Tricksters and dishonest people have always existed in our midst. It is definitely naive to imagine that our new techno-savvy way of life is an exception to the age old social patterns. This afternoon, an M-PESA agent was a victim of a new line of M-PESA fraud.
Here goes the story; this is factual and occurred on February 1st 2010 in a peri-urban setting about 24 kilometres from the Nairobi City Centre
I shall leave the analysis of the text and the resulting fraud to the reader for now.
Note that according to the Safaricom M-PESA support person, the M-PESA agent only has to count their loss as no indemnity is payable to the agent for their predicament. When the known Safaricom / M-PESA representative for the affected region was contacted they disowned ‘supervisory visit’ by the lady and gentleman 20 minutes before the 'withdrawal' was requested. I wonder how many more M-PESA agents have fallen pryy to this new M-PESA trickery.
Here goes the story; this is factual and occurred on February 1st 2010 in a peri-urban setting about 24 kilometres from the Nairobi City Centre
- About 2.00PM, a lady and a gentleman who looked to be in their mid twenties visited an M-PESA outlet, claiming to be Safaricom supervisors. The two wore valid looking M-PESA badges and even carried M-PESA promotional material for the outlet. The two inspected the outlet’s log books then left. Note: It is normal for Safaricom to send supervisors to routinely inspect various parameters on operations of M-PESA outlets. The supervisors usually wear Safaricom badges and often take with them M-PESA promotional material to the outlets
- About 20 minutes after the purported supervisors left, an old looking man estimated to be at his late 50s or early 60s came to the same outlet requesting to withdraw Ksh.35,000. The man was allowed to withdraw the desired Ksh 35,000 and went ahead to initiate the withdrawal from his phone – as is the normal procedure.
- Shortly after, the outlet attendants received an SMS purporting to record and authenticate the old man’s withdrawal transaction. The SMS received by the attendant had a valid looking M-PESA transaction number and the old man’s purported names which were verified against an original national ID which he presented.
- The M-PESA attendant, convinced about the validity of the transaction (just like hundreds of others processed daily) gave the old man an initial Ksh. 30,000 and was reaching out for the remaining Ksh. 5,000. Before the exta amount could be retrieved, the old man calmly signed the outlet transaction and walked away saying he would come for the remainder later.
- The M-PESA attendant continued with the next customer, expecting their float to have increased by Ksh. 35,000 as a result of the withdrawal. The expected float was then not reflected in the valid M-PESA SMS after the next customer’s transaction – raising a red flag to the M-PESA attendant.
- The M-PESA attendant shortly after called 234 – Safaricom’s M-PESA service line for clarification and the service support person on the other end reported that the transaction withdrawing Ksh. 35,000 was not reflected in the M-PESA system
- Alarmed at the Safaricom claim, the M-PESA attendant frantically attempted to call out for the old man who had disappeared by then without a trace.
- Late in the afternoon, the M-PESA agent went to the police station to report the incident. The police officers took initial details and promised to visit the outlet the following day for further investigations.
‘P47DT685 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 to DANIEL MAINA New M-PESA balance is Kh 42,049 Sender:MPESA +254771831462’
I shall leave the analysis of the text and the resulting fraud to the reader for now.
Note that according to the Safaricom M-PESA support person, the M-PESA agent only has to count their loss as no indemnity is payable to the agent for their predicament. When the known Safaricom / M-PESA representative for the affected region was contacted they disowned ‘supervisory visit’ by the lady and gentleman 20 minutes before the 'withdrawal' was requested. I wonder how many more M-PESA agents have fallen pryy to this new M-PESA trickery.
This is how the tricks works : -
ReplyDeleteThe conmen visit your premise pretending to be from Safaricom or use any other excuse to handle the dispensing phone. Once they access the phone they save themselves in your phone book by the name mpsesa. Then they edit a normal mpesa message and send as a normal sms to the dispensing phone. what you see is actualy an sms message bearing the name mpesa but if you scroll the message further down you see the actual number of the sender. a very cheap trick but higly devastating.
@kipsang sorry for delayed response. You may go ahead and repost. It may have been prefferatble to simply link to this post but you may repost as you wish.
ReplyDelete@anon 9.24am, am informed that the fake Safaricom guys did not gain access to the dispensing handset but true to your hypothesis, there was a fake contact labelled M-PESA on the handset. Its still unclear how it got there eg a VCARD sent and saved inadvertently. What is puzzling now is the thought that a dispensing handset should be allowed to receive SMS texts from an origin other than the Safaricom system.
Me thinks M-PESA agents are highly exposed to fraud and theft from employees and such tricksters. Several such incidents practically eat away the float deposited at safaricom and they either inject more capital of they are out of business
I thought that the SMS was encrypted and could ONLY be deciphered by the SIM application?
ReplyDeleteAre you saying that the thieves got around this?
The most basic education to the Agent HAS to be to check the ID of the sender of the SMS.
ReplyDeleteIf it is sent by MPESA, it would normally contain an MPESA sender ID.
If it is sent by a fraudster then it would contain the Fraudsters Mobile number.
This is one of the most obvious fraud possibilities in launching such services and I am surprised that it wasn't foreseen and the agent trained accordingly.
I realise that you may think that even with training the Agent may omit seeing the sender ID on a per transaction basis, but then that is the fear that needs to be drilled into the agent that you cannot afford to miss out on seeing who is the sender of the SMS
Correction: The M-PESA fraud tool place on 1st Feb 2010 and not 2009 as earlier indicated
ReplyDeleteI hope I'm wrong, but irrespective of whether sms confirmation message was genuine or not, why would an MPESA agent pay out ?
ReplyDeleteAre the agents not suppose to key in the confirmation supplied by customer on the MPESA system and than the system would validate same and advise if Agent should honor it or not. Am I missing something here?
Beware of money theft inside safaricom department kenya. I send my money to my bother 2 weeks ago. Here in USA was 1700 hrs which means it was 02oo or 0300 AM in kenya. That money was collected in 11 minutes by someone in safaricom. I am convinced about it because at least all agents were closed at that time of the night. secondly, the recipient never got that money and the M-pesa are still investigating it. Well, whoever picked the money had an ID. Why is that too hard to trace?. Personally I will never trust M-pesa again and I am shocked that western money union partnered with them. Is someone has a solution please help.
ReplyDelete"Well, whoever picked the money had an ID. Why is that too hard to trace?."
Delete1. Lost ID's are pasted all over public places in Kenya for fraudsters to harvest and misuse.
2. Most MPesa agents are so lazy that they never examine the ID. Some simply ask "ID number" and put whatever you say in their records.
I have not had any negative experiences with MPesa to date (knock on wood!) but have always thought that it is a very leaky system and can easily be abused.
Hello Guys!!! I am very new to blogging, wana create my own blog but I don't know that from where I should start. I want a little bit help from the admin of this site if possible. Appreciation for help in advance. Thanks!!!
ReplyDeletethank's for post
ReplyDeleteseo tools free
ReplyDeleteSeo Alpha
software seo pinger free
software seo swift viewers
Download Proxy Checker
Dangerous rich snippet
fast visit auto visit blog 2014
Kumpulan seo tools online
software seo pinger
kabar makkah is best info for makkah news
ReplyDeleteInfo Makkah
Hotel Makkah
Ummulquro Makkah
Albaik Makkah
Gambar Makkah
Foto Makkah
Umroh di Mekkah
the best info furniture jepara indonesia Mebel jepara Murah
ReplyDeleteHi There ..Thanks A Lot For Your Article ..It's Very Helpful ..Nice Share
ReplyDeleteSedekah
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
Deletedrrochelleskinexpert01.com
ReplyDeletedrrochelleskinexpert01.com
drrochelleskinexpert01.com
drrochelleskinexpert01.com
drrochelleskinexpert01.com
Jaguar303 Agen Bola Terpercaya, Judi Bola, Bandar Bola, Agen SBOBET, Agen Casino, Agen Betting, Agen Sabung Ayam Online, Agen Bola.
ReplyDeleteagen bola terpercaya
Agen sabung ayam
Agen Domino99 dan Bandarq Online Terbaik di Asia
ReplyDeletehttp://warungdaftar.com/mejaqq/
Situs Situs terpercaya dan terbaik
ReplyDeletedominoqq
qq online
sahabatqq
daftar sahabatqq
idpro pkv
tiketqq
jaguarqq
sahabatpoker
PROAKUN.WIN | AGEN BANDARQ | QQ ONLINE | DOMINOQQ | BANDARQ ONLINE | JUDI ONLINE TERBAIK DI INDONESIA, adalah Website Rekomendasi Situs Situs Terbaik dan Ternama dengan Hasil Winrate Teringgi Terbaik Di Indonesia.
ReplyDeleteAgen BandarQ
QQ Online
DominoQQ
BandarQ Online
Judi Online