Through partnerships, phone companies have managed to integrate mobile money services with banks, allowing customers to seamlessly move money back and forth.
| File | Nation Media GroupTechnology
Premium
M-Pesa: Why you must always log out before changing SIM card
Picture this. You are busy at work meeting your tight deadlines, then you are interrupted by a text message that sends you reeling.
You have just sent a stranger or rather, someone pretending to be you has just sent the little money you had in your M-Pesa. And just like that, your money is gone in an instant.
Well, this happened to one of these writers one Thursday afternoon last month.
The writer did not imagine that his money was being drained and being sent to people he had no idea who they were.
It all started after he gave a colleague his old handset. He deleted his password and fingerprint authentication and then his colleague put his. Three hours later the writer’s money started disappearing without his authority.
He rushed to Safaricom shop along Kimathi Street to inquire why his money was being sent to people he did not know. The first customer care lady he met at the shop and explained what was going on said that was impossible.
“Did you have your handset or did you share your secret pin with anyone,” she inquired.
The answers were no. Another male customer care official also at the counter had the same reaction.
Reversed the money
Luckily, the writer had already reversed the money. Once someone reverses the money it sometimes takes up to 12 hours to be credited back to someone’s account.
The Safaricom customer care official then politely asked what kind of gadget the writer was using and he told him that it was an Oppo Reno6, then he told the writer that the money had been sent by an Oppo Reno4, which was his old handset.
The victim had both the Safaricom App and the Mpesa App on his phone. What he did not know is that whereas the Safaricom App had the capability of logging itself off once he removed his sim card, the M-Pesa app has a mind of its own.
You must log off manually before giving your old phone away. Changing fingerprint authentication passwords is not enough.
But according to the customer care official, this was not possible because the writer had removed his sim card from his old handset which automatically reset itself after the new user inserted his sim card.
“I have been working here for a while and this is the first time I’m hearing of this. Our Safaricom App should be safe and once someone removes their sim card it is supposed to deactivate everything from the previous owner,” he explained.
What happened was that despite the writer deleting his password and fingerprint authentication, the Mpesa App still recognised the writer’s colleague's fingerprint authentication, and instead of using his M-pesa sim card it used the writers.
Sim card
The money that the writer thought was being stolen was the colleague who was sending it but instead of being deducted from his sim card it was being deducted from the writer’s sim.
Contacted for comment, the telco did not provide a written response on this inquiry. But it said that it takes matters of security seriously, pointing out that the incident only happens if one does not log off from their Mpesa APP accounts.
Instead, the telco told the writer to go to their offices and sit down with the technical team so that he could take them through what happened.
He obliged and went. For two hours the team explained that it was impossible and that the app, unlike the Safaricom App which uses both biometric authentication and PIN, M-Pesa app uses three options, facial, fingerprint authentication and pin.
“Unfortunately for the M-Pesa App, you can only use one of the three securities which we provide, that is facial, fingerprint authentication and pin. It does not allow you to use more than one,” they explained.
Asked why they had left it so vulnerable yet it might be carrying someone’s savings? “That is what some customers wanted it to be so that it can be easy for them to transact,” they added.
The writer insisted that in such an app and if you’re going to use biometric data to keep your phone safe one should have the option of adding another layer of security to it through a different type of security like a password.
Biometric technologies
“It might be more annoying, but it’ll be considerably more annoying and frustrating if your phone or data is stolen,” he insisted.
Biometric technologies rely on immutable physical features that do not change for as long as they're needed.
But that was not the shock, according to the team, once you install the M-Pesa App, it will stay on your mobile phone even if you remove your Safaricom Sim card and insert another one from a different mobile carrier.
According to Wachira Kang’aru, Safaricom's Head of Corporate Communications, the reason the app was designed this way was that some of their customers who travel abroad wanted to be able to transact without having to keep changing their sim cards.
“People said that they do not want to be in China and have to remove the Chinese sim card and insert their Safaricom registered number to transact. That is why you can even use the app even if you are offline. All you need is the app and one can transact,” he said.
As the journalist was coming to terms with his scare and explanation, police based at Kasarani Police Station were left wondering how someone could lose all his money in his M-Pesa wallet after a victim who identified himself as Steven Wachira went to report how he lost Sh33,000 through the M-Pesa app, under OB11/2/10/21.
According to Wachira, the fraudster went ahead and also managed to Fuliza, which is Safaricom’s mobile money overdraft facility.
“Since my balance was Sh27,000 and my Fuliza limit was Sh7,000, the fraudster took Sh33,000. But was weirder, was myself explaining all these to the authorities and they seemed more shocked that they have never heard of such a case,” he said.
Narrating his experience on social media, Wachira said he lost the money while on a long drive.
“I was on a long drive from Lerruat Log Resort. I left the hotel at 5pm, with two friends.At 6pm, I was at Lexo Energy in Isinya where I wanted to fuel. I encountered some M-Pesa issues, the M-Pesa tool kit took too long to launch. I kept trying it, till I gave up and cancelled the process.”
According to Wachira, this prompted him to ask one of his friends if she can pay for the fuel since his M-Pesa was not responding.
He adds that after fueling, they embarked on their journey to Nairobi and arrived at their final destination in Roysambu at 7:30pm.
Lost money
They all parted ways and he decided to go and relax at his favourite joint and that is when he realised that he had lost all his money.
“When I was making payment, I noticed that it was saying insufficient funds. I was shocked, since all this time I knew my M-Pesa balance was Sh27,000. I quickly checked my transactions and I noticed that I had made a transaction at 6:11pm,” he adds.
He swears that he never did such a transaction and when it was made he was driving and his two friends were all asleep.
When he tried to reverse, the recipient had already utilized the money, and only Sh632 was reversed.
He called Safaricom who informed him that the transaction was done at 6:11pm and in less than a minute, the money was already utilized. He was advised to go and report at the nearest police station.
Mobile phones in Kenya are like bank accounts, with some people keeping all their savings on their phone
Through partnerships, phone companies have also managed to integrate mobile money services with banks, allowing customers to seamlessly move money back and forth.
M-Pesa, which has a 99 per cent market share in the country and a customer base of over 40 million active users may need to abandon the use of its biometric non-repudiation platform, with many users citing the previous transactions via the sim card as more secure.
Once a user registers their fingerprint on the app, it no longer asks for a PIN, making it easier for muggers armed with cheap weapons to steal your M-Pesa balances and go ahead and authorize a ‘Fuliza’ overdraft.
“What happens when you go out partying and get really drunk? You are one fingerprint away from being robbed,” says John Ngeru, an M-Pesa app user.
By design, the app will allow any robber to withdraw KCB M-Pesa funds while also wiping out every coin saved on M-Shwari.
Cyber security
Though Safaricom pioneered the concept of open banking where it has shared its Application Programming Interfaces (APIs) in services such as ‘Lipa na M-Pesa’ for free to enable easy payments among businesses, the telco has made biometrics another layer of vulnerability instead of cyber security.
Unlike passwords or PINs which can only be saved on devices, fingerprints that are left on every object you touch can be stored everywhere and on everything, making them public domain.
Since the surface of the sensor itself is used to record the fingerprint, your smartphone could be easily compromised by anyone with access to the device and your fingerprints.
Critics have demonstrated how it is possible to make high-quality copies of fingerprints using different techniques, which means that it is very much possible to create copies with the fingerprint in order to impersonate the user.
Even more critical is the fact that the app contains user private transactional data, which can land on the wrong hands when users face robbery with violence.
During this year's Huawei’s Eastern Africa Banking, Financial Services and Insurance (BFSI) summit in September, Central Bank of Kenya's Deputy Governor Sheila M’mbijewe, warned banks and fintechs against innovating while ignoring the risks that threaten to cripple the country's digital financial services.
"We should eliminate risks in our innovations. Let us also observe data privacy regulations in banking. It is only through technology that we can address the issues emanating from data privacy,” Ms M’mbijewe said.
