A recent case of fraud involving mPesa agents (read here), caught my eye. This fraud was committed almost a year ago and I am sure suitable measures have already been taken to counter it, but it is still interesting to evaluate it.
In this scam, a fraudulent withdrawal confirmation SMS was sent to the agent. It contained details obtained during an earlier, equally fraudulent visit by people posing as "mPesa supervisors". The SMS was disguised well enough to trick the agent into handing over cash to the "client", who quickly made off with the stolen money.
The following observations can be made:
- An agent should be given more security information before authorising a cash withdrawal. The confirmation should ideally not be carried in a plain SMS, which any sender can imitate, and it should be presented to the agent in a way that is clearly distinguishable from an ordinary text message.
- It is advisable to provide more verification information in the message rather than just the remaining balance.
- Agents should attempt to develop alternative security protocols (like requiring additional information or verification against the sender of the SMS). These protocols should be kept confidential, as it is knowledge about them that will assist fraudsters to develop mechanisms to circumvent them.
- One would expect that fraud will always be with us. Even the most sophisticated systems in the world are prone to fraud attacks (read here). What matters is keeping the level of fraud low enough that it does not erode trust in the ecosystem.
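As an added illustration of the second and third observations above (not code from the original post or from the mobile-money operator), the check below treats the incoming SMS purely as an untrusted claim and decides only on the basis of the agent's own authenticated transaction record, which in practice would come from the agent's app or USSD query. The message template, transaction ids, phone number and ledger entries are all constructed for the example; the sender name is deliberately never consulted, because it is the part of an SMS that is easiest to forge.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LedgerEntry:
    """One withdrawal as recorded on the operator side (authenticated source)."""
    txn_id: str
    amount: int           # whole currency units
    customer_phone: str
    balance_after: int    # agent float balance after this transaction


# Constructed sample of the agent's own records, standing in for an
# authenticated query to the provider. Not a real API or real data.
TRUSTED_LEDGER = {
    "QF7K3M2A1B": LedgerEntry("QF7K3M2A1B", 5000, "254700000012", 45000),
}

# Assumed message layout for this example only; not the operator's real template.
SMS_PATTERN = re.compile(
    r"^(?P<txn_id>[A-Z0-9]{10}) Confirmed\. You have given Ksh(?P<amount>[\d,]+) cash to "
    r"(?P<phone>\d+).*New M-PESA balance is Ksh(?P<balance>[\d,]+)"
)

# Constructed test messages: one genuine, two that do not match the ledger.
GENUINE_SMS = ("QF7K3M2A1B Confirmed. You have given Ksh5,000 cash to 254700000012 "
               "on 1/2/13 at 10:15 AM. New M-PESA balance is Ksh45,000.")
WRONG_AMOUNT_SMS = ("QF7K3M2A1B Confirmed. You have given Ksh20,000 cash to 254700000012 "
                    "on 1/2/13 at 10:15 AM. New M-PESA balance is Ksh45,000.")
UNKNOWN_TXN_SMS = ("ZZ9X8Y7W6V Confirmed. You have given Ksh5,000 cash to 254700000012 "
                   "on 1/2/13 at 10:15 AM. New M-PESA balance is Ksh45,000.")


def parse_confirmation(sms_text):
    """Extract the fields the SMS claims. Returns None if the layout is unexpected."""
    m = SMS_PATTERN.match(sms_text.strip())
    if not m:
        return None
    return {
        "txn_id": m.group("txn_id"),
        "amount": int(m.group("amount").replace(",", "")),
        "phone": m.group("phone"),
        "balance": int(m.group("balance").replace(",", "")),
    }


def verify_withdrawal(sms_text, ledger):
    """Return (ok, reason).

    The SMS only tells us which record to look up; every field that matters
    (amount, customer, resulting balance) is compared against the authenticated
    ledger entry, so a message that merely looks right is not enough.
    """
    claim = parse_confirmation(sms_text)
    if claim is None:
        return False, "unparseable message"
    entry = ledger.get(claim["txn_id"])
    if entry is None:
        return False, "transaction id not found in agent ledger"
    if entry.amount != claim["amount"]:
        return False, "amount mismatch"
    if entry.customer_phone != claim["phone"]:
        return False, "customer phone mismatch"
    if entry.balance_after != claim["balance"]:
        return False, "balance mismatch"
    return True, "matches authenticated record"


if __name__ == "__main__":
    for label, sms in [("genuine", GENUINE_SMS),
                       ("wrong amount", WRONG_AMOUNT_SMS),
                       ("unknown txn", UNKNOWN_TXN_SMS)]:
        print(label, verify_withdrawal(sms, TRUSTED_LEDGER))
```

The point of the structure is that the balance figure alone is a weak check (it is exactly what a convincing forgery reproduces), whereas a transaction id that must exist in the agent's own records, with matching amount and customer, gives the agent several independent facts to confirm before cash changes hands.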