
How to protect yourself from the new bank theft through SIM card

I was in my hotel room in Kano preparing for my journey to Katsina the next day for the launch of Livestock Xpress (this is a topic for another post) in cattle markets, when I got a call from Simisola (a pseudonym), a colleague. She was crying profusely as she asked me to help her block her official email because someone had got access to her bank account. I couldn’t connect the dots: what has crying got to do with her official email, and how does this connect with her bank account? Sit back and let me give you the full gist.

So, Simisola has a car and she does not like to drive alone, so she would either wait for her husband to come and keep her company or she would be in the company of colleagues who are going her way. On this fateful day, none of the people who used to go home with her was available, so she decided to give someone a lift so as to achieve two things: help someone in need and still have company on the way home. It was the person she gave a lift that stole her phone. This is where the real drama started.

Apparently, she did not notice this until she got home and she tried calling the number so that she could be sure if truly she had lost the phone. Guess what the guy on the other end said. “So, you small girl dey drive car abi?” The guy cut the call and that was the last time she was able to access the line.

The next day, she decided to check her email through her husband’s phone and she started seeing debit alerts flooding in. The guy, or whoever was with the phone, was on an airtime-buying spree. The guy bought airtime worth more than 100k in batches. And things got worse when the guy took a loan on behalf of Simisola. This whole issue opened up so many lacunae in the Nigerian payment space. I understand that this is a convenient argument with due diligence.

I had this same conversation with Jacobs during my days in KongaPay when I was auditing the banks’ USSD process. Why won’t there be a PIN requirement when I want to purchase airtime for myself? This is the vulnerability these hoodlums are capitalising on. They patiently keep purchasing airtime. I am sure they have a way they move the airtime from the line to turn it into money. The guy is still not at a loss by selling 100k of airtime for 20k. Whether or not he is able to get the airtime out as money, Simisola has lost her hard-earned money. Simisola tried deactivating her account, and all the USSD codes advertised by her bank didn’t work. She called the bank’s customer service several times; the phone numbers were not going through. Later, she resorted to blocking her line.

According to a video that went viral about a guy that was arrested recently, this is how the criminals achieve this feat: 

  1. Dialling *425*100# will list bank accounts that your SIM is connected to.
  2. For Access Bank account owners, dialling *901*00# will send your bank balance; it is easy for other banks too.
  3. They will use *565*0# to retrieve your BVN.
  4. Some people save their bank account number on their phones, and people like me have sent their account number to someone before, either through SMS or a WhatsApp message. All the criminals need to do is go through your contact list or sent messages to retrieve the account number, which makes it easy to get all the other information about you.
  5. They use the information they gather to reset your PIN.
  6. What else are you waiting to read? Your money is gone. LOL

Several years ago, when someone stole your phone, it was just about selling the device. Nowadays, access to your financial institution has joined the mix, so no one is safe. Even your feature phone is no longer safe; the incentive is on the SIM and not the phone. Device manufacturers are working really hard to make smart devices secure and theft no longer appealing, but the drive has now moved to the SIM cards.

I think the bigger elephant in the room is the use of these SIMs in qualifying for and accessing loans. Why should anyone be able to collect a loan by just dialling a USSD code? This makes loans accessible to all, but on the flip side, it brings us to the issue of someone collecting a loan on my behalf and having me pay for it... I WILL NEVER PAY. We would rather go to court to settle it!

I created this post to share the steps I asked Simisola to do after her horrible experience. I feel someone might benefit from this. 

  1. Use SIM lock. To do this, below are the default PINs for each network, which you need in order to create a new PIN. Using a SIM lock does not only stop people from having access to the SIM; they also won’t be able to swap your SIM. Hope you know what can happen if someone connives with an agent that does welcome and swaps your SIM? You won’t want to think about it. I have witnessed high-level fraud using this method.

| Network | Default SIM PIN |
|---------|-----------------|
| MTN     | 00000           |
| Airtel  | 1111            |
| 9Mobile | 0000            |
| Glo     | 0000            |

  2. Protect your phone with a password, even if it is a feature phone.
  3. If you notice your phone is stolen, block it immediately.

These hoodlums also choose soft targets, so help our parents and loved ones to do this on their phones.

All we have to do is to pray that one day all financial institutions will make it difficult for users to have access to customers’ funds.

NB: I hope you know that the CBN suggests that banks will pay if someone uses your phone to make transfers ‘even if it’s your fault’ (https://nairametrics.com/2016/10/10/ussd-cbn-suggests-banks-will-pay-if-someone-uses-your-phone-to-make-transfers-even-if-its-your-fault/)

Update: In a separate interview, another fraudster said it is difficult to carry out this fraud on a SIM that is PIN locked. Hope this gives you a sigh of relief.

 

