ATM fraud: Forget EMV; Try Mobile Money

This Christmas did not pass without much drama for many Kenyans. Banks had for some days before the holidays sent what looked like panic notifications advising customers to change their ATM card PIN numbers. Although I don’t recall being a targeted recipient of the “Change your PIN” plea by my bank, good old Twitter amplified the message at some point on 23rd and 24th December.

As fate would have it, having been unable to scamper for the seemingly account-saving change of PIN, Christmas Eve would be the day fraudsters would hit my account. In the resulting helplessness of things, where else to go but good old Twitter to share the experience with the rest of the world?

So off went the message, if only to tell fellow Kenyans that the earlier “Change your PIN” messages were not to be taken as jokes. Some of what followed would become history with some coverage on Citizen TV.

When old friend Henry called me up for an interview on the fiasco, one key message was in my mind to tell their TV audience. That message was:

“Using mobile money is comparatively safer than using ATM cards”.

Obviously my message did not come out in the interview – it must have been so underdeveloped in my mind that the editors could not infer much from what I said. Or perhaps the story needed to link better with the apparent agitation by Kenya Bankers Association and Pesa Point for banks to migrate their ATMs and card systems to the Europay, MasterCard, Visa (EMV) standard. The EMV platform also seems to be called the “chip and pin” system by journalists. The more I thought through my mobile-money-is-better message, the more the questions to myself piled on.

To begin with, let’s see what technological challenges the fraudster has:

For ATM skimming, the kind of fraud that has apparently hit many Kenyans, to happen, the fraudster has to have accessed the victim’s account details, which are usually encoded in the black magnetic stripe on the back of the card. The fraudster also has to somehow discover the victim’s four-digit PIN for the card, which, in the case of magnetic stripe cards, is never stored among the other details on the card. In short, armed with the information in the magnetic stripe, the fraudster makes a clone of the victim’s ATM card, and the only other thing they need is the victim’s PIN, after which they can do anything the victim can do with the account at their safest, favorite ATM.

To set up their trap for gathering the above two pieces of information, fairly commonplace technology is used. In both cases of the magnetic stripe ATM card, the fraudster has to overcome two technological challenges: that of cloning the information in the card and that of knowing the original card’s PIN number.

In both cases, the technological challenge of knowing the victim’s PIN number is easily surmountable with the diminishing size and increasing abilities of spy cameras. The fraudsters’ other option is to overlay a look-alike key entry pad on the ATM’s original pad.

To gather account information on the card matching the PIN acquired, the fraudster needs only to acquire a magnetic stripe reader that can be appended in a disguised manner to the ATM’s authentic reader. Similarly, a smart card reader can be appended to the authentic ATM reader in the case of EMV cards. Once the information is read (copied) by the fraudster, their next move is to write (paste) it to their own “fake” card which becomes a clone of the original one in the victim’s wallet.

For curiosity, click here to read a fraudster’s how-to – only if you will not join in the crime.

The human action challenge

Since most, if not all, ATMs in Kenya have guards assigned to them at all times, the fraudster must also plan to either bribe away the “soldier” or somehow get the guard to sleep so that they get ample time to install paraphernalia on the ATM. The other cheaper way to get pieces of the information required by the fraudster is to be friends with a rogue bank (card center) staff member or promise to share the earnings of the venture with them. For my discussion’s sake I shall consider this a human challenge and not a technological challenge – the latter being the substantive discussion here.

The SMS alert challenge (StanChart Scenario)

In my opinion, the fraudsters’ greatest challenge for the magnetic stripe case is that of the SMS alerts sent to the victim’s phone detailing when and where a transaction takes place. That allows the user to act promptly in response to the attack. SMS alerts related to Point of Sale purchases usually bear names and locations of merchants where transactions take place. Specific location information is surprisingly missing in the StanChart SMS alert messages for ATM withdrawals. The alerts do not specify the exact location of the ATM, which could assist in “nabbing” fraudsters if, for some lucky convergence of factors, there are contactable and cooperative police officers or members of the public in the vicinity of the crime – among other factors. A workaround for the fraudsters in the StanChart case seems to revolve around the delivery time of SMS alerts. How SMS alerts seemed to get to victims 5 hours after the fraudulent transactions, whereas under normal circumstances such notifications are received instantly, is a puzzle.

The Cloning Challenge

Data on magnetic stripe cards does not have “copy-protection” features and hence cloning of cards based on this technology is fairly straightforward for the criminals. This is not the case for EMV cards. At the point of making a copy of the original cards, fraudsters face a tougher technological challenge of cryptography. This is where banks, merchants and card issuers implement the EMV card system. Cryptography under the EMV standard prescribes a process where data in the smart card can be protected against modification or cloning. This is one of the features that EMV proponents have successfully used to rally banks the world over (including in Nigeria) to transition from the magnetic stripe – with Kenyan banks being left behind.
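Added example (not part of the original post): a simplified issuer-side model of why a byte-for-byte copy of static stripe data is accepted, while a chip that answers each transaction with a keyed cryptogram cannot be reproduced from copied data alone. The class names, the card number and track data, and the use of HMAC-SHA256 are assumptions made for illustration; this is not the cryptogram algorithm the EMV standard specifies.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, atc: int, nonce: bytes, amount: int) -> bytes:
    """MAC over per-transaction data (HMAC-SHA256 stand-in, not the EMV algorithm)."""
    msg = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Models a chip: the key is used inside the card and never given to a reader."""

    def __init__(self, pan: str, key: bytes, atc: int = 0):
        self.pan = pan
        self._key = key
        self._atc = atc  # transaction counter, incremented on every use

    def sign(self, nonce: bytes, amount: int):
        self._atc += 1
        return self._atc, cryptogram(self._key, self._atc, nonce, amount)


class Issuer:
    """Bank-side authorisation for both card types (hypothetical, simplified)."""

    def __init__(self):
        self._track = {}     # pan -> static stripe data
        self._keys = {}      # pan -> per-card secret
        self._last_atc = {}  # pan -> highest counter accepted so far

    def enroll(self, pan: str, track: bytes) -> bytes:
        self._track[pan] = track
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return self._keys[pan]  # personalised into the genuine chip only

    def authorize_magstripe(self, pan: str, track: bytes) -> bool:
        # The only check available is equality with the stored static data,
        # so an exact copy is indistinguishable from the original stripe.
        stored = self._track.get(pan)
        return stored is not None and hmac.compare_digest(stored, track)

    def authorize_chip(self, pan, atc, nonce, amount, mac) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False  # unknown card, or a counter value already used
        if not hmac.compare_digest(cryptogram(key, atc, nonce, amount), mac):
            return False  # not produced with this card's key for this transaction
        self._last_atc[pan] = atc
        return True


def demo() -> dict:
    issuer = Issuer()
    # Constructed sample values, not real card data.
    pan, track, amount = "0000000000000000", b"CONSTRUCTED-TRACK-DATA", 5000
    genuine = ChipCard(pan, issuer.enroll(pan, track))
    out = {}

    # Magnetic stripe: the copied bytes pass the issuer's check.
    out["magstripe_copy"] = issuer.authorize_magstripe(pan, bytes(track))

    # Genuine chip: fresh terminal nonce, cryptogram verifies.
    n1 = secrets.token_bytes(8)
    atc, mac = genuine.sign(n1, amount)
    out["genuine_chip"] = issuer.authorize_chip(pan, atc, n1, amount, mac)

    # A recorded cryptogram presented again: rejected on the counter,
    # and rejected on the MAC if the counter is simply bumped.
    n2 = secrets.token_bytes(8)
    out["replay_same_counter"] = issuer.authorize_chip(pan, atc, n2, amount, mac)
    out["replay_bumped_counter"] = issuer.authorize_chip(pan, atc + 1, n2, amount, mac)

    # A clone built from readable data only has no access to the card key.
    clone = ChipCard(pan, secrets.token_bytes(32), atc=atc)
    c_atc, c_mac = clone.sign(n2, amount)
    out["clone_without_key"] = issuer.authorize_chip(pan, c_atc, n2, amount, c_mac)

    # The failed attempts did not disturb the genuine card.
    n3 = secrets.token_bytes(8)
    atc3, mac3 = genuine.sign(n3, amount)
    out["genuine_chip_again"] = issuer.authorize_chip(pan, atc3, n3, amount, mac3)
    return out


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} accepted={accepted}")
```

The model covers cloning resistance only; it says nothing about implementation weaknesses in terminals or in the protocol around the card.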

Although the EMV card system carries reduced chances of ATM fraud, Rober Murdoch and other researchers at University of Cambridge have exposed a couple of vulnerabilities with EMV implementations. These include the wedge vulnerability, the PIN entry device vulnerability, and relay attacks. Below is a UK video narrating two real-life fraud experiences and a re-enactment of the fraud against an EMV card.

The more scary concern here is the insistence by EuroPay, MasterCard and Visa that liability for fraud affecting an EMV (Chip and PIN) card implementation MUST be borne by the cardholder. I leave that fight for the consumer rights activists to pick up, as they seem to have success with the Digital TV migration issue case.

Mobile Money – Technologically Simpler, and Superior?

And now to my theory about better safety in Mobile Money withdrawals and purchases: This is building on a not so old article in Kopokopo’s blog. In the article, Ben Lyon argued that it is safer to pay with M-Pesa than using credit / debit cards. Ben’s argument relates well for “point of purchase” situations among ATM card holders and everyone needs to take note of that to begin with.

It can be argued for the specific case of “Point of Withdrawal” that the technological challenges for fraudsters capturing PIN numbers in the case of Mobile Money account holders are much greater than in the ATM case. The ATM is a public machine where anyone can “legitimately” access the physical installation. The mobile phone is a personal device. A technological PIN-capturing scheme by any fraudster against mobile money systems can potentially be reduced to spying on usage of an individual mobile phone key pad. This seems much more difficult than setting up spy cameras or overlaid key pads at the ATM accessed by multiple account holders. The question is whether the mobile operators can assure people that the communication channel between the mobile phone and the mobile money authentication service is encrypted, which would reduce options for the fraudster sniffing the line for people’s mobile money PIN numbers across the mobile networks.

The mobile money equivalent of cloning the account holder information seemed complicated for the fraudster, until I thought about SIM cloning. Although there are arguments suggesting that SIM cloning is practically impossible, theoretically a fraudster could clone a SIM card if they had enough reason. They might as well steal the original SIM card / phone from the account holder if SIM cloning became impossible. Of course the parallel to stealing the SIM card in the ATM fraud case is that of stealing the card from the card holder, which is not an area of comparison in this article.

Critics of mobile money will say that mobile money agents are scarce geographically and may not be accessible for withdrawals at night. The same applies for ATM infrastructure, and mobile money fares better on the same yardsticks in rural areas. More importantly, withdrawal of mobile money from ATMs is possible without using the all-vulnerable ATM cards. Instructions for withdrawing Mpesa and Airtel Money from PesaPoint ATMs are evidence of that. Mobile money’s early challenges of float for deposits and agent distribution are also surmountable.

The challenge on volumes of amount acceptable within mobile money is also real. One can pay bills of $2,000 using a credit card in the UK and that’s not possible with mobile money in Kenya. When reduced to the context of money withdrawals, mobile money and ATM systems seem comparable, since ATM systems often imply daily or weekly withdrawal limits for security.

Putting your mouth where your money is …

With possible security loopholes in magnetic stripe systems, EMV cards and mobile money, the discussion of which one to build on and enhance is obvious – to me. Kenya’s financial institutions, mobile network operators and independent innovators should invest resources in making their mobile money implementations more secure – so secure that for security considerations, they stand out ahead of solutions fronted by foreign corporations such as Visa and Mastercard.

There is already a national competitive advantage built around mobile money among Kenyan institutions. From mobile money transfers to mobile banking to mobile money withdrawal, Kenya is at the forefront in showing the world how to grow the platform. The solution to the ATM fraud issue should therefore not be obviously the expensive replacement of banks’ magnetic stripe card infrastructure with a smart card based EMV infrastructure. Part or most of the solution is for banks and other players to better embrace Kenya’s mobile money revolution.

Conclusion: Job Creation

By the sheer fact that mobile money systems create jobs at the agency level that upgraded (EMV based) ATM machines will not create, it can be argued that putting our mouth where our money is by developing mobile money systems more is better than mass importing new ATM machines, Point of Sale terminals and other related infrastructure items.


Of Mobile Money Reliability and a Case for Multi-SIM phones

Mobile Money in Kenya, and East Africa in general, has become part and parcel of everyday activities. Oftentimes users of M-Pesa in Kenya are seen complaining about how their mobile money payments (or transfers) did not go through in good time to match their hurry. Sometimes users complain about a complete failure of their attempted transactions. One would think then, “if M-PESA is that unreliable, why not use alternative mobile money transfer platforms?” The reality is that the alternatives – the likes of Airtel Money, Yucash, Orange Money and Mobikash – may not always be better. For instance, the alternatives might imply one driving for a long while looking for an agent to deposit money for the transaction, as their agent networks are largely under-developed.

Critical minutes of need

At a critical moment this evening, I ran out of power in my house (still learning to match KPLC pre-payments and usage). So having got used to the convenience of recharging the pre-paid meter account using M-PESA, I reached out for my phone, telling people around that I would get power back in just a few minutes. I went ahead and used M-PESA’s pay bill option for some units of power (business number 888880). After twenty minutes in darkness and not having received a recharge token, I began ranting about unreliable M-PESA and slow delivery of SMS messages by Safaricom.

Emergency funds on Airtel Money

In the moment of impatience and grit (in darkness of course), I remembered I had recently loaded my Airtel Money account with some emergency funds. Emergency it was, so I checked my Airtel SIM card option and used Airtel Money’s relatively simpler pay-bill service to order some units of power for the same KPLC meter. After about 1 minute, interestingly, I got SMS notifications on both Airtel and Safaricom SIM cards of the requested recharge tokens.

Simplistic conclusion

I waited 21 minutes to receive prepaid KPLC power units from Safaricom’s M-Pesa and 1 minute to receive the same from Airtel Money. There is probably an easy conclusion on the relative speeds of these two mobile money platforms. Those with more scientific minds might however wish for more “sample readings” for the same experiment. Regardless of the ultimate conclusion for such a rigorous approach, it is obvious that the speed of transactions is not the only factor for the choice of a mobile money platform.

While M-PESA may have an impressive national spread of agents in Kenya, the service is often down for various reasons (including congestion). Orange Money, Airtel Money and others may be feature rich and perform better on transaction speeds. They may even boast of better international agent networks. However their local agent networks often fail would-be customers miserably.

Indeed there are ideal situations, for instance where one has easy access to Airtel’s customer care center for money top up and Pesanet ATMs for withdrawals. In that case one might not really feel the pinch of a poor agent network. That would be more so if all they do is use pay bill options for utility payments and other integrated remittances. In that case the receiving party as well is not directly affected by the agent network’s extensiveness.

Enjoy from all sides

With mobile number portability efforts having failed to fulfill much of their promise, people may wish to try a time tested approach – getting the best from all sides. By keeping multiple SIMs – active or inactive – one can subscribe to services from all mobile network operators and enjoy the benefits from all directions. They can then invoke the service from the most ideal mobile carrier in their immediate context. With my little KPLC pay bill experiment (or accident) above, I am thinking I shall continue keeping at least 2 mobile money services with some emergency money for such situations. When more people begin to get smart in this suggested way, then multi-SIM devices become a necessity. The argument can be extended with much ease for voice and data services, where pricing and service quality can vary significantly across mobile carriers, taking into account usage at different times and geographical spaces.

Of Samsung (Wyre’s) Duos and others

Incidentally Samsung seem to have discovered the promise of Dual SIM markets in emerging economies well before other manufacturers. Samsung dual SIM phones are the only ones that have worked for me over time (4 years now). Of late I have been trying Samsung’s Duos (C3222?) and I think it is as convincing as its predecessors in handling dual SIM cards. Sadly no manufacturer has a dual SIM smartphone yet (forget the Chinese counterfeits).

In summary, multi SIM mobile phones increasingly have a way of saving consumers from unhealthy emotional attachment to their mobile networks. Gladly I think I recently convinced a friend – @techweez – to take this trend seriously. It is perhaps by recognizing the need for such mobile phones that manufacturers might endear themselves better to the peculiar consumer market in East Africa.

Sticky thoughts on Safaricom’s Direction with Bob Collymore

Two week old context

On the Saturday of December 4th 2010, I fought my way out of bed to make it on time for Mindspeak with Robert (Bob) William Collymore. Bob has been Safaricom’s Chief Executive Officer from October 2010 and many Kenyans were curious to hear ‘anything’ from him at the increasingly popular event. Mindspeak is an event organized monthly on Saturday mornings by Mr. Aly Khan Satchu (Chief Executive Officer of The venue for the event is usually at the Nu Metro cinema, Westgate Mall in Nairobi’s Westlands area. The MindSpeak happened only two months after another insightful event I wrote about on ‘Reflections with Michael Joseph of Safaricom’ at the iHub Nairobi. A number of bloggers including James Murua, Tovuti Sanifu and UjenziBora have chronicled their observations at the MindSpeak event with Bob Collymore. A lot of the attendants were also tweeting the event live and their live feed was captured by afrinnovator using’s nifty tool. Mr. Aly Khan Satchu has also released a set of videos on the event in his Rich TV series. On this event, although over two weeks have passed and much has been documented, I still have a number of sticky thoughts to share. In this post I wish to hopefully enrich our view of Safaricom from my observations at the MindSpeak.

Excellent Marketing Opportunity

I have previously observed that the stiff competition among our four Mobile Network Operators (MNOs) will be won through presentation of genuine value propositions to the citizenry. Product attributes aside, it is the sheer appearance at MindSpeak by Bob that struck me as Safaricom’s marketing savvy that Yu, Orange, and Airtel Kenya are yet to catch up with. Marketers have this argument that as competition increases it becomes increasingly difficult to distinguish a product using traditional attributes such as price, quality and functionality. Perception management then becomes the other strategy to snatch extra points from the competition.

MindSpeak has this niche audience that has significant influence over Kenya’s increasingly important generation of young professionals and students. In the few MindSpeak events I have attended, I could not help but watch the speakers gleefully attempt to persuade the audience about their most intimately held sentiments. The persuasion efforts were all in acknowledgement of the potential influence of the audience particularly through blogs, twitter and social media in general.

Connection with the peculiar Kenyan citizenry

Throughout Bob Collymore’s presentation, it was evident that Safaricom intended to be perceived as a friend of the citizenry. In the presentation, Safaricom was quite ably endearing itself to the audience. Bob was stating Safaricom’s deliberate intentions to drive social and economic change in Kenya. The presentation related very well with Kenya’s dearest development issues including health, education and agriculture. It depicted Safaricom as a development partner and enabler, particularly (and quite strategically so) for rural Kenya.

For our fairly competitive telecom industry, Safaricom’s ability to connect with the citizenry through such a forum, articulating its most carefully packaged industry position, was enviable. It is the essence of this deep connection with Kenya’s peculiar environment that Airtel and other competitors of Safaricom do not seem to understand – despite their often superior product offerings.

Arguably, Safaricom’s competitors are too busy packaging counter-offerings, forgetting the need to genuinely connect with their fairly unique operating context. Airtel for instance are still airing global or at most Africanized (one size fits all) advertisements in Kenya. Safaricom on the other hand is spending millions on custom Kenyanized advertisements such as this acclaimed piece. This is why Bob could confidently say that ‘the trust that the public has for Safaricom is in itself a great asset’. Whether it is trust or the perceived connection with the citizenry, Safaricom indeed has accumulated for itself a wealth of such invisible assets.

Interests of Major Shareholder(s)

Throughout the presentation and the question/answer sessions, Bob Collymore would suddenly change to a very serious (almost cautious) tone whenever he talked about Safaricom’s shareholders. I found this tweet by Aly Khan Satchu useful:
‘@alykhansatchu: 753,000 Shareholders keep me up at Night #Safaricom #Kenya #Mindspeak we have M-Pesa and Data 11:20am’

A member of the audience asked a question as one of the many small shareholders (many Kenyans are), which I do not remember. At that point I thought to myself that perhaps Bob’s pensive tone whenever talking about his shareholders was more about Safaricom’s major shareholder(s) – Vodafone (40%) and GoK (35%). As a Kenyan and a very small shareholder, I have continued to be frustrated by Safaricom’s disinterest in regional expansion – to Uganda, Tanzania, Rwanda and the rest of Africa. Bob confirmed my fears when he replied to a related question, saying that Safaricom was simply not looking at a geographical diversification (regional expansion) strategy.

I have touched on Safaricom’s options for future growth in previous posts. Bob’s answer on the ‘would-be natural’ strategy of regional expansion reminded me of observations in those past articles. By virtue of Vodafone’s 40% ownership of Safaricom and Vodafone having other subsidiaries in Uganda and Tanzania, a constraint is placed at the board level on any Safaricom ambition to enter the markets outside Kenya. Such is Vodafone’s influence over Safaricom’s future that any thoughts of venturing into other regional markets must consider Vodafone’s existing interests on the (foreign) ground.

The above constraint in my analysis has seriously limited Safaricom’s options for growth and remains its Achilles’ heel. I have also argued previously that it is Vodafone’s interests that cost Safaricom its ‘rightful’ stake in the ownership of the M-PESA patent. Consider that in one of Bob’s answers during the MindSpeak, he reiterated the position that Michael Joseph – his predecessor – had been retained by Vodafone among other things to be its ‘M-PESA ambassador’. Both Michael and Bob are Vodafone appointees. It should not take much rationalisation therefore to understand that Safaricom’s leadership will always steer the company away from competition with Vodafone’s other interests in Africa and elsewhere.

The feeling that Safaricom is not being genuine about releasing an API for Kenyan developers to integrate business services with M-PESA is increasingly widespread. Safaricom is not convincing either that the delay in releasing this widely clamoured for feature is not about Vodafone/foreign interests. I did not find Bob’s answer to a related question adequate – that the delay was due to security concerns. It’s been over two years since Kenyan developers started clamouring for the API and there are no signs yet of it coming soon.

Perception of Competition

Bob’s perception of Safaricom’s competition can be summarised in at least two tweets below:
‘@alykhansatchu: #Mindspeak Airtel can afford to destroy The #Kenya Market We cannot @bobcollymore #Africa 11:21am’
‘@gmeltdown: #mindspeak safaricom has to pay for armed patrol on their fiber cable to fend off vandalism – says Bob 10:33’

Bob and others in Safaricom wished for the audience to believe that Airtel’s super low prices for voice and SMS were meant to destroy Kenya’s mobile network industry. See my article in October 2010 on Airtel’s move. Although I do not wish to go into the discussion in the first tweet, my take is that Airtel Kenya is only trying to cut down Safaricom’s market dominance of about 80% market share to lower manageable levels. Cutting down Safaricom’s market share will not destroy the industry in my view.

The second tweet is about vandalism of the inland terrestrial optic fiber cables laid out by the competing data connectivity providers in recent months. The vandalism depicts difficulties and costs inherent in Kenya’s business environment. Although Bob saw a pattern to imply competitor sponsored vandalism, it appears that the Kenyan government is not doing enough to provide security of investors’ assets. Obviously the security issue contributes greatly to Kenya’s attractiveness as an investment destination. A lot has been written about the cable vandalism and there is hope that the government will eventually bring the menace under control.

Customer Focus

To many Kenyans, customer service is Safaricom’s biggest problem. Considering its huge customer base, it is on the same matter of customer care that Safaricom can argue to be the strongest among its competitors. I have previously argued that Customer Focus is one of the significant battle fronts among Kenya’s MNOs whose winner will collect for themselves many points in the dominance war.

I was particularly impressed by Bob Collymore’s articulation of his intentions to direct Safaricom’s corporate culture towards customer focus. His thoughts that Safaricom could not make the mistake of outsourcing its customer service (call centres) were quite profound. In a demonstration of seriousness about customer focus, Bob went ahead to express his desire for attributes like honesty, relevance, simplicity, ease of use and listening to customers in its products and customer interactions.

With the noble intentions on customer focus well articulated by Bob, then I could only come up with the tweets below:

‘@gmeltdown: #mindspeak Bob wants safaricom to embrace customer obsession as a way of life. 10:53am’
‘@gmeltdown: #mindspeak an array of customer focus intentions presented by bob. hoping safaricom will wall the talk. 10:56am’.

As a user of most of Safaricom’s products, I must say that their quality of customer service can vary greatly with their categorization of customers (post paid and prepaid) and with the various products (M-PESA, voice, and data connectivity). It is this variability in quality of customer service that would need to disappear for many to believe the good intentions articulated by Bob.

In Conclusion

To conclude this long post it is worth noting that as the competition among Kenya’s MNOs shifts gears, a complex multiplicity of parameters will have to be watched by each player.

Emerging battle fronts for Safaricom, Orange, Yu and Airtel Kenya

It has been correctly observed that for the Kenyan Mobile Network Operator (MNO) the voice market is only a cash cow in a wide array of business ventures and revenue streams. Last week I wrote about the epic battle between Safaricom and Airtel in the voice and Short Message Service (SMS) market. I shall call these engagements battles as they appear to be quite a number along a couple of frontiers that our MNOs will need to fight it out over time. This is all in the bigger, long term war among the operators for favor with Kenyan consumers.

In this post, I shall share some quick, simple thoughts on the various market frontiers.

  1. The mobile money frontier

Safaricom’s M-PESA service in Kenya has in the past two years become a globally acclaimed success. It has revolutionised lives in Kenya. The country has also become an attractive market for products building on innovations around mobile money. All the other three MNOs have declared that they are not being left behind in the long term quest for revenues in this market and are propping up their counter-offerings to M-PESA. I have previously written about some of the sector’s key success factors and potential pitfalls that you might wish to explore. I shall steer clear of further associated debate in this post.

  2. The data connectivity services frontier

Earlier in 2010, Moses Kemibaro, a renowned Kenyan blogger, also wrote on how Safaricom was slated to become the largest Internet Service Provider (ISP) in Kenya. It appears Orange and Yu have since taken the cue and begun engaging Safaricom on yet another battle – the mobile internet service connectivity battle. The battle on this frontier is bound to be so ruthless that traditional ISPs might be driven to the peripheries by the better funded, increasingly resolute MNOs.

  3. The online content frontier

In this frontier we expect to see more activity in the online content vending and advertising segments. Incidentally there are both international and local – home grown players in this market segment that the MNOs will have to contend with. The MNOs will at various points experience the might of global online content players. These are the likes of Google, Facebook, Yahoo and Microsoft and their interactions might include mutually beneficial partnerships or direct competition. Then there are the local content players, blessed with expert knowledge of the local culture and social landscape. It will be interesting to see how local niche markets emerge as local content developers become more creative in partnerships with the MNOs.

  4. The customer focus frontier

In Kenya we are more used to the term customer care. With ISO, ITIL and other global best practices becoming more popular among Kenyan firms, the usual contention on definition of terms will be unavoidable. However, whether we call it customer care, customer service or customer focus, this is the battle front whose intricacies are a little less obvious. Controversial matters on patriotic emotions and corporate social responsibility will remain customer focus concerns. However the matter of actual service delivery and support will become significant game changers. I shall reserve further arguments on this for a separate future post as opportunities arise.

The usual conclusions
On each of these battle fronts, it appears that we shall not be confined to the boredom of watching the usual two main protagonists (Airtel and Safaricom) fighting it out. Orange and Yu are already taking firm positions and claiming serious stakes on the new frontiers. These newer players are pretty much announcing that they shall not be mere by-standers.

It is almost obvious that the above competition will result in consumers receiving better services. They will be better facilitated to lead productive lives. Kenyan professionals will be engaged to come up with more innovative services whose success could be replicated to the rest of the world. M-PESA should be a good example on how great innovations can come from Africa. Sadly for some, the obscene profit margins experienced by dominant players previously will not be feasible. In the end we shall have created a more robust knowledge-based economy.

Finally, the pleasant realization from the promise of these impending battles is that in all the instances the consumer and the country wins.

Tribulations of the M-PESA Agent

M-PESA is the mobile money transfer platform introduced in Kenya by Safaricom – Kenya’s arguably dominant mobile network operator. It is a fact that M-PESA has revolutionized lifestyles of Kenyans in the last three years. To date there are about 20,000 M-PESA agents in Kenya according to statistics from Safaricom. It is the extensive network of M-PESA outlets that Michael Joseph – former CEO of Safaricom – attributes to the phenomenal success of the M-PESA money transfer system (see my notes on ‘reflections with MJ’ in October 2010). Although the former CEO’s assertion remains arguable, the significance of the agents and their outlets cannot be overstated in analyzing the money transfer system’s success.

Recently I engaged a couple of M-PESA agents in some discourse to try and understand their contribution to the platform’s success. Perhaps it is because of our age old tendency to complain over everything that I caught a few concerns that would qualify to be the ‘Miseries of the M-PESA agent’. Here are some:

1. SMS trickery
M-PESA in Kenya revolves around SMS texts exchanged between individuals, agents and suppliers as ‘promissory notes’. The promissory notes in the form of text messages are guaranteed by M-PESA agents’ deposits with Safaricom (also known as float) through a trust deed (read more on this and an early 2009 systems audit report). With the maturity of M-PESA as part and parcel of our society, even the fraudsters have jumped on board to make their contribution in the diverse society. Agents have in recent months fallen prey to these ‘cleverer’ citizens who present fake system withdrawal messages at outlets. Unsuspecting attendants who fail to scan the entire SMS message for authenticity dish out money, only to discover the trickery when the fraudster has vanished.

For readers wondering just how that can happen, see an earlier post on this blog of a ‘transcript’ detailing a real example of such an incident. Of greater concern to the agent is the fact that their contract with Safaricom pushes liability for such losses to the hapless agent.

It might be easy to say that the amounts stolen by the fraudsters using this method are small and theoretically limited to Ksh.35,000 (Approx USD 440) per instance. However, those who are privy to the operational details of small enterprises like M-PESA outlets might know that once an outlet is hit with theft of such an amount, it could take months to recover. A complete closure is also possible for such affected outlets.

2. Service Outages
Earlier in the week of 8th November 2010, Safaricom put out advertisements in the traditional press and social media notifying M-PESA users of a scheduled downtime that would last most of the weekend from Saturday 13th 9pm to Monday 15th 6am. The scheduled outage would be due to a planned upgrade of the money transfer platform. A service outage for a whole day meant loss of a day’s worth of revenue (commissions) by agents. The planned upgrade was later suspended on 11th November 2010, supposedly due to other unrelated outages of the Safaricom data network that had to be brought under control first. I was curiously shocked to learn that Safaricom had a reason to bring down a service so critical to Kenya’s economy for over 32 hours. For a moment then I thought service availability was not an important service quality metric to Safaricom. I defer my curiosity for now until they announce the new upgrade schedule.

Scheduled outages notwithstanding, it is not rare for M-PESA agents to be found helpless by customers who cannot be served because ‘the network is down’. The same is experienced by customers themselves on their phones when they occasionally try to transfer money to others only to get a message that their transfer was not successful (to try again after ten minutes). Worse cases of service reliability affect M-PESA agents when a customer deposits money and there is a delay in receiving the deposit confirmation text (on the customer’s phone). The agent is left in a precarious position of mistrust with an impatient customer who might not believe that their confirmation message will eventually come (perhaps after 20 minutes).

It is these planned and unplanned system outages (or degraded performance) that occasionally make the M-PESA agent a helpless businessman. Their supplier is also so powerful that they have no chance of negotiating favorable service level agreements to protect their small businesses from effects of such diminished service quality. Safaricom deserve a little more credit though. From the planned upgrade, it appears they have realized a need to improve the quality of their service (including increasing maximum transaction throughput from 70 to 200 transactions per second). Although the planned platform improvement might alleviate some of the recurrent outages, the little bargaining power of the agents will remain a matter of concern.

3. Employee theft
A blog post by @coldtusker sometime last year once attempted to highlight the culture of dishonesty among other costs of doing business in Kenya. Dishonesty can be argued to be prevalent among employees in Kenya. Arguably, the desired combination of reliability and honesty among our workforce remains quite elusive. M-PESA attendants are not aliens to the purported culture of dishonesty. It should be correct to say that mobile money transfer systems include elaborate mandatory record keeping – some of which are electronically hosted by the money transfer platform. However many people forget that for as long as attendants must handle real money at some point, a temptation to steal or divert money meant for their outlet’s operations exists.

Dishonest employees combined with an inept law enforcement system means that the M-PESA agent has to pray every day for their attendants not to yield to stealing temptations. The current police and justice system is such that it may be obvious who stole but nothing beyond knowing the thief is doable. It is this ever present fear of losing an outlet’s cash that can permanently keep the M-PESA agent crossing their fingers. Some insurance companies, I am told, offer insurance cover against such losses but with 20,000 shillings ‘excess’ fees for any theft instance claimed. The insurance cover then rarely makes sense to M-PESA agents since typically lost amounts are about the same as the ‘excess’.

4. Fake Currency
A couple of weeks back I was listening in to one of our morning radio shows. Then there was this exasperated caller who was narrating how someone had deposited fake 20,000 shillings notes at their M-PESA outlet. The outlet’s attendant had discovered the fake notes and alerted the local police before the conman had left. The police arrived at the scene, confiscated the fake notes, and left with the conman in ‘custody’. To the astonishment of the agent, the police did nothing to assist the agent who had already ‘received’ the fake deposit – hence deducted from their float. According to the caller, the conman eventually went scot free. With the current arrangement, no form of assistance was to be expected from Safaricom for mitigating such risks since the ‘nonnegotiable’ liability remains the agent’s.

Long Conclusion
There are many other experiences that add up to bad ordeals for M-PESA agents, ranging from general risks in the external environment to business risks directly related to the nature of outlets’ operations. It should not surprise many that the much touted 20,000+ M-PESA agents are really not having sustainable businesses. It might also be that the extensive network of agents is the single biggest success factor of Safaricom’s M-PESA platform for money transfer. In that case, with the above sentiments of M-PESA agents, it is the same factor that Safaricom has not quite controlled in their favor. Some of the M-PESA agent’s troubles appear to be way out of reach in Safaricom’s external environment. It is however the same environment that an entity of their size and might could work with the government to influence – in their favor. Some of the mitigation measures are as basic as additional agent capacity building.

Incidentally, Telkom Kenya have recently launched their feature rich OrangeMoney platforms. Essar Communication’s Yu is inducing M-PESA agents to become YuCash agents. Bharti Airtel is also sustaining their onslaught on Safaricom’s dominance on various fronts including propping up its lower priced ZAP platform. The long term success of these competing mobile network operators in the money transfer market might just as well be pegged on how aptly they handle their value chain – including their dealers and agents.

All that said, I shall try not to contradict my earlier post on value proposition to Kenyans as the ultimate success factor and suggest that “The most significant success factor for mobile money transfer operators working in Kenya will be their value proposition to Kenyan stakeholders including their customers, agents, and shareholders”. In my opinion, patriotic sentiments and feel good aspects such as corporate social responsibility will take a back seat and value drivers (including market forces) will determine future growth paths for the competing mobile network operators.

Extended Thoughts on Reflections with Michael Joseph of Safaricom

This Mashujaa Day was a lazy one for me – some kind of forced day of rest to nurse a sore throat I had. On this day I got a coveted opportunity to form part of some 60pax audience at the iHubNairobi listening in to reflections from Mr. Michael Joseph. Michael, or MJ as we call him, is the outgoing CEO of Safaricom LTD – East Africa’s largest firm by corporate earnings. It was a lazy day so I really did not want to tweet through the session. Nevertheless I yielded to the temptation – as usual, and had some 32 tweets with the hash tag #mjreflections.

I was seated next to @UjenziBora who shared his intentions to blog his own tweet stream from the event. I liked the idea so here is my over-elaborated execution of the copied idea. I shall simply try and give my underlying thoughts on my ‘live-session’ tweets. I shall also number them so that when you get tired, you could go and come back to resume where you will have left.

  1. (tweet) Peculiar sight to see MJ of Safaricom in blue jeans -> (the underlying thought) I was honestly shocked to see Michael Joseph in blue jeans, away from his corporate suit and tie signature look.
  2. (tweet) Per minute billing would have made more business sense but Safaricom could not afford the system then -> (the underlying thought) Michael had to make the best of what he did not have. He settled for the lesser revenue option of per second billing and invested in marketing to consumers the truth that per second billing was better for them than Kencell’s per minute billing.
  3. One more lesson – please don’t surprise your customers – not even for free things -> Personally I don’t mind pleasant surprises like some free KES 800 airtime. As a businessman, I still won’t mind but would execute surprises with guarded caution.
  4. MJ admits M-PESA, okoa jahazi, Sambaza etc were not invented in Kenya -> My regular readers might already know that the origin and ownership of the MPESA innovation is one of the topics I get a little over-patriotic about.
  5. 2m pounds went into the initial MPESA software by Vodafone – after some DfID competition -> This appeared to be MJ’s distractionary way of pre-empting the emotive debate of why Safaricom does not own the patent for M-PESA. In my mind he is not off the hook yet. But it’s too late, Kenyans have already made M-PESA indispensable, under the impression it was their (Safaricom’s) intellectual property.
  6. Success of #MPESA is not the technology, it is the distribution network -> This I agreed with partially. However I shall continue to insist on marketing blitz and a sense of nationalism around the product being additional ingredients.
  7. IT guys have learnt the art of giving excuses when things go down -> At that point MJ appeared silently agitated about some technical hitch – I felt him. IT guys have an annoying way of assuming that embarrassing situations are acceptable to blame on technology.
  8. There is no redundancy for the TEAMS cable – where it lands in Mombasa – Plans to arrange for redundancy in Dar es Salaam -> With the technical hitch in tweet 7, MJ was distracted away from M-PESA to data services. I did not like his way of justifying sustained high data prices – redundancy of the optic fiber cable at the landing points, onward connectivity to the internet beyond undersea cables, etc. We need another big connectivity provider to dislodge Safaricom from an exploitative dominance position which they are getting to.
  9. MJ thinks Safaricom will win the ‘War’ with Airtel Bharti – prefers not to call it ‘Price War’ -> May the best value proposition to Kenyans win!
  10. Best advice MJ got was ‘You have to make decisions yourself’ even if once in a while you go wrong -> That obviously worked for him, problem might be how much further this style had got into Safaricom’s corporate blood. Can Safaricom survive a different kind of leadership?
  11. MJ of Safaricom has never read more than 5 pages of any business book -> I was forced to read many such pages for my MBA. I think experience is an expensive teacher. No further comments.
  12. MJ is not a great fan of social media. He thinks his successor is though -> We can only wait and see how @ , the new man at the helm fares as he sounds like a completely different kind of guy. Hoping though he won’t start off with RFPs for change management consultants. I am told Bob Collymore will be the guest at Aly Khan Satchu’s Mindspeak event on 4th December 2010.
  13. MJ appeals to bloggers and others to use social media sensibly – not to spread falsehoods etc -> I agree. I always try my best and hope my best is good enough.
  14. MJ would not consider outsourcing customer care – it is so tempting yet so critical as far as he is concerned -> That was so clever of him. I agree with the principle, but when he gave the purported reason of creating local jobs near JKIA I was not convinced.
  15. For BPO we can’t just rely on the fact that we speak English, or are in a good time zone. We have to deliver quality -> This I really liked and I really hope the Vision 2030 implementation secretariat is listening in.
  16. To MJ, this BPO thing is overrated in Kenya’s vision 2030 – I also agree -> See Tweet 15
  17. Safaricom expects payback from their base stations within one year, most of them pay back within 6 months -> I don’t know enough to comment but @mwolooto thought Safaricom was not being fair to someone – I can’t tell how.
  18. Solar energy for BTS makes sense only when air cooling is not required – I didn’t know that -> Going green should make economic sense a lot of times. It appears this is not all the time though.
  19. MJ would indulge in local capacity building only because it makes financial sense – sort of CSR view I don’t like -> At the time of tweeting this I had got incensed with MJ sounding like financial sense was all about being seen to undertake Corporate Social Responsibility (CSR) – hence increased revenue. I don’t understand why many multinational(ish) companies do not recognize the need to build local capacity as strategic inputs for their own local business processes. Creating jobs as CSR will always appear as though one is out to sanitize their acts of exploitation!
  20. MJ is seriously not convincing on local capacity building reasons – methinks it should be more about economic synergies -> My instant rant on tweet 19 above – won’t comment more.
  21. MJ of Safaricom never believed in the idea of changing ringback tones. Now regrets ceding more revenue share than would have allowed -> Was great to see that even the mighty in Kenya can wink and get out-witted.
  22. MJ of Safaricom now asserts that MKESHO is his (personal) idea – interesting -> Great revelation. I need a followup on my earlier post on MKESHO as a hint to more intrigues to come. I pray the exclusivity ends soon.
  23. Safaricom’s deal with Equity on MKESHO ends next year – that should be good riddance to some -> See tweet 22, no
  24. Safaricom CEO @iHubNairobi,we will be launching M-PESA buy goods on Friday,u can pay for shopping @Uchumi with M-PESA -> I was re-tweeting an interesting announcement through Safaricom’s official twitter account. Too much to talk about there – won’t start.
  25. 700,000 M-KESHO accounts in three months other banks want to cash in also -> See tweet 22
  26. Safaricom will make it possible to pay for items via MPesa from Friday at Uchumi branches -> See tweet 24 – so shall the MPESA queue stall when there are delayed SMS notifications?
  27. Safaricom needs the banks – will address the exclusivity issue. They probably will not do it with Stanchart or Stanbic -> I could read Michael’s bad blood with Stanchart from his lips as he said this. Could it be because they gave banking partnership to Zain for ZAP – the would-be rival to MPESA?
  28. I like MJ’s passion around #MPESA, gets carried away by the topic -> Great passion this man has, I can’t help but think he might be secretly sharing a stake with Vodafone on the MPESA patent.
  29. Really what’s business enabling about paying a license to a regulator? -> It’s hard to tell when the regulator is genuinely seeking funds to protect consumers.
  30. Consistency of management contributed to safaricom’s market share staying at 80% over a couple of years -> Now Safaricom must face the inevitable moment of changing guard. Good luck after some really strong/autocratic leadership.
  31. RT @tonymuny: I hope there is no fee involved when paying 4 goods in uchumi via mpesa -> I had to retweet the concern raised therein – someone I met at Uchumi indicates that there should be no extra transaction charge to the customer in the planned arrangement. See tweet 24 also
  32. MJ of Safaricom thinks he is one person that does not admit defeat at all -> I shall not rule out the possibility of someone else admitting defeat at Safaricom – many months after MJ has left.

With all that said, may the best value proposition to Kenyans win!
I most probably missed some big insights while I was tweeting away the session with Michael. I recommend you also check out @UjenziBora’s post for a different if not complementary post-event-analysis based on his live tweets.

M-KESHO’s subtle hints on the future of Safaricom

M-KESHO, the newly launched financial services product, is yet another demonstration of how Safaricom is constantly consolidating its gains in the country while exploring new business frontiers. The financial product appears to be a direct derivative of M-PESA’s data warehousing essentials. There is definitely a reason Safaricom and Equity Bank are betting on M-KESHO – that of building on past successes and an understanding of the peculiar Kenyan market place.
Despite the welcome innovative moves by the pair, I must say that in my humble estimation the M-KESHO product might succeed but not so much beyond Equity Bank’s earlier attempt at mobile banking (Eazzy 24/7). I stand to be corrected, but although M-PESA succeeds in fostering a culture of saving among the unbanked, it may be too early to stretch it in search of interest revenues through a financial credit service – which apparently is the differentiating feature of the M-KESHO product from other mobile banking products.
The close coupling with Equity Bank’s banking services might undermine any intentions of M-KESHO being the convenience product like M-PESA that die hard Barclays, KCB and other larger banks’ customers would quickly embrace. It is difficult to guess how much strategic weight MJ and troops are placing on the Equity Bank partnership. Certainly though, in the partnership comes a subtle hint that Safaricom will not forever extend their business empire with derivatives of its successful products alone.

Seemingly there is a limit to how far a large company in Kenya can pursue an aggressive product diversification strategy before having to ‘sleep’ with its other would-be serious competitors. Such a limit would then appear as the beginning of hope for companies competing with Safaricom in any of the sectors it has ventured into.

Hope for Safaricom’s Competition

Much has been written about Safaricom’s success in Kenya. From voice, to SMS revenues, to money transfer and data services, Safaricom has clearly demonstrated the power of leveraging on traditional revenue streams to generate new value propositions. Michael Joseph and his troops are successfully integrating their business empire with the larger Kenyan economy. So far this has the obvious result of apparently sustained competitiveness for Safaricom.
Safaricom’s new partnership with Equity Bank, whose EAZZY 24/7 service was at some point pre-positioned as a serious competitor to the M-PESA service, speaks volumes. Seemingly there is a limit to how far a large company in Kenya can pursue an aggressive product diversification strategy before having to ‘sleep’ with its other would-be serious competitors. Such a limit would then appear as the beginning of hope for companies competing with Safaricom in any of the sectors it has ventured into.
Indeed, Safaricom’s growth remains as dependent on voice business – the cash cow – as it was two years ago, if its financial report for 2009 is anything to go by. The competition therefore still has a chance to rival Safaricom in the money transfer, data and even voice revenue streams. The time is ticking though, as MJ and troops are not anywhere near complacent with their product diversification efforts – which may still work for a little longer.
The hope for Safaricom’s competitors lies in its continued inability to expand outside the Kenyan economy. Although Safaricom has become the dominant player in Kenya where the all important technology driven services are being discussed, sustainability of its growth remains questionable unless it expands beyond Kenya’s borders. Regional expansion would assist the company to consolidate its successes across a wider market space.
Indeed the Achilles’ heel for Safaricom as a largely Kenyan entity will continue to be its inability to expand regionally and globally. Such expansion for the company is seriously curtailed by virtue of Vodafone – its major shareholder – being already out there as a competing global player. This constraint is apparent in the fact that even the most modest ambition to expand Safaricom’s M-PESA service into Tanzania is not possible since Vodafone has already rolled out the same service there – with the same brand name through Vodacom Tanzania.
In my view Zain, AccessKenya, OboPay and other would be Safaricom competitors need to only drop in some killer innovation and some incredible value propositions for the bottom of the pyramid (BOP) market in Kenya to secure the all important critical mass that they hopelessly lack. Then they can use the same product diversification and vertical integration strategies that Safaricom has applied to easily catch up and meaningfully compete.
Safaricom therefore needs to steer away from the trap to confine its success to the Kenyan economy if it is to sustain its growth and remain competitive.

M-PESA Fraud – Agents Beware!

Tricksters and dishonest people have always existed in our midst.  It is definitely naive to imagine that our new techno-savvy way of life is an exception to the age old social patterns. This afternoon, an M-PESA agent was a victim of a new line of M-PESA fraud.

Here goes the story; this is factual and occurred on February 1st 2010 in a peri-urban setting about 24 kilometres from the Nairobi City Centre.

  1. About 2.00PM, a lady and a gentleman who looked to be in their mid twenties visited an M-PESA outlet, claiming to be Safaricom supervisors. The two wore valid looking M-PESA badges and even carried M-PESA promotional material for the outlet.  The two inspected the outlet’s log books then left. Note: It is normal for Safaricom to send supervisors to routinely inspect various parameters on operations of M-PESA outlets. The supervisors usually wear Safaricom badges and often take with them M-PESA promotional material to the outlets
  2. About 20 minutes after the purported supervisors left, an old looking man estimated to be in his late 50s or early 60s came to the same outlet requesting to withdraw Ksh.35,000. The man was allowed to withdraw the desired Ksh 35,000 and went ahead to initiate the withdrawal from his phone – as is the normal procedure.
  3. Shortly after, the outlet attendants received an SMS purporting to record and authenticate the old man’s withdrawal transaction. The SMS received by the attendant had a valid looking M-PESA transaction number and the old man’s purported names which were verified against an original national ID which he presented.
  4. The M-PESA attendant, convinced about the validity of the transaction (just like hundreds of others processed daily) gave the old man an initial Ksh. 30,000 and was reaching out for the remaining Ksh. 5,000. Before the extra amount could be retrieved, the old man calmly signed the outlet transaction and walked away saying he would come for the remainder later.
  5. The M-PESA attendant continued with the next customer, expecting their float to have increased by Ksh. 35,000 as a result of the withdrawal. The expected float was then not reflected in the valid M-PESA SMS after the next customer’s transaction – raising a red flag to the M-PESA attendant.
  6. The M-PESA attendant shortly after called 234 – Safaricom’s M-PESA service line for clarification and the service support person on the other end reported that the transaction withdrawing Ksh. 35,000 was not reflected in the M-PESA system.
  7. Alarmed at the Safaricom claim, the M-PESA attendant frantically attempted to call out for the old man who had disappeared by then without a trace.
  8. Late in the afternoon, the M-PESA agent went to the police station to report the incident. The police officers took initial details and promised to visit the outlet the following day for further investigations.

A number of discrepancies have since been highlighted on the fake M-PESA SMS which is copied and pasted below

P47DT685 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 to DANIEL MAINA New M-PESA balance is Kh 42,049 Sender:MPESA +254771831462’ 

I shall leave the analysis of the text and the resulting fraud to the reader for now.
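The checks an attendant could run on a withdrawal confirmation before handing over cash, covering both the ‘SMS trickery’ concern raised earlier and the incident above, are sketched here as an added example (not part of the original post and not Safaricom’s own logic). The trusted sender ID, the message layout inferred from the quoted SMS, the opening float and the passing sample are assumptions or constructed values.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption (not stated in the post): genuine confirmations arrive under this
# alphanumeric sender ID, never with an ordinary subscriber number attached.
TRUSTED_SENDER = "MPESA"

# The fake SMS as quoted in the post (stray trailing quote mark dropped).
FAKE_SMS = (
    "P47DT685 confirmed on 01/2/2010 at 2.20PM Give Ksh 35,000 to "
    "DANIEL MAINA New M-PESA balance is Kh 42,049 Sender:MPESA +254771831462"
)

# Constructed sample with the same layout, used only as a passing case.
CONSTRUCTED_OK_SMS = (
    "QX12AB34 confirmed on 1/2/2010 at 2.45PM Give Ksh 2,000 to "
    "JANE DOE New M-PESA balance is Ksh 11,500 Sender:MPESA"
)

# Layout inferred from the quoted message only; it is not an official format.
LAYOUT = re.compile(
    r"^(?P<txn>[A-Z0-9]+) confirmed on (?P<date>\S+) at (?P<time>\S+)\s+"
    r"Give (?P<cur1>[A-Za-z]+)\.? ?(?P<amount>[\d,]+) to (?P<name>.+?)\s+"
    r"New M-PESA balance is (?P<cur2>[A-Za-z]+)\.? ?(?P<balance>[\d,]+)"
    r"(?:\s+Sender:\s*(?P<sender>.+))?$"
)


def _to_int(text: str) -> int:
    return int(text.replace(",", ""))


@dataclass
class FloatLedger:
    """Tracks the float last confirmed through a channel the agent trusts."""

    balance: int

    def review_withdrawal(self, sms: str) -> list[str]:
        """Return reasons to withhold cash; an empty list means no finding."""
        m = LAYOUT.match(sms.strip())
        if m is None:
            return ["message does not match the expected confirmation layout"]

        findings = []
        sender = (m["sender"] or "").strip()
        if sender != TRUSTED_SENDER:
            findings.append(f"untrusted sender field: {sender!r}")
        if m["cur1"] != m["cur2"]:
            findings.append(
                f"currency written two ways: {m['cur1']!r} and {m['cur2']!r}"
            )
        # A withdrawal raises the agent's float by the amount paid out, so the
        # claimed balance must equal the last trusted balance plus the amount.
        expected = self.balance + _to_int(m["amount"])
        claimed = _to_int(m["balance"])
        if claimed != expected:
            findings.append(
                f"float mismatch: message claims {claimed}, ledger expects {expected}"
            )
        if not findings:
            self.balance = claimed  # accept only a fully consistent message
        return findings


if __name__ == "__main__":
    ledger = FloatLedger(balance=9_500)  # constructed opening float
    for label, sms in (("fake", FAKE_SMS), ("constructed", CONSTRUCTED_OK_SMS)):
        result = ledger.review_withdrawal(sms)
        print(label, "->", result or "no findings")
```

The sender and currency checks are heuristics tied to this one message; the float reconciliation is the check that exposed the fraud in step 5 of the account, applied here before any cash changes hands.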

Note that according to the Safaricom M-PESA support person, the M-PESA agent only has to count their loss as no indemnity is payable to the agent for their predicament. When the known Safaricom / M-PESA representative for the affected region was contacted they disowned the ‘supervisory visit’ by the lady and gentleman 20 minutes before the ‘withdrawal’ was requested. I wonder how many more M-PESA agents have fallen prey to this new M-PESA trickery.

M-PESA is not a Kenyan Innovation

Many Kenyans still believe that ‘their’ Safaricom owns the patents to the M-PESA innovation. Some Kenyans even claim that Safaricom hijacked their idea and developed it into M-PESA – a court case was once reported on this. The reality being that the system was ‘developed’ by Sagentia on behalf of Vodafone, it goes without saying that the corresponding intellectual property (IP) does not belong to Safaricom. That is also not to forget that Kenya has enough software development capacity to build such a system on a robust platform.

Safaricom is paying patent fees to Vodafone just like any other network operator who will wish to use the money transfer platform. It might help for Michael Joseph to clarify if any benefits accrue to himself or others in Safaricom specifically for accepting to be the test platform for “Vodafone’s innovation”. Such a clarification should of course address the opportunity cost of a more direct contribution to Kenya’s knowledge economy through the apparently foregone IP ownership.

I would like to suggest that if for any other reason M-PESA does not succeed in other markets outside Kenya, it will be because M-PESA is merely a Kenyan innovation, whose success is a direct derivative of Kenya’s patriotism. As such the innovation’s success may not be replicated where the corresponding patriotic emotion is nonexistent.
Consider the patriotism displayed in the oversubscription of the Safaricom IPO of 2008. Consider the fanatical self imposed network (Safaricom) lock-in of over 14 million Kenyans. Then you might start understanding the success of M-PESA in Kenya. Many Kenyans found M-PESA compelling merely because it was supposed to be a ‘Kenyan Invention’. Indeed the M-PESA success story may not be complete without mentioning the sense of belonging and patriotism of Kenyans as an aftermath of the 2007/8 election crisis.
Had the 5+ million M-PESA users initially learnt some of the facts in Olga Morawczynski’s article – What you don’t know about M-PESA, the service might as well have been struggling, as is the case with Vodacom’s attempt in Tanzania. Consider the question – why are ZAP and YuCash – alternatives to MPESA – not yet success stories? In my opinion, the technological platform could have been developed by anyone else – including our own software developers. The business processes addressing the socio-economic context could only have come from the Kenyan populace – regardless of who eventually incorporated them into the software.
I am sure at some point in history, the social scientists will have something to say about the role of Kenya’s social-political crisis of 2007 and 2008 in the M-PESA success story.