FBC’s Mobile Moola Has A Serious Security Flaw: Account Holders Don’t Receive SMS Alerts When A Purchase Is Made

Garikai Dzoma

[Updated]

FBC have since issued their own response here.

After going through the impressive five minutes it takes to open an FBC Mobile Moola account and linking the account with Ecocash, I decided to take it for a spin. After making a routine purchase, I instinctively checked my phone to see how much had been deducted from my account.

There was no SMS alert from FBC, so I just assumed it was a network issue. Although it doesn’t happen as often as it used to in the past, these glitches still happen. Sometimes the message comes several hours later or never arrives. However, after using the card for a few days without receiving an SMS alert every time I made a purchase, I became a little concerned.

I quickly narrowed down the possible reasons for this “glitch”. Either my account was a little bit new and had not yet been completely configured, or the whole thing was by design. I got in touch with FBC’s support team on Facebook and sent them a message (DM). Turns out the whole thing is by design.

Good old greed at work here

Chat Screen with FBC Over the issue

The thing is, Mobile Moola is a lite banking account that does not incur the fixed banking charges that normal accounts incur on a monthly basis. Instead, the lite account holder is charged a fee every time they make a transaction, including checking their balance. To encourage people to check their balances, and make money in the process, FBC deliberately does not send people their account balance information every time a purchase is made. The reward for them is an irresistible $0.15 every time you check your balance.

A glaring security hole

So why is this a big deal, you ask? Well, card cloning and stealing is on the rise due to the increase in use of electronic payments. There have been numerous reports of people losing thousands of dollars to card-cloning thieves. The best way to mitigate the issue is to send SMS alerts for every transaction. This will mean that an account holder can quickly get in touch with their bank and stop the haemorrhage at the first sign of an unauthorised transaction.

With the FBC setup, a thief will have all the time in the world to clean out your account without you ever being aware. That is, unless you are psychic or paranoid enough to check your balance on a regular basis. In the last case, the costs pile up to such an extent that the FBC Mobile Moola account ends up costing more than a regular account!

FBC can find a compromise

It doesn’t cost much to send an SMS, and FBC can still charge customers, say, an extra $0.10 to send out balance information after each payment. That way they will still make money without compromising on customers’ security. I don’t think customers would mind that extra charge. I know I would appreciate the added security.

NB: As far as I know, this only affects the Mobile Moola Account and not other FBC accounts. Their FBC MasterCard now has a flawless SMS alert that follows every payment.


21 comments

  1. Annex

    Although it’s a pain as you described, I’d not go as far as calling it a serious security flaw. An annoyance maybe, not a security flaw. The existence or non-existence of an SMS alert has zero bearing on the security of your account. Yes, it does help to know every time money is taken from your account (convenience), but that’s an additional service on top of a probably secure banking platform. Your article title gives a totally different impression.

    1. Garikai Dzoma

      I like to think of it as an alarm of sorts. Whether your door is locked or unlocked an alarm is still a security feature if it alerts you whenever there is entry

      1. Leonard Mawungwe

        Garikai Dzoma, I have no doubt that you need basic training in journalism. News is what is happening and not what has happened. How can you prepare an article based on a Facebook Chat which you had on 22 September 2018. Today is 14 November 2018…Honestly? Please be serious enough to respect your readers and the Techzim image! Where is the FBC Voice in the article?… dololo

        1. Garikai Dzoma

          FBC are preparing an official response which will be published here as an update and also as a new post

    2. Anonymous

      Truly concur with you on that one @Annex. That is not a serious security flaw (not having SMS alerts).

  2. Anonymous

    The title “security flaw” is not worthy of the story. This is a nice-to-have feature, not a security flaw; security cannot depend on a standard that has an acceptable delivery time of 48hrs and is not reliable. Chances of double charges are highly likely, as you will be charged for getting that SMS and at the same time you may receive it late and you will do the balance enquiry and be charged again. When this happens, this becomes a problem beyond anyone’s control, as it will still be within the SLA for SMS delivery.

    1. Garikai Dzoma

      When it comes to security it’s the little things that matter. Not having the feature degrades security in this case there is no doubt about that. In Zimbabwe SMS remains an important form of B2C communication unreliable as it is. The fact that FBC relies on sms to send you the balance anyway when you do check your balance rubbishes the idea that they’re not using it because it’s unreliable. In fact they use SMS to deliver the OTP you need to complete MasterCard transactions when they are handled by lesser known card processors.

  3. Thomas chisango

    Mine, I get a notification email every time I make a transaction. You are telling the truth don’t mislead people

    1. Garikai Dzoma

      To be clear we are talking about mobile moola here not all FBC products. I know a lot of people with these accounts none receive any alerts whatsoever. Even FBC is confirming this in the communication shown above

      1. Anonymous

        $0.10 is a lot of money, be reasonable

        1. Garikai Dzoma

          Well they charge you $0.15 every time you check your balance so that’s actually less than you would otherwise be charged

  4. 4chwaz

    The same tactic is used by the Steward Bank Square account as well, nooooo SMS alert on credits and debits.

  5. sg

    mycash too no alerts

  6. Leonard Mawungwe

    Garikai Dzoma, I have no doubt that you need basic training in journalism. News is what is happening and not what has happened. How can you prepare an article based on a Facebook Chat which you had on 22 September 2018. Today is 14 November 2018…Honestly? Please be serious enough to respect your readers and the Techzim image! Where is the FBC Voice in the article?… dololo

  7. Anonymous

    Haa, here, Gari, you’ve written like this other dude you used to have at TechZim. It seems you feel strongly about SMSes; you deemed your opinion fact. It’s not a fact that not having SMS alerts on an account is a serious security flaw; if that were the case, then it should have been mandatory across the entire banking sector to have SMS alerts enabled.

  8. way

    Besides. SMS and email alerts are optional for the user

    1. Garikai Dzoma

      For a normal account not for an account that is being marketed as a mobile account

      1. easy

        you might want to get your facts right sir. Anyways thanks for the article

        1. Garikai Dzoma

          Enlighten me please, maybe I am missing something. This is a Mobile account. I ticked every box, so did my friend, so no, I did not miss any option. Yet I did not receive alerts.

  9. Average Joe

    Steward Bank is exactly the same. They charge at every corner: mini statement they charge, check balance (even when it’s daily) they charge.

  10. TJ

    Surely this is not a security flaw, you can do better than this
