Bureaunia Chronicles: Episode 11
“Someone Else Is Taking My Allowance.”
I’m Mariamix, enrolled in the digital G2P system of Bureaunia. I am excited to be a pioneer in my country’s digital transformation of public service delivery. It will make our lives easier, cheaper, and better!
I went this morning to Paulix’s shop to buy rice. I whispered the price to my phone, and uttered the PIN even more softly. I’d been taught that nobody other than my phone should hear the PIN. I do this every time. The phone spoke back to me, but this time with a devastating message: “Payment not successful!”
I thought I made a mistake. After all, I am old, but a pioneer nonetheless!
I sought Paulix’s help to check my balance. “Zero,” he said. But the entire 1,000 Burs was withdrawn with the ‘successfully verified’ text.
My allowance came three days ago but I was sick and couldn’t check it. Today, I see the 1,000 Burs I needed for groceries, medicine, rent – all gone. The system said it was me. But I was sick, the whole time.
I used my last coins for transport to the Social Protection office. “Come back tomorrow. The fraud investigation team only works two days a week,” I was told. I had nowhere else to turn to.
How Did This Happen?
BurePay checked Mariamix’s identity only once, when she first enrolled. After that, everything rested on a four-digit PIN. No fingerprint at withdrawal. No voice alert. Just four numbers, quietly spoken or typed into her phone, easy for anyone nearby to overhear. Even a fully literate and digitally fluent user is vulnerable in such a setup.
Distraction, habit, or simple human error is enough. Security cannot depend on perfect user behavior. The system also assumed ideal environments – quiet, private spaces. But crowds gather, lines form, and people stand close everywhere. In Paulix’s shop, customers stand shoulder to shoulder. There is no privacy.
Once the PIN was compromised, the thief could drain her account repeatedly. Each time, the system happily replied: “Verified.”
It’s Not Just Happening to Mariamix
This isn’t rare:
- South Africa saw fraud jump 32%.
- Kenya lost $230 million to identity theft.
- Latin America reports 79% of fraud through mobile phones.
Identity theft happens in wealthy countries too, but there’s established consumer protection. Banks and digital wallets reimburse victims when fraud is verified, and offer provisional credit while the investigation is under way. In Bureaunia, victims bear the loss. The World Bank points out “the difficulty of holding fraudsters to account.” This means institutions have little incentive to invest in fraud prevention. And so the loss often falls on the least protected while the criminal faces no consequence.
What Actually Works
Director Efficio from the Digital Transformation Office presents BurePay’s metrics to Governor Regulix, pointing to other countries showing possible solutions to the crisis.
He pulls up Aadhaar. A citizen walks in, presses a finger, and a pension that once required forms, middlemen, and three trips to a district office arrives in seconds – no literacy required, no signature needed. India shifted from paper-based welfare to digital transfers, and public money started reaching real beneficiaries – faster and without middlemen. $37.8 billion (₹3.48 lakh crore) saved in a decade. One billion people brought into a system that finally recognises them.
And when fingers don’t work due to worn ridges and years of labour? The designers thought of that too. Iris, face, OTP — a considered fallback, not an afterthought.
M-Pesa doesn’t ask for a body at all. It watches the transaction, the pattern, the location, the hour, and flags what doesn’t fit before the money moves. In preventing SIM swap fraud, Safaricom let users lock their own line so replacement required a physical visit with ID and banks could verify in real time whether a SIM had recently changed. This way, M-Pesa ensured protection was built into the system, not handed to the user to figure out. This was key; as of 2024, of 32 million active M-Pesa users, only 3.6 million used the smartphone app. It was important for the system to be designed for the rest.
This is what Bureaunia needs to look at. Enrollment only proves who Mariamix is. It does not protect her every day. And that is what is needed.
What Bureaunia Must Build
Physical equity must precede digital equity. Without good data on fraud patterns there is no system that learns, no DPI that protects, no AI that helps. Bureaunia invested in reaching Mariamix. It invested nothing in protecting her once it reached her.
Bureaunia made one telling decision at the design stage: no certified device requirement at agent points. What it created was security outsourced to shop-level affordability.
- Multi-factor authentication: All withdrawals should require both PIN and biometric verification. Single-factor systems are structurally weak.
- Behavioral and geographic intelligence: Systems must learn normal user behavior and instantly flag anomalies (unusual locations, odd hours, or sudden distance jumps), triggering re-verification or automatic account freezing.
- Mandatory certified hardware: Every authorized agent must use certified fingerprint scanners. Security cannot depend on shop-level affordability.
- Accessible alerts: Use voice-based alerts in local languages. Feature-phone inboxes are often full, so users must receive regular prompts to clear their message boxes, or they may miss critical security warnings.
- User awareness and women’s empowerment: Awareness campaigns must stress PIN privacy, message confidentiality, and fraud recognition. They must also strengthen women’s financial autonomy, confidence, and control over their finances.
- Cooling-off protection: Introduce short transaction lock periods after withdrawals to prevent rapid, repeated theft.
- Repurpose and reinvent: Technology is meant to be for the people. Sometimes, it works against them. Nations need to recognize when the technology they have adopted isn’t doing what it is supposed to. India learned this with Aadhaar, where “critics and activists voiced strong concerns, citing media reports of significant security breaches and high rates of biometric failure.”
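One way the multi-factor, anomaly and cooling-off rules in the list above could combine into a single withdrawal decision. This is an added example, not code from the article or from any real payment system; every threshold, name and decision label in it is an assumption chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Illustrative assumptions, not values from the article.
COOLING_OFF = timedelta(minutes=30)   # lock period after an approved withdrawal
MAX_SPEED_KMH = 120.0                 # faster than this between two points is a distance jump
USUAL_HOURS = range(6, 21)            # 06:00-20:59 counts as a normal hour

@dataclass
class Withdrawal:
    when: datetime
    lat: float
    lon: float
    biometric_ok: bool                # False means only the PIN was presented

def km_between(a, b):
    """Great-circle (haversine) distance between two requests, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def decide(prev, req):
    """Return (decision, reasons) for req, given the last approved withdrawal."""
    reasons = []
    if prev is not None:
        gap = req.when - prev.when
        if gap < COOLING_OFF:         # rapid repeat: refuse whatever factors were shown
            return "LOCKED", ["inside cooling-off window"]
        if km_between(prev, req) / (gap.total_seconds() / 3600) > MAX_SPEED_KMH:
            reasons.append("sudden distance jump")
    if not req.biometric_ok:          # a PIN alone never releases money
        return "REVERIFY", reasons + ["biometric missing"]
    if req.when.hour not in USUAL_HOURS:
        reasons.append("odd hour")
    if len(reasons) >= 2:             # several anomalies at once: freeze the account
        return "FREEZE", reasons
    return ("REVERIFY" if reasons else "ALLOW"), reasons

def run_sample():
    """Constructed sequence: one approved withdrawal at 10:00, then four later attempts."""
    t0 = datetime(2024, 1, 1, 10, 0)
    first = Withdrawal(t0, 0.0, 0.0, True)
    attempts = [
        Withdrawal(t0 + timedelta(minutes=10), 0.0, 0.0, False),  # rapid repeat
        Withdrawal(t0 + timedelta(hours=3), 0.0, 0.0, False),     # PIN only
        Withdrawal(t0 + timedelta(hours=2), 5.0, 0.0, True),      # ~556 km in 2 h
        Withdrawal(t0 + timedelta(hours=16), 20.0, 0.0, True),    # 02:00 and ~2224 km away
    ]
    return [decide(first, w)[0] for w in attempts]
```
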
When No One Listens
Governor Regulix announced: “Five million verified identities.” Director Efficio showed efficiency charts. There was applause and plaudits. Neither mentioned fraud rates. Neither discussed what happens after verification.
Mariamix walked home hungry that day. She thought she was a pioneer. In reality, she was a guinea pig.
Policymakers championed “financial inclusion” while tolerating fragile security. The result? Theft from the poorest and most marginalized.
They feared stronger authentication might exclude the vulnerable, but what’s more exclusionary than losing your food budget to a stolen PIN? Poor security for the poor only results in poor service.
With incidents such as the one that Mariamix experienced, Bureaunia is slowly waking up to the reality that better service requires stronger security – especially for those most in need. Bureaunia is also cautious, recognizing that sometimes the best innovation is reinvention, and knowing when technology divides rather than unites.
In the next episode, we see what happens when the grievance system moves as slowly as the fraud moves fast.
Anir Chowdhury