Flutterwave: How BOLA (not Tinubu) Serves As Gateway For Hackers

The incessant cyber security breaches affecting Flutterwave, one of Nigeria's most valued Fintech companies, are now the norm, and the amounts of money that cyber criminals gain from these attacks are staggering. I know that many people are eager to get answers to the following questions:

1. Who are the cyber criminals?
2. What are the attack methods?
3. Can these attacks be stopped?
4. Is doing business with Flutterwave safe?

I will answer these and many more questions in this article.

1. WHO ARE THE CYBER CRIMINALS: According to court records, the cyber criminals launching these attacks consist of internal staff and stand-alone individuals, and some of them are currently facing charges in court.

2. WHAT ARE THE ATTACK METHODS: The method that these cyber criminals use is called BOLA, the abbreviation of "Broken Object Level Authorization". This is the method of attack in which a legitimate user of an application sniffs the API requests and responses while using the application, in order to learn its internal workings, such as the authentication scheme, and to get the full request template, with the intent of forging his or her own requests to steal money etc. In the case of Flutterwave, the API key is the target. Armed with this API key, a cyber criminal can transfer money to any bank account of their choice worldwide, including mobile money.

3. CAN THESE ATTACKS BE STOPPED: The answer is no. These attacks can be reduced when cyber security experts are consulted during any Fintech application development, meaning only merchants can secure their API keys. Flutterwave can't detect when an API key is stolen.

4. IS DOING BUSINESS WITH FLUTTERWAVE SAFE: Using Flutterwave as your payment gateway is 100 percent safe. The cyber insecurity is inside every individual application that uses any payment gateway, be it Flutterwave, Paystack, Korapay etc. The problem is generic across payment gateways; it is just that Flutterwave customer account breaches always hit the news due to its position as a major player in the Fintech industry in Nigeria and the world.

If all application developers can work with cyber security experts, then our Fintech industry will be safe. What we currently have are copy-and-paste application developers who do not take the security of their applications into consideration before release. To know the degree of quackery of these application developers, just download the Android application called "Dexplorer" from the Google Play Store, and you will be able to browse the internal components of any Android application. You will be amazed at the number of API keys that our application developers have left insecure inside source code, especially in cryptocurrency exchange and banking applications.

***Ayanbe Francis Uzezi is a Cyber security consultant.
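A pre-release check for the hard-coded API keys described above, as an added example that is not part of the original article: it scans an application's own source tree for strings shaped like payment-gateway secret keys and reports them in redacted form. The key prefixes, the file suffixes and the sample values are assumptions made for this example.

```python
import re
from pathlib import Path

# Assumed key prefixes (not taken from the article): Flutterwave secret keys
# start with FLWSECK- or FLWSECK_TEST-, Paystack secret keys with sk_live_/sk_test_.
SECRET_PATTERNS = {
    "flutterwave-secret": re.compile(r"FLWSECK(?:_TEST)?-[0-9A-Za-z]{12,}(?:-X)?"),
    "paystack-secret": re.compile(r"\bsk_(?:live|test)_[0-9A-Za-z]{20,}"),
}
# Assumed set of file types worth scanning in a mobile or web client project.
SCANNED_SUFFIXES = {".java", ".kt", ".xml", ".json", ".properties", ".gradle", ".js"}


def redact(value, keep=12):
    """Show only enough of a match to locate it; never log the whole key."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text, origin="<memory>"):
    """Return (origin, line_no, rule, redacted_match) for each embedded key."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append((origin, line_no, rule, redact(match.group())))
    return findings


def scan_tree(root):
    """Scan source and resource files under root; a release gate fails if non-empty."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in SCANNED_SUFFIXES:
            findings += scan_text(path.read_text(errors="replace"), str(path))
    return findings


# Constructed sample: the key values below are made up for this example.
SAMPLE_SOURCE = '''\
public final class PaymentConfig {
    static final String PUBLIC_KEY = "FLWPUBK_TEST-0123456789abcdef0123456789abcdef-X";
    static final String SECRET_KEY = "FLWSECK_TEST-0123456789abcdef0123456789abcdef-X";
    static final String BACKUP = "sk_test_0123456789abcdef0123456789abcdef01234567";
}
'''

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE, "PaymentConfig.java"):
        print(*finding, sep=":")
```

A finding means the key belongs on a server the merchant controls rather than in the shipped client, and that the exposed key should be rotated.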