Today in the office there was an interesting discussion brought on by a colleague who, during the weekend, had her SIM card hacked and cash withdrawn from her Mpesa wallet without her knowledge. She had left her phone to charge in her neighbor’s house since her house didn’t have electricity. On coming back after an hour she found her phone had been formatted, and later in the day she discovered her Mpesa wallet had only Kshs 12 left. Kshs 4,000 had been withdrawn. (The Mpesa confirmation message had also been deleted to avoid suspicion.)
On generating her Mpesa statement, it showed that Kshs 4,000 had indeed been withdrawn at the exact time she had left her phone charging at her neighbor’s house, by a recipient whose name, wait for it, resembled the neighbor’s son. She confronted the mother of the culprit, who admitted that her son could indeed be the one who had done it, as she has occasionally lost some of her own cash through Mpesa through him. The mother agreed to bear the costs and refunded our colleague her lost cash. This brought on a heated discussion as to how he could have achieved this.
Sure, formatting Android phones is pretty easy, considering that most are ‘Hard Reset’ in the same way, and with this he could erase the phone’s security pattern; he was also able to access the SIM card as it was PIN-less. But how he managed to change the Mpesa PIN is still a puzzle.
Our colleague is now scared and won’t take back her old phone number, as she fears it could still be vulnerable and be hacked again. She decided to buy a whole new SIM card with a totally different number altogether. Is there a loophole here? Is there a way someone can reset/change your Mpesa PIN if they have direct access to your SIM card?