Thus Spaketh Idd Salim

Archive for February, 2010

Safaricom M-Pesa becomes developer friendly

by on Feb.25, 2010, under Coding, PayPal and Africa, Symbiotic, Zunguka

Kenyan coders are all smiles. The real die-hards like Kasomo and Salim can't stand up OK because the erection that the new Mpesa move generates has taken all the blood from the legs. We have been waiting for this. Now it is Here! With one blow of the keyboard, The Mighty Safaricom (not to be confused with the satanic Safaricon), have finally made our wishes come true.

We, at Symbiotic, can now finalize our ZungukaPay payment gateway and overtake all the wannabes in the market.

“What has Safaricom done, Salim?!!”, you ask.

Well, something they should have done even before Semenya started growing hard Female nipples. Safaricom, of late, have decided to attach the Number of the Money Sender and Money receiver in the M-Pesa mReceipt. How simple is that, to the un-educated eye!! How cool is that to payment gateway developers!!

Maybe, even the guys at Safaricom did it accidentally, but let me not spoil this post.

Now I will have to re-do the payment modules I had done for TumaSMS, Sembuse, Sovaya and Zunguka… But I ain't complaining.

Now I have a clear and valid reason to apply for a Safaricom Mpesa Business Account.

I will blog once the payment gateway is done.

Kudos Safaricom!


The consoling quiet before the big Kenyan bank hack bang!

by on Feb.24, 2010, under Coding, Symbiotic

Tick… tock… Tick… tock… Goes my HackOmeter. “Have they been hit yet?”, I ask myself. I switch on the TV to see if a Kenyan Bank has yet been hit. “Not yet”, I conclude. “I see voluptuous women flaunting naked in the streets and on billboards. Soon the rapists are coming.”, I tell my friends. And Ohh, what a sad day it will be.

The Topic for today is SMS Banking.

What it is MEANT to do:

SMS banking is a remote banking service via mobile phones. Upon each money withdrawal operation with a card account (purchase using a card, cash withdrawal in an ATM), the client connected to the SMS Bank system receives an SMS message with information on the transaction. Such SMS message usually includes the charged amount, part of the credit card number, date, time, and place of the transaction (shop or ATM location). Full stop! That is what SMS Banking was meant to be, should Be and Must remain as.

What it has been ABUSED to be:

But hang on, there. What about these services all over the news that allow a user to check balances, transfer money, stop checks etc, all from SMS (or USSD, as in the case of Equity and Barclays)? Isn’t that what SMS banking really is?

Well, this is a classic example of Security Through Obscurity. Like walking at Tom Mboya at 2am waving a KSHS 1000 Note and reaching home safe. You won’t do that for long.

Shamelessly stolen from The RSA Website:

We have all read about the iPhone and Blackberry SMS attacks and vulnerabilities. There is current commercially available (let alone black market) software that allows eavesdropping and spoofing of SMS. The lack of SMS confidentiality has been established by congressional members, city mayors, and international government officials in dozens of cases where their text messages were intercepted and made public. Like landline communication, cell phone communications including SMS should be considered to have no confidentiality.

An SMS can be:

  • Intercepted on its way from your phone to Zain/Safaricon/Safaricom.
  • Changed and edited [The content, the destination Numbers, The Source Number etc].
  • Delayed.
  • Deflected and even deleted before it ever gets there.

This can be done with equipment that costs less than USD 10,000 and also with techniques that anyone who knows the difference between Hellon and Arunga can master in a week.

How Can this be done?

There are 3 known ways to intercept communication between 2 sources that is sent via SMS:

  • Phone cloning – The best. Totally bamboozles the MSP Cell Towers [Saf/Zain]. They see two phones with same phone number, MIN and ESN. Very effective on CDMA networks but not as effective on GSM.
  • SIM Copying – VERY Illegal because it is 100% efficient. Clones the SIM and yours becomes active whereas the clone is dormant but receives copies of all your SMS and calls.
  • Patched Firmware  – A very easy and common method is for a hacker to upload a super-firmware to their phone. This upgrade turns their phone into a super-phone radio transmitter and they can receive SMSes that are addressed to THEM and people AROUND them. You can really have fun with this at a club, a mall or a bus-stop.

Ever been robbed or attacked then the assailants returned your phone / SIM? Chances are you got cloned and All your phone-calls [as long as you are on the same Cell Area] and ALL your SMSES [irrespective], get delivered to YOUR real phone and its clone.

Where is the problem?

Ok. Enough phone hacking lessons. For those dumb enough not to grasp where the problem is, so far, please, allow me to reiterate:

  • Your SMSes are neither CONFIDENTIAL nor PERSONAL. Get over it! A recent article about how guys from SafCon sell data call and SMS records shows the first level of breach. Your data can be bought!
  • Your SMSes can be intercepted by hackers. SafCon can fire all those name-spoilers they hire, but your information is only secure from humans. It is NOT digitally secure. SMS and USSD traffic is rarely encrypted, if ever.

What is MY problem?

Just your money, my reader. You don't want all your hard-earned cash to end up in Nigeria, do you?

Why doesn't Safcon [Not to be confused with Safaricom] etc do something?

Honestly, not their problem. You send SMSes, they make money. And it is not their mandate to SECURE these systems. They offer the ROAD. If you get into an accident on it, hard luck!

Is All Lost in the Mobile Banking Sector?

Not by a long shot. But that is a topic for another day, or you can skype/gmail/yahoo me @iddsalim so I can tell you HOW Symbiotic is Countering this menace. Power through serious code..

Adios!

Back to code!


Why is Synovate lying again to us with their guessed statistics?

by on Feb.13, 2010, under Symbiotic

Well, someone once told me : “There is no group of people easier to lie to, than Kenyans”. I agreed. Especially the Kenyan non-gay male.

So, for the last 8 years or so, I have been reading reports from Steadman on how many people like Raila on Mondays and how many like Kibaki on Fridays after 2 bottles etc. I took them as gospel truth. There was no way of verifying these stats.

For things that I have no knowledge of, I always assume that the truth is what I am told by people who, I assume, know better.

But when someone grows the balls to LIE TO MY FACE about things I Know about, it really annoys me to the gut. Even more annoying than sitting with a Man Urinals FC fan. Are we that dumb?

Synovate are paid Millions of Kenya Shillings to research and report. But this time, they lied to my favorite news reporter, KK, at [HERE] and this really annoyed me. Thus Spaketh Synovate:

  • Kenya now has over 2 million registered users on Facebook.
  • Email is being discarded in favour of social networks like Facebook and Twitter by new Internet users in Kenya. One quarter of Kenyans who are online do not have email addresses.
  • 79% of Kenya’s Internet users are members of Facebook.
  • Daily and weekly internet usage in Kenya have both doubled in the last two years whereas monthly usage grew by over 80% in the same period.
  • Kenyan Internet users spend approximately 70 minutes online during each visit. This utilization is comparable to the average amount of time spent on television.

Ohhh.. Phullllleeeez!!! How about some facts. How about some REAL facts.

  • Kenya now has 561,000 registered users on FB. Not 2M.
  • Email is being discarded in favour of social networks like Facebook and Twitter by new Internet users in Kenya. One quarter of Kenyans who are online do not have email addresses. [Ohh dear!! You need an email address to register on twitter and facebook. Chicken and Egg, anyone?!]
  • Only 16.7% of Kenya’s Internet users are members of Facebook. Not 79%!! Where did they get that from? There are just over 4M Kenyans with Internet – [Check Here]

I could not bother with the rest.

It is one thing to tell Kenyans that KTN is the best TV today and that KBC is the best after they pay some few coins, but please, leave the Internet Data and Statistics to the open. This is FREE and IMMANIPULATABLE information that we CAN verify.

This time, SINNOVATE, you have been measured, weighed and found wanting.

Amen.

Back to code!
