So John K., you start by saying "Based on your investigations", then you end up talking about allegations! "Allegedly grab a chunk..."

Let me say this:

1. The fact that a system has been compromised by users doesn't make the developer (JamboPay) or the owner (Kidero) culpable. All systems are vulnerable. The issue here could probably be a privileged user with legitimate access, for all we know.

2. There are lots of factors that inform any entity's choice of a solution. The fact that Equity or KCB offered solutions earlier and were not picked does not qualify as a reason to castigate another solution. Equity, if I recall, had a huge misunderstanding with Narok County over the collection of Maasai Mara revenues.

3. That image on user reviews... come on! Everyone has an opinion that is biased by their particular environment. Even the iPhone 6, which has sold like crazy worldwide, has bad reviews on GSMArena. There are a million variables why someone gives a bad review.

I am yet to fully understand JamboPay, but am guessing there's a gap it bridges between City Hall, M-Pesa and cars parked.


Sincerely,
Jared Oyier


On 29 July 2015 at 16:41, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
The main benefit of exploiting it would be to get a user's PIN; this would only work if you know who you are targeting. There is another vulnerability that can work, but I'd rather not mention it here; you never know who might decide they can try it out.

My 2c.

<begin_rant>

Based on my own investigations, JamboPay is the evil love child of Kidero and Kiamba. Apparently they used to allegedly grab a chunk of parking receipt books every evening, burn them and keep the money. Then they realised they may as well be the ones to provide the IT system and so do with it whatever they want. They looked for someone who would agree to their terms for months, and it seems they finally found someone who agreed, and so the devil child was born.

Doesn't anybody find it strange that JamboPay came in so quickly? Equity Bank and KCB (not to mention plenty of others) have approached NCC for years with a parking payment solution. Equity even offered to buy the devices and throw in a 5b loan to sweeten the deal, but still nothing. Then in a couple of months a company comes in and is now the SOLE company that can process parking payments. Like Wtf?

How can a system that we technical folk here have shown to have serious security flaws, and that has user issues as shown below, still be the SOLE system trusted with the millions of shillings made from parking in Nairobi?

[Inline image 1: user reviews screenshot, not reproduced]
I'll end by asking why we even need another mobile wallet. Between M-Pesa, Airtel Money, Orange Money and now Equitel we have enough. And if JamboPay must stay, why can't other companies be allowed to process county payments? For now you're screwed if the JamboPay system has issues. Shouldn't you be able to switch to M-Pesa PayBill, Visa or any other provider if need be? It seems all we've done is convert the easily stolen parking receipt books to ones & zeros, and given someone the "Delete" key.

I feel so ashamed for this country when stuff like this happens. 

</end_rant>


Regards,
John K.

On 29 July 2015 at 13:41, Isaac Kiplagat <isaac.kiplagat@gmail.com> wrote:
John K...

Can we exploit the vulnerability to raise the missing millions collected from parking from 272M to 500M in the FY and ensure that Kidero is out of office in the next election :). I mean, maybe this was the cause of the missing millions that could be accounted for from parking fees - Auditor's report (Political).
Or
Should we see Dan, MD JamboPay, and perform a comprehensive test of the system for a small pay (Economic)
 
Or
Go to media and get cheap publicity and flatten our broke ***es (Social).


This is the definition of Political and Socio-economic development in Kenya.

Regards.
Ik



On 29 July 2015 at 13:00, 0xexplorer via skunkworks <skunkworks@lists.my.co.ke> wrote:
Out of curiosity, have you alerted the service provider, i.e. City Hall?

Based on your experience, I suspect this is a case of collusion with the back office guys.

-------- Original Message --------
Subject: Re: [Skunkworks] NCC Mobile County App Security
Time (GMT): Jul 29 2015 09:10:23

I'll just leave this one here

I work in the CBD and often use the street 'kanjo' parking. I like convenience, hence I normally pay seasonal parking when my pocket allows, either the one month or three months. So this 'respectable' Kanjo lady approaches me yesterday while I am leaving the parking slot and says she notices my seasonal parking is expiring today, 29th July.

I say 'yes' and she asks whether I mind promoting her. How, I ask? She offers to renew my seasonal parking, then I pay her in cash or M-Pesa. I agree, but on one condition: that I get the confirmation message from JamboPay and that when I dial *217# I will get a valid response. We agree to meet today at 7:00am at my usual parking spot. She calls me today at 6:50am asking if she should proceed to pay; I say yes, I am on my way to town. I arrive 30 minutes later but still no JamboPay message. However, she calls me and tells me that her 'person' has gone to City Hall to pay (FIRST ALARM BELL!!!).



_______________________________________________
skunkworks mailing list
skunkworks@lists.my.co.ke
------------
List info, subscribe/unsubscribe
http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
------------

Skunkworks Rules
http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
------------
Other services @ http://my.co.ke



--
Isaac Kiplagat. KIP®



