Here goes the story; this is factual and occurred on February 1st 2009 in a peri-urban setting about 24 kilometres from the Nairobi City Centre.
- About 2.00PM, a lady and a gentleman who looked to be in their mid twenties visited an M-PESA outlet, claiming to be Safaricom supervisors. The two wore valid-looking M-PESA badges and even carried M-PESA promotional material for the outlet. The two inspected the outlet’s log books then left. Note: It is normal for Safaricom to send supervisors to routinely inspect various parameters on operations of M-PESA outlets. The supervisors usually wear Safaricom badges and often take with them M-PESA promotional material to the outlets.
- About 20 minutes after the purported supervisors left, an old-looking man estimated to be in his late 50s or early 60s came to the same outlet requesting to withdraw Ksh.35,000. The man was allowed to withdraw the desired Ksh 35,000 and went ahead to initiate the withdrawal from his phone – as is the normal procedure.
- Shortly after, the outlet attendants received an SMS purporting to record and authenticate the old man’s withdrawal transaction. The SMS received by the attendant had a valid-looking M-PESA transaction number and the old man’s purported names, which were verified against an original national ID which he presented.
- The M-PESA attendant, convinced about the validity of the transaction (just like hundreds of others processed daily), gave the old man an initial Ksh. 30,000 and was reaching out for the remaining Ksh. 5,000. Before the extra amount could be retrieved, the old man calmly signed the outlet transaction and walked away saying he would come for the remainder later.
- The M-PESA attendant continued with the next customer, expecting their float to have increased by Ksh. 35,000 as a result of the withdrawal. The expected float was then not reflected in the valid M-PESA SMS after the next customer’s transaction – raising a red flag to the M-PESA attendant.
- Shortly after, the M-PESA attendant called 234 – Safaricom’s M-PESA service line – for clarification, and the service support person on the other end reported that the transaction withdrawing Ksh. 35,000 was not reflected in the M-PESA system.
- Alarmed at the Safaricom claim, the M-PESA attendant frantically attempted to call out for the old man who had disappeared by then without a trace.
- Late in the afternoon, the M-PESA agent went to the police station to report the incident. The police officers took initial details and promised to visit the outlet the following day for further investigations.
‘P47DT685 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 to DANIEL MAINA New M-PESA balance is Kh 42,049 Sender:MPESA +254771831462’
I shall leave the analysis of the text and the resulting fraud to the reader for now.
Note that according to the Safaricom M-PESA support person, the M-PESA agent only has to count their loss as no indemnity is payable to the agent for their predicament. When the known Safaricom / M-PESA representative for the affected region was contacted, they disowned the ‘supervisory visit’ by the lady and gentleman 20 minutes before the 'withdrawal' was requested. I wonder how many more M-PESA agents have fallen prey to this new M-PESA trickery.

5 comments:
Dear gmeltdown,
I would like to repost this article followed by a link to your blog for publication on mine (http://kipsang.wordpress.com).
Hence this comment to ask your permission to do so.
Kind regards,
Kipsang.
This is how the trick works:
The conmen visit your premises pretending to be from Safaricom or use any other excuse to handle the dispensing phone. Once they access the phone they save themselves in your phone book by the name mpesa. Then they edit a normal mpesa message and send it as a normal SMS to the dispensing phone. What you see is actually an SMS message bearing the name mpesa, but if you scroll the message further down you see the actual number of the sender. A very cheap trick but highly devastating.
@kipsang sorry for delayed response. You may go ahead and repost. It may have been preferable to simply link to this post but you may repost as you wish.
@anon 9.24am, am informed that the fake Safaricom guys did not gain access to the dispensing handset but true to your hypothesis, there was a fake contact labelled M-PESA on the handset. It's still unclear how it got there, e.g. a VCARD sent and saved inadvertently. What is puzzling now is the thought that a dispensing handset should be allowed to receive SMS texts from an origin other than the Safaricom system.
Me thinks M-PESA agents are highly exposed to fraud and theft from employees and such tricksters. Several such incidents practically eat away the float deposited at Safaricom and they either inject more capital or they are out of business.
I thought that the SMS was encrypted and could ONLY be deciphered by the SIM application?
Are you saying that the thieves got around this?
The most basic education to the Agent HAS to be to check the ID of the sender of the SMS.
If it is sent by MPESA, it would normally contain an MPESA sender ID.
If it is sent by a fraudster then it would contain the fraudster's mobile number.
This is one of the most obvious fraud possibilities in launching such services and I am surprised that it wasn't foreseen and the agent trained accordingly.
I realise that you may think that even with training the Agent may omit seeing the sender ID on a per transaction basis, but then that is the fear that needs to be drilled into the agent: that you cannot afford to miss out on seeing who is the sender of the SMS.
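
The sender check urged in the comments above, combined with the float check that raised the attendant's red flag, as an added example that is not part of the original post or its comments. It judges the raw originator address rather than the phone-book label shown for it. Assumptions: the genuine sender ID is the alphanumeric string "MPESA", the message layout is modelled only on the one SMS quoted in the post, and the "genuine" message and the last trusted float of Ksh 60,000 are constructed.

```python
import re

TRUSTED_SENDER_ID = "MPESA"            # assumption: operator's alphanumeric sender ID
MSISDN = re.compile(r"^\+?\d{7,15}$")  # an ordinary subscriber number
# Layout modelled only on the single message quoted in the post.
BODY = re.compile(
    r"^(?P<txn>[A-Z0-9]+) confirmed on (?P<date>\S+) at (?P<time>\S+)\s+"
    r"Give Ks?h\s*(?P<amount>[\d,]+) to (?P<name>.+?)\s+"
    r"New M-PESA balance is Ks?h\s*(?P<balance>[\d,]+)", re.I)

# Body and originator exactly as quoted in the post.
POSTED_BODY = ("P47DT685 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 to "
               "DANIEL MAINA New M-PESA balance is Kh 42,049")
POSTED_ORIGINATOR = "+254771831462"
# Constructed message that is consistent with a float of 60,000 before it.
CONSTRUCTED_BODY = ("XX00XX000 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 "
                    "to SAMPLE NAME New M-PESA balance is Ksh 95,000")

def check_confirmation(originator, body, last_trusted_balance):
    """Return the reasons to distrust a withdrawal confirmation SMS."""
    reasons = []
    # A contact saved as "MPESA" changes the label, not the originator address.
    if MSISDN.match(originator.replace(" ", "")):
        reasons.append("originator is a phone number, not a sender ID")
    elif originator != TRUSTED_SENDER_ID:
        reasons.append("unexpected sender ID")
    m = BODY.search(body)
    if m is None:
        reasons.append("body does not match the expected layout")
        return reasons
    amount = int(m["amount"].replace(",", ""))
    balance = int(m["balance"].replace(",", ""))
    # A withdrawal should raise the agent's float by exactly the amount paid out.
    if balance != last_trusted_balance + amount:
        reasons.append("balance is not previous float plus withdrawal")
    return reasons

if __name__ == "__main__":
    for who, text in ((POSTED_ORIGINATOR, POSTED_BODY),
                      (TRUSTED_SENDER_ID, CONSTRUCTED_BODY)):
        print(who, check_confirmation(who, text, 60000) or "no findings")
```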