Hacking MPESA PINs



:sweat_smile: Hii kenya/dunia anything is possible, I remember a while back when someone ‘stumbled’ upon guys details stored in plain text by Jumia, I wouldn’t be surprised Saf has a couple of leaks here and there esp when it comes to info from way back.


One of the reasons I switched to the Equity ecosystem is because I noticed some Mpesa agents sell customer details.

That book you sign after depositing/withdrawing contains so much of your information. Those calls/texts you get from con artists - they got your number from some agent.

The same applies to some buildings that require you to sign a book at the front desk.

Equity agents do not have access to that much information.


Hapo umenichanua, this explains alot;you know I always wondered where these cons get someone’s number coz I just don’t see them sitting down & guessing peoples numbers all day.


& on that note, does the Mpesa Book/Register(yenye unasign ukitoa/weka pesa) have any solid use case &/or is it sth required of Saf by some law?
Coz the way I see it, hii kitu ni obselete & pointless considering that all transactions are ‘online’ & the fact that most Mpesa attendants si keen ikikuja kwa kujaza hio kitabu only makes me feel Safaricom should do away with it.


Yea btw these books ni miti tu wanaharibu i dont see the point of having these books. I’ve worked as an mpesa attendant once n my boss told me that the books go back to the super agent but no one knows what they do with them. Some entries ata hua zimejazwa nusu kwanza ukipata customer wengi u forget to ask for some customer details, so unajaza vitu zako. There was this agent i used to go make transactions at, alikua anascribble tu kwa entries kujaza spaces, the whole book unadhani alikua anaandika while sleeping :joy:


I think she made up a story to entertain you guys…

that Ksh 4,000 had indeed been withdrawn at the exact same time she had left her phone charging at her neighbors house by a recipient whose name, wait for it, resembled the neighbors son

that what gave it away when you Go withdraw from M-Pesa the Name and in this days the ID number will be the same as that displayed on the phone…


this MPESA hacking vibe is real btw,chungeni sana,there also this new trend of social engineering where you are called and they try to figure out your financial information by purporting or impersonating customer service persons…kindly just save your financial providers offficial customer care lines and also use truecaller if you can


I have received these calls and i usually act like information is being mined but actually all i give is useless data at least telcos earn some money from the scammers.


Woi. Mbona unataka kuturudisha misri?


Does mpesa use your location when making withdraws, I was at Lungalunga trying to withdraw cash directly from a Kiambu Mpesa agent i know for my foreman which would be cheaper than sending directly then for him to withdraw, but got an error message that I need to be at the mpesa shop to make the withdrawal.
About mpesa fraud, saf should recheck their sim swap rules, let it be a little difficult they should even ask the last 3 phones you used your sim card in, I recently got 7 loan messages on my tablet saf line which I have never called anyone texted anyone but somehow they got the number, it might be from the number recycling by saf.


Yes they do, your phone will ping the BTS and if it’s not the same one pinging the Mpesa agent phone the transaction won’t go through. I believe they want to avoid what you were trying to do. Sometime back I understand that agents could lose revenue if the system could tell you were away from the agent. Now the transaction just doesn’t go through.


If you try 2-3 times it goes through (but such transactions can easily(VERY) be reversed if you call Saf - I think this is another reason Agents are wary of someone transacting while not in the same area as them).


Another one:


Guys can you enlighten me on this, a relative received 83k last month but the mpesa text had no sender id and the whole amount was received in one transaction. I am wondering did Safaricom scrap off the 70k per transcation limit? How come there was no sender id? mpesa statements are also blank on sender info and indicate it’s one transaction


This is interesting. @martingicheru and team can make an awesome article out of it if you have documented evidence.


I’ll upload the screenshots once i get them


Have you been in touch with Safaricom? There are too many red flags in that transaction.


Too many, the money is already spent no need contacting them


Lol. How would you spend money you have no idea where it came from?


It seems these Mpesa woes are not going away soon. Problem is the spectrum of carrying out the hacks is really wide so it could be so many things at once. From social hacking all the way to system hacks. With the naivety of some people and negligence by agents and employees, social hacking looks like a very high possibility.