M-Pesa: Banking via SMS

By davidjsh at 1:19 pm on March 16, 2008 | 2 Comments

I was recently informed about a rather interesting service that is being used in Kenya called M-PESA. According to their website, “M-PESA provides an affordable, fast, convenient and safe way to transfer money by SMS anywhere in Kenya. Through M-PESA you can:

  • Deposit money
  • Withdraw money
  • Transfer money (send) to another M-PESA customer
  • Transfer money (send) to someone who is not an M-PESA customer; in fact they need not even be a Safaricom customer
  • Buy Safaricom prepaid airtime
  • Manage your M-PESA account (i.e. show balance, call support, change PIN and change language).”

At first glance, I thought that the original intent of M-PESA was for buying and transferring airtime while financial transactions were just a side effect; however, according to the FAQ, M-PESA is intended to be “an innovative mobile payment solution that enables customers to complete simple financial transactions including person to person money transfer. It is aimed at mobile customers who do not have a bank account, either through choice, because they do not have access to a bank or because they do not have sufficient income to justify a bank account.” What caught my attention about this whole idea was the use of SMS for the transactions, because security and SMS do not inherently go hand-in-hand. This usually does not present much of a problem, because the assets at stake in an SMS service are usually limited. Yet with M-PESA the target has a much higher value, since each account can hold up to Ksh50,000 (about $765) at any point in time.

Adversaries

So first, who are some of the potential adversaries? Looking at the system, there are two main adversaries that come to mind. The first is any other user of the system (registered or not), while the second is the M-PESA agent.

Since the M-PESA agent handles all exchanges of actual cash, the agent has the usual opportunities to skim off the top of any transaction. The agent also has another opportunity: when a new customer wishes to sign up and has an older SIM card, the agent swaps the old SIM card for a new one and configures the phone. This SIM could easily carry a modified version of the M-PESA application that sends PINs and other information to another phone number whenever it is run.

However, I think that the more interesting question is how an outsider could compromise the system, because an agent is registered with the company while an unregistered user could attack anonymously. (Registered users can send money to phone numbers that are not registered. The unregistered recipient receives an SMS message indicating that they have received money and must go to an M-PESA agent to withdraw it. They do not need to register to withdraw; they just need to show some ID and the SMS message, which contains a code.) If an attacker could forge such a message to a non-registered phone number (such as a pay-as-you-go phone), they could quickly withdraw the money and dispose of the phone long before they were tracked down.

Threats

Unfortunately I was not able to actually get my hands on the program to see how it attempts to make interactions secure, but with the information given on the website and some information from a previous user, I have some thoughts on what may be a couple of potentially exploitable vulnerabilities.

  • The outgoing SMS message must contain information about the sending phone number, the receiving phone number and the sending phone's PIN.
    • Is the system vulnerable to a replay attack? Why make Ksh200 when I could make Ksh400?
    • Is the message encrypted, and how hard is it to extract the PIN? The phone numbers are public information, so all I need to exploit this system is the PIN, since phone numbers can be spoofed.
    • Are the outgoing messages stored on the phone? I have learned that the receipts are physically stored on the phone (yet they did not appear to contain much useful information), but I do not know whether the outgoing SMS message is sent and then erased, or whether it stays in memory. If it stays in memory, this could be a problem with a community phone, where a village pools together to share a cellphone. In that situation the above attacks would be much easier, especially since the attacker would have physical access to the phone and could erase any receipts received during the attack.
  • The PIN is limited to 4 digits. So if an attacker is unable to gather the PIN through technical or social means, a brute-force attack may not take very many tries. The problem with this approach is that the victim will receive an SMS message for every attempt, which would tip the victim off about the attack. Thus this attack would likely require more technical means than the previous ones. However, if the adversary could duplicate the SIM card and convince the cell network that he was the victim, the SMS messages could be intercepted during the attack.
  • I am sure that there are many more points of vulnerability, and I would love to hear other people's thoughts about the system, especially if they are able to get hold of a SIM card with M-PESA on it.
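The replay and brute-force questions in the list above are the two that a backend can answer on the server side regardless of how well the SMS layer itself is protected. The following is an added example, not M-PESA's or Safaricom's code; the "SEND" message format, the per-message nonce field and the three-attempt lockout are assumptions chosen for illustration. It shows a toy transfer backend that consumes each nonce on first sight so a captured message cannot be replayed for a second Ksh200, compares the PIN in constant time, notifies the account holder of every failed attempt (the tip-off the post mentions), and locks the account after the threshold is reached:

```python
from dataclasses import dataclass, field
import hmac

# Assumed policy value; the post quotes no M-PESA lockout rule or message format.
MAX_FAILED_PIN = 3


@dataclass
class Account:
    msisdn: str                      # phone number the account is bound to
    balance: int                     # Ksh, whole shillings
    pin: str                         # 4-digit PIN as the post describes (hash it in a real system)
    failed_pins: int = 0
    locked: bool = False
    seen_nonces: set = field(default_factory=set)


class TransferServer:
    """Backend for a hypothetical 'SEND <from> <to> <amount> <pin> <nonce>' message.

    The nonce is a per-message value chosen by the sending handset. The server
    remembers every nonce it has seen for an account, so a message captured in
    transit and resubmitted verbatim is rejected instead of moving money twice.
    """

    def __init__(self, accounts):
        self.accounts = {a.msisdn: a for a in accounts}
        self.pending = {}     # cash waiting for unregistered recipients, keyed by number
        self.notices = []     # (number, text) pairs the server would send back by SMS

    def process(self, msg: str) -> str:
        parts = msg.split()
        if len(parts) != 6 or parts[0] != "SEND" or not parts[3].isdigit():
            return "ERR_FORMAT"
        _, src, dst, amount, pin, nonce = parts
        amount = int(amount)

        acct = self.accounts.get(src)
        if acct is None:
            return "ERR_NO_ACCOUNT"
        if acct.locked:
            return "ERR_LOCKED"

        # Replay defence: a nonce is consumed on first sight, whatever the outcome,
        # so resubmitting a sniffed message (the "Ksh200 twice" case) does nothing.
        if nonce in acct.seen_nonces:
            self.notices.append((src, "duplicate transfer request ignored"))
            return "ERR_REPLAY"
        acct.seen_nonces.add(nonce)

        # Brute-force defence: constant-time PIN compare, every miss is reported to
        # the account holder, and the account locks after MAX_FAILED_PIN misses.
        if not hmac.compare_digest(pin.encode(), acct.pin.encode()):
            acct.failed_pins += 1
            self.notices.append((src, f"wrong PIN attempt {acct.failed_pins}"))
            if acct.failed_pins >= MAX_FAILED_PIN:
                acct.locked = True
                self.notices.append((src, "account locked; visit an agent to unlock"))
                return "ERR_LOCKED"
            return "ERR_PIN"
        acct.failed_pins = 0

        if amount <= 0 or amount > acct.balance:
            return "ERR_FUNDS"
        acct.balance -= amount
        if dst in self.accounts:
            self.accounts[dst].balance += amount
        else:
            # Unregistered recipient: hold the cash and tell them to collect it at an agent.
            self.pending[dst] = self.pending.get(dst, 0) + amount
            self.notices.append((dst, f"you have received Ksh{amount}; collect at an agent"))
        self.notices.append((src, f"sent Ksh{amount} to {dst}"))
        return "OK"


if __name__ == "__main__":
    # Constructed demo: numbers and balances are made up.
    srv = TransferServer([Account("254700000001", 1000, "1234")])
    print(srv.process("SEND 254700000001 254700000002 200 1234 n1"))   # OK
    print(srv.process("SEND 254700000001 254700000002 200 1234 n1"))   # ERR_REPLAY
    for n in ("n2", "n3", "n4"):
        print(srv.process(f"SEND 254700000001 254700000002 200 0000 {n}"))  # ERR_PIN, ERR_PIN, ERR_LOCKED
```

With the lockout in place an attacker who can spoof the sender number but does not know the PIN gets at most MAX_FAILED_PIN guesses out of the 10,000 possible 4-digit values before the account freezes, and the holder is told about each one; this bounds the brute-force threat even if the attacker has duplicated the SIM and is intercepting the notification messages. The nonce check only helps if nonces are bound to the sending account, as here; a global set would let one sender's nonce block another's. A production system would also hash the stored PIN and authenticate the whole message with a per-SIM key rather than rely on the PIN alone.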

Conclusion

At this point these are just speculations, and Safaricom may have adequately dealt with these issues; yet knowing that M-PESA protects a valuable resource and that SMS is difficult to secure, I think that the M-PESA system will be thoroughly probed by adversaries.

Filed under: Miscellaneous, Security Reviews

2 Comments

1. Comment by Kaye Billy, June 19, 2008 @ 8:10 am

Hi davidjsh,
Cool article. I have two M-Pesa accounts and am now developing an application to automate the whole agent transfer of cash thing. But to inform you a little more: M-Pesa does not use normal SMS for transactions, it uses USSD code. For example, in Tanzania where I am now you send *150# and then the system gives you a menu like 1 Send Money, 2 Withdraw Cash, 3 Buy Airtime, 4 My Account, so you make a choice. The whole transaction may take like three round trips between the A/C owner and the system. So the security is in USSD.

2. Comment by fapturbo, December 31, 2008 @ 7:31 pm

I didn’t even know about M-Pesa before I read this blog. Sounds like it’s worth pursuing for long term financial success.
