Thanks Ed and Kevin... The link I found which works now is https://www.serianu.com/downloads/SaccoCyberSecurityReport2018.pdf . Good intro article on cybersecurity risks for small financial institutions of all kinds.

Yes, SACCOs and SHGs (Self Help Groups) mostly predate the microfinance movement, and have been generally slower to become digital. Many still operate on paper systems. Some are using Mifos. The report is not wrong to say that most orgs of this size and sophistication remain mostly ignorant or barely aware of their cybersecurity vulnerabilities. They also note that many (Kenyan) banks are not much better.

Broadly speaking, there is a growing cybersecurity threat directly proportional to the number of users and scope of use of the mifos/fineract systems. While other banking systems remain a much richer target for funds transfer exploits, our community of user-institutions is definitely not immune.

I think the important takeaway for the fineract project is to make sure we are supporting encryption of data "at rest" and "in motion" (e.g. SSL), secure key-storage, One-Time-Passwords (better is Timeout OTP), as well as architecture that assumes it will be hacked and there is a way to *monitor*, *detect* (e.g. key logs characteristics are visible to admin and specific issues raise a flag), and subsequently *react* to any intrusion via such functionality as "holding suspicious transactions" or "review exceptional transactions reports".

When things are "to be implemented by the devops teams according to best practices" then that should be spelled out in guides. This probably deserves more discussion. There are also probably several areas of non-functional system features which could be interesting for a developer to work on.

Please report technical security issues to [email protected] .

@Jdailey67

On Tue, Dec 18, 2018 at 10:04 AM Kevin A. McGrail <[email protected]> wrote:

> I had to look up SACCO. Surprised the document didn't spell it out
> either. It's Savings and Credit Cooperative Organizations for others :-)
> --
> Kevin A. McGrail
> VP Fundraising, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
> On Tue, Dec 18, 2018 at 12:52 PM Ed Cable <[email protected]> wrote:
>
> > Hi community,
> >
> > I thought this would be a valuable read for everyone - SACCOs are becoming a
> > lucrative target for cyber attacks and as one would expect most are
> > under-estimating in cybersecurity.
> >
> > We as a community and partners in supporting individual institutions should
> > take into account what measures we can take as we deliver them solutions in
> > the cloud and help them with digital transformation.
> >
> > You can download and read the report from Serianu at
> >
> > https://media.licdn.com/dms/document/C4E1FAQHLuCFQsIiO7w/feedshare-document-pdf-analyzed/0?e=1545232378&v=beta&t=oo0Iyz-B5UJVgfLtCpFApxT8wAmyQrHKSV6_QqLOkLo
> >
> > --
> > *Ed Cable*
> > President/CEO, Mifos Initiative
> > [email protected] | Skype: edcable | Mobile: +1.484.477.8649
> >
> > *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
> > <http://facebook.com/mifos> <http://www.twitter.com/mifos>
