[kictanet] A suspected flaw in MPesa

robert yawe robertyawe at yahoo.co.uk
Mon Aug 15 11:26:50 EAT 2011


Hi,

I had an interesting experience with MPesa on Saturday when I received a payment 
received notification with a deadline message as would happen with an 
unregistered recipient yet I am a registered user.  My registered account did 
not register the transaction at all which was interesting.

Being a law-abiding citizen and client, I called customer service. The person I 
spoke to, as usual, went off script to ask me all kinds of irrelevant questions, 
such as do I have a dual SIM phone, was I expecting money from the person and 
when was my last transaction, all of which are questions that do not assist in 
resolving my question.

I sometimes wonder why I actually take the trouble, yet all I should have done was 
gone to an MPesa agent and withdrawn the money.  As in the case of funds wrongly 
credited to a bank account, I would have paid back the amount at my own rate. 
The error in this case was equivalent to me picking cash from the floor of the 
supermarket.

I noted that the transaction has been reversed this morning still and the 
message still assumes that I am an unregistered recipient.  It is my hope that 
Safaricom's technical team have identified and sealed the hole as its 
exploitation will open them up to money laundering charges.
Robert Yawe
KAY System Technologies Ltd
Phoenix House, 6th Floor
P O Box 55806 Nairobi, 00200
Kenya


Tel: +254722511225, +254202010696