Zimbabwe’s government faces off against its tech community over internet restrictions

After days of intermittent blackouts on the order of Zimbabwe’s Minister of State for National Security, ISPs have restored connectivity through a judicial order issued Monday.

The cyber-affair adds Zimbabwe to a growing list of African countries—including Cameroon, Congo, and Ethiopia—whose governments have restricted internet expression in recent years.

The debacle demonstrates how easily internet access—a baseline for all tech ecosystems—can be taken away at the hands of the state.  

It also provides another case study for techies and ISPs regaining their cyber rights. Internet and social media are back up in Zimbabwe — at least for now.   

Protests lead to blackout

Similar to net shutdowns around the continent, politics and protests were the catalyst. Shortly after the government announced a dramatic increase in fuel prices on January 12, Zimbabwe’s Congress of Trade Unions called for a national strike.

Web and app blackouts in the Southern African country followed demonstrations that broke out in several cities. A government crackdown ensued with deaths reported.

“That began Monday [January 14]. A few demonstrations around the country become violent…Then on Tuesday morning there was a block on social media: Facebook, Twitter, and WhatsApp,” TechZim CEO Tinashe Nyahasha told TechCrunch on a call from Harare.

On January 15, Zimbabwe’s largest mobile carrier Econet Wireless confirmed via SMS and a message from founder Strive Masiyiwa that it had complied with a directive from the Minister of State for National Security to shut down the internet.

Net access was restored, taken down again, then restored, but social media sites remained blocked through January 21.

Data provided to TechCrunch from Oracle’s Internet Intelligence research unit confirm the net blackouts on January 16 and 18.

VPNs, government response

Throughout the restrictions, many of Zimbabwe’s citizens and techies resorted to VPNs and workarounds to access net and social media, according to Nyahasha.

Throughout the interruption TechZim ran updated stories on ways to bypass the cyber restrictions.

The Zimbabwean government’s response to the net shutdown moved from denial—one minister referred to it as a congestion problem on local TV—to presidential spokesperson George Charamba invoking its necessity for national security reasons.

Then President Dambudzo Mnangagwa took to Twitter to announce he would skip Davos meetings and return home to address the country’s unrest—a move panned online given his government’s restrictions on citizens using social media.

The Embassy of Zimbabwe in Washington, DC and Ministry for ICT did not respond to TechCrunch inquiries on the country’s internet and app restrictions.

Court ruling, takeaways

On Monday this week, Zimbabwe’s high court ordered an end to any net restrictions, ruling only the country’s president, not the National Security Minister, could legally block the internet. Econet’s Zimbabwe Chief of Staff Lovemore Nyatsine and sources on the ground confirmed to TechCrunch that net and app access were back up Tuesday.  

Zimbabwe’s internet debacle created yet another obstacle for the country’s tech scene. The 2018 departure of 37-year President Robert Mugabe—a hero to some and progress-impeding dictator to others—sparked hope for the lifting of long-time economic sanctions on Zimbabwe and optimism for its startup scene.

Some of that has been dashed by subsequent political instability and worsening economic conditions since Mugabe’s departure, but not all of it, according to TechZim CEO Tinashe Nyahasha.   

“There was momentum and talk of people coming home and investing seed money. That’s slowed down…but that momentum is still there. It’s just not as fast as it could have been if the government had lived up to the expectations,” he said.  

Of the current macro-environment for Zimbabwe’s tech sector, “The truth is, it’s bad but it has been much worse,” Tinashe said.

With calls for continued protests, Monday’s court ruling is likely not the last word on the internet face-off between the government and Zimbabwe’s ISPs and tech community.

Per the ruling, a decision to restrict net or apps will have to come directly from Zimbabwe’s president, who will weigh the pros and cons.

On a case-by-case basis, African governments may see that the economic and reputational costs of internet shutdowns exceed whatever benefits they seek to achieve.

Cameroon’s 2017 shutdown, covered by TechCrunch, cost businesses millions and spurred international condemnation when local activists created a #BringBackOurInternet campaign that ultimately succeeded.

In the case of Zimbabwe, global internet rights group Access Now sprang into action, attaching its #KeepItOn hashtag to calls for the country’s government to reopen cyberspace soon after digital interference began.

Further attempts to restrict net and app access in Zimbabwe will likely revive what’s become a somewhat ironic cycle for cyber shutdowns. When governments cut off internet and social media access, citizens still find ways to use internet and social media to stop them.

Youth-run agency AIESEC exposed over 4 million intern applications

AIESEC, a non-profit that bills itself as the “world’s largest youth-run organization,” exposed more than four million intern applications with personal and sensitive information on a server without a password.

Bob Diachenko, an independent security researcher, found an unprotected Elasticsearch database containing the applications on January 11, a little under a month after the database was first exposed.

The database contained “opportunity applications,” which included the applicant’s name, gender, date of birth, and the reasons why the person was applying for the internship, according to Diachenko’s blog post on SecurityDiscovery, shared exclusively with TechCrunch. The database also contains the date and time when an application was rejected.

AIESEC, which has more than 100,000 members in 126 countries, said the database was inadvertently exposed 20 days prior to Diachenko’s notification — just before Christmas — as part of an “infrastructure improvement project.”

The database was secured the same day of Diachenko’s private disclosure.

Laurin Stahl, AIESEC’s global vice president of platforms, confirmed the exposure to TechCrunch but claimed that no more than 40 users were affected.

Stahl said that the agency had “informed the users who would most likely be on the top of frequent search results” in the database — some 40 individuals, he said — after the agency found no large requests of data from unfamiliar IP addresses.

“Given the fact that the security researcher found the cluster, we informed the users who would most likely be on the top of frequent search results on all indices of the cluster,” said Stahl. “The investigation we did over the weekend showed that no more than 50 data records affecting 40 users were available in these results.”

Stahl said that the agency informed Dutch data protection authorities of the exposure three days after the exposure.

“Our platform and entire infrastructure is still hosted in the EU,” he said, despite its recent relocation to headquarters in Canada.

Like companies and organizations, non-profits are not exempt from European rules where EU citizens’ data is collected, and can face a fine of up to €20 million or four percent — whichever is higher — of their global annual revenue for serious GDPR violations.

It’s the latest case of an Elasticsearch instance going unprotected.

A massive database leaking millions of real-time SMS text messages was found and secured last year, as were exposed databases belonging to a popular massage service and an emoji app that leaked phone contact lists on five million users.

Google starts pulling unvetted Android apps that access call logs and SMS messages

Google is removing apps from Google Play that request permission to access call logs and SMS text message data but haven’t been manually vetted by Google staff.

The search and mobile giant said it is part of a move to cut down on apps that have access to sensitive calling and texting data.

Google said in October that Android apps will no longer be allowed to use the legacy permissions as part of a wider push for developers to use newer, more secure and privacy-minded APIs. Many apps request access to call logs and texting data to verify two-factor authentication codes, for social sharing, or to replace the phone dialer. But Google acknowledged that this level of access can be and has been abused by developers who misuse the permissions to gather sensitive data — or mishandle it altogether.

“Our new policy is designed to ensure that apps asking for these permissions need full and ongoing access to the sensitive data in order to accomplish the app’s primary use case, and that users will understand why this data would be required for the app to function,” wrote Paul Bankhead, Google’s director of product management for Google Play.

Any developer wanting to retain the ability to ask a user’s permission for calling and texting data has to fill out a permissions declaration.

Google will review the app and why it needs to retain access, and will weigh several considerations, including why the developer is requesting access, the user benefit of the feature that’s requesting access and the risks associated with having access to call and texting data.

Bankhead conceded that under the new policy, some use cases will “no longer be allowed,” rendering some apps obsolete.

So far, tens of thousands of developers have either submitted new versions of their apps that remove the need to access call and texting permissions or have submitted a permissions declaration, Google said.

Developers with a submitted declaration have until March 9 to receive approval or remove the permissions. In the meantime, Google has a full list of permitted use cases for the call log and text message permissions, as well as alternatives.

The last two years alone have seen several high-profile cases of Android apps or other services leaking or exposing call and text data. In late 2017, popular Android keyboard ai.type exposed a massive database of 31 million users, including 374 million phone numbers.

Two-factor authentication can save you from hackers

If you find passwords annoying, you might not like two-factor authentication much. But security experts say it’s one of the best ways to protect your online accounts.

Simply put, two-factor authentication adds a second step in your usual log-in process. Once you enter your username and password, you’ll be prompted to enter a code sent as a text message or an email, or sometimes as a push notification on your phone.

In all, it usually only adds a few extra seconds to your day.

Two-factor authentication (sometimes called “two-step verification”) combines something you know — your username and password, with something you have — such as your phone or a physical security key, or even something you are — like your fingerprint or another biometric, as a way of confirming that a person is authorized to log in. You might not have thought much about it, but you do this more than you think. Whenever you withdraw money from an ATM, you insert your card (something you have) and enter your PIN (something you know) — which tells the bank that it’s you. Even when you use your bank card on the internet, often you still need something that you know — such as your ZIP or postal code.

Having a second step of authentication makes it so much more difficult for a hacker or a thief to break into your online accounts.

Why is two-factor important?

Gone are the days where your trusty password can protect you. Even if you have a unique password for every website you use, there’s little in the way to stop malware on your computer (or even on the website!) from scraping your password and using it again. Or, if someone sees you type in your password, they can memorize it and log in as you.

Don’t think it’ll happen to you? So-called “credential stuffing” or brute-force attacks can make it easy for hackers to break in and hijack people’s online accounts in bulk. That happens all the time. Dunkin’ Donuts, Warby Parker, GitHub, AdGuard, the State Department — and even Apple iCloud accounts have all fallen victim to credential-stuffing attacks in recent years. Only two-factor accounts are protected from these automated log-in attacks.

Two-factor also protects you against phishing emails. If someone sends you a dodgy email that tries to trick you into logging in with your Google or Facebook username and password to a fake site, for example, two-factor can still protect you. Only the legitimate site will send you a working two-factor code.

Enabling two-factor is a good start, but it’s not a panacea. As much as it can prevent hackers from logging in as you, it doesn’t mean that your data stored on the server is protected from hackers breaching a server elsewhere, or a government demanding that the company turns over your data.

And some methods of two-factor are better than others. As you’ll see.

The best way to two-factor your accounts

Let’s get something out of the way real quick. Even if you want to go all-out and secure your accounts, you’ll quickly realize many sites and services just don’t support two-factor. You should tell them to! You can see if a website supports two-factor here.

But as credential-stuffing attacks rise and data breaches have become a regular occurrence, many sites and services are doing everything they can to protect their users.

There are four main types of two-factor authentication, ranked in order of effectiveness:

A text message code: The most common form of two-factor is a code sent by SMS. It doesn’t require an app or even a smartphone, just a single bar of cell service. It’s very easy to get started. But two-factor by text message is the least secure method. These days, hackers can easily exploit weaknesses in the phone networks to steal SMS two-factor codes. Because SMS messages aren’t encrypted, they can also just leak. More recently, researchers found that this can be done on a massive scale. Also, if your phone is lost or stolen, you have a problem. A text message code is better than not using two-factor at all, but there are far more secure options.

An authenticator app code: This works similarly to the text message, except you’ll have to install an app on your smartphone. Any time you log in, you’ll get a code sent to your app. There are many authenticator apps to choose from, like Authy, Duo, and Google Authenticator. The difference here is that they are sent over an HTTPS connection, making it near-impossible for anyone to snoop in and steal the code before you use it. But if you lose your phone or have malware on your phone — especially Android devices — those codes can be stolen once they arrive on your device.

A biometric: Smile! You’re on camera. Often, in industrial or enterprise settings, you’ll be asked for your biometrics, such as facial recognition, an iris scan or, more likely, a fingerprint. These usually require specialized hardware (and software) and are less common. A downside is that these technologies can be spoofed — such as cloning a fingerprint or creating a 3D-printed head.

A physical key: Last but not least, a physical key is considered the strongest of all two-factor authentication methods. Google said that it hasn’t had a single confirmed account takeover since rolling out security keys to its staff. Security keys are USB sticks that you can keep on your keyring. When you log in to your account, you are prompted to insert the cryptographically unique key into your computer and that’s it. Even if someone steals your password, they can’t log in without that key. And phishing pages won’t work because only the legitimate sites support security keys. These keys are designed to thwart even the smartest and most resourceful attackers, like nation-state hackers.

There are several security keys to choose from: Google has its Advanced Protection Program for high-risk users, like politicians and journalists, and its Google Titan key for everyone else. But many security experts will say Yubikey is the gold standard of security keys. There are a few things to note. Firstly, not many sites support security keys yet, but most of the major companies do — like Microsoft, Facebook, Google and Twitter. Usually, when you set up a physical key, you can’t revert to a text message code or a biometric. It’s a security key, or nothing. A downside is that you will have to buy two — one as a backup — but security keys are inexpensive. Also, if one is stolen, there’s no way to determine your account from the key itself. But, if you lose them both, you might be done for. Even the company that stores your data might not be able to get you back into your account. So, be careful and keep one safe.

That’s what you need to know. You might want to create a checklist of your most valuable accounts, and begin switching on two-factor authentication starting with them. In most cases, it’s straightforward — but you can always head to this website to learn how to enable two-factor on each website. You might want to take an hour or so to go through all of your accounts — so put on a pot of coffee and get started.

You should see two-factor as an investment in security: a little of your time today, to save you from a whole world of trouble tomorrow.

Google is killing off Allo, its latest messaging app flop

It’s official: Google is killing off Allo.

The messaging app was only launched in September 2016 but it was pretty much flawed from the word go with limited usage. Google was, once again, painfully late to the messaging game.

The company said it had ceased work on the service earlier this year, and now it has announced that it’ll close down in March of next year.

“Allo will continue to work through March 2019 and until then, you’ll be able to export all of your existing conversation history from the app,” Google said in a blog post. “We’ve learned a lot from Allo, particularly what’s possible when you incorporate machine learning features, like the Google Assistant, into messaging.”

Google said it wants “every single Android device to have a great default messaging experience,” but the fact remains that the experience on Android massively lags iOS, where Apple’s iMessage service offers a slick experience with free messages, calling and video between iPhone and iPad users.

Instead of Allo, Google is pushing ahead with RCS (Rich Communication Services), an enhanced SMS standard that could allow iMessage-like communication between Android devices.

But could is the operative word. The main caveat with RCS is that carriers must develop their own messaging apps that work with the protocol and connect to other apps, while the many Android OEMs also need to hop on board with support.

As I wrote earlier this year, with RCS, Google is giving carriers a chance to take part in the messaging boom, rather than be cut out as WhatsApp, Messenger, iMessage and others take over. But the decision is tricky for carriers, who have traditionally tightly held any form of income until the death. That’s because they won’t directly make money from consumers via RCS, though it allows them to keep their brand and figure out other ways to generate income, such as business-related services.

Verizon has already signed up, for one, but tracking the other supporters worldwide is tricky. Another problem: RCS is not encrypted, which flies in the face of most messaging apps on the market today.

Elsewhere, Google is keeping Duo — the video chat service that launched alongside Allo — while it continues to develop Hangouts into an enterprise-focused service, much like Slack.

A leaky database of SMS text messages exposed password resets and two-factor codes

A security lapse has exposed a massive database containing tens of millions of text messages, including password reset links, two-factor codes, shipping notifications and more.

The exposed server belongs to Voxox (formerly Telcentris), a San Diego, Calif.-based communications company. The server wasn’t protected with a password, allowing anyone who knew where to look to peek in and snoop on a near-real-time stream of text messages.

For Sébastien Kaul, a Berlin-based security researcher, it didn’t take long to find.

Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains. Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.

An example of one text message containing a user’s phone number and their Microsoft account reset code. (Image: TechCrunch)

Most don’t think about what happens behind the scenes when you get a text message from a company, whether it’s an Amazon shipping notification or a two-factor code for your login. Often, app developers — like HQ Trivia and Viber — will employ technologies provided by firms like Telesign and Nexmo, either to verify a user’s phone number or to send a two-factor authentication code, for example. But it’s firms like Voxox that act as a gateway, converting those codes into text messages to be passed on to the cell networks for delivery to the user’s phone.

After an inquiry by TechCrunch, Voxox pulled the database offline. At the time of its closure, the database appeared to have a little over 26 million text messages year-to-date. But the sheer volume of messages processed through the platform per minute — as seen through the database’s visual front-end — suggests that this figure may be higher.

Each record was meticulously tagged and detailed, including the recipient’s cell phone number, the message, the Voxox customer who sent the message and the shortcode they used.

Among our findings from a cursory review of the data:

  • We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
  • Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
  • Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
  • Many messages included two-factor verification codes for Google accounts in Latin America;
  • A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
  • We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
  • Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
  • We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
  • Yahoo also used the service to send some account keys by text message;
  • And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.

“Yeah, this is very bad,” said Dylan Katz, a security researcher, who reviewed some of the findings.

The exposure of personal information and phone numbers notwithstanding, the ability to access two-factor codes in near-real-time could have put a countless number of accounts at risk of hijack. In some cases, websites will only require a phone number to reset an account. With access to the text message through the exposed database, hijacking an account could take seconds.

“My real concern here is the potential that this has already been abused,” said Katz. “This is different from most breaches, due to the fact the data is temporary, so once it’s offline any data stolen isn’t very useful.”

Kevin Hertz, Voxox’s co-founder and chief technology officer, said in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”

Many companies, including Facebook, Twitter and Instagram, have rolled out app-based two-factor authentication to thwart SMS-based verification, which has long been seen as vulnerable to interception.

If ever there was an example, this latest exposure would serve well.

Nigerian data analytics company Terragon acquires Asian mobile ad firm Bizense

Nigerian consumer data analytics firm Terragon Group has acquired Asian mobile marketing company Bizense in a cash and stock deal.

Based in Singapore, with operations in India and Indonesia, Bizense specializes in “mobile ad platform[s] for Telco’s, large publishers, and [e-commerce] ad networks” under its proprietary Adatrix platform—according to its website and a release.

The price of the acquisition was not disclosed.

The company lists audience analytics, revenue optimization, and white label SSP services among its client offerings.

Headquartered in Lagos, Terragon’s software services give its clients — primarily telecommunications and financial services companies — data on Africa’s growing consumer markets.

Products allow users to drill down on multiple combinations of behavioral and demographic information and reach consumers through video and SMS campaigns while connecting to online sales and payments systems.

Terragon clients include local firms, such as Honeywell, and global names including Unilever, DHL, and international agribusiness firm Olam.

The company’s founder and CEO Elo Umeh sees cross-cutting purposes for Terragon services in other markets.

“Most of the problems we seek to solve for our clients in Africa also exist in places like South East Asia and Latin America,” Umeh told TechCrunch.

The Bizense acquisition doesn’t lessen Terragon’s commitment to its home markets, according to Umeh.

“We are…super focused on Africa right now, building out proprietary platforms powered by data and artificial intelligence to help Telco’s, SMEs, FMCGs and financial institutions…increase their customer base and drive more transaction volumes,” he said.

Terragon’s CEO would not divulge the acquisition value, saying only that it consisted of “a combination of cash and stocks, with the actual amount not disclosed.”

In an interview with TechCrunch earlier this year, Umeh confirmed the company was looking into global expansion.

Terragon already has a team of 100 employees across Nigeria, Kenya, Ghana and South Africa.

Umeh indicated the company is contemplating further expansion in Asia and Latin America, where Terragon already has consumer data research and development teams.

With the Bizense acquisition Terragon plans to “build out platforms, tools and machine learning models to help businesses…acquire new customers and get existing customers to do more.”

Bizense founder and CEO Amit Khemchandani will be involved in this process. “We are excited about the next phase of this journey as we innovate for Africa and other emerging markets,” he said.

With the exception of South African media and investment giant Naspers, acquisitions of any kind—intra-continental or international—are a rarity for Sub-Saharan African startups and tech companies.

Terragon’s acquisition in Singapore, and other moves made by several other Nigerian startups this year, could change that. African financial technology companies like Mines and Paga announced their intent to expand in and outside Africa. They would join e-commerce site MallforAfrica, which went global in July in a partnership with DHL.

Epic Games just gave a perk for folks to turn on 2FA; every other big company should, too

Let’s talk a bit about security.

Most internet users around the world are pretty crap at it, but there are basic tools that companies have, and users can enable, to make their accounts, and lives, a little bit more hacker-proof.

One of these — two-factor authentication — just got a big boost from Epic Games, the maker of what is currently The Most Popular Game In The World: Fortnite.

Epic is already getting a ton of great press for what amounts to very little effort.

The company is giving a new emote (the victory dance you’ve seen emulated in airports, playgrounds and parks by kids and tweens around the world) to anyone who turns on two-factor authentication. It’s one small (dance) step for Epic, but one giant leap for securing their users’ accounts.

The thing is any big company could do this (looking at you Microsoft, Apple, Alphabet and any other company with a huge user base).

Apparently the perk of not getting hacked isn’t enough for most users, but if you give anyone the equivalent of a free dance, they’ll likely flock to turn on the feature.

It’s not that two-factor authentication is a panacea for all security woes, but it does make life harder for hackers. Two-factor authentication works on codes, basically tokens, that are either sent via text or through an over-the-air authenticator (OTA). Text messaging is a pretty crap way to secure things, because the codes can be intercepted, but OTAs — like Google Authenticator or Authy — are sent via https (pretty much bulletproof, but requiring an app to use).

So using SMS-based two-factor authentication is better than nothing, but it’s not Fort Knox (however, these days, even Fort Knox probably isn’t Fort Knox when it comes to security).

Still, anything that makes things harder for crimes of opportunity can help ease the security burden for companies large and small, and the consumers and customers that love them (or at least are forced to pay and use them).

I’m not sure what form the perk could or should take. Maybe it’s the promise of a free e-book or a free download or an opportunity to have a live chat with the celebrity, influencer or athlete of a user’s choice. Whatever it is, there’s clearly something that businesses could do to encourage greater adoption.

Self-preservation isn’t cutting it. Maybe an emote will do the trick.

MallforAfrica goes global, Kobo360 and Sokowatch raise VC, France explains its $76M fund

B2B e-commerce company Sokowatch closed a $2 million seed investment led by 4DX Ventures. Others to join the round were Village Global, Lynett Capital, Golden Palm Investments, and Outlierz Ventures.

The Kenya-based company aims to shake up the supply chain market for Africa’s informal retailers.

Sokowatch’s platform connects Africa’s informal retail stores directly to local and multi-national suppliers—such as Unilever and Procter and Gamble—by digitizing orders, delivery, and payments with the aim of reducing costs and increasing profit margins.

“With both manufacturers and the small shops, we’re becoming the connective layer between them, where previously you had multiple layers of middle-men from distributors, sub-distributors, to wholesalers,” Sokowatch founder and CEO Daniel Yu told TechCrunch.

“The cost of sourcing goods right now…we estimate we’re cutting that cost by about 20 percent [for] these shopkeepers,” he said.

“There are millions of informal stores across Africa’s cities selling hundreds of billions worth of consumer goods every year,” said Yu.

These stores can use Sokowatch’s app on mobile phones to buy wares directly from large suppliers, arrange for transport, and make payments online. “Ordering on SMS or Android gets you free delivery of products to your store, on average, in about two hours,” said Yu.

Sokowatch generates revenues by earning “a margin on the goods that we’re selling to shopkeepers,” said Yu. On the supplier side, they also benefit from “aggregating demand…and getting bulk deals on the products that we distribute.”

The company recently launched a line of credit product to extend working capital loans to platform clients. With the $2 million round, Sokowatch—which currently operates in Kenya and Tanzania—plans to “expand to new markets in East Africa, as well as pilot additional value add services to the shops,” said Yu.

MallforAfrica and DHL launched MarketPlaceAfrica.com: a global e-commerce site for select African artisans to sell wares to buyers in any of DHL’s 220 delivery countries.

The site will prioritize fashion items — clothing, bags, jewelry, footwear and personal care — and crafts, such as pictures and carvings. MallforAfrica is vetting sellers for MarketPlace Africa online and through the Africa Made Product Standards association (AMPS), to verify made-in-Africa status and merchandise quality.

“We’re starting off in Nigeria and then we’ll open in Kenya, Rwanda and the rest of Africa, utilizing DHL’s massive network,” MallforAfrica CEO Chris Folayan told TechCrunch about where the goods will be sourced. “People all around the world can buy from African artisans online, that’s the goal,” he said.

Current listed designer products include handbags from Chinwe Ezenwa and Tash women’s outfits by Tasha Goodwin.

In addition to DHL for shipping, MarketPlace Africa will utilize MallforAfrica’s e-commerce infrastructure. The startup was founded in 2011 to solve challenges global consumer goods companies face when entering Africa.

French President Emmanuel Macron unveiled a $76 million African startup fund at VivaTech 2018 and TechCrunch paid a visit to the French Development Agency (AFD) — who will administer the new fund — to get details on how it will work.

The $76 million (or €65 million) will divvy up into three parts, AFD Digital Task Team Leader Christine Ha told TechCrunch.

“There are €10 million [$11.7 million] for technical assistance to support the African ecosystem… €5 million will be available as interest-free loans to high-potential, pre-seed startups…and…€50 million [$58 million] will be for equity-based investments in series A to C startups,” explained Ha during a meeting in Paris.

The technical assistance will be distributed in the form of grants to accelerators, hubs, incubators and coding programs. The pre-seed startup loans will be issued in amounts up to $100,000 “as early, early funding to allow entrepreneurs to prototype, launch and experiment,” said Ha.

The $58 million in VC startup funding will be administered through Proparco, a development finance institution — or DFI — partially owned by the AFD. “Proparco will take equity stakes, and will be a limited partner when investing in VC funds,” said Ha.

Startups from all African countries can apply for a piece of the $58 million by contacting any of Proparco’s Africa offices.

The $11.7 million technical assistance and $5.8 million loan portions of France’s new fund will be available starting in 2019. On implementation, AFD is still “reviewing several options…such as relying on local actors through [France’s] Digital Africa platform,” said Ha. President Macron followed up the Africa fund announcement with a trip to Nigeria last month.

Nigerian logistics startup Kobo360 was accepted into Y Combinator’s 2018 class and gained some working capital in the form of $1.2 million in pre-seed funding led by Western Technology Investment.

The startup — with an Uber-like app that connects Nigerian truckers to companies with freight needs — will use the funds to pay drivers online immediately after successful hauls.

Kobo360 is also launching the Kobo Wealth Investment Network, or KoboWIN — a crowd-invest, vehicle financing program. Through it, Kobo drivers can finance new trucks through citizen investors and pay them back directly (with interest) over a 60-month period.

On Kobo360’s utility, “We give drivers the demand and technology to power their businesses,” CEO Obi Ozor told TechCrunch. “An average trucker will make $3,500 a month with our app. That’s middle class territory in Nigeria.”

Kobo360 has served 324 businesses, aggregated a fleet of 5480 drivers and moved 37.6 million kilograms of cargo since 2017, per company stats. Top clients include Honeywell, Olam, Unilever, and DHL.

Ozor thinks the startup’s asset-free, digital platform and business model can outpace traditional long-haul 3PL providers in Nigeria by handling more volume at cheaper prices.

“Logistics in Nigeria have been priced based on the assumption drivers are going to run empty on the way back…When we now match freight with return trips, prices crash.”

Kobo360 will expand in Togo, Ghana, Cote D’Ivoire and Senegal.

And finally, applications are open for TechCrunch’s Startup Battlefield Africa, to be held in Lagos, Nigeria, December 11. Early-stage African startups have until September 3 to apply here.

More Africa Related Stories @TechCrunch

· CowryWise micro-savings service opens high-yield government bonds to everyday Nigerians

African Tech Around the Net

· More Than Half of Sub-Saharan Africa to Be Connected to Mobile by 2025, Finds New GSMA Study
· Ethiopia’s Gebeya acquires Coders4Africa to accelerate its growth
· Rwanda, Andela partner to launch pan-African tech hub in Kigali
· Google’s free public Wi-Fi initiative expanded to Africa
· Accounteer wins 2018 MEST Entrepreneur challenge
· SafeBoda completes expansion to Kenya, now live in Nairobi
· Uganda government sued over social media tax

Twitter posts record $100M profit but loses 1M users

The social media apocalypse is on us this week. Days after Facebook’s stock took a record $123 billion plunge on a poor earnings report, Twitter’s shares are down nearly 20 percent after the company announced falling user numbers.

The microblogging service recorded a drop of one million monthly users in Q2, with 335 million overall and 68 million in the U.S. International users stayed consistent, with U.S. numbers down from 69 million in the previous quarter.

Bloomberg reported that Twitter’s share price sank by 17 percent in early trading following the earnings announcement.

The market seems spooked that Twitter has failed to grow in the U.S. Indeed, one year ago it recorded 68 million users on home turf, and while it has grown its international presence by a fairly modest 3.5 percent over that period, there are doubts as to whether Twitter can increase its audience. The company itself said it expects to see its monthly active user count drop by “mid-single-digit millions.”

Twitter has increased its efforts to find and suspend fake accounts, which is said to have doubled over the past year, but it also said that it didn’t expect that to impact user numbers this quarter.

“When we suspend accounts, many of the removed accounts have already been excluded from MAU or DAU, either because the accounts were already inactive for more than one month at the time of suspension, or because they were caught at signup and were never included in MAU or DAU,” Twitter further explained in its release.

The company did say, though, that its work with SMS carriers and its reallocation of resources are the reasons why it is forecasting more user number declines.

While Twitter can (just about) argue that its daily user number grew by 11 percent in the quarter — a little higher than 10 percent in Q1 — the company doesn’t actually disclose this number.

The stock drop will be frustrating for executives because, in its favor, Twitter had a record quarter of profit. GAAP net income came in at $100 million with revenue climbing 24 percent year-on-year to reach $711 million. Adjusted EBITDA came in at $265 million — Twitter is predicting it will decline to $215-$235 million in the next quarter.

That profit was above analyst forecasts of $70 million but, following Facebook’s epic crash this week, investors want to see growth potential… and that means more users. Unfortunately, that’s Twitter’s Achilles heel.
