70 points by melenaboija on Nov 23, 2015 | 37 comments
Top comment:
mhogomchungu on Nov 23, 2015
Tanzanian here.
I think calling the service "M-Pesa" is misleading since a lot of other people are offering the same service.
Here in Tanzania,
"M-Pesa" is the name for the service offered by vodafone,a mobile communications company.
"Tigo Pesa" is the name for the same service offered by tigo,a mobile communication company.
"Airtel money" is the name for the same service offered by airtel,a mobile communication company.
"EzyPesa" is the name for the same service offered by zantel,a mobile communication company.
For the above reasons,i generally call the service offered by these companies as "a banking service managed by mobile phone companies".
"Sim banking" is the name of the service offered by a "traditional" bank called crdb[1] so a more generalized name that accommodates both traditional banks and cellular network operator banks is in need.
Most traditional banks are also offering the same service.
The only thing they all have in common from the user's perspective is that the services are offered through ussd codes[1] meaning they are not tied to mobile phones and they work with any device that supports ussd codes.
I have an application called ussd-gui[4][3] that i use to manage by money at vodafone "bank" using a mobile broadband modem on my linux system.
Definitely British. Vodafone started the same service in Fiji, where they call it MPaisa (paisa meaning money in Hindi). A competing service by rival Digicel is called Mobile Money.
It's interesting how SIM hijacking is a serious attack vector for the likes of Twitter, and every month brings a front-page HN article on how SMS is worthless as a form of 2FA, yet in more corrupt and lawless parts of East Africa the phone companies can secure an entire banking system based on phones.
The two use cases (2FA via SMS and M-Pesa) have different threat models and use different parts of the technology stack.
2FA via SMS requires a private channel, but SMS wasn't built to be end-to-end encrypted (although it could be, using the SIM's processor, such a proposal will be shot down by the state actor members of the relevant standards body. See the less-than-perfect security profile of 5G), and so whenever a message is diverted within the system, somebody else can take over.
M-Pesa requires message to be trustworthy, and the SIM app can sign them with a key that resides only on the chip. The transactions are probably not very private (so it might be possible for an eavesdropper to figure out that user A sent X currency units to user B) but that's not a make-or-break requirement for the system to do its job (unlike for 2FA via SMS).
What if you lose your phone? Is there some sort of recovery mechanism to get your money?
If so, wouldn't it be possible for criminals to social engineer this recovery process, similar to how they use social engineering to steal numbers in the US?
If you loose your phone then you must walk in to the nearest office of your mobile phone network provider. And there are many across the country (Ghana). No one can do it on your behalf, and you can't do it over the phone or online. You have to physically go to their office with with a valid ID to recover your SIM card.
Even if you don't get to recover your SIM card early enough, anyone with access to your phone must know your wallet PIN code to be able to make transactions
If you loose your phone here in Tanzania, the phone company will require a police report and a copy of a photo ID(passport, drivers licence or national ID card) that matches the lost line and some will additionally ask you to remember the last few calls that was made by the lost line. All the above will have to be done person in one of many branches operated by the phone company.
I'm fairly certain mpesa and all other mobile money platforms just runs on top of plain ol USSD, which similar to SMS isn't encrypted as far as I know.
It's "secure" because the system requires a pin to authenticate the USSD session. So a SIM swop won't provide an attacker access to the victims account.
I suppose there's a possibility for doing a MITM attack but you'd have to do it between the tower and phone (GSM I think) or between the telco servers (SMPP or SS7), none of which I think are trivial or even possible in some cases
I dug through the literature again, and there are several systems: some using USSD exclusively, others using SIM applications that apparently employ both USSD and SMS for communication.
In all case there's some amount of authentication going on, and they all allow retrofitting additional lines of defenses if necessary.
2FA SMS is helpless as long as it's layered on top of plain old SMS (which for political reasons won't become secure).
I had to restore my iPhone last week. This was a bit problematic because I use my phone as the 2FA token generator for online banking. I was able to restore 2FA on my phone using... a text message.
G-Cash, in the Philippines, was the first mobile based money transfer platform. It was launched in October 2004, a year before M-Pesa.
There have been many attempts to replicate M-Pesa's extraordinary success. M-Pesa in Kenya is a significant outlier in the mobile money space.
[Edit: assumed M-Pesa founding date of 2007 in wikipedia was when M-Pesa launched. It actually launched pilot in Oct 2005. Exactly one year after Philippines system]
There's a lot of other *Pesa systems in East Africa and they all are relatively successful: TigoPesa, HaloPesa, AirPesa, etc etc. Everyone talks about M-Pesa because it was first in East Africa but at this point, it's a commodity.
One thing that has always impressed me about these systems: I've never read a story about a corrupt manager of the deposited funds betting them on the stock market and losing them. That's something we in The States have had a hard time preventing and worked hard to legislate against. And still, in a very rough parallel, we utterly failed at it during the housing bubble.
So if my conception of the situation even makes sense, how have M-Pessa and equivalents avoided this pitfall?
They haven’t. I just got my 10gb package stolen by voda today. The company is dishonest and no one around here trusts them. People might get money through M-pesa, but they convert it into cash asap.
"Kenyan" and "British" are poorly defined categories. They are not mutually exclusive. M-Pesa is a large and complex thing (company, product, service, cultural or economic effect, why not all of those things!)
So the answer is null.
And since people get so hung up on bs about categories, they will argue about it from an emotional instead of a rational perspective. Those arguments will be endless as (see first paragraph) there is no correct or provable answer.
It is important to do this analysis and remind ourselves of these facts whenever a poorly defined question arises involving complex systems (like culture, society, economics or politics).
Following the money is an unconvincing argument that leads to publicly traded companies being mostly nationless, Nissan being primarily French, Jaguar being primarily Indian, and WeWork being fully Japanese.
Wonder what the etymology is on that? Seems close to 'peso', but that wasn't really where the Spanish were hanging around, so maybe it's just a coincidence?
> that wasn't really where the Spanish were hanging around
For a while, Spanish currencies and conventions acted as reference for most of the trading world operating across oceans, regardless of Spanish presence. It was a bit like the modern USD.
Safaricom is good at sales and marketing in East Africa, not at innovation from inside of the company. They do use some clever partners though at times, and the combination can be pretty good. They've obviously taken M-pesa and grown it into a mature product - listening to their clients, but primarily from a sales channel.
31 comments
[ 4.2 ms ] story [ 76.5 ms ] threadM-Pesa – a mobile-phone based money transfer and microfinancing service: https://en.wikipedia.org/wiki/M-Pesa
70 points by melenaboija on Nov 23, 2015 | 37 comments
Top comment:
mhogomchungu on Nov 23, 2015
Tanzanian here.
I think calling the service "M-Pesa" is misleading since a lot of other people are offering the same service.
Here in Tanzania,
"M-Pesa" is the name for the service offered by vodafone,a mobile communications company.
"Tigo Pesa" is the name for the same service offered by tigo,a mobile communication company.
"Airtel money" is the name for the same service offered by airtel,a mobile communication company.
"EzyPesa" is the name for the same service offered by zantel,a mobile communication company.
For the above reasons,i generally call the service offered by these companies as "a banking service managed by mobile phone companies".
"Sim banking" is the name of the service offered by a "traditional" bank called crdb[1] so a more generalized name that accommodates both traditional banks and cellular network operator banks is in need.
Most traditional banks are also offering the same service.
The only thing they all have in common from the user's perspective is that the services are offered through ussd codes[1] meaning they are not tied to mobile phones and they work with any device that supports ussd codes.
I have an application called ussd-gui[4][3] that i use to manage by money at vodafone "bank" using a mobile broadband modem on my linux system.
[1] http://crdbbank.com/tz/alternative-banking/simbanking.html
[2] https://en.wikipedia.org/wiki/Unstructured_Supplementary_Ser....
[3] https://github.com/mhogomchungu/ussd-gui/blob/master/icons/u....
[4] https://github.com/mhogomchungu/ussd-gui
2FA via SMS requires a private channel, but SMS wasn't built to be end-to-end encrypted (although it could be, using the SIM's processor, such a proposal will be shot down by the state actor members of the relevant standards body. See the less-than-perfect security profile of 5G), and so whenever a message is diverted within the system, somebody else can take over.
M-Pesa requires message to be trustworthy, and the SIM app can sign them with a key that resides only on the chip. The transactions are probably not very private (so it might be possible for an eavesdropper to figure out that user A sent X currency units to user B) but that's not a make-or-break requirement for the system to do its job (unlike for 2FA via SMS).
M-Pesa simply has quite high fees to cover fraud losses.
If so, wouldn't it be possible for criminals to social engineer this recovery process, similar to how they use social engineering to steal numbers in the US?
Even if you don't get to recover your SIM card early enough, anyone with access to your phone must know your wallet PIN code to be able to make transactions
It's "secure" because the system requires a pin to authenticate the USSD session. So a SIM swop won't provide an attacker access to the victims account.
I suppose there's a possibility for doing a MITM attack but you'd have to do it between the tower and phone (GSM I think) or between the telco servers (SMPP or SS7), none of which I think are trivial or even possible in some cases
In all case there's some amount of authentication going on, and they all allow retrofitting additional lines of defenses if necessary.
2FA SMS is helpless as long as it's layered on top of plain old SMS (which for political reasons won't become secure).
This was for the Dutch ING bank.
There have been many attempts to replicate M-Pesa's extraordinary success. M-Pesa in Kenya is a significant outlier in the mobile money space.
[Edit: assumed M-Pesa founding date of 2007 in wikipedia was when M-Pesa launched. It actually launched pilot in Oct 2005. Exactly one year after Philippines system]
So if my conception of the situation even makes sense, how have M-Pessa and equivalents avoided this pitfall?
Do you happen to know anything about what makes M-Pesa such an outlier?
So the answer is null.
And since people get so hung up on bs about categories, they will argue about it from an emotional instead of a rational perspective. Those arguments will be endless as (see first paragraph) there is no correct or provable answer.
It is important to do this analysis and remind ourselves of these facts whenever a poorly defined question arises involving complex systems (like culture, society, economics or politics).
Even server infrastructure was hosted offshore until relatively recently[1]
[1] https://cointelegraph.com/news/m-pesa-shuts-down-as-they-mov...
Is it not Saudi Arabian?
AFAIK they poured multiple billions into SoftBank, which poured those billions into Uber, WeWork and others.
This gives a more succinct history. The idea was that of British citizens working for Vodacom(Safaricom) in Kenya.
https://en.wikipedia.org/wiki/Paisa seems to indicate it's possibly from the Portuguese.
For a while, Spanish currencies and conventions acted as reference for most of the trading world operating across oceans, regardless of Spanish presence. It was a bit like the modern USD.
“If you see the document I sent to @SafaricomLtd you will understand that. All they did was code!”