At about 4PM on Thursday I got a call from a friend with the news was that he and a couple of his workmates were able to recharge their Econet Buddie lines for free using some leaked recharge codes. He confirmed that he had managed credit his mobile phone with US$ 50 worth of airtime. This guy though didn’t want to use the airtime and actually joked he’d tried to call the Econet call center to tell them about the security hole and have the airtime deducted. He couldn’t get through.
I personally didn’t get the time to try the codes immediately, and I was informed by a different person later that evening that the codes were not working anymore. So I forgot about it and got on with other things. Didn’t think much of it after that until another colleague today reminded me about it. So I asked them for some details and got a somewhat sketchy picture of what happened.
The story goes: The code *150*100# was spreading virally around the country from subscriber to subscriber. The code would give a subscriber the option to get airtime without paying a cent. Subscribers used this to steal (yes, we think it’s stealing) airtime ranging from US $50 to US $700. Econet apparently picked this up soon enough and acted swiftly to disable the code.
Thereafter, all the lines that used the code were barred from making calls and some barred from receiving as well. Apparently, as we write this, those lines are now basically dead. A commenter on an article we posted earlier today says this is probably why Econet’s recharge system was down for the better part of yesterday. Twice yesterday afternoon I personally tried to recharge my prepaid line and got the message “We are currently processing high call volumes. Please try again in one hour”.
My friend at the start of this article says he went to the Econet offices in Msasa yesterday to query his blocked line. He was told Econet is still compiling the data to establish how much airtime was siphoned out and communication will be made with the affected people once this process is completed.
As for the source of the code, word around is that some Econet employee stumbled upon the codes, a number of codes actually we hear. This Econet guy then allegedly passed this treasure chest to a close relative and the viral spread began. And as the situation went out of control, the Econet guy vanished and has been in hiding since.
It’s not clear yet if this story is linked to the website hacking last night.
Share
Home
10 comments
I think econet has some serious security issues, how can a person ‘stumble’ upon such important codes? And the the hacking…not good.
Lets get this straight! Econet’s website gets hacked and is down! Then somebody moled his way into Econet’s prepaid system and came out smiling with some prepaid codes! Hellooooo?
Now Econet knows how it is like to be cheated. Anywhere a new line is worth $1.
most security breaches are stumbled upon
Imagine cell phone banking with this crowd …….. one way traffic to losing everything you’ve got
econet shud jus cey t was a christmas bonanza,ko takambovabloka here pavanotibira nema poor services avo,ngavarege ti4ne
It does seem dodgy that someone would deface their site in such a personal way, perhaps its an inside job? the issue with leaked recharge cards, sounds too like a loophole that could have only been found by an econet employee…
WHAT security? In Zim, when u surf at an internet cafe your passowrds are stored, when u put in your details on forms with companies they are left lying around – U might even be told to look for your form amongst a particular pile-easily viewing other peoples information. Econet’s subscriber registration page had an invalid SSL why? They are too cheap to pay for authoritatively signed certificates.
And too many Joomla web sites in Zim – easy to HACK. Shame !!
Not to nit-pick, but it would be more accurate say “Subscribers used this to *defraud*…” rather than “to steal”. “Stealing” connotes depriving the original owner possession of the said item.
While I’m not familiar with switches/GSM billing systems, I strongly I suspect that code was put in place for testing purposes and was never deactivated. Someone got sloppy.
My phone has been blocked and they claim they are investigating but i dont have any idea since i did not even get any free airtime.