IMPORTANT NOTICE TO ALL MPESA USERS.

Picture this. You are busy at work meeting your tight deadlines, then you are interrupted by a text message that sends you reeling.

You have just sent a stranger or rather, someone pretending to be you has just sent the little money you had in your M-Pesa. And just like that, your money is gone in an instant.

Well, this happened to one of these writers one Thursday afternoon last month.

The writer did not imagine that his money was being drained and being sent to people he had no idea who they were.

It all started after he gave a colleague his old handset. He deleted his password and fingerprint authentication and then his colleague put his. Three hours later the writer’s money started disappearing without his authority.

He rushed to Safaricom shop along Kimathi Street to inquire why his money was being sent to people he did not know. The first customer care lady he met at the shop and explained what was going on said that was impossible.

“Did you have your handset or did you share your secret pin with anyone,” she inquired.

The answers were no. Another male customer care official also at the counter had the same reaction.

Reversed the money

Luckily, the writer had already reversed the money. Once someone reverses the money it sometimes takes up to 12 hours to be credited back to someone’s account.

The Safaricom customer care official then politely asked what kind of gadget the writer was using and he told him that it was an Oppo Reno6, then he told the writer that the money had been sent by an Oppo Reno4, which was his old handset.

The victim had both the Safaricom App and the Mpesa App on his phone. What he did not know is that whereas the Safaricom App had the capability of logging itself off once he removed his sim card, the M-Pesa app has a mind of its own.

You must log off manually before giving your old phone away. Changing fingerprint authentication passwords is not enough.

But according to the customer care official, this was not possible because the writer had removed his sim card from his old handset which automatically reset itself after the new user inserted his sim card.

“I have been working here for a while and this is the first time I’m hearing of this. Our Safaricom App should be safe and once someone removes their sim card it is supposed to deactivate everything from the previous owner,” he explained.

What happened was that despite the writer deleting his password and fingerprint authentication, the

Mpesa App still recognised the writer’s colleague’s fingerprint authentication, and instead of using his M-pesa sim card it used the writers.

Sim card

The money that the writer thought was being stolen was the colleague who was sending it but instead of being deducted from his sim card it was being deducted from the writer’s sim.

Contacted for comment, the telco did not provide a written response on this inquiry. But it said that it takes matters of security seriously, pointing out that the incident only happens if one does not log off from their Mpesa APP accounts.

Instead, the telco told the writer to go to their offices and sit down with the technical team so that he could take them through what happened.

He obliged and went. For two hours the team explained that it was impossible and that the app, unlike the Safaricom App which uses both biometric authentication and PIN, M-Pesa app uses three options, facial, fingerprint authentication and pin.

Sourced from Nation.