
Payments via electronic/mobile channels should be guided by ISO standards.
On Aug 4, 2015 4:59 PM, "George Irungu via skunkworks" <skunkworks@lists.my.co.ke> wrote:
Unfortunately, thinking on the part of the attendants is frowned upon. I support the no-hard-cash directive, but only if, when there is a problem with the system, cars are allowed to park for free.
A much simpler solution would be to allow more payment platforms (M-Pesa, Airtel Money) to reduce the chances of downtime.
*From:* Jared Oyier via skunkworks [mailto:skunkworks@lists.my.co.ke]
*Sent:* Tuesday, August 4, 2015 4:24 PM
*To:* John K.; Jangita; Skunkworks Mailing List
*Subject:* Re: [Skunkworks] NCC Mobile County App Security
Maybe it’s coz you are so much against the system.. :)
City Hall was losing a lot more money by accepting "cold hard cash".
From a policy implementation or a system implementation point of view, if you allow such exceptions then within no time there will be no one using the system or following the policy, however good the solution could be.
-- Jared Oyier Sent with Airmail
On August 4, 2015 at 3:57:20 PM, John K. via skunkworks (skunkworks@lists.my.co.ke) wrote:
Well. The parse error just cost me 2,300. Had a meeting in town, luckily got a parking spot, tried to pay for parking to no avail for almost 10 minutes; the NCC app either crashes or shows the message "Parse Error" (whatever the f*** that means). I give up. I look around for the yellow-jacket guys; damn, nobody around, so I find a watchman nearby, and he agrees to pay the 300 for me when the council guys show up.
I get back 1.5hrs later, only to find my car clamped. WTF? The watchman is there, gives me back my 300 and says they don't accept cash anymore. City council lady nearby even comes and confirms yes we don't accept cash anymore. What the fuck? This is the height of stupidity, I have cold hard cash in my hands, are you in the business of receiving e-transactions or cash? I was so mad things almost got out of hand. I showed her the app with its stupid error, nothing, says I pay the fine or they tow, insists the system is up and it's my fault for not trying harder.
I have money, but no, it's still not money according to them; did Kenya change its laws so that real paper currency has no value any more?
Hope they get sued this is f** bullshit.
Regards,
John K.
On 2 August 2015 at 11:02, Jangita via skunkworks <skunkworks@lists.my.co.ke> wrote:
quite obvious... our Kenya
On 1 August 2015 at 21:30, Joseph Koech <josephkoech.dev@gmail.com> wrote:
I wonder how come tried and tested payment platforms like PesaPal and Lipisha were not used. Or is it a case of who knows whom.
On 1 Aug 2015 15:59, "Jangita via skunkworks" <skunkworks@lists.my.co.ke> wrote:
lol, I've always asked myself if, say, New York can fall back on traffic police when the electricity disappears!
On 1 August 2015 at 15:39, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
I wonder why they just don't fall back to cold hard cash when the system is down. What happens if it's down for a week?
Regards,
John K.
On 31 July 2015 at 17:45, Kennedy Kairu Kariuki <kkairu@gmail.com> wrote:
Someone mentioned the issue of depending on one system: "eJijiPay hitch hands motorists free parking"
http://www.businessdailyafrica.com/eJijiPay-hitch-hands-motorists-free-parki...
Kind Regards,
Kennedy KK
Mobile: +254-721-699119 / +254-20-5283207 Skype: k.kairu Gtalk: kkairu
On Wed, Jul 29, 2015 at 11:08 PM, John K. <kamau.john@gmail.com> wrote:
They did, but how did a financial app get to production without it in the first place? And... it had to be pointed out by the public for the fix to be issued.
On 29 Jul 2015 10:07 pm, "Kennedy Kairu Kariuki" <kkairu@gmail.com> wrote:
I thought they said they'd fixed the HTTPS issue on Twitter????
Kind Regards,
Kennedy KK
Mobile: +254-721-699119 / +254-20-5283207 Skype: k.kairu Gtalk: kkairu
On Wed, Jul 29, 2015 at 9:12 PM, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
What I wrote is based on what I have heard from 2 different, unrelated sources, and since I have no proof it makes it all an allegation; hope that makes it clear. Whether they came in via dubious methods or not, I have no proof and all I have is hearsay. That being said, the system is here and so it must be judged by industry standards when it comes to handling real-world money.
Regarding..
@1. The system was not compromised, it had no security at all. How can a system that will accept payments from hundreds of thousands of users not even have HTTPS, and, to make matters worse, use a hard-coded IP address? The system is going to be a mobile wallet; the first thing in mind should be security, nothing else. There should not even have been a version 1.0 without a basic audit by a team of security engineers. I find it impossible to trust a company handling money that could not figure this out on their own.
@2. I agree there are a lot of variables to consider and maybe they did win legitimately. However, there are already established firms that have gone through the hassle of figuring it out. Why do we need another mobile wallet? This part makes no sense to me. Here's a simple workflow of how to get your cash to that 2nd wallet.
*Bank > Mpesa/Orange/Airtel > JamboPay Wallet > City Council*
Why is that extra step required? All the other platforms work just as well, and they're tried and tested. If you are in tech you know that the solution with the fewest points of failure is the best. I find it hard to swallow that between Safcom, Equity, Orange, Airtel, PesaPal, KopoKopo, etc. nobody offered a competitive solution that would have worked without as many hitches.
@3. If one of the company's prime forms of payment gets 1-star reviews then this should raise flags everywhere. This is a sign that they have a big problem with either the developers, project managers, QA or management. I can only imagine what the back-end is like.
Let us not forget this is a company processing payments that can seriously impact your life. If you pay for parking and it doesn't reflect, then you find your car clamped while your kid sits in the cold rain waiting to be picked up, what will JP tell that parent? And that's just one scenario; I can think of plenty more. And to make matters worse, it seems the system has been forced on us; it's a take-it-or-leave-it scenario and it's clear all the possible implications have not been well thought out.
Finally, defending a sloppy solution is not the way forward. I prefer we tell the hard truth; ignoring it won't make it go away. They should be held up to the same (if not higher) standards that other systems are held up to. They either improve or we (the city) find another provider.
No HTTPS? I still shake my head at the day I saw my PIN in plain text. Amazing.
Regards,
John K.
On 29 July 2015 at 18:44, Jared Koyier <jaredkoyier@gmail.com> wrote:
So John K., you start by saying "Based on your investigations", then you end up talking about allegations! "Allegedly grab a chunk..."
Let me say this;
1. The fact that a system has been compromised by users doesn't make the developer (JamboPay) or the owner (Kidero) culpable. All systems are vulnerable. The issue here could probably be a privileged user with legitimate access, for all we know.
2. There are lots of factors that inform any entity's pick of a solution. The fact that Equity or KCB offered solutions earlier and were not picked does not qualify as a reason to castigate another solution. Equity, if I recall, had a huge misunderstanding with Narok county in the collection of Maasai Mara revenues.
3. That image of user reviews... come on! Everyone has an opinion that is biased by their particular environment. Even the iPhone 6, which has sold like crazy worldwide, has bad reviews on GSMArena. There are a million variables why someone gives a bad review.
I am yet to fully understand JamboPay, but I'm guessing there's a gap it bridges between City Hall, M-Pesa and the cars parked.
Sincerely, Jared Oyier
On 29 July 2015 at 16:41, John K. via skunkworks <skunkworks@lists.my.co.ke> wrote:
The main benefit of exploiting it would be to get a user's PIN; this would only work if you know who you are targeting. There is another vulnerability that can work, but I'd rather not mention it here; you never know who might decide they can try it out.
My 2c.
<begin_rant>
Based on my own investigations, JamboPay is the evil love child of Kidero and Kiamba. Apparently they used to allegedly grab a chunk of parking receipt books every evening, burn them and keep the money. Then they realised they may as well be the ones to provide the IT system and so do with it whatever they want. They looked for someone that would agree to their terms for months, and it seems they finally found someone who agreed, and so the devil child was born.
Doesn't anybody find it strange that the JamboPay came in so quickly? Equity Bank and KCB (not to mention plenty others) have approached NCC for years with a parking payment solution. Equity even offered to buy the devices and throw in a 5b loan to sweeten the deal, but still nothing. Then in a couple of months a company comes in and is now the SOLE company that can process parking payments. Like Wtf?
How can a system that we technical folk here have shown has serious security flaws, has user issues as shown below, still be the SOLE system trusted with the millions of shillings made from parking in Nairobi?
[image: Inline images 1]
I'll end by asking why do we even need another mobile wallet? Between Mpesa, Airtel Money, Orange Money and now Equitel we have enough. And if Jambopay must stay, why can't other companies be allowed to process county payments? For now you're screwed if the jambopay system has issues. Shouldn't you be able to switch to mpesa paybill, visa or any other provider if need be? It seems all we've done is converted the easily stolen parking receipt books to ones & zeros, and given someone the "Delete" key.
I feel so ashamed for this country when stuff like this happens.
</end_rant>
Regards,
John K.
On 29 July 2015 at 13:41, Isaac Kiplagat <isaac.kiplagat@gmail.com> wrote:
John K...
Can we exploit the vulnerability to raise the missing millions collected from parking from 272M to 500M in the FY and ensure that Kidero is out of office in the next election :). I mean, maybe this was the cause of the missing millions that could be accounted for from parking fees - Auditor's report (Political).
Or
Should we see Dan, MD JamboPay, and perform a comprehensive test of the system for a small payment (Economic)
Or
Go to media and get cheap publicity and flatten our broke ***es (Social).
This is the definition of *Political and Socio-economic development in Kenya*
Regards.
Ik
On 29 July 2015 at 13:00, 0xexplorer via skunkworks <skunkworks@lists.my.co.ke> wrote:
Out of curiosity, have you alerted the service provider, i.e. City Hall?
Based on your experience, I suspect this is a case of collusion with the back office guys.
-------- Original Message --------
Subject: Re: [Skunkworks] NCC Mobile County App Security
Time (GMT): Jul 29 2015 09:10:23
From: skunkworks@lists.my.co.ke
To: kamau.john@gmail.com, skunkworks@lists.my.co.ke
CC: lmwangi@gmail.com
I'll just leave this one here
I work in the CBD and often use the street 'kanjo' parking. I like convenience, hence I normally pay seasonal parking when my pocket allows, either the one-month or three-month option. So this 'respectable' Kanjo lady approaches me yesterday while I'm leaving the parking slot and says she notices my seasonal parking is expiring today, 29th July.
I say 'yes' and she asks whether I mind promoting her. How, I ask? She offers to renew my seasonal parking, then I pay her in cash or M-Pesa. I agree, but on one condition: that I get the confirmation message from JamboPay and that when I dial *217# I will get a valid response. We agree to meet today at 7:00am at my usual parking spot. She calls me today at 6:50am asking if she should proceed to pay; I say yes, I am on my way to town. I arrive 30 minutes later but still no JamboPay message. However, she calls me and tells me that her 'person' has gone to City Hall to pay (FIRST ALARM BELL!!!).
_______________________________________________ skunkworks mailing list skunkworks@lists.my.co.ke ------------ List info, subscribe/unsubscribe http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------
Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke
--
Isaac Kiplagat. KIP®