By Nasarah Dashe
If you have sent money via USSD, paid for groceries with a mobile wallet, or onboarded a new fintech app in the last 12 months, you have touched Nigeria's digital economy. It is vibrant, relentless, and growing faster than almost anywhere else in the world.
Between 2020 and 2025, Nigeria saw an explosion in fintech startups, mobile banking agents, and cashless payment channels. The Central Bank's cashless policy, combined with a young, tech-savvy population, pushed transaction values into the trillions of Naira. USSD codes like *737# or *894# became household commands. Mobile wallets replaced physical banks for millions of unbanked citizens.
This is progress. This is inclusion. This is the future.
But there is a shadow beneath the speed.
The very force driving Nigeria's digitisation—rush, competition, and pressure to onboard users—has left a critical gap wide open: security maturity. We are building a ten-lane highway while still using paper maps and wooden guardrails. And attackers have already found the exits.
Let me walk you through the anatomy of this challenge, because until we name it honestly, we cannot fix it.
The Explosion: What Rapid Digitisation Looks Like on the Ground
Walk into any bustling market in Lagos, Kano, or Port Harcourt. You will see small traders with point-of-sale (POS) terminals powered by mobile apps. You will see customers dialling USSD codes on feature phones to transfer airtime or pay bills. Behind the scenes, APIs link these tiny transactions to large switching hubs, banks, and fintech processors like Paystack, Flutterwave, Moniepoint, and OPay.
The numbers are staggering. According to the Nigeria Inter-Bank Settlement System (NIBSS), mobile money transactions alone have grown by over 200% in some quarters year-on-year. USSD still processes billions of Naira monthly, especially for users without smartphones. Fintech startups have raised hundreds of millions of dollars in funding, promising to "unbank the unbanked."
But here is the uncomfortable truth: many of these systems—whether legacy banking infrastructure repurposed for mobile, or fast-built fintech MVPs—lack modern security protections.
Why? Because speed to market was the priority. Security was a checklist, not a culture.
The Attack Surface: What We Have Exposed
Every new digital channel is a door. Every API endpoint is a window. Every USSD gateway is a potential back alley. When you digitise rapidly without corresponding security maturity, you do not just expand access—you expand vulnerability.
Consider the typical Nigerian mobile money ecosystem:
- USSD interfaces that communicate in plain text over SS7 networks, vulnerable to interception and session hijacking.
- Mobile wallets that store user credentials on devices with weak encryption or no runtime protection.
- Agent banking apps with hardcoded API keys or poor authentication logic, exposed in public repositories.
- Legacy core banking systems wrapped in modern APIs but never audited for modern threats like injection or broken access control.
Attackers love this chaos. They do not need zero-day exploits. They just need one misconfigured server, one forgotten debug endpoint, one USSD session token sent in the clear.
And because Nigeria's digitisation happened in waves—each provider layering new features on old foundations—the attack surface is not a straight line. It is a tangle of protocols, versions, and forgotten services.
Real Consequences: When Speed Meets Exploitation
This is not a theoretical risk. We have seen the results.
Fintech breaches involving credential exposure have led to billions of Naira in unauthorised transfers. USSD session hijacking has allowed fraudsters to drain accounts while victims sleep. SIM-swap attacks, amplified by poor verification at telecom agents, have handed over mobile money accounts to criminals.
The common thread in many of these incidents? Not sophisticated hacking. Exploitable gaps left open because security was bolted on after launch, not built in from the start.
One example: a popular mobile lending app left its API completely open, exposing user loan details, BVNs, and phone numbers. No authentication. No rate limiting. It was discovered by a security researcher—not by the company's own team. That is the symptom of maturity lag.
Why Traditional Scanners Fail the Maturity Test
So how do organisations defend themselves? Many turn to automated vulnerability scanners. They run a tool, get a report, and "fix" the red items. But here is where the maturity gap creates a second-order problem.
Most traditional scanners—even expensive ones—are built for idealised environments. They assume clean configurations, standard frameworks, and English-language error messages. They also suffer from a crippling flaw: false positives.
A typical scan against a Nigerian fintech portal might return 50 "critical" findings. After hours of triage, a developer realises that 42 of them are false alarms: outdated rule sets, misinterpretations of custom code, or generic warnings that don't apply. The remaining 8 are real—but now the team is exhausted, frustrated, and less likely to trust future scans.
When security tools waste your time, you stop using them properly. And when you stop using them, the gap between digitisation and maturity grows even wider.
A Smarter Path Forward: Local Solutions for Local Problems
The answer is not to stop digitising. That would be like asking a race car to brake suddenly on a highway. The answer is to match speed with intelligence—specifically, the intelligence to separate real threats from noise.
Imagine a tool that scans live websites or source code for the same vulnerabilities (SQL injection, XSS, missing headers, hardcoded secrets) but then uses an optional AI layer to validate each finding. Instead of drowning in 50 alerts, you see only the 8 that actually matter. You save hours. You fix what is broken. You move on.
That tool exists. It is called Permi. It is open-source, free, and built by a Nigerian cybersecurity student who got tired of traditional scanners crying wolf. Permi understands local contexts: it can check for USSD gateway misconfigurations, flag exposed Paystack or Flutterwave keys, and even nod to NDPR compliance requirements—all while running in offline mode if you prefer.
But here is the deeper point: tools like Permi embody the exact mindset Nigeria needs. Not expensive, imported black boxes with generic rule sets. Lightweight, developer-first, locally relevant software that respects your time and your budget. It does not pretend to be a complete security operations centre. It simply says: "Here are your real vulnerabilities. Ignore the noise."
That is what matching security maturity to digitisation looks like. Not perfect. Not over-engineered. Just honest and actionable.
What Organisations Can Do Right Now
While policymakers and regulators work on frameworks (the new 2026 NITDA guidelines are a start), individual organisations cannot wait. Here are three immediate steps to close the maturity gap:
- Audit your USSD and mobile wallet integrations – Treat them as high-risk channels. Check for unencrypted sessions, weak authentication flows, and excessive logging of sensitive data.
- Run regular, low-noise scans – Use tools that prioritise accuracy over volume. Permi is one example, but the principle matters more: false positives are not harmless; they burn team morale.
- Build security into the deployment pipeline – Do not scan only once a quarter. Automate lightweight scans every time code is pushed. Catch the hardcoded secret before it reaches production.
The cost of ignoring this gap grows every day. Attackers are not slowing down. They are automating their attacks with AI—while many Nigerian systems still rely on manual, reactive defences.
The Bottom Line
Rapid digitisation without matching security maturity is not a bug in Nigeria's tech story. It is a feature of the speed we chose. And that choice has brought prosperity to millions. But the feature has become a liability.
We cannot rewind the clock. We can, however, stop pretending that generic scanners and annual compliance checklists are enough. We need practical, local, intelligent tools that help developers and small teams actually see what is broken—without wasting their time.
Permi is one small example of that new wave. It will not solve every problem. But it points the way: away from noise, toward signal. Away from imported irrelevance, toward homegrown relevance. Away from panic, toward calm, methodical improvement.
The digital tsunami is here. It is time to build guardrails that actually work.
What has been your experience with security maturity gaps in Nigeria's fintech or mobile money space? Share your thoughts below. Let's talk solutions, not just problems.
Next in this series: Challenge #2 – High Volume of Common & Sophisticated Attacks (phishing, ransomware, identity theft, and the tools that can help cut through the noise). Watch out for next series.
Top comments (0)