OK Zimbabwe suffered a $70 000 hit in their finances after Isaiah Marange, a 33 year old man from Chitungwiza hacked into OK’s Money Wave system.
According to The Herald, Marange signed up and opened a Money Wave account making an initial deposit of $5 under the name Kundai Liberty Musamba.
On 26 December 2016 he then allegedly hacked into the system and credited $35 000 to his account claiming to have made the transaction at OK Queensdale till number 5.
Marange went on to credit an additional $35 000 and was joined by some accomplices that they went with on a spending spree swiping at a number of wholesale stores that include National Foods and National Tyre Services.
In some instances Marange is alleged to have looked for customers in these stores with cash and asked to swipe for them and get the hard cash in return.
The issue came to light for OK Zimbabwe after their Queensdale branch received bank statements from CABS that did not tally with the branch’s reconciliation statements.
The issue has since been taken to court and Marange was remanded last Friday until February 14 2017 on $300 bail.
Ok Zimbabwe has since failed to recover any of the money they were swindled. How exactly he performed the crime is still a mystery but this highlights how weak cyber security is in Zimbabwe.
Share
Home
18 comments
This was no hacking at all, this smells all inside job and it is being peddled from within OK as hacking knowing that no one is going to prove the nature of hacking or that it wasnt at all.
Opening an account is not hacking.
Transfering money into that account is not hacking.
Do OK have a permanent online presents? (public access not transactional network)
If the answer is no, then how can a outsider have access to the systems without help from insider.
Is OK financial system directly linked to customer Money Wave network? If they are not, how did Isaiah Marange jumped between the two networks without help.
How did Isaiah Marange workout the maximum transfer and do it in 2 batches, either he had prior knowledge of how the systems work or he was being fed the information of what to do from inside.
Who authorised such big transfers, that cannt be automatically done unless if OK thinks its small change, of which the question is, what is the maximum OK thinks needs a human verification be transfer?
Even if it were an inside job, if it meets the definition of what hacking is, it is hacking.
It is also known that, only a fraction of most breaches are from external entities.
The majority have involvement of inside people….mostly out of greed and/or employee disgruntlement.
Without also knowing what actually transpired (in detail), you cannot brush i aside as “not hacking”. You are only speculating based on zero-knowledge of their network and the actual system that was allegedly compromised by means of a “hack”
I wouldn’t rush to ‘hacking’. This is likely someone with inside knowledge of the policies, and found a loophole within them.
“Ok Zimbabwe has since failed to recover any of the money they were swindled. How exactly he performed the crime is still a mystery but this highlights how weak cyber security is in Zimbabwe.”
If you do not know how the crime was committed how does it get linked to cyber security or even be classified as a cybercrime?
Besides that, $35,000 is a large amount to be credited to an account without anyone noticing. Large deposits are supposed to be flagged and reported to the RBZ anti-money laundering department.
I bet his cv is in the bin of many recruiters.
How come these guys don’t get recruited as cyber security.
Have a look at his linkedin profile.. and you’ll understand why. I highly doubt this was true hacking, over someone with knowledge of their systems & potentially inside help.
What is Money Wave? Is it a bank? Do they issue debit cards at OK that can be accepted at National Tyre Service, National Foods and other wholesalers? Techzim can do better reporting that lifting a story out of the herald.
Quality reporting costs money
Interesting.Hacking doesnt mean you only can hack systems that you have public access to.As long as when you scan for networks and add IP Block ranges with even simple tools such as NMAP, you are able to identify the networks and penetrate them.Remember most hacks work from the blackbox so that doesnt mean these guys didnt penetrate the system.I can guarantee you one thing.In zimbabwe I have noticed that most companies are just lux with their security.Most companies just implement softwares with the default settings still active, They use servers they dont patch up.If you visit google hacker database you will notice that some commands that are known rate high in our environs,
And if you are limited with penetration testing never think you own all the answers dear.
“…Interesting.Hacking doesnt mean you only can hack systems that you have public access to..”
What sort of IP Block are you talking about, private or public?
Can you scan this block and tell me whats on it 192.168.29.48/28?
It is a live network l use.
Our country’s criminal code is very weak on what it terms “Computer-Related Crimes”.
CHAPTER VIII
COMPUTER-RELATED CRIMES
162. Interpretation in Chapter VIII.
163. Unauthorised access to or use of computer or computer network.
164. Deliberate introduction of computer virus into computer or computer network.
165. Unauthorised manipulation of proposed computer programme.
166. Aggravating circumstances in relation to crimes under sections 163, 164 and 165.
167. Unauthorised use or possession of credit or debit cards.
168. Unauthorised use of password or pin-number.
So very simply, that’s the extent of “hacking” that we have in our laws.
It’s defined as a computer related crime, not cyber crime, there’s a big difference.
That’s the closest we get to “cybercrime” in our laws until the new Cybercrime bill becomes law.
Being close doesn’t make it the same thing. The term cybercrime was used to sensationalise the article. The crime hasn’t even been proven to be any of your listed computer related crimes, in the first case, so how does one jump to the cyber crime conclusion.
There are no facts in the article supporting the notion of a cyber crime. I presume they read a headline with cybercrime misused by Herald, and rushed to write their own version. The Herald can be forgiven as they aren’t IT people, Techzim should know better.
Lol, the computer nerds have come out to play rattling their lightsabers of superior knowledge at each other. Lots of noise but basically no knowledge addition
Ironically, your contribution doesn’t add any knowledge too.
….