Safaricom should consider a bug bounty challenge on M-PESA App

There is growing online discontent over the security and integrity of the M-PESA App, and Safaricom should take it seriously. Granted, some of the reported losses come down to user error, but a constant stream of complaints is something the telco needs to stay on top of. It does keep engaging the public on the security measures it has put in place, such as the PIN and biometrics, but the complaints are not going away.

One approach the company could consider is a bug bounty challenge on the M-PESA App. A bug bounty is an approach to system and application security in which a company invites ethical hackers to analyse its systems for vulnerabilities. Participation can be unpaid, or a bounty, typically cash, can be offered as an incentive for people to take part.

Ethical hackers are asked to test the App, find bugs and report them to Safaricom, and hopefully get rewarded for it. The challenge can run for a set period, such as six months or a year, or remain open indefinitely.

For instance, one of the complaints is that people lose money when using the App on public wifi. For its part, Safaricom insists the App is safe and secure even on public wifi, but that has not assuaged customers.

Nelly Nyadzua, a cyber security professional, argues that information transmitted over public wifi can easily be intercepted by an attacker through a process called a man-in-the-middle attack (MITM). The bone of contention is that public wifi providers cannot guarantee security. She says that most public wifi services are unsecured or misconfigured and so cannot guarantee safe transmission of data, because the data is not encrypted.

Essentially, a man-in-the-middle attack is one where a third party sits between the user and the provider and can access the user's details without authorisation. For instance, they could capture security codes such as the PIN and, instantly or at a later time, access the App and transfer money as they wish. Whether an attacker in that position can actually read a PIN depends on how the App protects its own traffic: if the App encrypts its connection to the server end to end (TLS with proper certificate validation), an attacker controlling the wifi sees only ciphertext, and the PIN is exposed only if that validation is missing or can be bypassed. That is exactly the kind of question a bug bounty would put to the test.

Asked whether man-in-the-middle attacks can be eradicated in wifi settings, she says that would likely be a world first, and tons of financial institutions around the world would want that service to reduce the fraud they face. Currently, there are other measures that prevent MITM attacks, such as using VPNs or using a private data network (tethering).

The bounty

There are many types of MITM attacks, but consider this one: you go to a restaurant and find several wifi networks. You ask a waiter for the password and they give it to you. You then connect to the one with the strongest signal. The restaurant may run several access points, and the one with the strongest signal may not be the restaurant's at all but an attacker's "evil twin", set up with the same network name and even the same password. Everything you send while connected to it passes through the attacker's equipment, and you give away your data unknowingly.
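The decisive question in that scenario is whether the App still authenticates the server it talks to when the network itself is hostile. The following is an added example (not code from the article, and not Safaricom's own) of the check a tester on such a bounty would perform: public-key (SPKI) pinning, which an app's TLS client can use to reject a certificate presented by an evil-twin access point even when that certificate carries the right hostname. It assumes the App uses TLS to its backend, uses the made-up hostname api.example.test, constructs both certificates locally, and needs only the openssl command-line tool.

```shell
#!/bin/sh
# Added example: SPKI certificate pinning, the control that decides whether a
# rogue access point can read an app's traffic. Requires the openssl CLI.
# Assumption (not from the article): the app talks to its backend over TLS,
# and "api.example.test" is a stand-in for the real API hostname.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert PREFIX CN: mint a self-signed certificate and key (constructed test
# data, written to $WORK/PREFIX.crt and $WORK/PREFIX.key).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" -days 1 >/dev/null 2>&1
}

# spki_pin CERT: print base64(sha256(SubjectPublicKeyInfo)), the same pin
# format used by HPKP, Android's network security config and OkHttp's
# CertificatePinner. An app ships this value for its backend at build time.
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 | tr -d '\n'
}

# pin_matches PRESENTED_CERT EXPECTED_PIN: what a pinning TLS client does on
# handshake. Returns 0 (accept) only when the key in the certificate the
# network handed us is the key the app was built to trust, otherwise 1.
pin_matches() {
    [ "$(spki_pin "$1")" = "$2" ]
}

# The legitimate backend certificate, and a second one an evil-twin operator
# minted for the very same hostname (a rogue AP can pick any name it likes).
make_cert legit "api.example.test"
make_cert evil  "api.example.test"

# The pin the app would carry. Note it is derived from the key, not the name,
# so a forged certificate with a matching CN does not help the attacker.
PINNED=$(spki_pin "$WORK/legit.crt")

# Stand-alone demo: the legitimate cert passes, the evil twin's does not.
if pin_matches "$WORK/evil.crt" "$PINNED"; then
    echo "evil twin accepted: traffic (and any PIN in it) is readable by the AP"
else
    echo "evil twin rejected: presented key does not match pin $PINNED"
fi
```

Run it as a script. If the App's TLS client validates the server the way pin_matches does (or, at minimum, checks the certificate against a trusted CA), the attacker on the restaurant wifi sees only encrypted traffic and the PIN never reaches them; if a tester can substitute a certificate like evil.crt and the App keeps talking, that is a reportable finding.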

It would not be the first time the telco set up such a challenge. In 2018, it launched a bug bounty challenge limited to its website, and according to the website the challenge is still running. The terms include a list of out-of-scope items, and M-PESA does not appear on it.

Public wifi is the most common setting for MITM attacks, so if the bug bounty's scope does not cover the App, ethical hackers cannot test it for this class of vulnerability. Safaricom should therefore add the App to the scope, among other things.

A bug bounty challenge also has a public relations face beyond the security one. It tells the public that, as an organisation, you take feedback seriously and value credibility. You are putting yourself at some risk and showing the courage to admit that there could be gaps you do not know about, and that you want to find them and fix them.

It also builds the confidence of users, who number over 30 million in Kenya alone, that their money is safer with you.

