Safaricom unveiled a service a while back that allows subscribers to buy data bundles directly from their M-Pesa account by dialing *544#. The service is relatively convenient since it eliminates the trouble of first having to purchase airtime through M-Pesa, then using the airtime to purchase data bundles. In addition to buying yourself data bundles, the service allows you to purchase bundles for other subscribers using your M-Pesa account.
And that’s where the loophole lies.
The usual PIN security feature, that’s always present when conducting any M-Pesa transaction, is absent in this service. Meaning anyone who gets their hands on your phone can purchase data bundles, for themselves, through your M-Pesa account without having to key in your M-Pesa PIN code.
Apparently this loophole has been there for a while now. Peter Etelej from musings.theonlinekenya.com exposed this Safaricom Security loophole two months ago. In his post, Hacking M-Pesa – Safaricom Security Loophole, Etelej highlighted on how he had spoken to Safaricom and informed them of this security risk. Two months down the line Safaricom is yet to take any actions to this regard.
This isn’t the first time such a security lapse has been present on the Safaricom network. When Safaricom first introduced Changa na Bonga Points, a service that allows subscribers to share their Bonga points with other subscribers, the service did not require one to key in a PIN resulting some cases of unwarranted and unauthorized transfer of loyalty points from certain subscribers’ accounts, as posted in Capital FM Business.
Safaricom later launched a PIN feature aimed at discouraging unauthorized transfer of Bonga points and protect ones Bonga points.
As we wait for Safaricom to take any responsive actions, all you have to do is make sure nobody uses your phone, ever.