Accidentally, I figured out something that got me thinking: is the Sosholoza Any Bank to Any Wallet really secure? Or is it really “Any Bank to Any Wallet”? Yes, it saved me yesterday when their services were down; I had to resort to their “new” baby Sosholoza, which really came through. (Thank you, Steward Bank.)
Once upon a time there was card cloning. Now who needs that when you can do all the stealing without even holding the card in your hands? I guess they didn’t think it through when they introduced Sosholoza, or they did. But I am not all for conspiracy, so I will state facts on what can be done to steal someone’s money using Sosholoza. In this case I will be stealing my brother’s money or my dad’s money or that of the guy I just saw at the till in Pick N Pay or Spar, for educational purposes only of course.
What do you need?
1) The Card Number, not the account number. The card number can be found printed on top of the card; you don’t need spectacles to see that either. For those who are into definitions and are particular about statements, it is the card identifier found on payment cards, such as credit cards and debit cards. In some situations the card number is referred to as a bank card number.
2) The PIN is the second most important thing you need in this educational practical. One way to get it is through shoulder surfing. People are really careless with their PINs in a supermarket when paying for their groceries. Knowing that they will be walking away with their debit or credit card, some folks don’t really mind typing their PIN so the whole world can see. And worse still, some of us with thick fingers will even ask the till operator to do it for us when we fail a couple of times, dreading we would block the card: “Can you please put the PIN for me?”
With only the card number and the PIN you are home and dry. You will need a phone with WhatsApp, of course, since we are talking about Sosholoza. Now, navigating through Sosholoza is the easy part. You can see in the screenshots below how to steal someone’s money with only a card number and a PIN.
The most important step is step 4, where you click the link to open the page in step 5. Put in the details you got from your target, then you have the money.
Think about making a payment to someone. You don’t know the seller by name and they don’t know you either. All they need to see is their money reflecting in their account. How will Steward Bank know it was me who initiated the transaction if I have one of those disposable WhatsApp numbers?
Now, in an ugly scenario, imagine me asking you in a supermarket if you would like some cash and you pay with your card, and I have ZWL $200 worth of groceries. You take out your card to swipe for me and I will be looking closely for your card number and PIN. Or, for me, the ‘creative type’, I can take pictures, and I hand you the ZWL $200. You, being in need of cash, will definitely take the bait.
So Sosholoza’s ‘Any Bank to Any Wallet’ might really not be secure at all, since there’s a high chance that someone can easily get your card number and password and then head to WhatsApp to transfer money.
Anesu Chiodza (@I_amBlackShifu [twitter] | +263772119106)
BTech Information Security and Assurance. Cyber Security Enthusiast. Penetration Testing Fanatic. Software Developer and Web Developer.