Earlier this week I wrote about the need to make banks and Zimbabwe’s financial institutions accountable for some of the losses that people suffer through hacking and fraud incidents. There was a lot of debate on both sides, especially the more security conscious among our readers insisting that it’s the responsibility of account holders, not banks to make sure that their money is safe.
The assertion they made was that most fraud incidents taking place are not the fault of banks or the fintech that run the systems. They contend that if account holders follow best practices they will be safe. While this is largely true, the fact of the matter is most ordinary users are ill-equipped when it comes to matters of security. Also at times, the systems meant to serve and protect you interact in such a way that even a security-conscious person who does the right thing fails to anticipate loopholes that end up costing them their money.
An Ecocash horror story
Such is the story of one Ecocash user who chose to remain anonymous. According to this user, they lost their phone in a smash and grab incident on the 28th of June this year. The thieves go away with their phone which also happened to have their Ecocash line. They did what anyone of us would do and had their line blocked and made a police report as soon as they could.
To their horror, they learnt that while their Ecocash wallet was empty, someone had managed to still make a Bank to Wallet transfer because like all of us those two are usually linked. The thieves only needed the Ecocash pin in order to empty all linked bank accounts. It’s not clear how the thieves got this pin but given the franchise model employed by Econet where agents have access to their system, there is always a chance that someone with access either carelessly or deliberately gave away that pin.
To thwart the thieves and prevent the money from being moved further the user asked for the Ecocash account to be blocked and the PIN barred. After a while, they got a message from a friend asking them why they kept asking people for assistance when a said friend had already sent them about 5 000 ZWL in their CABS account. It turns out the thieves were not content with the money they had already gotten. They were now actually using social engineering to trick the victim’s friends into sending money and emptying it via Bank to Wallet transfers.
Long story short by the time the victim had closed their Ecocash account the thieves had made off with thousands of dollars. The only way they managed to stop them was by closing the Ecocash account permanently. Somehow, just like in the case I highlighted in my previous article, the thieves kept getting access somehow even after passwords were changed. Even more baffling is that the thieves managed to transfer the stolen money to another Ecocash number and were able to spend it.
This again is like the incident I highlighted where the person’s account kept getting emptied each month. Each time the money lands it sits in the account for barely five minutes before a mysterious ZIPIT transaction moves it to another account where the trail gets cold. Changing passwords and phones hasn’t helped. The process of adding their new account to payroll is ongoing but until then they have to stick with the compromised account.
Even the vigilant can still lose money
The moral of this story is that even the vigilant can still stand to lose their money. In this case, the thieves were somehow able to obtain the Ecocash PIN, it’s not clear how, and exploited that weakness to full effect by emptying a linked account. This is despite the fact that the user had reported their line stolen as soon as they could. Also even after the line had been barred, using some unknown means, the thieves still managed to get away with their loot.
In this case who is to blame? Naturally, the victim has to shoulder some of the blame. Perhaps they didn’t have a lock on their phone allowing the thieves to be able to use it. It’s not clear maybe they even had their Ecocash PIN saved in their contacts. But after the Ecocash line was locked/blocked how were the thieves able to bypass that?
It’s the same thing with card cloning. While you would want the user to keep their card safe the truth is banks should not be issuing cards that are so easy to clone. If they were accountable for losses incurred via card cloning it would change their Cost-Benefit Analysis when it comes to whether they should phase out Magisripe cards for example.
The whole point of this article is not to blame one institution. It is rather to show that systems might be compromised and leveraged in ways you did not anticipate as an ordinary user. Ways fintechs themselves ought to research and make the customer aware off and not in some half-hearted advertisement on their Twitter feed or some cryptic SMS send out to customers in a half-hearted attempt to evade liability.
9 comments
This is not the first time I have a friend who lost their phone to thieves and they did the same and conned people using that line it would seem they work as a syndicates with these econet agents and the agents even called to harrass him and get him arrested, there is a huge loophole and econet needs to make sure they plug the hole. The agents are engaging in illegal activities.
Did they report immediately or they started they own manhunt to recover the phone, then after checking their bank accounts and discovered that their money was missing that’s when they reported the matter?? Most of the time it’s the nature of humans to act after it’s late? How was the pin able to be changed if they didn’t have that same number. If they had the same number after a replacement is it possible that the same number was now active on two SIM cards??
So they blocked the line and the ecocash account and after a while they got a message from a friend who was inquiring about their recent surge in asking for financial assistance??? So it means the line wasn’t blocked it was/is still active. Didn’t they alert their friends and family that they had been robbed and someone has access to their ecocash account and phone number?? Maybe dark arts were involved or its someone who is closer to them you knows every bit and byte about them
In this case econet themselves should be investigated. How does a barred line make transcations. Someome is stealing at econet.
What the hell???
It’s difficult to draw conclusions without hearing the story from the horse’s mouth. If it’s true, most likely there is someone on the inside who is able to bypass the block and give thieves continued access to the Ecocash account. In that case, Econet is to blame because its their system. This is similar to SIM card fraud where an attacker works with a mobile operator employee to hack into accounts protected by the victim’s mobile number.
There is missing info in these claims. If someone were to request the PIN to be reset, or just accessed it, there would be an audit-trail of that at Econet.
Didn’t they replace their line after blocking it? Which would have resulted in them also receiving transaction alerts and should effectively have prevented the other line from working at all (even with the PIN).
I’m one of those who believes you must also scrutinise who is telling the story. Not that it didn’t happen, nor that it’s impossible for Econet staff to be complicit, it’s also possible the story isn’t precisely correct.
And again, where are these funds being transferred to where they can’t be traced? An offshore ZWL account 🤣 Even lite accounts require KYC to be fulfilled.
If it was blocked, then it’s simple and straightforward…Econet needs to check in their system who authorized the unblocking, we all know in this day and age you need a user ID and password to access these files ,there is cameras even to pin point who was sitting at that work station when these dubious authorisations were being made…Is it also possible to have 2 separate SIM cards using one number
What’s happening at Econet Zimbabwe there’s no Econet Airtime in the streets?