Better banking together

Guarding Your Digital Wallet

The days of lining up at banks for financial transactions are long gone. Back then, carrying bundles of cash in a bag while nervously glancing over your shoulder was common, as the fear of being robbed—even in broad daylight—was all too real. Thankfully, advances in technology and software have transformed this experience, eliminating the need to carry cash and replacing anxiety with convenience. In today's digital age, financial technology has changed how people interact with money, especially in developing nations like Bangladesh. The advent of mobile financial services (MFS) has been a game-changer, allowing millions of Bangladeshis, including those in remote areas, to carry out financial transactions conveniently. Leading banks and NBFIs in the country, such as City Bank, Dhaka Bank, BRAC Bank and IDLC, have also collaborated with MFS companies. However, is digital cash safe?

Despite its success, the country's financial sector has faced alarming incidents of fraud and cyberattacks. A notable example is the 2016 Bangladesh Bank heist, where cybercriminals exploited vulnerabilities to siphon off $81 million. Although the MFS sector operates differently, it is not immune to cybersecurity threats.

A report by Kaspersky Lab in 2021 ranked Bangladesh third on the list of countries at risk of malware attacks on smartphones, indicating that approximately 26% of smartphone users in Bangladesh are at risk of malware attacks—a significant increase from previous years. Another study, titled "Cybersecurity Landscape of Banking in Bangladesh and Recommendations" (2022), concluded that the financial sector faces an alarming average of 630 cyberattacks daily. These threats manifest in various forms, including phishing scams, SIM swapping, and social engineering attacks that exploit users' limited digital literacy.

For the unbanked population, who rely heavily on MFS for their livelihoods, even a small financial loss can be devastating. Thus, addressing data security and privacy concerns is essential for ensuring the continued growth of, and trust in, this industry.

Limited Digital Literacy

A significant portion of the population lacks the necessary skills to navigate digital platforms securely. Many users rely on intermediaries for transactions, which increases their exposure to fraud. Another segment of MFS users consists of rural, unbanked individuals with minimal education and limited understanding of digital security. Many do not understand the importance of safeguarding PIN codes or recognising phishing attempts. Numerous incidents involve users unwittingly sharing sensitive information, such as One-Time Passwords (OTPs) and Personal Identification Numbers (PINs), with scammers, leading to unauthorised transactions and financial losses. Although banks and MFS companies repeatedly remind people not to share their PINs, OTPs, or NID information, many still fall prey to these scams due to a lack of awareness.

An official working in the MFS sector, specifically catering to the unbanked population, shared insights into the challenges of serving rural communities. A significant part of their work involves educating people in these areas about using mobile wallets and the importance of safeguarding their personal data. However, the official revealed that despite their efforts, many rural individuals struggle to grasp these concepts. In their attempts to seek guidance, they often unknowingly share sensitive information, such as their PINs, leaving them vulnerable to fraud.

The official attributed this challenge to a combination of factors: the lack of basic education in rural communities and the relatively new nature of digital financial services. For many, understanding and navigating MFS wallets is akin to crossing a daunting bridge. Simple tasks, like cashing out earnings, can become overwhelming, as the digital interface feels unfamiliar and intimidating. This highlights the urgent need for tailored educational initiatives and intuitive financial solutions to help bridge the gap between rural populations and the digital finance ecosystem.

Dependence on Intermediaries

Rural users often depend on local agents or family members to perform transactions, which can lead to errors and data breaches when sensitive information is shared. A study by Userhub in October 2024 revealed that this population cited unfamiliarity with technology and the complexity of the processes involved as prime reasons for such dependency. One participant explained, "I didn't know the process after selecting the first step; that is why I went to my neighbour to help me pay the bill."

During the study, agents, too, acknowledged their role as intermediaries, frequently assisting individuals with account setup, payment processing, and resolving transaction errors. However, this heavy reliance on intermediaries often introduces challenges. Mistakes, such as inputting incorrect information, are common, and the risk of exposing sensitive data, like PINs, increases significantly in such situations. This dependency underscores the critical need for user-friendly systems and enhanced digital literacy to empower individuals and reduce reliance on third parties.

Social Engineering

Social engineering attacks exploit human psychology to manipulate users into performing actions that compromise their security, such as clicking on malicious links or downloading malware. One common example involves customers being drawn into voice conversations over a phone call. Fraudsters either threaten users with losing access to their accounts or lure them with impractical monetary offers or gifts. In doing so, they manipulate the customers' mindset to elicit their PINs or other security credentials.

As one of the leading MFS companies in the country, bKash is well-acquainted with the challenges in this finance sector. Mohammad Azmal Huda, Chief Product and Technology Officer (CPTO) of bKash, shares: "bKash has been working persistently to protect customers in three parallel measures. Firstly, technologically detecting the attempts and blocking the device or user using AI. Secondly, reviewing processes to make the journey difficult or impossible for the fraudsters. And finally, creating adequate awareness among customers to avoid such attempts."

Users can also take some measures to mitigate such challenges. Fahim Shahriar, an industry expert, emphasises that two-way authentication is crucial for data safety. It adds an extra layer of security by requiring users to verify their identity twice before accessing their accounts. For instance, when logging in or making a transaction, a user might need to input both their PIN and a one-time password (OTP) sent to their phone. This ensures that even if someone guesses the PIN, they cannot access the account without the OTP. "The combination of your PIN and OTP makes sure no one can access your MFS account other than you," he adds.

However, PIN code safety is paramount and should be treated with the same caution as safeguarding the keys to a secure vault. Users must ensure their PINs remain confidential, refraining from sharing them with anyone, including family members or trusted friends. It is equally important to avoid using easily guessable combinations, such as birthdays, anniversaries, or simple sequences like '1234' or '0000,' as these significantly increase vulnerability to unauthorised access. To further enhance security, users are encouraged to periodically change their PINs, reducing the risk of compromise over time.
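The PIN guidance above, expressed as a check a service could run when a customer sets or changes a PIN. This is an added example, not code from the article or from any MFS provider; the function names, the 4 to 6 digit length and the repeated-block rule (e.g. '1212') are assumptions that go slightly beyond the categories the article names.

```python
from datetime import date


def date_pins(d: date) -> set[str]:
    """Digit strings a person is likely to build from one date (DDMM, MMYY, ...)."""
    days = {f"{d.day:02d}", str(d.day)}
    months = {f"{d.month:02d}", str(d.month)}
    years = {f"{d.year:04d}", f"{d.year % 100:02d}"}
    out = set(years)
    for dd in days:
        for mm in months:
            out |= {dd + mm, mm + dd}
            for yy in years:
                out |= {dd + mm + yy, mm + dd + yy, yy + mm + dd}
    for mm in months:
        for yy in years:
            out |= {mm + yy, yy + mm}
    return out


def pin_weaknesses(pin: str, personal_dates=(), min_len: int = 4, max_len: int = 6) -> list[str]:
    """Return the reasons a PIN should be rejected; an empty list means it passes.

    personal_dates: dates the service already holds for the customer
    (birthday, anniversary). Length limits are assumed, not from the article.
    """
    if not (pin.isascii() and pin.isdigit() and min_len <= len(pin) <= max_len):
        return ["format"]

    reasons = []
    # Step between neighbouring digits, modulo 10 so '7890' counts as a run.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {0}:
        reasons.append("repeated-digit")      # '0000'
    elif steps in ({1}, {9}):
        reasons.append("sequence")            # '1234', '4321'
    elif pin in (pin + pin)[1:-1]:
        reasons.append("repeated-block")      # '1212', '123123'

    if any(pin in date_pins(d) for d in personal_dates):
        reasons.append("personal-date")       # birthday or anniversary
    return reasons


if __name__ == "__main__":
    # Constructed sample customer: birthday 15 March 1990.
    birthday = date(1990, 3, 15)
    for candidate in ["1234", "0000", "1212", "1503", "150390", "7291"]:
        print(candidate, pin_weaknesses(candidate, [birthday]) or "ok")
```

A check like this only covers PIN choice; it does nothing against a customer being talked into disclosing a strong PIN, which is why the article pairs it with OTPs and awareness.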

"There is no alternative to awareness to keep MFS accounts secure. In this regard, customers shouldn't share their PINs and OTPs at any cost to keep their accounts secured. As part of an awareness drive, bKash circulates advertisements in the media, engages customers on social media platforms, arranges street plays and songs, and sends text messages or notifications through phone calls or apps," adds Azmal Huda.

He continues: "As a fintech, bKash prioritises safeguarding users' data. In this regard, bKash has implemented several measures, including data encryption, multi-factor authentication (MFA) to verify user identity, access control on user data, periodic security audits by third-party auditors, penetration testing to examine resilience against cyber threats, and regular training for employees on best security practices."

Data security is not just a technical concern; it is a shared responsibility between users and service providers. For users, being cautious about their digital habits can make a significant difference. For MFS companies, investing in cutting-edge technologies and user education can help build trust and ensure sustainable growth.

Regulators also need to strengthen efforts to ensure cybersecurity. Bangladesh Bank has already established effective regulations regarding MFS practices through the Bangladesh MFS Regulations-2018. Furthermore, the Bangladesh Financial Intelligence Unit (BFIU) has introduced detailed Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) guidelines for MFS providers to strictly adhere to in order to thwart possible Money Laundering and Terrorist Financing (ML & TF) risks.

The MFS industry in Bangladesh is at a crossroads, where rapid growth presents both opportunities and challenges. Ensuring data security and privacy is crucial for maintaining user trust and driving financial inclusion. Through collective efforts from users, companies, and regulators, the industry can address existing vulnerabilities and pave the way for a safer digital future.
