This Ecocash horror story shows how systems can fail you

Earlier this week I wrote about the need to make banks and Zimbabwe’s financial institutions accountable for some of the losses that people suffer through hacking and fraud incidents. There was a lot of debate on both sides, especially the more security conscious among our readers insisting that it’s the responsibility of account holders, not banks to make sure that their money is safe.

The assertion they made was that most fraud incidents taking place are not the fault of banks or the fintech that run the systems. They contend that if account holders follow best practices they will be safe. While this is largely true, the fact of the matter is most ordinary users are ill-equipped when it comes to matters of security. Also at times, the systems meant to serve and protect you interact in such a way that even a security-conscious person who does the right thing fails to anticipate loopholes that end up costing them their money.

An Ecocash horror story

Such is the story of one Ecocash user who chose to remain anonymous. According to this user, they lost their phone in a smash and grab incident on the 28th of June this year. The thieves go away with their phone which also happened to have their Ecocash line. They did what anyone of us would do and had their line blocked and made a police report as soon as they could.

To their horror, they learnt that while their Ecocash wallet was empty, someone had managed to still make a Bank to Wallet transfer because like all of us those two are usually linked. The thieves only needed the Ecocash pin in order to empty all linked bank accounts. It’s not clear how the thieves got this pin but given the franchise model employed by Econet where agents have access to their system, there is always a chance that someone with access either carelessly or deliberately gave away that pin.

To thwart the thieves and prevent the money from being moved further the user asked for the Ecocash account to be blocked and the PIN barred. After a while, they got a message from a friend asking them why they kept asking people for assistance when a said friend had already sent them about 5 000 ZWL in their CABS account. It turns out the thieves were not content with the money they had already gotten. They were now actually using social engineering to trick the victim’s friends into sending money and emptying it via Bank to Wallet transfers.

Long story short by the time the victim had closed their Ecocash account the thieves had made off with thousands of dollars. The only way they managed to stop them was by closing the Ecocash account permanently. Somehow, just like in the case I highlighted in my previous article, the thieves kept getting access somehow even after passwords were changed. Even more baffling is that the thieves managed to transfer the stolen money to another Ecocash number and were able to spend it.

This again is like the incident I highlighted where the person’s account kept getting emptied each month. Each time the money lands it sits in the account for barely five minutes before a mysterious ZIPIT transaction moves it to another account where the trail gets cold. Changing passwords and phones hasn’t helped. The process of adding their new account to payroll is ongoing but until then they have to stick with the compromised account.

Even the vigilant can still lose money

The moral of this story is that even the vigilant can still stand to lose their money. In this case, the thieves were somehow able to obtain the Ecocash PIN, it’s not clear how, and exploited that weakness to full effect by emptying a linked account. This is despite the fact that the user had reported their line stolen as soon as they could. Also even after the line had been barred, using some unknown means, the thieves still managed to get away with their loot.

In this case who is to blame? Naturally, the victim has to shoulder some of the blame. Perhaps they didn’t have a lock on their phone allowing the thieves to be able to use it. It’s not clear maybe they even had their Ecocash PIN saved in their contacts. But after the Ecocash line was locked/blocked how were the thieves able to bypass that?

It’s the same thing with card cloning. While you would want the user to keep their card safe the truth is banks should not be issuing cards that are so easy to clone. If they were accountable for losses incurred via card cloning it would change their Cost-Benefit Analysis when it comes to whether they should phase out Magisripe cards for example.

The whole point of this article is not to blame one institution. It is rather to show that systems might be compromised and leveraged in ways you did not anticipate as an ordinary user. Ways fintechs themselves ought to research and make the customer aware off and not in some half-hearted advertisement on their Twitter feed or some cryptic SMS send out to customers in a half-hearted attempt to evade liability.

You should also read

• EcoCash WhatsApp scam on the rise, Police say US$100 million lost so far
• US$100 mil EcoCash WhatsApp scam doesn’t make sense & here’s why
• Beware of investment scams operating via EcoCash
• Screenshots: Don’t fall for this Ecocash scam