliability of Instruments Reliability test were conducted to determine the consistency of the scales used to measure the study variables. The instruments were designed with main focus being on content where the information collected from the respondents would provide stable ground for analysis and portray a true picture; that the information was merely a representation of the entire population. 3.7 Data Analysis and Presentation The data collected was cleaned, coded and stored as a database of statistics and analysed using descriptive statistics for example, frequency distributions, weighted averages, and descriptive variables, correlations and linear regression models. 25

38 No. of Responses CHAPTER FOUR DATA ANALYSIS, DISCUSSIONS AND PRESENTATIONS 4.1. Characteristics of Respondents The research was characterized by three sets of respondents who were expected to respond to the call; mobile phone money user (45.45%), mobile phone money merchant/agent (45.45%) and the mobile phone money service provider (9.09%) see Table 4.1. Table 4.1: Respondents Distribution S\No Item/Description Value (%) Mobile Phone Service Provider Mobile Phone Merchant/Agent Mobile Phone User/Subscriber Total Source: Research Data 42 (84%) respondents responded with reliable data to be used in the research from the mobile phone users as seen see Figure 4.1 below Reliable Type of Responses Unreliable Figure 4.1: Mobile Phone Users Source: Research Data 26

39 No. of Responses 39(78%) respondents from the mobile phone merchants/agents provided reliable data to be used in the research as shown in Figure Reliable 11 Unreliable Type of Responses Figure 4.2: Mobile Phone Merchants/Agents Source: Research Data 4.2. Reasons for Subscription to Safaricom Mobile Money Service Majority(100%) of the mobile phone merchants and agents interviewed stressed out that the main reasons they have chosen to use Safaricom mobile money service is because of its ease of access, affordability, it being widely accepted, of high quality, and being reliable as described in Table 4.2. Table 4.2: Reasons of choosing Safaricom MPESA VH FH A FP VP Reasons f i Ʃf i w i Ʃf i w i /f i Ease of access Affordability Acceptability High Quality Reliability Others Key: VH-Very High, FH-Fairly High, A-Average, FP-Fairly Poor, VP-Very Poor, f-no. of Respondents, w- Weight of Score Source: Research Data 27

40 4.3. Existing Mobile Phone Usage Mobile Phone User 8 respondents representing a 19.05% from the sample have had and used mobile phones below two year, 20 respondents representing 47.62% indicate that they have had and used mobile phones between 2 years and 5 years while 14 respondents representing 33.33% have had and used in the last 5 years. See Figure 4.3 for more details Figure 4.3: Ordinary Mobile Phone User Source: Research Data Mobile Phone Money Merchant In relation to the mobile phone merchant questionnaire, the following were the findings; 27 respondents representing % indicated that they have used mobile phones between 2 years and 5 years. 12 respondents representing 30.77% indicated that they have used mobile phone for over 5 years, see Figure

41 Figure 4.4: Duration of Usage with Mobile devices Source: Research Data 4.4. Frequency of Mobile Phone Usage From the mobile phone user, 23 respondents representing, see Figure

42 Figure 4.5: Frequency of Mobile Usage Source: Research Data 4.5. Level of Accessibility Majority (100%) of the mobile phone money merchant s respondent to this question asking them to rate the level of accessibility in Nairobi Central Business District and why they have chosen the service compared to others. All of them stressed that the service is very accessible in Nairobi CBD Money Spent on Mobile Phone per Week From the information, 9.76 % of the respondents use below 200 shillings, % use between 200 and 500 shillings, % of the respondents indicated that they spend between 500 and 1000 shillings while % of the respondents spend above 1000 shillings. See Figure

43 Figure 4.6: Money Spent per Week Source: Research Data 4.7. Mobile Phone Money Subscription In relation to mobile phone money subscription, the following were the findings, 39 of the respondents representing a 95.10% indicated that they have subscribed to Safaricom mobile money while 1 representing a 4.88% indicates that hasn t subscribed, Figure

44 Figure 4.7: Safaricom Mobile Money Subscription Source: Research Data 4.8. Usage of Mobile Phone Money Service According to the responses, the following were observed, 32 representing a 31.00% of the population use Safaricom mobile money service for sending money, 35 representing a 34.00% on the other hand use for receiving money, 29 representing 28.00% indicate that they use for paying bills, 5 representing 5.00% buy goods and services, 2 respondents representing 2.00% indicated that they use Safaricom mobile money service for other services not indicated see Figure