Thus Spaketh Idd Salim

Tag: mpesa

Hacking mPesa for fun and profit [Part 1 of 4]

by Idd Salim on Sep.01, 2010, under Coding, Symbiotic, Zunguka

Mpesa: Well thought!

Well, I am always up for a big challenge. Ask all the neighbor’s daughters in my estate and they will testify. So, over the last week, since the inception of the pZ gateway, I have been privileged to have a lot of spare time to study the internal aspects of Mpesa, especially the IIS-based (cringe!!) web interface.

Mpesa is a VERY secure system. Well-thought and very polished.

But that is just for the average hello-world pinging -t and script-kiddie hackers we see around here.

There are 2 types of hacks I have discovered for the Mpesa system, especially the web interface.

  • Constructive Hacks – That can help you as a C2B or B2C client use m-pesa better and more effectively. I will share these mostly on this blog.
  • Destructive Hacks – Hacks that can make you vulnerable to fraud based on some small details over-looked by Mpesa developers. I won’t share these, of course, due to my moral and societal obligation as a WhiteHat.

Hack 1 of 4 – Porting Mpesa to Mozilla Firefox.

One of the biggest headaches about the Mpesa Web interface is that it works *only* on IE6/7/8 and on Windows XP only. Not Opera. Not Firefox. Not Unix. I have visited a lot of client sites where they have a spare Mpesa PC. How sad!

Well, the good news is that this cannot be further from the truth! Mpesa can work on VISTA. Mpesa can work on Firefox. Mpesa can work on Ubuntu and even on Lynx.

“Share, Salim!! How do we make Mpesa work on Firefox!! Please Share!!”, I hear you shouting. Relax. I will share. For Free.

Step 1 – Get your certificate from Voda

Go to https://vmtke.ca.vodafone.com/certsrv/ via your IE and login.

Get your cert

Important : Mark the SSL Certificate Keys as Exportable.

After 24 hours, come back to this site and INSTALL the keys to your IE browser.

Step 2 – Export the Keys from IE to a File

Click on :

  • Tools [menu]
  • Options [menu]
  • Content [tab]
  • Certificates [button]
  • Select the ‘Vodafone MT KE 2009’ Certificate and click on Export
  • Click Next
  • Select ‘Yes, Export the private Key’ – Click Next
  • Select PFX, Enable strong Encryption – Click Next
  • Enter a password and confirm it. Important: save this password nowhere! Memorize it. – Click Next
  • Browse for file and save the Certificate + Key Combo. – my_mpesa_cert.pfx

Step 3 – Import the Key to Firefox. Any OS, Any PC

Open Firefox and follow these steps

  • Open Mozilla Firefox.
  • Click Edit in the top menu, and select Preferences from the drop-down menu.
  • Click the Advanced icon.
  • In the Certificates section, click Manage Certificate.
  • Click Import, and choose the file containing the client certificate and key (the my_mpesa_cert.pfx you saved in Step 2).
  • Supply the token password if prompted. Same password you used during Export.
  • Click OK. The new certificate is listed in the Your certificates tab.
  • Restart Firefox, and Open : https://www.m-pesa.com/ke/ and Walla!!

Fumba, fumbua…

Mpesa now works with IE, Firefox etc. Repeat the same on Opera.
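The three steps above move a client certificate and its private key between browsers through a PKCS#12 (.pfx) bundle. The shell script below is an added example and is not part of the original post: it builds a throwaway self-signed certificate standing in for the Vodafone-issued one, packs it into a password-protected .pfx the way IE does, and then runs the two checks worth doing on a real my_mpesa_cert.pfx before importing it anywhere: that the bundle actually carries the private key (the ‘Yes, Export the private Key’ choice in Step 2) and that the key and certificate belong together. It also extracts a PEM certificate and key for clients that cannot read .pfx, such as curl or Lynx. The file names, the subject name and the export password are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Round-trips a client certificate through the PKCS#12 (.pfx) container that
# IE exports and Firefox imports, and checks the bundle before relying on it.
set -e

WORK=$(mktemp -d)
# Constructed password; in practice this is the one typed during the IE export.
PFX_PASS="example-export-password"

# Build a throwaway key + self-signed certificate standing in for the
# Vodafone-issued client certificate (constructed, demo only).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-mpesa-client" \
        -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
}

# Pack key + certificate into a password-protected .pfx, the same kind of
# file IE writes when "Export the private key" is selected.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.crt" \
        -passout "pass:$PFX_PASS" -out "$WORK/demo.pfx"
}

# Succeeds only if the bundle contains a private key; a .pfx exported
# without the private key cannot authenticate a browser to the site.
pfx_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Succeeds only if the certificate and the key in the bundle share the same
# public key, i.e. the pair really belongs together.
pfx_key_matches_cert() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -pubkey -noout)
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Extract certificate and key as PEM files for clients that do not read .pfx
# (curl, Lynx, wget). The key file is the credential itself, so lock it down.
pfx_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -clcerts -nokeys 2>/dev/null \
        | openssl x509 > "$2"
    openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nocerts -nodes 2>/dev/null \
        | openssl pkey > "$3"
    chmod 600 "$3"
}

make_demo_cert
make_pfx
```

Run it with sh; on a real export, point the functions at my_mpesa_cert.pfx and your own password instead of the demo files. With the PEM pair written by pfx_to_pem, the same site can be reached from curl with --cert client.crt --key client.key, which is what makes the "works on Ubuntu and even on Lynx" claim practical rather than theoretical.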

I can see Kasomo and Alitsi smiling because I have just un-masked one of the biggest security PLUSES of Mpesa: that it thrives through security. Words like FireBug and Firefox WebDevToolbar come to mind. But be nice. Be positive.

Have fun!

Back to code kiasi.


It is official, Safaricom concedes. Blocks all Calls to Zain

by Idd Salim on Aug.19, 2010, under Personal

Cry baby? Again?

Please let me put in 7 laughs Kwanza for Safcom. – Ha… Ha… Ha… Ha… Ha… Ha… Ha…!

Michael Joseph was ranting on KTN at 2 PM today about this deal.

Thanks to the new Zain Tariff. You can now call for 3 bob per minute to ANY network in Kenya.

Safaricom has BLOCKED all calls to Zain as at 1PM Kenya time. Most of the Safcom calls were calls from jamaaz telling jamaaz tu SHIFT to Zain. Talk of viral migration.

This morning, Safcom had 15M+ Subscribers. I predict they will have only Mwai and 4M others by close of day.

The only reason I had kept my Safaricom line was because of Mpesa. Now I have Zap. Now, Zain just needs to stream-line Zap and work with local developers and Zain will rule this Market.

More later.

Back to code!

Wazi.


Should Google pounce now, or wait a little longer?

by Idd Salim on Aug.03, 2010, under Google and Africa

The fibre is here. Actually it was here, the NO-fibre camp cut it, it was restored by the YES-fibre team etc… etc… And the beat goes on. I was advised not to blog today and I am pissed off by some idiotic fellas I had an unfortunate fate of entering into a business deal with (details withheld as Google will index them). No wonder I am slowly contemplating employment (*seriously*). BUT, the mind-boggling nature of the potential for Google in today’s East Africa (Read: Kenya) is colossal and I hate going to bed with something colossal in my pan… errr…. my chest. So I have to get it out.

The greed to do everything, anything and everyone hard and deep has seen Safaricom tap into only 1/10th of its population with the Internet service. Self-consoling marketers will argue that most of the Devices in Kenya are NOT Internet-ready, but you just need to see the crazy figures on the net about device-ids of FB Pokers from Kenya and EA to see that this can’t be further from the sad truth.

Sovaya is a Local Internet company that had/has the ability to deliver this solution. Why they are not doing it City-wide is as complex as writing the Dijkstra’s Algorithm PoC code in VB, but that is where we are.

This opens up space for a serious, big, bold and service-before-profit, no-nonsense company like Google to come and show the local players (read: jokers) how it is done.

Image (from http://www.thehoustonwifi.com/images/WiFI-Beneficios.gif): Serious and Affordable Wifi for Business and Home use

This model would have the following (direct and indirect) benefits to Google:

  • Massive Direct sales for the Nexus One .
  • New radio-station trivia and social experiments based on GeoCaching.
  • Development of MANY and SENSIBLE Android apps for the local market – Believe me, Kenyans CAN code like crazy!
  • Unprecedented Experiences like LBA, LBS, Localization based on Wifi Tower ID and GPS Location powered by GoogleMaps.
  • GoogleCheckOut would oust/complement Mpesa as it would be agnostic. If Google were to get to bed with Saf, then EVERYONE would be on Mpesa. Else, Everyone, would be on GcO standalone.
  • Helping local artists, farmers and small-scale vendors by leveraging platforms like KeleleMobile, MaduQa, SMSoko etc to help them sell digital content to the Masses without seeing the MNOs eat over 60% of their per-sale profits.

Google has a chance to be the darling of 120m people and has that market Space open for the Nexus and other GoogleApps.

Back to Code.


Ohh Happy day, Ohhh API day!!

by Idd Salim on Jul.20, 2010, under Google and Africa, PayPal and Africa, Symbiotic, Zunguka

One API to rule them all...

Great day today for Kenyan coders. Ok, let us say, East African Community coders, for political correctness. I don’t even know how to break this news, so I will just do it my plain no-beating-around-her-bushes method. No, the Octopus has not predicted that Safaricom, MTN and Zain will start supporting local innovations. No. The octopus would rather die than err. To err is human; not to octopus. So, the hustle continues.

As a CSR, being head of a team of very gifted coders at Symbiotic, I had committed to head the Pay.Zunguka Gateway and API development team and see to it that the Pay.Zunguka API was out before Mid May 2010. But one thing did not lead to another, and we had to inevitably delay the launch.

Well, here it is now. The API. The EuberAPI. One API to rule them all.

Download the API NOW!!

So first things first. What is an API, you would ask? Huh? You are having a larf if you expect me to answer that!! The API has been developed in PHP, jQuery and MySQL and the documentation provided with it makes it totally idiot-proof. Anyone and everyone can use the API and start earning from their hustle, Immediately! All transactions from Mpesa/Zap/yuCash will hit your system, via the API in 5 seconds. Anyone who can copy-paste, can use the API.

Safaricom have indirectly played ball this time round, so flawless end-to-end mPesa support is the first feature of the API. I hope this will not make them Mad. My QA team is still testing the ZAP and yuCash modules, but jump to it. Play with the fully working mPesa support and share your thought on the approach, the model, the logic and the illogic.

If you are a ‘BIG’ fish (read a big corporate with a lot of sensitive transactions) and don’t want to use our API as a payment aggregator, we can license the actual product. This would apply to guys like DSTV and KPLC. So instead of waiting for 48 hours for the transactions to hit their backend system, we can guarantee KPLC customers that their bills paid via Mpesa/Zap/yuCash will be reflected in their account within 5-7 seconds. Cute huh!

Like all my friends will tell you (real friends, not facebook jokers), I believe in seeing, showing and action. Si mdomo mob. So dive right into it! Visit http://pay.zunguka.com/ NOW and have a blast !!

Wazi.

-Salim, Idd


My Interesting half-day at Safaricom headquarters, Westlands

by Idd Salim on Jul.14, 2010, under Symbiotic, Zunguka

So, Today at 9:54am, I checked in after a thorough security search for metals and other things like screw drivers, hacksaws and pangas etc; stuff that can be used to HACK servers. (Fck! As I blog here, I just remembered I LEFT MY ID THERE!)

So we were welcomed with the usual ‘leteni IDs’ Kenyan greeting and we waited to be led to the training room. I sat on row 1 and the training started at 10:01 Sharp. Bwana Dennis Makau was our tutor and this guy really knows his stuff. Lively and not a boring monologue jamaa. He took us through all we wanted to know. He had rich knowledge of kila kitu. 10 outta 10.

Mpesa is REALLY one powerful tool, especially to developers.

Then came the tea break. I stole the chance and took my time to take the SmartTV ladies and the Sarova team through how they can really leverage Mpesa (powered by the virtual or dedicated modules of pay.Zunguka.com to maximize their profits and improve customer care, to a level Mpesa does not deliver – Last mile.)

After my pitch, Still at the tea-break, I checked out the Dell Sites and Gmail and Decided, “let me check my website”. Ha! Bummer!

IddSalim.com is Blocked from Safaricom LAN

And then came the hack

As you would expect, I couldn’t just sit there with all my skills. So I decided to chokora kiasi.

No, I did not escalate my privileges, get access to MJ’s PC and download data from their SQL Servers etc, like all my hack-mates would have expected. I am a WhiteHat hacker, remember? I just prodded the systems. I discovered quite a few things.

1 – Mpesa Web Interface source code is susceptible to SQL Injection.

Mpesa Input not 100% Sanitized.

I took Mr Makau through a process where the Vodacom Mpesa SSL Certificate can be spoofed and replicated to grant access to rogue machines. Also, I mentioned to him the logic bug where after an account has been closed, the user session gets ‘bamboozled’ and the interface gives DB Server information.

But all in all I was really, really impressed with the accounting procedures and logic, flow logic and overall eagle-eye view of the system.

As a business tool, the Mpesa web Interface is perfect. But its security was well-thought, well-googled… but not well-consulted.

Back to code!

