Hacking MPESA PINs

Today in the office there was an interesting discussion brought on by a colleague who during the weekend had her SIM card hacked and cash withdrawn from her Mpesa Wallet without her knowledge. She had left her phone to charge in her neighbor’s house since her house didn’t have electricity. On coming back after an hour she found her phone had been formatted, and later on during the day discovered her Mpesa wallet had only Kshs 12 left. Kshs 4,000 had been withdrawn. (The Mpesa confirmation message had also been deleted to remove suspicion.)

On generating her Mpesa statement it showed that Ksh 4,000 had indeed been withdrawn at the exact same time she had left her phone charging at her neighbor’s house by a recipient whose name, wait for it, resembled the neighbor’s son. She confronted the mother of the culprit, who admitted that her son could indeed be the one who could’ve done that, as she has occasionally lost some of her own cash through Mpesa through him. The mother agreed to bear the costs and refunded our colleague her lost cash. This brought on a heated discussion as to how he could have achieved this.

Sure, the formatting of Android phones is pretty easy, considering that most are ‘Hard Reset’ in the same way, and with this he could erase the phone’s security pattern, and he was also able to access the SIM card as it was PIN-less. But how he managed to change the Mpesa PIN is still a puzzle.

Our colleague is now scared and can’t replace her old phone number back as she fears it could still be vulnerable and be hacked again. She decided to buy a whole new SIM card with a totally different number altogether. Is there a loophole here? Is there a way someone can reset/change your Mpesa PIN if they have direct access to your SIM card?

Most people use common PINs for their M-Pesa, like birth years, number patterns, so probably the kid is smart enough to know what the PIN was. Just probably.

The PIN was guessed; maybe the son previously saw the woman performing a transaction and remembered it. Kids have a way of glimpsing what you do on your phone without you noticing.

Guys, the son is not a kid but a 27-year-old jobless man. My colleague saw him for the first time this weekend.

More reason to believe he just guessed the PIN or knew the PIN.

This was possibly social engineering, not hacking per se. We are all very careful when we transact in a new M-Pesa shop. But the one in the 'hood? That one most probably doesn’t even ask to see your ID, and you probably don’t cup your phone in your hand to hide your transaction the way you would in the CBD. That kid probably saw the PIN at some point and remembered it; from your story he steals money from his mother as well, probably the same way.

Someone with a proven history of “stealing” from M-Pesa looking over your shoulder to see your PIN is not hacking 🙂

Your colleague should probably go to the police with evidence and get him locked up.

There was no need since the mother refunded her the money.

The next victim may not share your sentiment.

Funny you should say that coz we had already asked her why she didn’t go to the authorities with this, and she said she had contemplated taking the matter forward at first but the suspect’s mother hit her with this verse from the Bible, Matthew 5:25: “Settle matters quickly with your adversary who is taking you to court. Do it while you are still together on the way, or your adversary may hand you over to the judge, and the judge may hand you over to the officer, and you may be thrown into prison.”

I myself use this same verse when caught with a misdemeanor in traffic as it works with those difficult cops who want nothing less but for you to appear in court the next day.

Well, being a Sunday and the mother taking it upon herself to refund the money, she just decided to drop it. Which mother wouldn’t stand by her child in such a situation anyway? I know mine would have done the same thing, scolding notwithstanding.


This guy claims ability to hack Mpesa and SIM card remotely, is he our guy?

Maybe it’s time Safaricom makes MPESA interoperable with other networks for the sake of the user.

This must be a new one. If he is as good as he claims, then he shouldn’t bother with Safaricom employing him but rather borrow a leaf from that KRA hacker and reap enough funds to globe-trot, drive expensive cars and live the life. That way his Mpesa hacking claims would no doubt be legit.

This to me looks like last week’s episode of the Good Fight. Hacker claims a hack is happening, he needs a flash drive sent to the FBI so that they can help stop it. Thing is, the hacker needed access to the FBI system using the flash drive to initiate the hack, and was successful.

If what he’s saying is true, then he has to have access to Safaricom core network, which is impossible. Maybe another Kenyan looking to blackmail for a job?

There are better ways of getting Safaricom’s Collymore, CAK, and CID’s attention: hack and deplete the MPESA accounts.

It’s hard but not impossible, remember we still don’t know what caused the network outage that happened earlier in the week, then right after the outage this guy pops up.

“I can also recover money from dead Mpesa accounts.” That tagline is enough to open a shop and start a booming business. He will significantly shorten the process it takes for bereaved relatives to withdraw cash from their dead relatives’ Mpesa accounts.

Guys, the screenshot below has been trending around… The lady claims that her details may have been compromised as a result of poor data security at Safaricom. How true could this be? In my opinion, it might be the Spectre vulnerability, or those malicious apps which read user input on a device, or Safaricom is really not secure. But I doubt she gave out her details as Safaricom indicated. Nonetheless, is there any device hacking strategy which could even expose information about when you started using the SIM??? (Do you even remember when?)

My cousin also went through a kinda similar thing sometime last year. Someone somewhere apparently managed to change her MPESA and SIM registration details, including her MPESA PIN, then replaced the line. She just noticed that there was no network signal on her phone all of a sudden, and for a while she was doing her best to troubleshoot the problem; she even thought maybe the problem was the phone. In the meantime, when her pals were trying to call her, calls were going through to a certain Njoroge guy, at least that’s what they were saying. They even thought he was a sponsor 😂😂, but by the time she reported the issue to Safaricom her cash had already been withdrawn. She was so freaked out even after Saf had blocked the line from the other side that she just bought another new line altogether.
I see we’ll go back to keeping money in the mattress now, hehe.

That’s scary 😂😂… Maybe Safaricom was hacked and they are planning to tell us after 5 years like Yahoo did. These cases are so many for us to just disregard them.

A stranger calls you and they have your Mpesa PIN? The only hack here is that someone gave out their personal information.