Online system to make virtual trading safer


Kenyans will from October this year enjoy more secure online transactions if a new plan by the government to assign digital certificates to individuals, firms, and state agencies succeeds.

In an attempt to rein in fraud by “no-name” Internet users, the government launched the Sh391 million ($4.6 million) National Public Key Infrastructure project in March to make online transactions more secure by issuing digital signatures equivalent to physical signatures.

The project is undertaken within the framework of the Kenya Transparency and Communications Infrastructure Project (KTCIP), a World Bank-funded initiative meant to help the country achieve its objectives under the ICT pillar of Vision 2030 and run by the Kenya ICT Board.

“We are moving fast towards record automation and these systems need to be protected because some people have evil intentions. We can’t expand e-commerce in this country or efficiently offer government services online without an assurance of the security of our systems,” Information and Communication permanent secretary Bitange Ndemo told Smart Company.

Make online deals secure

If the project succeeds, Kenyans will no longer be able to venture into the digital world with complete anonymity.

The project comes in the wake of calls by the local e-commerce industry for the government’s assurance over online security amid escalating fraud that has cost the local banking sector billions of shillings.

The lack of a robust online security system has also held back attempts by the government to digitise and automate health, tax, and even agricultural services.

“The bottom line is fraud. When you conduct transactions online currently, you really have no clue whether the person you are dealing with is real and this is part of what we need to address,” the project manager, information security at the Kenya ICT Board, Mr Evans Kahuthu, said.

Public Key Infrastructure (PKI) protects data in transit by issuing Internet users with unique certificates. These certificates are used to authenticate the source of information transmitted within an unsecured public network.

The certification authorities that issue the unique identifiers also provide users with public and private keys with which to encrypt and decrypt data. When a user transmits data, for instance, he/she would encrypt it with the public key of his/her recipient. The recipient can only retrieve the message using the private key issued by the certification authority.

The Communications Commission of Kenya will serve both as the licensing authority and as the licensed operator of the root certification authority. Under it, a government certification authority will issue certificates to government organisations and their employees while a private sector certification authority will issue certificates to the rest of the citizens.
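The hierarchy described above, sketched with the openssl command line as an added example that is not part of the original article: one root, a government and a private sector certification authority beneath it, and one certificate issued by each. Every name is a constructed placeholder and the keys are generated locally for the demo; a certificate is accepted only when it chains to the root the verifier trusts.

```shell
#!/usr/bin/env bash
# Constructed demo: every name below is a placeholder, not a real NPKI artefact.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# issue NAME CA_FLAG [ISSUER]: create a key locally, then a certificate for it.
# Without ISSUER the certificate is self-signed (a root).
issue() {
  name=$1 ca=$2 issuer=${3:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "/CN=demo-$name" \
    -out "$WORK/$name.csr"
  printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$WORK/$name.ext"
  if [ -z "$issuer" ]; then
    set -- -signkey "$WORK/$name.key"
  else
    set -- -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$WORK/$name.csr" "$@" -days 30 \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# chain_ok ROOT INTERMEDIATE LEAF: succeeds only if LEAF chains up to ROOT.
chain_ok() {
  openssl verify -CAfile "$WORK/$1.pem" -untrusted "$WORK/$2.pem" \
    "$WORK/$3.pem" >/dev/null 2>&1
}

issue root TRUE                  # root certification authority
issue gov_ca TRUE root           # government certification authority
issue private_ca TRUE root       # private sector certification authority
issue kra_officer FALSE gov_ca   # government employee
issue citizen FALSE private_ca   # member of the public
issue other_root TRUE            # unrelated root the verifier does not trust

for pair in "gov_ca kra_officer" "private_ca citizen"; do
  set -- $pair
  chain_ok root "$1" "$2" && echo "$2: chains to root via $1"
done
chain_ok other_root private_ca citizen || echo "citizen: rejected under other_root"
```

Because every chain ends at the single root, the root key is the one whose protection decides whether any of the issued certificates can still be relied on.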

Upon completion, the National Public Key Infrastructure (NPKI) will give banks and other businesses with online operations an easier way of authenticating the identity of consumers with whom they transact over the Internet.

According to Mr Danson Muchemi, the chief executive officer of JamboPay, an online payment firm, NPKI is long overdue and will give the country a better foundation to run a robust e-commerce industry.

“This is a way of ensuring that there is integrity in the business process. It is like a signature. It is legally recognised and neither merchant nor consumer can renege on promises made,” said Mr Muchemi.

In the public sector, the NPKI will be piloted at the Kenya Revenue Authority (KRA) before it is rolled out to other government departments such as Immigration. It will enable Kenyans to pay taxes and renew identification cards or passports without necessarily having to present themselves physically at government offices. They will also apply in the private sector, saving time and improving the country’s rating as an investment destination of choice.

“In countries such as France, the launch of the NPKI has led to spin-off businesses for companies in the financial sector. It makes them a lot of money,” said Mr Draman Traore, Africa sales executive for Clear2Pay, a Belgian online payments firm.

Mr Traore added that should the NPKI prove successful, Kenya and the East African region will become a more secure destination for companies in the payments sector looking to establish a presence in Africa.

South Korean firm, Samsung SDS, has been contracted by the government through the Ministry of Information and Communication to develop the system.

Initially, the Communications Commission of Kenya (CCK) will act as the sole certification authority in Kenya. However, over time, the doors will be opened to the private sector to step in and acquire licences to issue digital identities.

Security breaches

But questions have been raised over whether the system is really the silver bullet that will slay the beast stalking local cyber space. Although the mathematical ideals and formulas behind PKI are near-perfect, the humans who manage them are far from faultless.

A spate of security breaches over the past five years among some global certification authorities set the tech community atwitter. In 2011, GlobalSign, a certification authority, was hacked. The breach was later traced to a piece of open-source software that had not been updated appropriately.

Before that, two other PKI certification authorities had been hacked too, leading to creation of numerous fake online identities.

“PKI is not fool-proof. Most times, its weaknesses lie in the management of the infrastructure. Certification authorities have to remain vigilant. They can still be hacked,” said Mr William Makatiani, chief executive of online security firm, Serianu.

“The only problem would be if someone compromises the certification authority or the root certification authority. Then all issued certificates would immediately become void,” Mr Kahuthu warned.

In an analysis of the challenges facing the project, Samsung SDS and the ICT Board of Kenya warn that Kenya currently lacks the trained workforce or vibrant enough information security sector that is needed to run the PKI successfully.

“A country should accumulate and retain its own technologies related to security and certification to enhance its national competitive edge,” said Samsung SDS in a presentation.

The country also lacks the legal framework and will have to make amendments to the current legislation to allow for the creation of digital certificates.