Evaluation of Key Security Issues Associated with Mobile Money Systems in Uganda

Smartphone technology has improved access to mobile money services (MMS) and successful mobile money deployment has brought massive benefits to the unbanked population in both rural and urban areas of Uganda. Despite its enormous benefits, embracing the usage and acceptance of mobile money has mostly been low due to security issues and challenges associated with the system. As a result, there is a need to carry out a survey to evaluate the key security issues associated with mobile money systems in Uganda. The study employed a descriptive research design and a stratified random sampling technique to group the population. Krejcie and Morgan's formula was used to determine the sample size for the study. The collection of data was through the administration of structured questionnaires, where 741 were filled by registered mobile money (MM) users, 447 by registered MM agents, and 52 by mobile network operators' (MNOs) IT officers of the mobile money service providers (MMSPs) in Uganda. The collected data were analyzed using RStudio software. Statistical techniques like descriptive analysis and the Pearson Chi-Square test were used in data analysis, and mean (M) > 3.0 and p-value < 0.05 were considered statistically significant. The findings revealed that the key security issues are identity theft, authentication attack, phishing attack, vishing attack, SMiShing attack, personal identification number (PIN) sharing, and agent-driven fraud. Based on these findings, the use of better access controls, customer awareness campaigns, agent training on acceptable practices, strict measures against fraudsters, high-value transaction monitoring by the service providers, and developing a comprehensive legal document to run mobile money service were some of the proposed mitigation measures. This study, therefore, provides a baseline survey to help MNOs and the government that would wish to implement secure mobile money systems.


Introduction
The increased diffusion of powerful mobile devices like smartphones has transformed how users access mobile financial services such as mobile money. This has made many developing nations embrace mobile money as a potential payment platform. Mobile money is defined as a wide scope of financial services accessible on a mobile phone [1]. Talom and Tengeh [2] further added that mobile money is a service that allows customers to get access to financial services by using mobile devices and dialing unstructured supplementary service data (USSD) codes. According to the Global System for Mobile Communications (GSMA) [3], mobile money is now available in over 90 countries with three-quarters being lower and middle-income countries. It has thus emerged as the leading payment applications could use reverse engineering to attack passwords or PINs and encryption keys. According to Akomea-Frimpong et al. [39], most of the mobile money systems are not properly protected, giving IT fraudsters the ability to hack the systems and steal customer money.
ii. Identity Theft: Mtaho [7] observed that mobile money agents usually incorporate mobile money businesses together with other services. Most of the well-established mobile money offices have many staff members who serve distinct services. If a dishonest member of staff happens to know the PIN of a colleague in the office, he/she can carry out unauthorized transactions at the expense of the colleague. This is consistent with the submission of Trulioo [40], who noted that identity theft is usually an inside job activity through unscrupulous employees gaining unauthorized access to mobile money data that belongs to the users and then irregularly misappropriating their funds. Gwahula [37], Buku and Mazer [41] further added that identity theft results from fraudulent or offline SIM swaps by fraudsters that transfer the mobile wallet account from the customer's SIM to the fraudster's SIM, thus enabling them to have full access to the user's mobile wallet and then carry out fraudulent transactions [42,43]. According to Bosamia [9], when a customer's mobile phone is stolen, attackers can make use of any sensitive data stored in it including the PIN, and have control over the device. The mobile money PIN stored on the mobile phone will provide attackers with access to the mobile money account and then carry out fraudulent transactions [44,45].
iii. USSD Technology Vulnerabilities: Nyamtiga, Anael, and Loserian [46] define USSD as a session-based, real-time communication technology used by the GSM network to provide additional services between a mobile client and an application server. Talom and Tengeh [2] further expanded the definition as a communications protocol for mobile communication technology used to send text between mobile phones and an application program in a mobile network without having access to the internet. The greatest risk of USSD is that information carried within the communication channel is not encrypted, thus making USSD data vulnerable to attacks [2,14,46]. This is consistent with the submission of Mtaho [7], who noted that during the verification process, the client enters the PIN, which passes through the USSD system to the server in plain text; thus, attackers using network sniffer software such as Wireshark can intercept it. Phipps et al. [47] further reported that there is also a threat of redirection of USSD by attackers. This is by using ThinSIM, which can leverage the call control to redirect the USSD connection to a server owned by the attacker.
iv. SMiShing and Vishing Attacks: According to Maseno, Ogao, and Matende [48], a smishing attack is where fraudsters use an emotional delusional SMS to trick users into revealing their mobile money PIN. When used, an attacker can send SMS to the user(s) to "confirm" a payment when no money has been transferred. A vishing attack, on the other hand, is where attackers use anonymous phone calls or false promotions to trick users into disclosing their PINs or other sensitive personal information that is used to steal from their mobile money accounts [27,48]. This is in line with the submissions of Gilman and Joyce [44], Buku and Mazer [41], Lonie [45], Akomea-Frimpong et al. [39], who reported that phishing or social engineering frauds such as fraudsters impersonating employees of service providers are common with mobile money. They added that the fraudsters send false promotions to users that they have won prizes and, to claim those prizes, they need to send money to the fraudster's number. Mudiri [42] also noted that fraudsters call or send fake SMS using either their mobile phones or computers to customers or agents and then guide them through various steps that later result in the transfer of money from their account to the fraudsters' account. According to a report by Kigen et al. [49], social engineering was Kenya's second-largest cyber-security concern in 2015 and vishing was the widely used method of launching attacks on mobile money platforms in Kenya, where individuals were tricked into providing sensitive information such as mobile money PIN, which led to fraudulent transactions. With the rise of vishing attacks on many Kenyan mobile platforms, no substantial research has been undertaken to offer a remedy, thus affecting the integrity of mobile transactions [48].
Kisekka [50] also confirmed that "according to MTN Uganda, some suspicious individuals have obtained PINs from customers under pretenses and have subsequently withdrawn funds from mobile money accounts of customers".
v. Brute-Force (Guessing) Attack: The brute-force attack is where attackers can predict and calculate the key required for accessing the system by using the machine-readable zone information [27,51]. Lately, the brute-force attack has become common in mobile money, where attackers utilize many channels to gain access to the user's mobile money account [44]. Reaves et al. [38] added that most mobile money applications use poor authentication such as numeric PINs that are proven ineffective against brute-force attacks.
vi. Denial-of-Service (DoS) Attack: This is where attackers target a network link with fake traffic to block requests from mobile money users to access the database [8]. Buku and Mazer [41] noted that the disruption of the network creates opportunities for fraud, mainly through offline SIM swaps and over-the-counter (OTC) transactions. When a DoS attack occurs, the organization loses revenue and the mobile money account becomes inaccessible to customers [8,9,36,37].
vii. Man-in-the-Middle Attack: According to Taban, Luhanga, and Anael [51], in a man-in-the-middle attack, the intruder intercepts a message in transit and becomes familiar with the messaging system, thereby transmitting fake data to either party. Fraudsters hack or control the traffic into the mobile money platform and manipulate accounts to perform transactions or gain benefit [38,52]. This attack may include full root exploits as well as access to partial server logs, database records, or proprietary source code [8].
viii. Salami Attack: According to Balasubramanian [53], a salami attack is where a bank employee installs a program on the bank's server to steal or deduct a small sum of money from customers' accounts and deposit it into the attacker's account without the customers realizing. Salami attacks are difficult to detect or trace because the money deducted is small. Alhassan et al. [54] also observed that attackers could hack mobile wallets by inserting a program into the wallet server to deduct a small sum of money from each wallet and deposit it into the attacker's account.
ix. Replay Attack: According to Paik [55], SMS-based services such as GCASH are prone to interception and replay attacks. In developing nations, weak algorithms such as A5 protect SMS. Attackers with scanning software can easily get these messages while in transit, modify them and then, later on, resend them to the designated receivers. The SMS originating address is also spoofable, so there is no guarantee that messages sent are safe from alteration [44].
x. Insider Threat: Findings from Serianu research indicate that over 80% of fraud within remote systems has been borne out through facilitation by insiders and employees due to inside access [56]. Organizations have lost huge amounts of money to the tune of billions of shillings because of employee fraud within companies or institutions [56]. This assertion is consistent with the submission of Gilman and Joyce [44], Trulioo [40], who observed that less scrupulous employees abuse their privileges by accessing and stealing money from customers' wallets. Various instances of mobile money fraud have been reported by Morawczynski in the press, including the Ugandan newspaper, Daily Monitor, citing a fraud incident in MTN Uganda that resulted in the theft of 10 billion (US$ 3.83 million) and USh 15 billion ($900,000) from the company, and the crime was committed by senior MTN Uganda staff [45,57]. Similarly, the same scenario also occurred in Rwanda when Tigo lost more than 495 million francs ($170,000) to staff after they conspired to manipulate the mobile money system [57].
xi. Agent-driven fraud: Many people, because of illiteracy or a general fear of making a mistake, trust agents who conduct transactions on their behalf [58]. Agents now take advantage of such people by stealing their money intended for a deposit and charging an additional amount compared to the company charge [59]. In some instances, agents also defraud their depositors and abscond with the money [60]. According to Buku and Mazer [41], some other common frauds related to agents include float loss in the agent's account resulting from unauthorized use, misuse of PINs, and fraudsters impersonating MNO staff to gain unauthorized access to an agent's float account [45]. Gilman and Joyce [44] added that some mobile money agents also transfer customer money into their accounts. Akomea-Frimpong et al. [39] noted that some mobile money agents operate in open spaces like under trees, open markets, under umbrellas, and buildings with weak locks, where they are attacked and robbed of their physical money. Customers also commit fraud against agents by giving a wrong mobile phone number repeatedly to get the agent's PIN, fake currency deposits, and physical force [8,41,45]. The 2015 surveys of the Helix Institute indicated that fraud is the primary concern of many agents [41]. The surveys found that 53% of mobile money agents in Uganda and 42% in Tanzania had experienced fraud, and Uganda recorded the highest fraud and crime rates in the region [41].
xii. Malware: According to Castle et al. [8] and Chen et al. [61], software developers often include third-party libraries in their applications and such libraries can introduce unintended vulnerabilities. Musuva-Kigen et al. [56] observed that communication networks sometimes deliver malware to mobile phones. This malware spreads in several ways, such as attaching to received SMS, internet downloads, and received Bluetooth messages. This malware then eavesdrops on user input and steals sensitive information stored on the mobile phone, such as mobile money PIN, and grants access to the intruder at will [9,62]. According to Bosamia [9], attackers often install malware through malware attachments that give them the exclusive right to redirect the users to the malicious uniform resource locator (URL), insecure Wi-Fi hotspots, fake websites, and access points so that users can avail their details to them, which they later use for mobile wallet payment without user's consent.
xiii. Mobile Phones Vulnerabilities: Mtaho [7] emphasized that a mobile phone has many security features that were left by the manufacturer without being disabled. Some of these features allow encryption of the data, but the task is left to the user. If users do not enable such features, attackers can intercept sensitive information stored in them like users' mobile money PIN. Previous studies have shown that technically skilled attackers take advantage of poor security design inside mobile money applications by creating a backdoor that allows them to login or simply circumvent poorly implemented encryption [9,62]. In addition to compromising data, mobile phones with active services, such as mobile money systems, could be accessed without approval, resulting in the stealing of money from mobile wallets [9].
xiv. Unauthorized SIM Swap: SIM swapping occurs when a fraudster uses social engineering techniques to obtain the mobile user's credentials to take control of the victim's SIM card.
With this stolen information about the victim, the fraudster can use false documents to register the SIM and take over the victim's mobile money account [9,42,44]. The fraudster can directly receive incoming calls and text messages, including access to the victim's mobile money account, thus having full access to the funds in the account [40].
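
The salami attack described in the list above leaves a recognisable shape in a transaction ledger: many small deductions from different wallets that all land in one account. The following Python code is an added example of how a service provider could search for that shape; it is not code from the study or from any operator, and the ledger layout, wallet names, thresholds and the FEES allowlist entry are assumptions, with constructed sample data.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample ledger (illustrative only, not real data).
# Columns: transaction id, source wallet, destination wallet, amount in UGX.
SAMPLE_LEDGER = """\
tx_id,src,dst,amount
t01,W1001,FEES,50
t02,W1001,W9000,40
t03,W1002,W9000,35
t04,W1003,W9000,45
t05,W1004,W9000,40
t06,W1005,W9000,30
t07,W1002,SHOP1,25000
t08,W1003,SHOP1,120000
t09,W1004,SHOP1,8000
t10,W1005,SHOP1,61000
t11,W1006,SHOP1,15000
t12,W1002,FEES,50
t13,W1003,FEES,50
t14,W1004,FEES,50
t15,W1005,FEES,50
t16,W1001,W1002,50
"""


@dataclass(frozen=True)
class Finding:
    dst: str               # account collecting the small credits
    distinct_sources: int  # number of different wallets debited
    small_debits: int      # credits at or below the small-amount limit
    total: Decimal         # total value collected by dst


def find_salami_sinks(ledger_csv,
                      small_limit=Decimal("100"),
                      min_sources=5,
                      min_small_ratio=Decimal("0.9"),
                      allowlist=frozenset()):
    """Flag accounts fed almost only by small credits from many wallets.

    small_limit, min_sources and min_small_ratio are assumed tuning values.
    allowlist holds accounts that legitimately collect small charges
    (for example the operator's declared fee account).
    """
    credits_by_dst = defaultdict(list)
    for row in csv.DictReader(io.StringIO(ledger_csv)):
        credits_by_dst[row["dst"]].append((row["src"], Decimal(row["amount"])))

    findings = []
    for dst, credits in credits_by_dst.items():
        if dst in allowlist:
            continue
        sources = {src for src, _ in credits}
        small = sum(1 for _, amount in credits if amount <= small_limit)
        # A single payer sending small amounts is ordinary person-to-person use.
        if len(sources) < min_sources:
            continue
        # A merchant is paid by many wallets too, but not in tiny amounts.
        if Decimal(small) / Decimal(len(credits)) < min_small_ratio:
            continue
        total = sum((amount for _, amount in credits), Decimal(0))
        findings.append(Finding(dst, len(sources), small, total))

    # Largest collected total first, so reviewers see the biggest sink on top.
    return sorted(findings, key=lambda f: f.total, reverse=True)


if __name__ == "__main__":
    for finding in find_salami_sinks(SAMPLE_LEDGER, allowlist=frozenset({"FEES"})):
        print(finding)
```

Without the allowlist the declared fee account is flagged as well, which is why the list of legitimate collection accounts has to be maintained alongside the thresholds.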

Hypothesis Development
To assess the relationship between demographic variables and mobile money systems' security challenges in Uganda, we considered five (5) constructs: gender, age, education level, duration of mobile money usage, and mobile money transactions in a month. No study has ever been carried out to assess the relationship between these constructs and mobile money systems' security challenges.

Study Design
A descriptive research design was employed in the study because both the quantitative and qualitative data are collected from the study area concerning the status of the phenomena [63]. The population for this study included registered MM users, registered MM agents, and MNO IT officers of the seven mobile money service providers in Uganda. The study targeted a population of 25,800,000 registered MM users, 200,857 registered MM agents, and 100 MNO IT officers. This is because they possess experience with mobile money systems.

Sampling Technique
A stratified random sampling technique was employed for the study. This was used to group the population into strata of registered MM users, registered MM agents, and MNO IT officers. This is because each stratum is more homogeneous than the total population, thus giving the researchers confidence to select samples from each stratum to constitute the total sample size for the study [64]. The survey questionnaires were administered for a period of nine weeks, from February 2020 to April 2020.
The sample size for the study was determined using Krejcie and Morgan's formula [65]. A number of 1614 respondents were selected using Krejcie and Morgan's formula below from a population of 26,000,957.

Validity and Reliability of the Questionnaires
Validity refers to the extent to which the instrument used for data collection accurately measures what it is intended to measure [66]. A credible research design is one that maximizes validity, that is to say, it provides a clear explanation of the phenomenon under study and controls all plausible biases or mistakes that could distort the research findings [67]. The validity of the instrument for this study was determined using the content validity index (CVI) [63]. According to Amin [63], Polit and Beck [68], a CVI of 0.78 and above is considered satisfactory for the study.
Reliability is "the consistency with which a measuring instrument yields certain results when the entity being measured has not changed" [66,69]. The reliability of the research instrument was ascertained through pre-testing to crosscheck the consistency and accuracy of the questions and answers obtained. A Cronbach alpha coefficient test was conducted to establish the reliability of the variables. The four (4) variables, along with their respective Cronbach alpha scores are summarized in Appendix A, Table A1. According to Cronbach [70], if Alpha coefficient values are above 0.7, then the variables are considered satisfactory for the research.

Data Collection and Analysis
The study used structured questionnaires to gather quantitative data from registered MM users, registered MM agents, and qualitative data from MNO IT officers. The questionnaires were designed and divided into four parts. The first part covered demographic information; the second part covered mobile money services; the third part contained questions regarding the opinions of the respondents on the security issues associated with mobile money systems in Uganda; and, the last part had suggestions on different ways or measures to mitigate the security challenges associated with mobile money systems. The questionnaires contained direct questions of yes/no, multiple choice items, and five-point Likert scale. Questionnaires were pretested with ten registered MM users, six registered MM agents, and four MNO IT officers in Uganda. Some questions were reviewed based on the responses from the pilot test.
Evidence-based questionnaires were used in this study to obtain quantitative information to serve the research questions: (a) What are the key security issues associated with mobile money systems in Uganda?; (b) What is the relationship between demographic variables (like gender, age, education level, duration of mobile money usage, mobile money transactions in a month) and the mobile money systems' security challenges?; (c) What are the different ways or measures to mitigate the security challenges associated with mobile money systems?
The collected data were analyzed using RStudio software. Statistical techniques like descriptive analysis (percentages, means, and standard deviations), graphs, and Pearson Chi-Square tests were used in the data analysis. For five-point Likert scale data, results for the means (M) > 3.0 and p-value < 0.05 were considered statistically significant [71,72].

Respondents' Social Demography Characteristics
From Table 1, the respondents' gender, age, marital status, and level of education were analyzed. Table 2 depicts the distributions of the responses of the respondents regarding mobile money service characteristics, i.e., mobile money service providers, the duration of mobile money service usage, access to mobile money services, and mobile money transactions in a month. This was aimed at determining whether they contribute to mobile money security issues. Figure 1 shows the findings on services performed using mobile money. Respondents were asked which services they performed using mobile money and 24.6% of the respondents use mobile money to send and receive the money within Uganda, followed by withdrawing money (21.0%), paying for telecom network services (like airtime, data bundles) (16.5%), paying for utilities (like NWSC, UMEME, DStv) (15.8%), save and borrow money (8.1%), buy goods and services (5.6%), mobile banking (4.8%), international money transfer (2.7%), buy insurance (0.6%), and receive a pension (0.3%). Table 3 shows the responses of the participants according to a 5-point Likert scale concerning the benefits of using mobile money services. Percentages, means (M), standard deviations (Std Dev), and Chi-square tests (χ²) were computed to assist the research conclusion. The significant majority (70.4%) of the respondents strongly agreed that mobile money provides a convenient way to send and receive money to anyone who owns a mobile phone or has access to a mobile money agent.
The mean (M) is 4.64 (4.64 ≥ 4.5), which strongly agrees that mobile money provides a convenient way to send and receive money to anyone who owns a mobile phone or has access to a mobile money agent while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money provides a convenient way to send and receive money to anyone who owns a mobile phone or has access to a mobile money agent, χ²(df = 4, N = 1240) = 2229.177, p = 0.000.

It was reported that 61.9% of the respondents strongly agreed that mobile money is more reliable than physically transporting money. The mean (M) is 4.45 (4.45 ≥ 4.0), which agrees with the notion that mobile money is more reliable than physically transporting money while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money is more reliable than physically transporting money, The consensus of 56.9% of the respondents strongly agreed that mobile money services save time. The mean (M) is 4.33 (4.33 ≥ 4.0), which agrees that mobile money services save time while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services save time, It was reported that 52.1% of the respondents strongly agreed that mobile money services are trustworthy. The mean (M) is 4.09 (4.09 ≥ 4.0), which agrees that mobile money services are trustworthy while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services are trustworthy, Besides, 47.7% of the respondents strongly agreed that mobile money services are faster and easier market transactions. The mean (M) is 4.27 (4.27 ≥ 4.0), which agrees that mobile money services are faster and easier market transactions while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services are faster and easier market transactions, It was reported that 48.1% of the respondents strongly agreed that mobile money services improve access to financial services for a large number of people. 
The mean (M) is 4.30 (4.30 ≥ 4.0), which agrees that mobile money services improve access to financial services for a large number of people while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services improve access to financial services for a large number of people, χ²(df = 4, N = 1240) = 1154.847, p = 0.000.
A similar majority (44.4%) of the respondents strongly agreed that mobile money services reduce the expenses and delays associated with opening, operating, and maintaining bank accounts. The mean (M) is 4.13 (4.13 ≥ 4.0), which agrees with the notion that mobile money services reduce the expenses and delays associated with opening, operating, and maintaining bank accounts while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services reduce the expenses and delays associated with opening, operating, and maintaining bank accounts, χ²(df = 4, N = 1240) = 806.944, p = 0.000.
It was reported that 41.7% of the respondents strongly agreed that mobile money services lead to economic growth and development through increased savings and investments. The mean (M) is 3.90 (3.90 ≥ 3.5), which agrees with the notion that mobile money services lead to economic growth and development through increased savings and investments while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services lead to economic growth and development through increased savings and investments, χ²(df = 4, N = 1240) = 518.798, p = 0.000.
Still, 38.4% of the respondents strongly agreed that mobile money services offer many services such as money transfers, mobile payment, mobile banking, and mobile financial services. The mean (M) is 4.53 (4.53 ≥ 4.5), which strongly agrees with the notion that mobile money services offer many services such as money transfers, mobile payment, mobile banking, and mobile financial services while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services offer many services such as money transfers, mobile payment, mobile banking, and mobile financial services, χ²(df = 4, N = 1240) = 1737.234, p = 0.000.
It was reported that 36.5% of the respondents strongly agreed that mobile money services enhance the standard of living for the unbanked population. The mean (M) is 3.96 (3.96 ≥ 3.5), which agrees with the notion that mobile money services enhance the standard of living for the unbanked population while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services enhance the standard of living for the unbanked population, χ²(df = 4, N = 1240) = 593.250, p = 0.000. The significant majority (35.1%) of the respondents strongly agreed that mobile money services increase banking penetration/untapped market at a low acquisition cost. The mean (M) is 4.06 (4.06 ≥ 4.0), which agrees that mobile money services increase banking penetration/untapped market at a low acquisition cost while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that mobile money services increase banking penetration/untapped market at a low acquisition cost, χ²(df = 4, N = 1240) = 749.960, p = 0.000.

Security Issues Associated with Mobile Money Systems
This study mainly focuses on the evaluation of key security issues associated with mobile money systems. Table 4 depicts the opinion of respondents regarding the security issues associated with mobile money systems. Percentages, means (M), standard deviations (Std Dev), and Chi-square tests (χ²) were computed to assist the research conclusion. It was reported that 34.7% of the respondents strongly agreed that identity theft is one of the security challenges of mobile money systems. The mean (M) is 3.63 (3.63 ≥ 3.5), which agrees that identity theft is a key security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that identity theft is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 334.508, p = 0.000. 34.5% of the respondents strongly agreed that an authentication attack is a security challenge to mobile money systems. The mean (M) is 3.69 (3.69 ≥ 3.5), which agrees that the authentication attack is a key security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that the authentication attack is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 387.661, p = 0.000.

A similar majority (30.4%) of the respondents strongly agreed that a phishing attack is a security challenge to mobile money systems. The mean (M) is 3.27 (3.27 ≥ 3.0), which agrees with the notion that a phishing attack is a key security challenge while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that a phishing attack is a security challenge to mobile money systems, χ²(df = 4, N = 1240) = 145.145, p = 0.000.
It was reported that 49.8% of the respondents strongly agreed that a vishing attack is a common security challenge to mobile money systems. The mean (M) is 3.96 (3.96 ≥ 3.5), which agrees with the notion that a vishing attack is a security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that a vishing attack is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 771.298, p = 0.000.
The consensus of 32.1% of the respondents strongly agreed that a smishing attack is a security challenge to mobile money systems. The mean (M) is 3.30 (3.30 ≥ 3.0), which agrees that a smishing attack is a key security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that a smishing attack is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 143.927, p = 0.000.
Besides, 33.4% of the respondents strongly agreed that PIN sharing is one of the security challenges of mobile money systems. The mean (M) is 3.68 (3.68 ≥ 3.5), which agrees with the notion that PIN sharing is a key security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that PIN sharing is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 368.379, p = 0.000.
Lastly, 22.3% of the respondents agreed that agent-driven fraud is a common security challenge to mobile money systems. The mean (M) is 3.05 (3.05 ≥ 3.0), which agrees with the notion that agent-driven fraud is a key security challenge experienced by the users while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that agent-driven fraud is a key security challenge to mobile money systems, χ²(df = 4, N = 1240) = 54.524, p = 0.000.

The Relationship between Demographic Variables (Like Gender, Age, Education Level, Duration of Mobile Money Usage, Mobile Money Transactions in a Month) and Mobile Money Systems' Security Challenges
Hypothesis 1 (H1). There is no significant relationship between gender and mobile money systems' security challenges.

Hypothesis 2 (H2). There is no significant relationship between age and mobile money systems' security challenges.

Hypothesis 3 (H3). There is no significant relationship between education level and mobile money systems' security challenges.

Hypothesis 5 (H5). There is no significant relationship between the number of mobile money transactions in a month and mobile money systems' security challenges.
From Table 9, a Pearson chi-square test suggests that there is no statistically significant relationship between number of mobile money transactions in a month and authentication attack (χ 2 (20)

The Different Ways or Measures to Mitigate the Mobile Money Systems Security Challenges
From Table 10, the responses of the participants regarding the different measures to mitigate the security challenges associated with mobile money systems are presented in the form of percentages, means (M), standard deviations (Std Dev), and chi-square tests (χ²) to assist in research conclusion.
There was a significant majority (64.7%) of the respondents who strongly agreed that the use of better access controls like PIN, one-time password, and biometric fingerprint altogether is a high priority. The mean (M) is 4.41 (4.41 ≥ 4.0), which agrees with the notion that the use of better access controls can mitigate mobile money systems' security challenges while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that the use of better access controls is a priority in mitigating mobile money systems' security challenges, χ²(df = 4, N = 1240) = 1698.427, p = 0.000.
It was reported that 60.9% of the respondents strongly agreed that customer awareness campaigns to increase customer education and protection is a high priority. The mean (M) is 4.47 (4.47 ≥ 4.5), which strongly agrees with the notion that customer awareness campaigns to increase customer education and protection is a high priority while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that customer awareness campaigns to increase customer education and protection is a high priority in mitigating mobile money systems' security challenges, χ²(df = 4, N = 1240) = 1603.621, p = 0.000.
Besides, 60.4% of the respondents strongly agreed that agent training on acceptable practices is a higher priority. The mean (M) is 4.41 (4.41 ≥ 4.0), which agrees with the notion that agent training on acceptable practices is necessary while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that agent training on acceptable practices is a priority in mitigating the security challenges, χ²(df = 4, N = 1240) = 1486.452, p = 0.000.

It was reported that 51.0% of the respondents strongly agreed that a comprehensive legal document to guide mobile money service is a high priority. The mean (M) is 4.22 (4.22 ≥ 4.0), which agrees with the notion that comprehensive legal document to guide mobile money service is necessary for mobile money service providers and the government while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that a comprehensive legal document to guide mobile money service is necessary for successful implementation of mobile money services, χ²(df = 4, N = 1240) = 1015.024, p = 0.000.
The consensus of 68.5% of the respondents strongly agreed that strict measures against fraudsters are a high priority. The mean (M) is 4.48 (4.48 ≥ 4.0), which agrees with the notion that strict measures against fraudsters are a priority while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that strict measures against fraudsters are a high priority in mitigating mobile money systems' security challenges, χ²(df = 4, N = 1240) = 1918.411, p = 0.000.
It was reported that 49.4% of the respondents strongly agreed that knowing your customer controls during registration is necessary. The mean (M) is 4.19 (4.19 ≥ 4.0), which agrees that knowing and verifying customer credentials during registration is a priority while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that know your customer controls during registration is necessary for mitigating the security challenges, χ²(df = 4, N = 1240) = 951.669, p = 0.000. Furthermore, 64.4% of the respondents strongly agreed that mobile users should report any security incidence/fraud to the regulators and security agencies. The mean (M) is 4.48 (4.48 ≥ 4.0), which agrees with the notion that mobile users reporting any security incidence/fraud to the regulators and security agencies is a priority while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that reporting any security incidence/fraud to the regulators and security agencies by mobile users is necessary for mitigating mobile money systems' security challenges, χ²(df = 4, N = 1240) = 1727.944, p = 0.000.
It was reported that 56.5% of the respondents strongly agreed that high-value transaction monitoring from the service providers is a high priority. The mean (M) is 4.32 (4.32 ≥ 4.0), which agrees with the notion that high-value transaction monitoring from the service providers is a must while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that high-value transaction monitoring from the service providers is a priority in mitigating the security challenges, χ²(df = 4, N = 1240) = 1278.927, p = 0.000.
A similar majority (54.9%) of the respondents strongly agreed that the government and mobile money service providers should publish any reported incidences. The mean (M) is 4.28 (4.28 ≥ 4.0), which agrees with the notion that the government and mobile money service providers should publish any reported incidences while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that the government and mobile money service providers should publish any reported incidences to mitigate the security challenges, χ²(df = 4, N = 1240) = 1190.427, p = 0.000.
Lastly, 50.5% of the respondents strongly agreed that the government and mobile money service providers should come up with a portal where victims can share their incidences anonymously. The mean (M) is 4.16 (4.16 ≥ 4.0) which strongly agrees with the notion that it is a priority for the government and mobile money service providers to come up with a portal where victims can share their incidences anonymously while the chi-square test was performed with the sig. value of 0.000, which is less than 0.05. This means that it was statistically significant to say that the government and mobile money service providers should come up with a portal where victims can share their incidences anonymously to mitigate the security challenges associated with mobile money systems, χ²(df = 4, N = 1240) = 950.935, p = 0.000.

Discussion
The opinions of MM users, MM agents, and MNO IT officers remain paramount in the implementation of secured mobile money systems. Therefore, the main aim of this study was to evaluate the key security issues associated with mobile money systems in Uganda. The crucial objective of the survey was for MM users, MM agents, and MNO IT officers to identify and evaluate the key security challenges associated with mobile money systems, assess the relationship between demographic variables and mobile money systems' security challenges in Uganda, and suggest mitigation measures for the security challenges to improve the mobile money technology. Before evaluating the key security challenges, there is a need to establish the services and benefits offered by mobile money.
The results in Figure 1 show some of the services performed using mobile money. They include sending and receiving money within Uganda; withdrawing money; paying for telecom network services (like data bundles, airtime, etc.); paying for utilities (like NWSC, UMEME, DStv); saving and borrowing money; buying goods and services; mobile banking; international money transfer; buying insurance; and receiving a pension. This outcome is consistent with the studies conducted by Lwanga and Adong [17], BoU [1], Afi [18], who identified depositing and withdrawing of money, transfer of money to other users, paying utility bills, paying for goods in a store, saving money for future purchases or payment, receiving a salary, taking a loan, receiving state aid or pension, buying insurance, purchasing airtime and data bundle, and making bank transactions as the services performed using mobile money.
The findings presented in Table 3, mentioned convenient means to transport and receive money to anyone who has a mobile phone or has access to a mobile money agent, improved access to financial services for a large number of people, more reliability than physically transporting money, and that it saves time as some of the benefits of mobile money services. This is in line with the submissions of Kikulwe, Fischer, and Qaim [23], Mugambi, Njunge, and Yang [24], Saxena et al. [27], Marumbwa and Mutsikiwa [30], Kanobe et al. [33], Cisco [35], who identified a convenient way to send money to anyone who owns a mobile phone, enhance access to financial services for a large number of people who are effectively excluded from banks, transfer money through mobile phones without physically visiting the bank, and cut down time lags associated with opening, operating, and maintaining a traditional bank account as some of the benefits. Furthermore, faster and easier market transactions, increased banking penetration, enhanced standard of living for the unbanked population, and economic growth and development are some of the mentioned benefits. These findings conform with the studies of Lonergan et al. [31], Hu et al. [34], who stated that mobile money provides the quickest mechanism for clearing unplanned domestic financial payments, enhances the standard of living for the unbanked population, and stimulates economic development.
From Table 4, respondents identified the following as the security issues associated with mobile money systems:
Identity theft: This is a form of mobile money crime committed by a friend, relative, or a fraudster who steals the owner's financial information such as PIN for performing transactions. According to Bosamia [9], when a customer's mobile phone is stolen, attackers make use of any sensitive data stored in it, including the PIN, and have control over the device. The mobile money PIN stored on the mobile phone will provide them with access to the mobile money account enabling them to carry out fraudulent transactions [45,46]. This is in line with the work of Trulioo [40], Mtaho [7], who noted that identity theft is usually an inside job activity through unscrupulous employees gaining unauthorized access to mobile money data that belongs to the users and then irregularly misappropriating their funds. This is affirmed by Gwahula [37], Buku and Mazer [41], who observed that identity theft results from fraudulent or offline SIM swaps by fraudsters that transfer the mobile wallet account from the customer's SIM to the fraudster's SIM, enabling them to have full access to the user's mobile wallet to carry out fraudulent transactions [42,43].
Authentication attack: This is a mobile money crime where attackers target and try to exploit the mobile money authentication process by applying a brute-force attack or weak PIN attack. This is in line with the findings of Mtaho [7], Castle et al. [8], Mtaho and Mselle [13], Gwahula [37], Reaves et al. [38], who found out that attackers use many ways to gain access to users' accounts and take advantage of weak PIN reset procedures, making it easy to guess, smudge, or snoop. This outcome is consistent with the study conducted by Bosamia [9], Akomea-Frimpong et al. [39], who reported that most of the mobile money systems are not properly protected, giving IT fraudsters the ability to apply reverse engineering to attack hardcoded passwords or PINs, encryption keys, and steal customer money.
Phishing attack: This is a form of mobile money crime where fraudsters masquerade as employees of the mobile money service provider by calling or sending SMS messages to mobile money users and agents to reveal their data including a PIN for an update. This is in line with the submissions of Bosamia [9], who also found out that fraudsters carry out sophisticated attacks by sending either email messages, SMSs, or calls to mobile money users to disclose their personal and financial information.
Vishing attack: This is a form of mobile money fraud where fraudsters use voice calls to trick mobile money users and agents into revealing their critical financial information like a PIN. This reaffirms the findings of earlier studies by Saxena et al. [27], Maseno, Ogao, and Matende [48] who observed that attackers use anonymous phone calls or false promotions to trick users into disclosing their PINs or other sensitive personal information that is then used to steal from their mobile money accounts. It was further supported by Kigen et al. [49], who added that vishing is a widely used method of launching attacks on mobile money platforms in Kenya, where individuals have been tricked to provide sensitive information such as mobile money PINs, which have led to fraudulent transactions.
Smishing attack: This is a form of mobile money fraud where fraudsters send emotionally deceptive SMS messages to lure mobile money users and agents into revealing their mobile money account information, including the PIN. This finding is described in other earlier studies conducted by Mudiri [42], Maseno, Ogao, and Matende [48], where fraudsters send fake SMS using their mobile phones to mobile money users and mobile money agents, and then take them through various steps, which later result in the transfer of money from their account to the fraudsters' account. It is also consistent with the studies of Akomea-Frimpong et al. [39], Buku and Mazer [41], Gilman and Joyce [44], Lonie [45] who reported that fraudsters impersonating employees of mobile money service providers send fake SMS messages to customers that they have won a promotion prize, and for them to claim the prize they should send money to the fraudster's number.
PIN sharing: Many mobile money users and agents tend to share their mobile money PIN(s) among relatives and friends, which makes their account vulnerable to identity theft, brute-force attack, and authentication attacks. This finding is reported in other earlier studies conducted by Mtaho [7], who observed that most people tend to share their mobile money PIN among friends and families, which has also added more security risks to the platform.
Agent-driven fraud: Mobile money agents also experience fraud from mobile money attackers/fraudsters, employees of the MNO, and users, thus threatening the security of the platform. This result is consistent with the work conducted by Buku and Mazer [41], Lonie [45], in which they found that the common acts of fraud that agents experience include float loss in the agent's account resulting from unauthorized use, misuse of PINs, and fraudsters impersonating MNO staff to gain unauthorized access to the agent's float account. Buku and Mazer [41] reported that the 2015 surveys of the Helix Institute indicate that fraud was the primary concern of many agents, and found that 53% of mobile money agents in Uganda and 42% in Tanzania had experienced fraud. Uganda recorded the highest rates of fraud and crime in the region. Castle et al. [8], Gilman and Joyce [44] added that customers also commit fraud against agents by giving wrong mobile phone numbers repeatedly to get the agent's PIN.
Tables 5-9 analyzed the relationships between demographic variables (like gender, age, education level, duration of mobile money usage, mobile money transactions in a month) and mobile money systems' security challenges. Respondents observed that: There is no statistically significant relationship between gender and identity theft, authentication attack, phishing attack, vishing attack, smishing attack, PIN sharing, and agent-driven fraud. There is a statistically significant relationship between age and phishing attack or vishing attack. Furthermore, there is a statistically significant relationship between education level and identity theft, phishing attack, vishing attack, smishing attack, PIN sharing, agent-driven fraud. Besides, there is a statistically significant relationship between duration of mobile money usage and identity theft, phishing attack, vishing attack, smishing attack, PIN sharing, agent-driven fraud. Finally, there is a statistically significant relationship between the number of mobile money transactions in a month and identity theft, phishing attacks.
The findings presented in Table 10 concern the different ways and measures to mitigate the security challenges associated with mobile money systems. Respondents agreed on the following:
Use of better access controls such as multi-factor authentication (i.e., PIN, one-time password, and biometric fingerprint). These findings are similar to the studies of Bosamia [9], Gilman and Joyce [44], Lonie [45], who found out that there is a need to control access rights to protect customer information, and that all interactions between servers must be logged, secured, and strongly authenticated using two-factor authentication. Lonie [45] further pointed out that there is a need to enforce high-security standard measures for payment processing systems and encryption should occur at the earliest possible point in the messaging flow where all external messages between customer and partner activities are encrypted.
Customer awareness campaigns to increase customer education and protection. This finding is reported in other earlier studies conducted by Bosamia [9], Gwahula [37], Akomea-Frimpong et al. [39], Mudiri [42], Gilman and Joyce [44], who added that financial education, customer awareness campaigns, security awareness, and risk awareness need to be carried out to increase customer education, protection and encourage their participation in this industry.
Agent training on acceptable practices. It is also consistent with the study of Gilman and Joyce [44], who argued that agent training is needed on acceptable practices, terms, and conditions.
Need for a comprehensive legal document to guide mobile money service. This is in line with the work of Akomea-Frimpong et al. [39], Lonie [45], Alhassan et al. [54], who stated that detailed legal code, internal fraud policy, and an efficient and robust user and security policy should be developed and used by mobile money merchants and partner banks.
Mobile money service providers should monitor high-value transactions. This outcome is consistent with the study conducted by Gilman and Joyce [44], who argued that there is a need for threshold limits to reduce the risk associated with anti-money laundering/combating the financing of terrorism (AML/CFT). Mudiri [42] and Gilman and Joyce [44] further added that monitoring and supervision of mobile money agents are imperative.
Some other measures to mitigate the security challenges of mobile money systems include: taking strict measures against fraudsters; reporting any security incidences or fraud to the regulators and security agencies; publishing any reported incidences by the government and mobile money service providers; the government and mobile money service providers should come up with a portal where victims can share their incidences anonymously.
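The high-value transaction monitoring and threshold limits discussed above can be expressed as a small set of review rules; the Python below is an added illustration, not code from the study or from any mobile money provider. It goes beyond a single-transfer threshold by also checking cumulative outgoing value and transfers made shortly after a SIM swap or PIN reset (the identity-theft and PIN-reset routes described earlier). The threshold, time windows, event fields, account names and sample records are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy values for illustration only; real limits are set by the
# provider and the regulator and are not given in the study.
HIGH_VALUE_UGX = 2_000_000                 # single-transfer review threshold
CUMULATIVE_WINDOW = timedelta(hours=24)    # rolling window for split transfers
POST_CHANGE_WINDOW = timedelta(hours=24)   # cooling-off after SIM swap / PIN reset
CREDENTIAL_CHANGES = {"sim_swap", "pin_reset"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # "transfer", "sim_swap" or "pin_reset"
    amount: int = 0    # UGX, used for outgoing transfers only


def monitor(events):
    """Return [(event, [reasons])] for outgoing transfers to hold for review."""
    last_change = {}   # account -> (timestamp, kind) of latest credential change
    outgoing = {}      # account -> [(timestamp, amount)] inside the rolling window
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind in CREDENTIAL_CHANGES:
            last_change[ev.account] = (ev.ts, ev.kind)
            continue
        if ev.kind != "transfer":
            continue
        reasons = []
        # Keep only this account's transfers that are still inside the window.
        window = [(t, a) for t, a in outgoing.get(ev.account, [])
                  if ev.ts - t < CUMULATIVE_WINDOW]
        window.append((ev.ts, ev.amount))
        outgoing[ev.account] = window
        if ev.amount >= HIGH_VALUE_UGX:
            reasons.append("high_value")
        elif sum(a for _, a in window) >= HIGH_VALUE_UGX:
            # Several smaller transfers that together cross the limit.
            reasons.append("cumulative_high_value")
        change = last_change.get(ev.account)
        if change and ev.ts - change[0] < POST_CHANGE_WINDOW:
            reasons.append("transfer_after_" + change[1])
        if reasons:
            alerts.append((ev, reasons))
    return alerts


def summarize(alerts):
    """Flatten alerts to (account, amount, reasons) tuples for reporting."""
    return [(ev.account, ev.amount, reasons) for ev, reasons in alerts]


# Constructed sample records (not real data).
T0 = datetime(2020, 1, 6, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "acct-A", "transfer", 50_000),
    Event(T0 + timedelta(hours=1), "acct-B", "transfer", 2_500_000),
    Event(T0 + timedelta(hours=2), "acct-C", "sim_swap"),
    Event(T0 + timedelta(hours=2, minutes=20), "acct-C", "transfer", 300_000),
    Event(T0 + timedelta(hours=3), "acct-D", "transfer", 900_000),
    Event(T0 + timedelta(hours=3, minutes=5), "acct-D", "transfer", 900_000),
    Event(T0 + timedelta(hours=3, minutes=10), "acct-D", "transfer", 900_000),
    Event(T0 + timedelta(hours=30), "acct-C", "transfer", 100_000),
]

if __name__ == "__main__":
    for row in summarize(monitor(SAMPLE_EVENTS)):
        print(row)
```

The last acct-C transfer is not flagged because it falls outside the assumed 24-hour cooling-off period after the SIM swap.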

Conclusions
Mobile money systems have emerged as the primary payment platform for the digital economy, thus bettering the standard of living of many people who have limited access to the banking infrastructure in developing nations like Uganda. By enabling access to cashless payment infrastructure, these systems allow citizens of developing nations to decrease the physical security risks associated with hard currency transactions. However, the security of most of the mobile money systems remains a big challenge. In this article, the researchers evaluated the security challenges of mobile money systems. They found significant security challenges with the current mobile money systems such as identity theft, authentication attack, phishing attack, vishing attack, SMiShing attack, PIN sharing, and agent-driven fraud. The study also found significant relationships between constructs and mobile money systems' security challenges in Uganda. Several mitigation measures were recommended for successful implementation of secure mobile money systems such as the use of better access controls, customer awareness campaigns, agent training on acceptable practices, developing a comprehensive legal document to run mobile money service, KYC controls, and high-value transaction monitoring by the service providers, to mention but a few.
The findings of this study contribute to the theoretical literature in the following ways. First, this paper extends the theoretical knowledge of security challenges in mobile money systems. To our best knowledge, no empirical study has been conducted to evaluate the key security issues associated with mobile money systems in Uganda. Second, our study contributes to the literature by empirically testing the relationship between constructs (gender, age, education level, duration of mobile money usage, and mobile money transactions in a month) and mobile money systems' security challenges. Most of these constructs have never been used in studies focusing on mobile money systems' security challenges. The study also offers useful managerial contributions. Firstly, the study suggests that identifying and improving the security issues and challenges of mobile money systems are an important factor in the implementation of secure mobile money services. Thus, to encourage the successful implementation of secure mobile money systems, MMSPs need to evaluate the current system so that proper mitigation measures can be proposed and implemented to increase service delivery. Secondly, mobile money systems' security challenges are a threat to the implementation of mobile money services. By assessing the relationship between constructs and mobile money systems' security challenges in Uganda, MNOs can emphasize measures to counter those challenges. Lastly, the study can be useful to the Bank of Uganda concerning financial inclusion, which is important to achieve a sustainable development goal.
This study encountered some limitations that create an opportunity for future research on mobile money systems' security challenges. Firstly, the survey was restricted to only Uganda and the survey data were mainly used for descriptive analysis regarding the key security issues associated with mobile money systems. The study did not investigate the views of other stakeholders, such as banks or other financial institutions and regulatory institutions. Thus, the findings from this study may not fully represent the opinions of all the stakeholders in Uganda. Secondly, the respondents' involvement in answering the questionnaires was primarily voluntary, which might introduce some bias in the sample. Thus, future research involving an online survey is encouraged to embrace the views of all the mobile money stakeholders who did not take part in the study. Thirdly, the research is limited to statistical data gathered from the few participants since mobile money security is a complicated issue, and data can only be availed on request and approval. Finally, the data used for empirical analysis were gathered from respondents in Uganda who have characteristics differing from respondents in other parts of the world. Future research could focus on repeating a similar topic in other regions of the world like Kenya, Tanzania, Rwanda, Burundi, Somalia, Nigeria, Ghana, South Africa, Haiti, India, Pakistan, Colombia, Philippines, Mexico, Brazil, and so on. This would help in the evaluation of the validity of the proposed measures across different countries. This study, therefore, provides a baseline survey to help MNOs and the government that would wish to implement secure mobile money systems.