The main benefit of exploiting it would be to get a user's PIN; this would only work if you know who you are targeting. There is another vulnerability that can work, but I'd rather not mention it here; you never know who might decide they can try it out.
My 2c.
<begin_rant>
Based on my own investigations, JamboPay is the evil love child of Kidero and Kiamba. Apparently they used to allegedly grab a chunk of parking receipt books every evening, burn them and keep the money. Then they realised they may as well be the ones to provide the IT system and so do with it whatever they want. They looked for someone that would agree to their terms for months, and it seems they finally found someone who agreed, and so the devil child was born.
Doesn't anybody find it strange that JamboPay came in so quickly? Equity Bank and KCB (not to mention plenty of others) have approached NCC for years with a parking payment solution. Equity even offered to buy the devices and throw in a 5b loan to sweeten the deal, but still nothing. Then in a couple of months a company comes in and is now the SOLE company that can process parking payments. Like Wtf?
How can a system that we technical folk here have shown has serious security flaws, and that has user issues as shown below, still be the SOLE system trusted with the millions of shillings made from parking in Nairobi?
I'll end by asking why we even need another mobile wallet. Between Mpesa, Airtel Money, Orange Money and now Equitel we have enough. And if JamboPay must stay, why can't other companies be allowed to process county payments? For now you're screwed if the JamboPay system has issues. Shouldn't you be able to switch to the Mpesa paybill, Visa or any other provider if need be? It seems all we've done is convert the easily stolen parking receipt books to ones & zeros, and given someone the "Delete" key.
I feel so ashamed for this country when stuff like this happens.
</end_rant>