Early last week, Equity Bank was given the go-ahead by the Communications Authority of Kenya to roll out its services using Thin SIM technology. This follows months of intense consultations and Parliamentary Committee meetings about the effect that the Equity Thin SIM would have on Safaricom’s SIM cards and on the safety of their customers’ data.
In the first article in this series, we looked at the technical details of the Thin SIM and whether it actually is a threat to existing GSM SIM cards. We ended, however, on the note that no technology is fault-proof: it requires constant iteration to seal the vulnerabilities discovered in the course of its use.
That has been the case with GSM technology. It is also not 100% secure and, unfortunately, little has been done to close its loopholes, which makes it possible for the new Thin SIM technology to ‘see through’ and exploit those vulnerabilities.
This article looks at the existing GSM technology, why it is broken, and why it needs fixing even apart from the Thin SIM question. There is also a need for an independent body, other than the GSMA, to play for the Thin SIM the role the GSMA has played for the GSM SIM, because the Thin SIM presents a new modus operandi.
Over to our friend Asepm…
So what did we find, and what did we not find?
As I said… I break things, and what I found would probably be sound if I didn’t send every single being into a panic by telling you all that GSM is BROKEN, like for real. I won’t even go into GSM as a protocol and how it is really broken; fixing it would probably mean a blackout of 80% of mobile communication (no, not in Kenya… worldwide, actually). OK, now I’m just speculating, but the protocol would face major changes to recode/patch it up to 60–70%.
So, how exactly does MPESA work? Simple… not really.
A user interacts with the SIM Tool Kit (STK) menu, which in turn interacts with the SIM card and later on with the SIM applications that are on the said SIM card, and finally the magic happens. Well, that was simple… yeah, sure. Actually, that’s not all that happens.
See, if I were to spill this I probably wouldn’t last long before I’m tracked, but here is one thing: the MPESA PIN that you enter does not necessarily leave the SIM, i.e. it is not transmitted to Safaricom for confirmation or verification. This all happens in the SIM card. Now, does this pose any real challenge if anyone, say the Thin SIM client, knew about it? Hell yes.
It is definitely a challenge, as the user input is what will be monitored. By all means, this is very hard, if not impossible, to monitor and regulate. Thus I give this one to Safaricom: yes, the Equity Thin SIM card does pose a threat. I would, however, like to point this out: you actually do get a reply, hence a sort of warning that something has happened in the case of an unauthorised or illegal transaction. However, it is still not safe, as the user will not have the ability to know who, between Equitel and Safaricom, to follow up with once the illegal transaction has been done. That, ladies and gentlemen, is the heart of the matter. Who will take the fall for unauthorised MPESA transactions if indeed a man-in-the-middle attack were to be carried out by a third party other than Equitel, the owners of the Thin SIM, and Safaricom, the owners of the main SIM card?
The one-year trial period granted to Equity Bank could be a potential minefield for those who will use the two SIM cards. Safaricom has already made it clear it will not be liable if a customer loses their money via MPESA and it is determined that they had a Thin SIM operating on the same phone they use their Safaricom SIM card on.
My solution to this technical aspect is to have an independent body, other than the GSMA, thoroughly scrutinise the existing and later code that is to be applied to the Thin SIM.
The only problem is: does the Communications Authority of Kenya have the expertise, ability and tools to monitor and effectively regulate Equitel’s Thin SIM technology during that one-year trial period?
(image courtesy of @wainainamungai)