Here’s something to know: Safaricom has recently updated how the STK Push works. You now get a pop-up message.
You remember when Safaricom silently introduced STK Push as a means for completing M-Pesa payments? It was a silent rollout and I remember stumbling upon it and wondering “Woaah, this is new, and so cool!“
There had been no mention of it anywhere. And my first thought was – what if someone initiates such a push request on someone who doesn’t know such a feature exists? Can they manage to make them complete a transaction unknowingly?
My answer arrived not more than a month later when my sister and my aunt were conned out of significant amounts of money. They received calls, and the person at the other end of the line told them not to worry, just input your PIN number to confirm your details.
It was an easy thing for fraudsters:
- Guess a Safaricom number. You already know the prefixes.
- Use Hakikisha and see the full names of the customer.
- Call them, pretend to be whoever from Safaricom fixing their details or whatever other lies fraudsters tell.
- Run them through different shenanigans – including Fuliza etc, and then finish by asking them to enter their M-Pesa PIN.
I don’t think my family members would have lost money this way had such an update to M-Pesa been communicated well. For many people, the first time they saw such a feature was when certain supermarkets implemented it. And how many people visit those supermarkets?
I am not saying that the STK Push is a bad thing that should be scrapped. Rather, I am making the point that a proper means of communicating would make every customer aware of the feature, thus reducing the chances of fraudsters taking advantage.
New USSD Pop-up for M-Pesa PIN:
The reason for writing this now – of course in light of the current fiasco around re-registration, which has also not been properly communicated – is because I’ve recently noticed a new update to the feature.
The previous implementation of the STK Push has had issues. You may have experienced this whenever you’re in supermarkets or whenever there’s a request to be pushed to your phone. The pop-up never appears, even after numerous tries.
The reason is that different smartphones handle background services differently. Some are very aggressive in how they block background activities. So when the push happens, the phone doesn’t pick it up and you cannot complete the transaction.
As a solution, Safaricom seems to now be rolling out a USSD pop-up. It’s the same underlying technology, but now it pops up in a similar manner to the data notifications we’ve seen. Instead of bringing the SIM Toolkit to the front, you get this pop-up telling you to enter your M-Pesa PIN.
The good thing: it works without fail. The bad thing: ONE. It doesn’t mask the M-Pesa PIN. TWO. It hasn’t been communicated to users, at all. Some people have been seeing it for a while, some are only seeing it now. And that opens up avenues for abuse.
How fraudsters can abuse this:
Similar to the original implementation, fraudsters can still reach out and try to make you enter your M-Pesa PIN, completing transactions you know nothing about.
But that’s not all.
Unlike the SIM Toolkit, which hides your PIN while you are completing a transaction, the pop-up method doesn’t mask it. Anyone around you can see you enter the PIN.
What’s stopping fraudsters from building a look-alike of this pop-up and, instead of trying to make you complete a single transaction, using it to collect M-Pesa PINs from many different users?
Will it be proper to blame innocent users? Whose fault will it be?
Proper communication – in fact, a friend puts it as “over-communication” – is the only way to ensure fraudsters don’t thrive. Let people know about a feature. After they know, keep reminding them. Let it be as clear as day, and even boringly repetitive.
The communication must be done in language that’s simple and precise. I am dwelling on this because Safaricom nowadays pushes a lot of messages promoting different things and drawing your attention to different products. From travel packages to cooking gas deals – if you use the M-Pesa Super App you know what I am talking about.
Wording is also important. For example, in the above image can you really tell that’s a message from Safaricom? And what’s stopping scammers from pushing similar links with such “lucrative” deals as a way of collecting personal data?
Safaricom is really big, and I believe it should be clear to them that there can be no end to innovation among scammers. Any loophole they see, they will jump on. Safaricom shouldn’t be the one giving them the chances.