Hacking mPesa for fun and profit [Part 1 of 4]
by Idd Salim on Sep.01, 2010, under Coding, Symbiotic, Zunguka

Mpesa: Well thought!
Well, I always am up for a big challenge. Ask all the neighbours' daughters in my estate and they will testify. So, over the last week, since the inception of the pZ gateway, I have been privileged to have a lot of spare time to study the internal aspects of Mpesa, especially the IIS-based (cringe!!) web interface.
Mpesa is a VERY secure system. Well-thought and very polished.
But that is just for the average hello-world pinging -t and script-kiddie hackers we see around here.
There are 2 types of hacks I have discovered for the Mpesa system, especially the web interface.
- Constructive Hacks – Those that can help you as a C2B or B2C client use m-pesa better and more effectively. I will share these mostly on this blog.
- Destructive Hacks – Hacks that can make you vulnerable to fraud, based on some small details overlooked by Mpesa developers. I won't share these, of course, due to my moral and societal obligation as a WhiteHat.
Hack 1 of 4 – Porting Mpesa to Mozilla Firefox.
One of the biggest headaches about the Mpesa web interface is that it works *only* on IE6/7/8 and only on Windows XP. Not Opera. Not Firefox. Not Unix. I have visited a lot of client sites where they keep a spare PC just for Mpesa. How sad!
Well, the good news is that this cannot be further from the truth! Mpesa can work on VISTA. Mpesa can work on Firefox. Mpesa can work on Ubuntu and even on Lynx.
“Share, Salim!! How do we make Mpesa work on Firefox!! Please Share!!”, I hear you shouting. Relax. I will share. For Free.
Step 1 – Get your certificate from Voda
Go to https://vmtke.ca.vodafone.com/certsrv/ via your IE and login.
Important : Mark the SSL Certificate Keys as Exportable.
After 24 hours, come back to this site and INSTALL the keys to your IE browser.
Step 2 – Export the Keys from IE to a File
Click on :
- Tools [menu]
- Options [menu]
- Content [tab]
- Certificates [button]
- Select the ‘Vodafone MT KE 2009′ Certificate and click on Export
- Click Next
- Select ‘Yes, Export the private Key’ – Click Next
- Select PFX, Enable strong Encryption – Click Next
- Enter a password and confirm it. Important, save this password nowhere! Memorize it. – Click next
- Browse for file and save the Certificate + Key Combo. – my_mpesa_cert.pfx
Step 3 – Import the Key to Firefox. Any OS, Any PC
Open Firefox and follow these steps:
- Open Mozilla Firefox.
- Click Edit in the top menu, and select Preferences from the drop-down menu.
- Click the Advanced icon.
- In the Certificates section, click Manage Certificate.
- Click Import, and choose the .pfx file you exported in Step 2 (my_mpesa_cert.pfx).
- Supply the token password if prompted. Same password you used during Export.
- Click OK. The new certificate is listed in the Your certificates tab.
- Restart Firefox, and Open : https://www.m-pesa.com/ke/ and Walla!!
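Before importing, it is worth checking that the export in Step 2 really carried the private key and that the certificate is marked for client authentication; a cert-only export silently fails at the login. The script below is an added example, not part of the original post or of Mpesa's own tooling. It assumes the openssl CLI is installed, and it builds a throwaway self-signed certificate and PFX (constructed, not a Vodafone one) so it runs offline; point PFX and PFX_PASS at your real export instead. It also splits the PFX into PEM files for non-browser clients such as curl or Lynx on Ubuntu.

```shell
#!/bin/sh
# Added example: sanity-check an exported PFX before importing it into
# Firefox, then convert it to PEM for curl/Lynx. Assumes openssl is installed.
set -eu

PFX=${1:-my_mpesa_cert.pfx}
PFX_PASS=${2:-changeit}        # constructed demo password, not a real one

# Constructed self-signed client cert + key so the script runs offline.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-client" -addext "extendedKeyUsage=clientAuth" \
    -keyout demo.key -out demo.crt >/dev/null 2>&1
  openssl pkcs12 -export -inkey demo.key -in demo.crt \
    -name "demo client" -out "$PFX" -passout "pass:$PFX_PASS"
}

# 0 if the PFX contains a private key (the "Yes, export the private key"
# step); without it the browser can present the cert but cannot sign.
pfx_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# 0 if the leaf cert carries the TLS client authentication EKU.
pfx_is_client_auth() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Split into PEM cert + key for curl/Lynx; umask 077 keeps the key file
# readable by you only, since the PEM key is not password protected.
pfx_to_pem() {
  umask 077
  openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out client.crt 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out client.key 2>/dev/null
}

make_demo_pfx
pfx_has_private_key "$PFX" "$PFX_PASS" && echo "private key present"
pfx_is_client_auth "$PFX" "$PFX_PASS" && echo "clientAuth EKU present"
pfx_to_pem "$PFX" "$PFX_PASS"
echo "try: curl --cert client.crt --key client.key https://www.m-pesa.com/ke/"
```

If either check fails on your real export, go back to Step 2 and redo the export with "Yes, export the private key" selected.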
I can see Kasomo and Alitsi smiling, because I have just unmasked one of the biggest security PLUSES of Mpesa, which is that it thrives through security. Words like FireBug and the Firefox Web Developer Toolbar come to mind. But be nice. Be positive.
Have fun!
Back to code kiasi.
The inexplicable madness of the 999/98 #RedCalls
by Idd Salim on Sep.01, 2010, under Personal
So, yesterday after coding from 9am to 10PM, I was just chilling and billing while waiting for the killing as I continue my money-machining.
I decided to watch a comedy as a warm-down. I slotted in the Michael McIntyre Wembley DVD and as I laughed my glutes off, I logged on to 2go and went to the Nairobi chat room.
Normally, there are over 40+ chatters here. Only 13 guys were there that night. Strange. "Ohh well, they must be in the Kenya room", I thought. I adjusted my crouch and switched to the Kenya room. 10 people in the Kenya room!
Hmmmn… Why are people offline today? I wondered. Could they all have finally got hook-ups and were on “Masaa ya Kubambwa na kushikwashikwa’? All at once?
I was feeling social and all chatty. Living in a big house all by myself can be a very lonely ordeal sometimes. So I decided to call someone, whisper sweet nothings to her, then sleep. I checked my airtime on my Zain Line, and it took 2 SMSes for my credit balance to be sent to me. Too many zeros. #LotsaMoney!
My friend picked up the call. Real FEAR in her voice. 'Salim, is that you?', she asked. 'No, it is the gay oogambooga boogie man from Timbuktu!', I answered in my indian-patel-robot voice. (I am very good at voices. Indian, Somali, Kamba, Alien and Robot). Clang!! She hung up! This hot mamsilla never hangs up on Salim. She knows my number and my swagger. So, I called again. She did not pick up. I sent her a sweet SMS and called. She asked me to check out Facebook.
I checked Facebook and was confused. Then I called her and I was enlightened.
"There are these guys who are calling people and if you pick up the calls, you DIE IMMEDIATELY!", she said. "10 people have died in Ukambani already. They are also using SMS texts to kill people. The phone calls come from a number ending with 999 or 98 and the number shows as RED on your phone. Even the MulikaMwizi black-and-green phones show the numbers in red. The SMS text is yellow/purple/green on all phones."
I scrolled through some Facebook posts and was dumbfounded by what I saw.
“Someone on Campo just received such a call!”, one stated, “It is all over Easy FM news. The INSTANT death is caused by radiation.”.
Well, I can send an SMS to your phone that will restart the phone, send an SMS that will self-destruct on a set amount of time, etc.. but COME ON!!
I decided to call random numbers. Just for the kicks. It amazed me how many people had their phones off out of utter fear of Kifo Pap! My guy friends (especially the gay ones) and chics either never answered the phone, or answered with real, tangible FEAR reeking out of their breath.
My Gawd! What next? The midnight nipple-nibbler phenomenon? Where a strange man appears in your bedroom in the middle of the night and starts nibbling (well I know people who will relish this), and the only way to top him is to SMS ‘noNibble’ to 6090?
Grow up people! Read a book.
Back to code.
Is Zain celebrating 2-1 on the 83rd Minute?
by Idd Salim on Aug.23, 2010, under Personal, Symbiotic
Raila once quoted me and said, “Wameona Simba amenyeshewa na ametulia, wakadhani ni paka mkubwa”.
The sad Google swahili translator processes this as: “The see lion in rain. He has relax. They think big pussy”
Well, thanks to Mblayo, I got this disturbing video of the Zain truck:
The Zain marketers (whom Safcom has ruthlessly out-performed, out-thought, out-conned and out-sold for over 8 years now) came up with what they thought was a daggering blow at SafCom.
They hired a PA system and went to blast the 'Bend Over' song at Safcom HQ.
Dunno if the traffic police, Nema, the ZainWanaringasasa crew and the ThisWeekSijaona conglomerate will take this lightly. I, for one, know Mwai is devastated by this.
But wait! For the life of me, I would assume for a moment Zain would show some class and focus on the areas where SafCon makes them bend over, daggering style, e.g.:
- Social Networking
- 3G or 4G Data
- Zap vs Mpesa
- International Call rates
- Data Rates
Just a thought.
Now, lemmi make some windows servers bend over.
Have a bendy night, wont you?
Wazi.
It is official, Safaricom concedes. Blocks all Calls to Zain
by Idd Salim on Aug.19, 2010, under Personal
Please let me put in 7 laughs Kwanza for Safcom. – Ha… Ha… Ha… Ha… Ha… Ha… Ha…!
Michael Joseph was ranting on KTN at 2 PM today about this deal.
Thanks to the new Zain tariff, you can now call for 3 bob per minute to ANY network in Kenya.
Safaricom has BLOCKED all calls to Zain as at 1PM Kenya time. Most of the Safcom calls were calls from jamaaz telling jamaaz tu SHIFT to Zain. Talk of viral migration.
This morning, Safcom had 15M+ Subscribers. I predict they will have only Mwai and 4M others by close of day.
The only reason I had kept my Safaricom line was Mpesa. Now I have Zap. Now, Zain just needs to streamline Zap and work with local developers, and Zain will rule this market.
More later.
Back to code!
Wazi.
FaceBook fast approaching the plateau phase in Kenya
by Idd Salim on Aug.18, 2010, under Symbiotic
It is sad. Honestly, really sad.
I sat with Buju the other day and he asked me: "Salim. Wewe huwezi unda your own Facebook na venye code unaimesea?". My response is the same response I once gave DjCK, Okech and Sebi. "Put me in a position that I won't have to worry about rent for 6 months, and I will give you the world."
So, the discussion went on. I pointed out that ANYTHING Safaricom touches, turns to a pile of shiite. Mxit has MILLIONS of people all over the world. Safaricom brought it to Kenya, did over 100 pages of color ads, and it died, as expected. Meanwhile, 2Go is keeping Kenyans teens awake till 3am.
Next up, Facebook. When I wrote this encouraging post about the opportunities for Kenyan coders on March 9 2010, Facebook had 580,000 Kenyans. On its own. No advertising, just viral value additions. Then Safaricom started doing their ads and USSD codes + TV ads using that smigo-faced ugly rasta jamaa. 5 months later, today, the site has 776,920 users. Pathetic, if you ask me. Facebook stagnated as soon as SafCom stepped in.
They say EVERYONE IS ON FACEBOOK… Well, we must be the smallest country in the world.
"So", Buju continued. "Now that ONLY 19.43% of the Kenyans with Internet are on FB, and the growth is stagnating, what can developers do to harness the massive 81% that is NOT on Facebook?". I smiled.
“And what is this other system you are saying that is being tested now and will come to really shock Mpesa?”, He asked. I smiled more.
Back to code!
Wazi.