Comments on gmeltdown: M-PESA Fraud - Agents Beware!

I hope I'm wrong, but irrespective of whether ...

2011-05-09T21:29:11.164+03:00

I hope I'm wrong, but irrespective of whether sms confirmation message was genuine or not, why would an MPESA agent pay out ?
Are the agents not suppose to key in the confirmation supplied by customer on the MPESA system and than the system would validate same and advise if Agent should honor it or not. Am I missing something here?

Correction: The M-PESA fraud tool place on 1st Feb...

2010-08-12T10:43:08.825+03:00

Correction: The M-PESA fraud tool place on 1st Feb 2010 and not 2009 as earlier indicated

The most basic education to the Agent HAS to be to...

2010-02-12T10:19:42.615+03:00

The most basic education to the Agent HAS to be to check the ID of the sender of the SMS.

If it is sent by MPESA, it would normally contain an MPESA sender ID.

If it is sent by a fraudster then it would contain the Fraudsters Mobile number.

This is one of the most obvious fraud possibilities in launching such services and I am surprised that it wasn't foreseen and the agent trained accordingly.

I realise that you may think that even with training the Agent may omit seeing the sender ID on a per transaction basis, but then that is the fear that needs to be drilled into the agent that you cannot afford to miss out on seeing who is the sender of the SMS

I thought that the SMS was encrypted and could ONL...

2010-02-10T03:53:31.109+03:00

I thought that the SMS was encrypted and could ONLY be deciphered by the SIM application?

Are you saying that the thieves got around this?

@kipsang sorry for delayed response. You may go ah...

2010-02-09T09:33:36.232+03:00

@kipsang sorry for delayed response. You may go ahead and repost. It may have been prefferatble to simply link to this post but you may repost as you wish.

@anon 9.24am, am informed that the fake Safaricom guys did not gain access to the dispensing handset but true to your hypothesis, there was a fake contact labelled M-PESA on the handset. Its still unclear how it got there eg a VCARD sent and saved inadvertently. What is puzzling now is the thought that a dispensing handset should be allowed to receive SMS texts from an origin other than the Safaricom system.

Me thinks M-PESA agents are highly exposed to fraud and theft from employees and such tricksters. Several such incidents practically eat away the float deposited at safaricom and they either inject more capital of they are out of business

This is how the tricks works : - The conmen visit ...

2010-02-02T18:54:57.652+03:00

This is how the tricks works : -
The conmen visit your premise pretending to be from Safaricom or use any other excuse to handle the dispensing phone. Once they access the phone they save themselves in your phone book by the name mpsesa. Then they edit a normal mpesa message and send as a normal sms to the dispensing phone. what you see is actualy an sms message bearing the name mpesa but if you scroll the message further down you see the actual number of the sender. a very cheap trick but higly devastating.

Dear gmeltdown, I would like to repost this artic...

2010-02-02T09:24:08.958+03:00

Dear gmeltdown,

I would like to repost this article followed by a link to your blog for publication on mine (http://kipsang.wordpress.com).

Hence this comment to ask your permission to do so.

Kind regards,

Kipsang.