How did an EcoCash agent steal over $12000, are new security measures needed?

Leonard Sengere Avatar
EcoCash agent shop

Tafadzwa Taziveyi was (is?) an EcoCash agent in Hwange who worked (works?) from Shanduka Econet shop. Tafadzwa is 23 years old and as all young adults probably feel, he felt he could do with a little more money in his life. He decided the law was a hindrance and found himself a friend who felt the same.

His friend, whose identity is not known yet (guess Tafadzwa ain’t a snitch) works (worked?) from Econet headquarters in Msasa, Harare. This unnamed friend is being called an Information Technology (IT) specialist. They shared the same belief that the law was merely a codification of suggestions.

What they did was impressive, in a bad way of course. Shame on you Tafadzwa and Co. They stole about $12 681 from 25 clients in four days. Four days! 25 clients! $12 681!

It was all too simple for Tafadzwa and friend though, which does not fill me with confidence in the EcoCash system. I understand that internal controls work to a point and it is almost impossible to implement controls which can stop collusion (working together to beat the system) by employees, which is what happened here.

What they would do is target those clients who came to buy sim cards. After those clients filled in the details needed in order to obtain a sim card, Tafadzwa as an employee in the Econet shop would have that information. They would let the clients use their lines, create EcoCash accounts and transact.

Once they saw that there was a sizable amount in an EcoCash account (IT specialist handy here) they would report the line as lost and proceed to issue themselves the replacement sim. The IT specialist would then deactivate the old sim (the one in the client’s hands.) The client details needed to fill out the application for replacement sim would be in Tafadzwa’s possession so they were covered there. Document-wise everything would be in order.

Once they had the replacement sim and the PIN, they would then proceed to transfer the money into their own accounts. The IT specialist probably used different EcoCash accounts, none of them his, when receiving money from his friend in Hwange. That would explain how it is that they know that money was sent to him/her but do not know who he/she is.

The problem with their plan was that although the client would no longer be getting messages of the out-transfers and so would be in the dark, it remained that the client could no longer do anything with their sim. That’s because that old sim would have been deactivated. These clients would obviously get in touch with Econet, angry that their sim cards were not working.

They would be told, by the helpful other Econet employees that they replaced their lines and they would hiss fits and that’s how the whole thing unfolded. That is why this crime spree lasted only four days, from 29 September to October 4th this year. It was stupid and not thought out.

Of the $12,681 that was stolen, $4,935 was recovered.

Tafadzwa was arrested in Hwange and the IT specialist is still at large, for now. The lesson to be learnt here is that crime does not pay.

This story comes at a time when the country has shown its commitment to cyber security as a new Ministry of Cyber Security was created. We are close to the Computer Crimes and Cybercrimes Bill being passed into law. With Minister Chinamasa at the helm any would-be IT specialists better watch their backs. The government will tolerate no computer crimes any longer.

For Econet though I am a bit understanding. Auditing basics tell us that almost any system can be circumvented if employees choose to collude. So maybe the hiring process would be questioned but still it is the smooth talkers who ace job interviews and besides a company cannot be expected to anticipate a change in character of their employees.

Can Econet do more to ensure better system security? Probably. What is it they must do? Heck if I know.

11 comments

  1. C Chokwadi

    Your speculations at how the sim is deactivated is very wrong. U need to do more research on the sim replacement procedure by replacing ur own sim card. Noone can deactivate a sim card outside the MNO capacity. All u can do is trick the identity of the replacer by using fake IDs like u said tafadzwa was the inside man.
    These boys were silly tho thinking they can get away with it

  2. samue

    The main issue I see is that Econet do not own the codebase for their eco-cash system. a vendor does. that is not good for a company their size and also for the speed they need to move at. This is where we come back to that question again “what is it that constitutes core business” for a company like econet. I am sure in deciding to outsource the development of such a system or pick an off the shelf product they viewed themselves as a sales company or a service company but not an innovation house that want to react fast to the market. They chose an iron jacket that everybody else in the content is being made to wear by Comvimva their vendor.

    For speed of reaction to issues such as these and also to opportunities in the market which may be seasonal and transient I feel the whole ideology and business model needs revisiting.

    There are many issues to deal with here but this is the corner I have aimed at because I feel for the money being made by this company not enough has been ploughed back to develop national capacity in the area of technology development. If you knew just how simple an SMS Centre is develop using SMPP protocols or how simple a mobile wallet is to develop you would wonder why all those licence fees are still going out.

    The country and its companies are still being run by lawyers and accountants. the problem is beyond even zanu….. sorry I digress

    1. TheKing

      1, From what I know, when Econet embarked on EcoCash, it did not have internal capacity to develop the system and hence the fastest way was to outsource to a vendor.
      2. Econet is doing customizations and developing further on top of the core EcoCash system.
      3. Econet is struggling to fill senior developer posts(yes, even in this environment were 90% are unemployed)
      4. While you talk about how simple it is to develop telecoms systems, you are being naive as well. A company like Econet does not face development issues, they face scaling issues. Anyone can develop as you pointed out, but how many can develop something that will scale well.

      Besides all this, any system whether developed internally or externally can have its controls beat by employee collusion

  3. Mhlupheki Mlilo

    Why not publish the names of the victims of the scam. A lot of people who were swidled may not be aware up to now considering the massive transactions made by individuals

  4. Bobbie

    “They shared the same belief that the law was merely a codification of suggestions.”
    Best line I’ve read this year! Whoever wrote that needs to be knighted! I laughed so hard!

    1. Tendai Katsuwa

      Laughed too !!

  5. Frank

    There would be an easy and fairly simple way to stop people of bad character from getting this position but it would be at the expense of the company. I am speaking of a basic psychological test to detect those who have the predilection for this kind of thinking but the tests have to been done by a psychologist and can be expense.

  6. Sagitarr

    One simple way to improve any financial system is by having an audit trail of every action/transaction including the actors. The challenge perhaps might lie with the unwieldy size of that audit trail file and corresponding maintenance overheads etc Those who have worked with ATMs will understand what I’m alluding to. Every activity on an ATM is recorded including its status and who did what, where and when. It should be someone’s responsibility to go through the audit trail identifying all exceptions and recommending/implementing actions. This will not eliminate theft and collusion but will allow better regression when faced with issues such as the one above. If a system is so crappy that you know the modus operandi of theft/subversion but cannot identify the culprit then as a corporate, you have too many blank cheques.
    On an aside, I understand EW’s hiring philosophy is that they will find you if you’re “sharp enough” to me this is very theoretical and won’t hold good for long. Something scientific needs to be implemented in the recruiting process to reduce such malfeasance.

  7. Son of man

    the fact that they managed to identify culprits means that the system is sound enough. Collusion is always difficult to predict,prevent and eliminate.i would have been dead worried if they did not have a clue,so hands up to ecocash.

  8. JR Wezhira

    i remember watching this movie, the conman ended up being hired by the FBI…he is still young, and can be used by econet internally, and how to breach the system, his job will be to breach the system, both the IT and the agent need to be kept, $12000 is not really a lot of money, imagine if a couple of zeros had been added, what with the new zippit…

  9. JR Wezhira

    i remember watching this movie, the conman ended up being hired by the FBI…he is still young, and can be used by econet internally, and how to breach the system, his job will be to breach the system, both the IT and the agent need to be kept, $12000 is not really a lot of money, imagine if a couple of zeros had been added, what with the new zippit…from me

2023 © Techzim All rights reserved. Hosted By Cloud Unboxed