Here’s the follow up article to What needs to change with M-Pesa in 2020, which I published on 28th December 2019.
I wanted to include Privacy Issues as point number 1 before Transaction Costs in the article linked above. Actually, the draft article still has that as the first point. I decided against it, because I felt this topic needed an article of its own. Also, transaction costs were a big conversation at that time. And I feared the discussion around privacy would somehow be lost.
One thing that has continuously bugged me about M-Pesa, something we all use almost every day, is how it has almost completely wiped away the idea of privacy for every Kenyan using it.
Think about it. When you sign up for M-Pesa what details do you give away:Full Names, Government Identification Number, Date of Birth, and much more.
What about when you withdraw money from an Agent? You give away your ID number, your phone number, plus the Agent remains with your full names. Here’s a stranger you’ve never met, asking you for all these private details about you, just so that you can get physical cash that’s already yours.
There’ve been numerous concerns about how safe this data is: How is the information we give agents stored? Who has access to the data? What measures have been taken to ensure that the data doesn’t land in the wrong hands? What happens when the data lands in the wrong hands?
We’ve not seen any serious information or announcements from Safaricom on the same. For example explainer videos on how customer data is handled, or how agents keep safe what we give them. Neither have we seen any serious responses from the company on the growing concerns of Kenyans concerning fraud, spam messages from businesses or other weird companies, SIM swaps, and much more.
A study by Myriad Connect, back in 2018, estimated that seven out of ten Kenyans reported to have fallen victim – or know someone who has fallen victim – to financial transaction fraud. And you know what these fraudsters are targeting most? Mobile Money.
Of course from 2018 to now, the number of Kenyans falling prey to fraudsters keeps increasing. We’ve seen them use new methods to trick innocent Kenyans. Some will call you, some will text you, and some will be very convincing including knowing all your official government names.
Hakikisha by M-Pesa:
Have you ever received a call/text on your Safaricom line from some random person who tries to tell you you’ve won something, or your line or bank account has an issue?
I believe most of us have. Though all of us reading this site are clever, and know too well not to fall for such scams. But think of an old person getting a call from a new number, and the caller on the other end knows their full official name. How easy will it be for the fraudsters to steal from them?
And how do these fraudsters know our full names? Well, M-Pesa is the new Truecaller. Only that it is 100% accurate.
When Safaricom introduced Hakikisha for M-Pesa, they hailed it as a new way to reduce mistakes when sending out cash. So you’ll be able to see the full names of whomever you’re sending money to, before you actually okay the transaction. This, they said, would be limited to 5 tries a day so as not to be misused.
Well, many months later, Kenyans, including fraudsters, found incredible ways to use the feature. Also with much thanks to the mySafaricom App where the limit to 5 tries doesn’t seem to work. Say you
- Receive a message from someone you don’t know, use Hakikisha. Try sending them one shilling, see their full name, then cancel the transaction before entering your PIN on the mySafaricom app. Now you know the full names of the person.
- Got a missed call, well, Hakikisha.
- Remember a number of someone you heard some while back but don’t know their name, Hakikisha. Which opens so many avenues for stalkers and creeps. They can hear your number out when you say it loud to a Supermarket teller, or when you write it out at a security entrance.
- Now if you’re a fraudster, and you want to con someone, all you need to do is guess a random array of Safaricom numbers, get their full names from Hakikisha, and call or text them. Works even better if you can get these numbers from unsecured loan and bank apps.
Instead of Hakikisha, what can Safaricom do?
Well, this is one thing I’ve thought about a great deal over the last few weeks. Hakikisha exposes your full names to everyone who has your Safaricom number. It is obviously a violation of your right to privacy. I don’t want everyone to know my official names. Did I sign up to M-Pesa so that anyone who can get my number from anywhere including guessing it, gets to know my full names?
Article 31 of the Constitution of Kenya states: “Every person has the right to privacy, which includes the right not to have — …the privacy of their communications infringed.”
Instead of Hakikisha, I propose this to Safaricom:
- Remove option for people to see full names of people they’re sending money to. Limit that option to business pay bills and till numbers.
- Prompt people to double-check and confirm that that’s the right number they’re sending money to. If I can go through 8 steps to buy data, let me go through 2 extra steps to confirm I’m sending cash to the right person.
- Introduce a 5 minute un-usable window once money has been sent and received.This window will help someone who’s made a mistake to reverse the transaction.
- This un-usabe window means I can see I have received money from someone, but I cannot use it in anyway. If it’s not my cash, the sender can reverse it. This simple step solves issues with Fuliza automatically using up funds, people rushing to withdraw the cash, or other excuses people give when they receive money from wrong numbers.
With this, you not only remove the upper hand fraudsters have had over the past year, you also solve all issues with M-Pesa reversals.
Safaricom needs to be on the fore-front of addressing issues raised by customers around fraud. It shouldn’t be left for people to speculate. There should be statements by the company letting people know that this and this has been said, and this and this is being done. The company should also be very clear about how customer data is handled, and how Kenyans can be sure that the stupid spam messages we receive aren’t as a result of Agents selling our numbers.
In the same breath, Kenyans need to be relentless in our noise. When we suspect something is happening, we need to make noise about it. We need to demand accountability, and transparency from the companies that take our data.