There are fresh concerns over an alleged illegal surge in mining of data belonging to Nigerians through point of sales (PoS) terminals, a situation that is threatening the survival of agent banking, a scheme initiated to deepen financial inclusion in the country.
The Central Bank of Nigeria (CBN) puts financial inclusion in Nigeria at 64 per cent and hopes to increase it to 95 per cent by 2024. But the flagship programme for advancing the cause is faltering as criminals are threatening to hijack the system for sinister gains.
The financial inclusion drive has been confronted with many challenges and lately, cases of illegal mining of customers’ data across the board, leading to financial losses which are on the rise. There is a guesstimate of over 250 fintech companies in Nigeria with a lot of the companies securing offshore funds to advance their operations.
Increasingly, criminals with sophisticated tools are actively targeting vulnerable merchant PoS terminals, mining payment card data and PINs for card cloning and other fraud purposes, The Guardian learnt.
Ordinarily, data mining is the process of sorting through large data sets to identify patterns and relationships that can help solve business problems through analysis. Lately, the practice has become dangerously exploitative, as cyber criminals through various platforms are exploiting the vulnerabilities of unsuspecting individuals to wreak havoc, largely financials on them.
The art is brewing concern across the ecosystem. While the agent banking system is thriving and has encouraged a surge in PoS usage and transactions in the country, the challenge posed by illegal data mining appears to be fiercest.
The CBN, through the Shared Agent Network Expansion Facilities (SANEF), said the number of agents in the country is now over 1.4 million from just 86,000 on record in 2018, just as checks by The Guardian showed that the number of PoS terminals deployed by merchants and individuals rose to 1.8 million in March, representing a 75 per cent increase year-on-year when compared with the number of deployed terminals in the same period last year, which was 1.04 million.
The March 2023 figure indicated that 776,089 new PoS terminals were deployed within the last few months.
According to the Nigeria Inter-Bank Settlement System (NIBSS) Plc data, a total of 2.329 million PoS machines had been registered across the country as of December 2022, which shows that a total of 504,572 terminals are either yet to be deployed or have become inactive.
PoS terminals were introduced in the country in 2012 to promote the cashless policy. Its popularity rose during the 2020 COVID-19 lockdowns, which stopped people from going to the banks.
Industry sources that raised this alleged illegal data mining alarm, pointed largely to terminals operated by some digital banks, especially two firms (fintechs) operated by Asians.
Checks showed that the two operators have over a million mobile banking agents spread across the country. The allegations suggest that there is software in the terminals largely used to siphon peoples’ data from Nigeria and funnel it to other parts of the world for use.
It was gathered that apart from the risk of possible financial losses, the operators are also to use siphoned data for product and service design. They are used to develop products or services that target customers.
Today, data privacy is one of the biggest issues globally. But there are concerns about safety and monitoring in Nigeria with experts demanding more attention to the issues
While this challenge remains, The Guardian also gathered that many fraudsters are now hiding under the guise of “PoS agents” to defraud unsuspecting members of the public through data theft.
Worrisome also is the fact that many untrained agents have fallen into the traps of fraudulent customers, who come around to make transactions with either fake alerts or currencies. In this case, there are two groups of criminals at two different agent locations. One group will request for the agent account to receive some funds while the ones at the other end request for urgent fund transfer to a relative and in the melee, they pay with fake currencies.
There is also swapping of ATM cards, another criminal trend gaining popularity. This happens with the exchange of the victim’s card with that of the defrauding agent, thereby obtaining the ATM card details of the customers. The criminals also often take photographs of ATM cards of their targets, thereby using the information to defraud the customers.
Reports of fraudulent activities have made some wonder how customers’ details are obtained for theft.
Confirming the possibility of users’ data siphoned from PoS, a banker in one of the new generation banks, who preferred anonymity, said data can be downloaded from customers’ ATM cards if a chip is planted in the machine to read and copy card information.
He advised customers not to expose information such as card verification value (CVV) and expiration date of their debit card to POS operators.
The banker said most customers get debited because important information about their accounts had been disclosed to a third party.
“It is important they keep account and debit card-related information safe,” the banker added.
Narrating his experience, a frequent PoS user, who just relocated from Plateau to Lagos, Benjamin Johnson, said after making a cash transaction at a PoS shop in Jos in August, his ATM card information was extracted and used to fund a Nairabet account.
“I was confused and suddenly began sweating after I woke up the next day to see several debit alerts on my phone,” he added.
According to Johnson, he first withdrew N20, 000 from his account, at PoS with the transaction successfully performed.
“But at about 1:23 a.m. the next day, I received several debit alerts from my account. The money meant for my clients was entirely withdrawn. In all, N350,000 was debited, and the account was left with just N15, 500.
“When I took my complaint to my bank branch in Jos, I was told by the Manager that my card details had been compromised and used online to fund a Nairabet wallet,” he recalled.
Rising in defence of PoS operators, the National Public Relations Officer, Association of Mobile Money and Bank Agents in Nigeria (AMMBAN), Oluwasegun Elegbede, said such news is everywhere lately, but “people are seriously getting it wrong. If I say I have not heard of such reports, I will be lying. These are impressions that we always try to correct across the board. I believe this is a result of the knowledge gap in the industry.”
Elegbede claimed no PoS terminal harvests customers’ information.
He explained: “The first thing we need to understand is that every PoS terminal you have out there that is working in the banking ecosystem in Nigeria has identities. They have terminal IDs and are traceable to a particular financial institution and NIBSS.
“NIBSS is the one that sits on that infrastructure and has all of the information. So, there is no way the terminals will be out there and harmful to the financial security of the citizenry and they would not do anything about it.
“So, what I think is happening is that people do not know how to keep or guard their vital information. Some of these people, who play up these claims, if you monitor very well and investigate, are the people, who give the third party their cards to go and do transactions on their behalf forgetting that apart from giving your PIN, some of these guys (relatives, apprentice) sent to carry out transactions on their behalf are the ones most times that perpetrate crimes later with information of their supervisors.
“Individuals cannot bring in PoS. You have to be licensed before you can bring PoS into this country. It is a well-regulated sub-sector. So, no single PoS out there that is built by an individual or syndicates. “
But speaking with The Guardian, the National Commissioner of the Nigeria Data Protection Commission (NDPC), Dr. Vincent Olatunji, confirmed that the commission has been overwhelmed with information on data warehousing through PoS platforms.
Vincent said NDPC is aware of these allegations that data of Nigerians are being harvested somewhere by some people through PoS terminals and other means.
“But aside from the fact that we have commenced investigations into that, we are also educating lots of organisations, including banks, schools, digital learning companies that we have had courses to investigate on these issues and others. Nonetheless, the most important thing is to take them through compliance,” he said.
Speaking on regulatory lapses in PoS and Agent banking in Nigeria, Founder/CEO of PhoonePoS Technology Solutions Inc. USA, Olaniyi Adeosun, said the regulation focuses on how the super agents, sole agents, sub-agents and PoS operators should function, which is what the CBN wants to achieve.
“But has the body achieved that purpose? Yes, it has achieved its purpose. Has that purpose brought value to the public? Yes, but at a steep price. For instance, during the cash crunch period, the point of sales operator and agents fleeced the public by arbitrarily overcharging the customers as high as 50 per cent. Even merchants were part of the arbitrary increase,” he stated.
Adeosun noted that the CBN guideline mandates the body to monitor agent relationships to ensure these agents comply with relevant regulations.
“I am not sure the body has done this monitoring adequately, specifically during the period under review. The agents and PoS operators have become lords, especially in areas and states where banks do not operate. For instance, in some parts of Ekiti, Ikirun, Ife, Ijebu, and neighbouring cities where there are no banks, the agents’ operations are not monitored. In these areas, there are fewer agents. Therefore, these agents charged customers a steep fee to access banking services either for cash in, cash out, bill payment, etc.
“Because of these lapses on the side of the CBN, the agents and PoS operators engage in unethical behaviours to maximise profit at the expense of the customers. The CBN needs to look into the loophole and apply sanctions where it is needed,” he stated.
