
Sosholoza’s ‘Any Bank To Any Wallet’ Is Not Really Secure


Accidentally, I figured out something that got me thinking: is the Sosholoza Any Bank to Any Wallet really secure? Or is it really “Any Bank to Any Wallet”? Yes, it saved me yesterday when their services were down; I had to resort to their “new” baby Sosholoza, which really came through. (Thank you, Steward Bank.)

Once upon a time there was card cloning. Now who needs that when you can do all the stealing without even holding the card in your hands? I guess they didn’t think it through when they introduced Sosholoza, or they did. But I’m not all for conspiracy, so I will state facts on what can be done to steal someone’s money using Sosholoza. In this case I will be stealing my brother’s money or my dad’s money or that of the guy I just saw at the till in Pick N Pay or Spar, for educational purposes only of course.

What do you need?

1) The card number, not the account number. The card number is printed on the front of the card, and you don’t need spectacles to see it either. For those who are into definitions and are particular about statements, it is the card identifier found on payment cards, such as credit cards and debit cards. In some situations the card number is referred to as a bank card number.


2) The PIN is the second most important thing you need in this educational practical. One way to get it is shoulder surfing. People are really careless with their PINs in a supermarket when paying for their groceries. Knowing that they will be walking away with their debit or credit card, some folks don’t really mind typing their PIN so the whole world can see. And worse still, some of us with thick fingers will even ask the till operator to do it for us when we fail a couple of times, dreading that we would block the card: “Can you please put the PIN for me?”

With only the card number and the PIN you are home and dry. You will need a phone with WhatsApp, of course, since we are talking about Sosholoza. Navigating through Sosholoza is the easy part. You can see in the screenshots below how to steal someone’s money with only a card number and a PIN.

[Screenshots: 1st & 2nd step; 3rd & 4th step; 5th step; 6th step]

The most important step is step 4, where you click the link to open the page in step 5. Enter the details you got from your target and you have the money.

Think about making a payment to someone. You don’t know the seller by name and they don’t know you either. All they need to see is their money reflecting in their account. How will Steward Bank know it was me who initiated the transaction if I have one of those disposable WhatsApp numbers?

Now, in an ugly scenario, imagine me asking you in a supermarket if you would like some cash in exchange for paying with your card, and I have ZWL $200 worth of groceries. You take out your card to swipe for me, and I will be looking closely for your card number and PIN. Or, being the ‘creative type’, I can take pictures, and I hand you the ZWL $200. You, being in need of cash, will definitely take the bait.

So Sosholoza’s ‘Any Bank to Any Wallet’ might really not be secure at all, since there’s a high chance that someone can easily get your card number and password and then head to WhatsApp to transfer money.
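The gap described above, as an added example that is not part of the original article and is not Steward Bank's or Sosholoza's code: a check that accepts card number and PIN alone, beside one that also requires a one-time code delivered to the phone number registered to the card, so that whoever watched the PIN being typed at the till never receives it. All function names, the data model and the sample card, PIN and phone values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

SALT = b"constructed-salt"            # constructed; a real system salts per card
OTP_TTL = 120                         # seconds a one-time code stays valid

def _pin_hash(pin):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Constructed record: card number -> PIN hash and the phone the bank has on file.
CARDS = {"5000000000000001": {"pin": _pin_hash("4321"), "phone": "+263770000001"}}
_pending = {}                         # card -> (otp, expiry, amount, wallet)

def knows_card_and_pin(card, pin):
    rec = CARDS.get(card)
    return rec is not None and hmac.compare_digest(rec["pin"], _pin_hash(pin))

def authorize_weak(card, pin, amount, wallet):
    """The flow the article describes: card number + PIN alone moves money."""
    return knows_card_and_pin(card, pin)

def start_transfer(card, pin, amount, wallet, now=None):
    """Step 1: on a correct PIN, create a code for the cardholder's own phone.
    Returns (registered_phone, otp) for an SMS gateway to deliver, else None."""
    if not knows_card_and_pin(card, pin):
        return None
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"
    _pending[card] = (otp, now + OTP_TTL, amount, wallet)
    return CARDS[card]["phone"], otp

def confirm_transfer(card, otp, amount, wallet, now=None):
    """Step 2: the code must match, be unexpired, and cover this exact transfer."""
    entry = _pending.pop(card, None)  # single use: consumed on any attempt
    if entry is None:
        return False
    now = time.time() if now is None else now
    expected, expiry, amt, dest = entry
    return (hmac.compare_digest(expected.encode(), otp.encode())
            and now <= expiry and (amt, dest) == (amount, wallet))
```

Because the pending code is bound to the amount and destination wallet and is consumed on the first attempt, a guessed or replayed code cannot be reused for a different transfer.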

Author bio

Anesu Chiodza (@I_amBlackShifu on Twitter | +263772119106)
BTech Information Security and Assurance. Cyber Security Enthusiast. Penetration Testing Fanatic. Software Developer and Web Developer.


Comments

  • Guess the thing you need to protect is your card and PIN. If you lose those (or let someone know them) then you are very compromised, and it's not Sosholoza's fault.

    • There is very little Sosholoza can do in this case. One has to keep their PIN very, very private. But of course what isn't secure in this case is shoulder surfing.
      Also, it's important to note that in this case VISA and Mastercard cards are even more insecure.
      If you have noticed how Zimbabweans pay, you will see that the till operator will in most cases ask for your card to swipe, which in most countries is never the case. Let's learn to say no to that too.

  • These things were mentioned before here; I couldn't locate the article. Anyway, they are banking on tracking the thief down via their phone number. I assume it only allows Zimbabwean numbers to transact. But, like any assumption, I could be wrong. Nonetheless, you can still track the mobile wallet's number. So your scam, whilst possible, will not work for long and will most likely result in you getting caught.

    It's a tad irresponsible to publish such a security article as a "professional" without enquiring from Steward itself about any security measures in place. You could be making noise about something which already has solid contingencies in place.

  • NO TO TILL OPERATORS SWIPING ON OUR BEHALF. I hope Techzim writes an article to warn people about till operators who sometimes even ask for your card number, saying "we want to do a reconciliation later".

  • Why not contact the Steward folks for their response before writing an article like this one? It virtually teaches how to break into other people's accounts. The practice with all security firms around the world is that information which compromises people like the one you provided, must first be furnished to the guys with the software or hardware which is buggy. Then only after a given period, say three months, can then the article be published for public consumption and to alert others. I doubt you took these measures before publishing this article. You risk losing your reputation as a premier tech news portal by these reckless posts prompted by excitement and eagerness to tell.

    • agh gerara here, this article is directed towards awareness of the possibility of this being an issue on the user's end and has not made public any sensitive info/vulnerability directly affecting Sosholoza, therefore no responsible disclosure applies here in my opinion. Though I'm disappointed in the article not having a solution or it being as interesting as I anticipated, considering the writer is a "Penetration Testing Fanatic".

      But it's very much welcomed; we need to talk more about info sec.

      • CEH holder 😂😂 just acknowledge that someone found a loophole, you have no point other than jealousy

  • Whatever happened to 2-factor authentication or the simple OTP or confirmation prompts on someone's phone? I actually think this is a wake-up call to the USERS, who are the ones responsible for keeping their PINs and CARD numbers safe, and also to Sosholoza to try and put some security into it, however small it might seem.

    • That's a good point, would indeed help with enhancing security...

  • It's been two days now; your Sosholoza any bank to wallet isn't working, it's showing me issuer problems, what what.

  • Your option 1 isn't working for me, why?
Published by
Guest Author