From JazzCash to Cashless – Hacker steals money from retailers’ mobile accounts

In a recent development that could undermine the government and private sector’s efforts towards financial inclusion, a fraudster siphoned off Rs15 lacs from 22 mobile accounts of retailers who deal in JazzCash, the mobile financial services (MFS) arm of Pakistan’s largest cellular service provider, Jazz (formerly known as Mobilink).

According to the details obtained by Profit, the hacker, who remains untraced, identified and exploited a loophole in the ‘sales system’ of the company’s MFS network. He was, therefore, able to replicate Subscriber Identity Module (SIM) cards of JazzCash retailers from Defence, Kemari and Saddar areas of Karachi and stole their money around Christmas time last December.

It started during winter vacations when the retailers who usually have between one and two lacs in their accounts every day found that their SIM cards, all of which were on pre-paid line, stopped functioning one after the other. Perplexed and unable to do any transactions, they first contacted the helpline and then the area franchise only to hear that the SIM malfunction was due to some technical glitch.

Two weeks into the incident, the Pakistani subsidiary of the Netherlands-based VimpelCom Group was still investigating the matter hence it chose not to make it public – doing which, they said, would harm the “national interest” because both the government and private sector have been striving to earn masses’ trust for mobile banking. Such incidents could be detrimental to these efforts, which aim to document an otherwise cash-based economy.

With Jazz MFS department not revealing the details, both retailers and aforementioned franchises were clueless as to what had actually happened.

Some of the affected retailers our correspondent spoke to confirmed their SIMs were blocked on Sunday, December 25, but they had no idea that their money was stolen. A few complained that their mobile accounts were not functioning even three weeks after they were blocked and they were not able to do any business. As the number of complainants multiplied, officials with authorised access to the back-end checked the details and found that a fraud was committed.

“Someone converted or duplicated all the affected SIMs to post-paid mode and then swept their [retailers’] accounts, bringing their credit balance to nil,” an official told Profit on the condition he would not be identified. The company instructed franchisees not to disclose the details of the incident, he said referring to the instructions Jazz had sent to those aware of the development, restricting them from making the information public.

A technical glitch caused all this disruption was the official word from the company but franchisees who were under stress knew it was something else. Left on their own, they warned each other informally and came up with their own solutions to prevent against the looming threat, Profit learned during background interviews of those who had firsthand knowledge of the developments. For example, they identified mobile accounts of retailers who had large balance and changed their status to ‘open order’, which would mean no further transaction could be performed unless the previous order was closed.

Explaining the standard practice, an official said the right to transfer a SIM from pre-paid to post-paid rests with the franchises or the company-owned service centres. Normally, the name of the officer performing this task and the location of the franchise or service centre is entered in the database and the procedure does not require biometric verification because the SIM owner can produce his original identity card.

In this incident, there was no information in the database regarding who performed this transfer and from which location he executed it, the official said. The thief even obtained retailers’ MPIN, a four-digit personal code necessary to perform the transaction, he said adding this cannot not be done without obtaining some help from an insider.

“It was a facility in our sales system, which was misused and nothing else,” Jazz’s Vice President Digital and Financial Services Aniqa Afzal Sandhu told Profit in an interview at the company’s headquarter on Friday (January 13). “Our MFS platform was not compromised and we have to be very clear about it,” she said explicitly in the same breath.

Explaining, Sandhu said Jazz had provided all its customers with a facility to convert their SIMs from prepaid to postpaid and vice versa without immediately submitting their biometric information since the latter had already done that at the time of SIM registration. Under the facility, customers could change a SIM’s feature immediately and had up to midnight to submit their biometrics. The fraudster saw an opportunity here and misused this facility, she says.

“The company has closed this facility now and no one can convert the SIM from prepaid to postpaid and otherwise without first performing the biometric verification,” the VP said.

The development comes at a time when 85% of the country’s population remains unbanked (lacks access to any financial services) and State Bank of Pakistan, along with Pakistan Telecommunication Authority, is pressing for the implementation of its National Financial Inclusion Strategy: the central bank aims to bring 50% of Pakistan’s adult population in the financial inclusion by 2020.

Because of its link with development, financial inclusion has a key role in achieving United Nations’ 17 Sustainable Development Goals, some of which include poverty alleviation, job creation, quality education, good healthcare and reduced inequality.

The case under discussion is the latest assault on SBP’s efforts to earn trust of people usually skeptical of electronic payments, but it is certainly not the first. Better known in the telecom world as social engineering, these incidents have happened before involving other MFS providers including a major player, according to our sources.

The State Bank of Pakistan’s Chief Spokesperson Abid Qamar confirmed these incidents happened in the past and the companies reported them to the SBP, the apex regulator that audits MFS accounts of telecom operators and requires them to submit compliance report on such incidents. However, the central bank refused to share operator-wise details, saying the Privacy Act prohibits disclosure of such information.

Profit could not obtain any official data regarding the number of social engineering cases reported or hackers caught, but industry sources say such incidents, like duplication of SIMs, were not uncommon. In fact, companies conduct internal research on social engineering, some say.

“It barely takes five minutes to replicate a SIM card if you have its International Mobile Subscriber Identity (IMSI) number and Ki value,” Information Security Expert Rafay Baloch said referring to the authentication parameters required to authorise duplication of a SIM card.

Baloch, who was among 2014’s best ethical hackers in the world and did research on the subject while working for PTCL, explained that service providers use these two secret parameters for authenticating an account – IMSI is a unique 15-digit number used to identify a SIM globally and the Ki value is a 128-bit randomly generated value.

“If both of these values are obtained, the SIM can be easily cloned,” Baloch said. These parameters can either by obtained from telecom operator and its web portal or from the original SIM using different freeware easily available in the market.

Once a SIM is replicated, all one needs to do is to reset the MPIN and he can perform a financial transaction and that’s exactly what seems to have happened in this case. How the hacker or the group involved got hold of retailers’ personal data – like his date of birth and mother’s maiden name, a must to reset the MPIN – remains unclear.

“He seems to be very close to the retailer. It can be the retailer himself. There are lots of ifs,” Sandhu says of the hacker who could be one person or a group that “already has that information” because he is close to the retailer. “We don’t know if it was his brother or a close friend,” Sandhu said.

The VP acknowledged that the hacker or hackers were at large but said, “I won’t call it a crime.” She further said the scale of the incident was minuscule and the company was in contact with those affected – those affected were not even 0.1% of the total retailers.

“We involved the regional business head who identified the group of retailers affected so that we are able to scale that process nationwide and we don’t ever have these incidents in future,” she said adding all these retailers were compensated within a week. “These are our business partners, so we will be transparent with them.”

Responding to a question Jazz MFS team said if they informed 65,000 retailers, they would panic as there are a lot of scams that use mass SMS. “We don’t want to do such kind of communication through SMS, we prefer to do it through our own sales channel, which is authentic,” Sandhu said adding they had managers dedicated to speak to these 22 retailers and they were constantly in touch with them. The company has created a report on this incident, which will be a part of the compliance report submitted to SBP.

In a country where more than a third of conventional and 90% e-commerce transactions are based on cash, it is only natural for both the private sector and the regulator to avoid reporting news that undermines public’s trust in electronic payments. But, experts Profit spoke to seem to have a different take on the subject.

“It is still better to announce [theft] than wait for it to be leaked from elsewhere, which could be more damaging,” says Parvez Iftikhar, an Islamabad-based expert on Information and Communications Technology.

The ICT expert says the purpose is not to discredit mobile banking, but to create awareness in order to strengthen the mechanism to prevent such incidents. The one under discussion was very small in its scale, he said, but if these things were not stopped and a large scale incident took place, people would certainly lose trust in mobile payments.

“Trust is the most significant element in mobile banking, and such incidents could do a great deal of damage, especially to a new product,” Iftikhar said of JazzCash, a relatively new player in the MFS segment, which delivered a stellar performance last year to become the market leader.

In 2016, JazzCash managed more than 100 million financial transactions (its highest ever) through its mobile accounts. This translates into an almost four times increase compared to 2015. The product, which provides basic financial services, such as deposits, money transfer, bill payments, mobile top-ups, savings, insurance, ATM cards and payments for a variety of services now has more than 1.5 million monthly active mobile accounts. It has become the leading MFS provider in the mobile accounts category, the company claimed in a celebratory press release earlier this month.

Unlike Iftikhar, Barrister Zahid Jamil, an international expert on cybercrimes who helped various countries draft their cybercrime laws, has a rather critical view of the current mechanism of mobile banking system.

“Whether a technical glitch or a hack, why are they concealing it?” Jamil asked after Profit shared with him the details of its findings. These incidents happen, but you need to alert your investors, clients, regulator and other telecom operators about the threat, he said.

A harsh critic of current mobile banking mechanism, Jamil feels the incident is only a part of a bigger problem: the entire mobile banking model is working on outdated SMS technology, which is not encrypted, he said.

“How could you enable money transfers on SMS basis, which is inherently the most unsecure technology in the world?” Jamil says of the mobile payments platform. He adds there should be a dual authentication process using proper internet-based encrypted technology, not USSD codes – a protocol used by GSM cellular telephones to communicate with the service provider’s computers.

“I have been saying this for a long time that our current mechanism is a failed one and it will continue to be so unless we move to the more advanced 21st century technology,” Jamil said of mobile banking system, which was introduced before 3G technology came to Pakistan. “The world has changed now and so should we.”

The mobile payments are working on bank centric model, but such platforms should be managed by companies that specialise in payment solutions, Jamil argues. Banks culture is relaxed and they don’t have incentives to invest in information security nor do they have expertise in that area, he adds.

Jamil’s reservation regarding the flaws in current mechanism may not be completely far-fetched because there are many loopholes that are being exploited by some elements – something Profit learned on the sidelines of investigating JazzCash incident.

For example, retailers were changing last four digits of a CNIC to make multiple payments for the same person thus crossing their monthly limits. It finally took the State Bank of Pakistan to intervene. The SBP paired CNIC number and mobile phone number to fix it.

There are many malpractices in mobile payments, including violation of monthly transfer limits, that still go unchecked. One official told he alone was managing monthly business of Rs5 crores from nearly 200 clients. Even if each client consumes his monthly limit of Rs50,000, he should not be getting more than Rs1 core in business – and there are many like him.

Sandhu, however, disagrees. The bank-led model is the best model as per the ground realities we face as a country, she said referring to the day-to-day complaints they receive from retailers, which are similar to those found in conventional banking. She adds that their MFS apps run on encrypted technology. If that wasn’t the case, the incident would be much bigger, she says.

The SBP, too, throws its weight behind telecom operators. “We have a regulatory framework, which is based on the feasibility reports that cover ground realities of our country,” says Qamar. Telecom operators themselves do an assessment of new technologies to make the system more secure and adopt them at the right time, he adds.

Since many social engineering or hacking cases remained within the companies, we could not find out if any hackers were caught. The ones involved in this incident, too, went scot-free. However, if caught, they may face up to seven years in prison and up to Rs1 crore in fines depending upon which section of the Prevention of Electronic Crimes Act 2016 they are booked under.

Iftikhar, the ICT expert, says after forensic experts investigate the issue and get more details, only then it can be determined whether the hacker can be traced but that’s not always easy – the 2014 hack of Yahoo in which details from more than 500 million user accounts were stolen is a case in point, he says.