tashka2000 - Fotolia

How does the M-Pesa service work and what are the risks?

How does mobile microfinancing service M-Pesa allow users to make transactions without a bank account? Expert Michael Cobb explains how it works and M-Pesa security measures.

I've heard about a new mobile microfinancing application/service called M-Pesa, which is gaining popularity overseas on cheap mobile phones. How does it work, and how does M-Pesa security protect financial transactions on low-grade devices?

The M-Pesa service -- M for mobile, pesa is Swahili for money -- was launched in 2007 by Vodafone and is a transactional and store of value platform. It allows users to deposit, withdraw and transfer money, as well as pay for goods and services with a mobile device, all without needing a bank account. It has proved very popular with millions of users in over 10 countries, including India, South Africa and Egypt.

M-Pesa is not a cryptocurrency like bitcoin; there is no anonymity and users have to deposit and withdraw money via a network of M-Pesa agents. These agents have to review original identification documents of anyone opening an account in order to fulfill the same Know Your Customer requirements that banks are obliged to meet. All money deposited in the M-Pesa service accounts is held in escrow, so funds remain at all times the property of M-Pesa users. As every transaction completed on the M-Pesa platform is electronic, it can be monitored by the local providers, which run anti-money laundering checks and provide regular reports to the appropriate regulator. There are also cash in, cash out and transfer transaction limits, so the M-Pesa service is not an attractive option for criminals looking to launder money, particularly as the location of the device used for a transaction can be recorded. Cryptocurrencies, on the other hand, allow individuals to send and receive payments without intermediary financial institutions and are not backed by currency deposits, relying instead on a shared public ledger called a block chain to record and validate transactions and ownership. They are not aligned to any form of regulatory framework and are not legal tender in many countries.

The M-Pesa service allows users to transfer money from their M-Pesa account, using PIN-secured SMS text messages, to other users and nonusers, who can then exchange it for real money. This reduces the risks associated with counterfeit notes, insecure money deliveries and having to carry cash. M-Pesa has introduced a feature called Hakikisha to reduce the chances of an attacker being able to spoof transaction authorizations and minimize cases of users sending money to unintended recipients, by showing a pop-up screen that contains the details of the intended recipient prior to the transaction being completed. Of course, criminals can still steal someone's mobile device, but all M-Pesa service transactions have to be confirmed by entering a 4-letter PIN and the application locks after five consecutive incorrect PINs are entered. There is also the additional risk for the criminal of having to be physically present at an M-Pesa agent to withdraw any money.

The internal security of the M-Pesa platform is somewhat of an unknown. It will no doubt come under attack like any other service handling financial transactions, but the low transaction limits and physical presence requirement to withdraw cash make it a less attractive a target than many other mobile payment systems.

Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Learn more about bitcoin and cryptocurrency safety

Discover how traditional banking is changing with mobile payments

Read more on the pros and cons of other disruptive technologies like M-Pesa

Dig Deeper on Network security