By accident, I figured out something that got me thinking: is Sosholoza's Any Bank to Any Wallet really secure? Or is it really "Any Bank to any Wallet"? It did save me yesterday when their services were down; I had to resort to their "new" baby Sosholoza, which really came through. (Thank you, Steward Bank.)

Once upon a time there was card cloning. Now who needs that when you can do all the stealing without even holding the card in your hands? I guess they didn't think it through when they introduced Sosholoza, or they did. But I am not one for conspiracy theories, so I will state the facts on what can be done to steal someone's money using Sosholoza. In this case I will be stealing my brother's money, or my dad's money, or that of the guy I just saw at the till in Pick N Pay or Spar, for educational purposes only of course.
What do you need?
1) The card number, not the account number. The card number is printed on the face of the card; you don't need spectacles to see it. For those who are into definitions and are particular about statements, it is the card identifier found on payment cards such as credit cards and debit cards. In some situations the card number is referred to as a bank card number.
2) The PIN is the second most important thing you need in this educational practical. One way to get it is shoulder surfing. People are really careless with their PINs in a supermarket when paying for their groceries. Knowing that they will be walking away with their debit or credit card, some folks don't really mind typing their PIN where the whole world can see. And worse still, some of us with thick fingers will even ask the till operator to do it for us when we fail a couple of times, dreading that we would block the card: "Can you please put in the PIN for me?"
With only the card number and the PIN you are home and dry. You will need a phone with WhatsApp, of course, since we are talking about Sosholoza. Navigating through Sosholoza is the easy part. You can see in the screenshots below how to steal someone's money with only a card number and a PIN.
[Screenshots of the Sosholoza WhatsApp flow: 1st and 2nd step; 3rd and 4th step; 5th step; 6th step]
The most important step is step 4, where you click the link to open the page in step 5. Put in the details you got from your target and you have the money.
Think about making a payment to someone. You don't know the seller by name and they don't know you either. All they need to see is their money reflecting in their account. How will Steward Bank know it was me who initiated the transaction if I have one of those disposable WhatsApp numbers?
Now, in an ugly scenario, imagine me asking you in a supermarket if you would like some cash while you pay with your card, and I have ZWL $200 worth of groceries. You take out your card to swipe for me and I will be looking closely for your card number and PIN. Or, for me the 'creative type', I can take pictures, and I hand you the ZWL $200. You, being in need of cash, will definitely take the bait.
So Sosholoza's 'Any Bank to Any Wallet' might really not be secure at all, since there's a high chance that someone can easily get your card number and PIN and then head to WhatsApp to transfer your money.
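The authorization rule the article describes, modelled beside a hardened one that ties the transfer to the cardholder's registered phone number and a one-time code. This is an added example, not Sosholoza's or Steward Bank's code; the card record layout, the sample card number, the phone numbers and the OTP handling are constructed assumptions about how such a service could check a transfer.

```python
# Added illustration, not Sosholoza's or Steward Bank's code: the weak rule the
# article describes (card number + PIN from any WhatsApp number) beside a rule
# that binds the transfer to the cardholder's registered number and an OTP.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class CardRecord:
    card_number: str        # number printed on the card (constructed sample below)
    salt: bytes
    pin_hash: bytes         # salted PIN hash; the PIN itself is never stored
    registered_msisdn: str  # phone number the cardholder registered with the bank

def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def make_record(card_number: str, pin: str, msisdn: str) -> CardRecord:
    salt = secrets.token_bytes(16)
    return CardRecord(card_number, salt, hash_pin(pin, salt), msisdn)

def credentials_ok(rec: CardRecord, card_number: str, pin: str) -> bool:
    # constant-time comparisons so the check leaks nothing about near misses
    return (hmac.compare_digest(rec.card_number, card_number)
            and hmac.compare_digest(hash_pin(pin, rec.salt), rec.pin_hash))

def authorize_weak(rec: CardRecord, card_number: str, pin: str) -> bool:
    """The rule the article describes: whoever knows card number + PIN is
    approved, no matter which WhatsApp number the request comes from."""
    return credentials_ok(rec, card_number, pin)

def issue_otp() -> str:
    """Six-digit one-time code sent to the registered number (delivery not modelled)."""
    return f"{secrets.randbelow(10**6):06d}"

def authorize_bound(rec: CardRecord, card_number: str, pin: str,
                    sender_msisdn: str, otp: str, issued_otp: str) -> tuple[bool, str]:
    """Hardened rule: same credentials, but the request must come from the
    registered number and be confirmed with the OTP delivered to that number."""
    if not credentials_ok(rec, card_number, pin):
        return False, "bad credentials"
    if sender_msisdn != rec.registered_msisdn:
        return False, "sender is not the registered cardholder number"
    if not hmac.compare_digest(otp, issued_otp):
        return False, "OTP mismatch"
    return True, "approved"

# Constructed sample cardholder; the card number and phone number are placeholders.
CARDHOLDER = make_record("0000000000001234", "4321", "+263700000000")
```

Under the weak rule a request from a disposable number with a shoulder-surfed card number and PIN is approved; under the bound rule the same request is refused before any OTP is even checked.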
Author bio
Anesu Chiodza (@I_amBlackShifu on Twitter | +263772119106)
BTech Information Security and Assurance. Cyber Security Enthusiast. Penetration Testing Fanatic. Software Developer and Web Developer.
11 comments
Guess the thing you need to protect is your card and PIN. If you lose those (or let someone know them) then you are very compromised and it's not Sosholoza's fault.
There is very little Sosholoza can do in this case. One has to keep their PIN very, very private. But of course what isn't secure in this case is shoulder surfing.
Also it's important to note that in this case VISA and Mastercard cards are even more insecure.
If you have noticed how Zimbabweans pay, you will see that the till operator will in most cases ask for your card to swipe, which in most countries is never the case. Let's learn to say no to that too.
These things were mentioned before here; I couldn't locate the article. Anyway, they are banking on tracking the thief down via their phone number. I assume it only allows Zimbabwean numbers to transact. But, like any assumption, I could be wrong. Nonetheless, you can still track the mobile wallet's number. So your scam, whilst possible, will not work for long and will most likely result in you getting caught.
It's a tad irresponsible to publish such a security article as a "professional" without enquiring from Steward itself about any security measures in place. You could be making noise about something which already has solid contingencies in place.
NO TO TILL OPERATORS SWIPING ON OUR BEHALF. I hope Techzim writes an article to warn people about till operators who sometimes even ask for your card number, saying they want to do reconciliation.
Why not contact the Steward folks for their response before writing an article like this one? It virtually teaches how to break into other people's accounts. The practice with all security firms around the world is that information which compromises people, like the one you provided, must first be furnished to the guys with the software or hardware which is buggy. Then only after a given period, say three months, can the article be published for public consumption and to alert others. I doubt you took these measures before publishing this article. You risk losing your reputation as a premier tech news portal by these reckless posts prompted by excitement and eagerness to tell.
Ah, get out of here. This article is directed towards awareness of the possibility of this being an issue on the user's end and has not made public any sensitive info/vulnerability directly affecting Sosholoza; therefore no responsible disclosure applies here, in my opinion. Though I'm disappointed in the article not having a solution, or being as interesting as I anticipated considering the writer is a "Penetration Testing Fanatic".
But it's very much welcome; we need to talk more about infosec.
CEH holder 😂😂 just acknowledge that someone found a loophole; you have no case apart from jealousy.
Whatever happened to two-factor authentication, or the simple OTP, or confirmation prompts on someone's phone? I actually think this is a wake-up call to the USERS, who are the ones responsible for keeping their PINs and card numbers safe, and also to Sosholoza to try and put some security into it, however small it might seem.
That's a good point; it would indeed help with enhancing security…
It's been two days now; your Sosholoza any bank to wallet isn't working. It's showing me issuer problems, what what.
Your option 1 isn't working for me. Why?