Kenya’s IPO revealed Internet Security flaw

Investors using the online application process for the Safaricom IPO were probably not aware that a security flaw meant that their confidential details and amount invested could be read through a comparatively simple hack.

At the centre of the security flaw was kenyaipos, the website that was built to facilitate online share applications for Safaricom's initial public offering. It was a first for Kenya and the region. Initially, many investors found it gratifying that they could escape the pain of queuing for hours at the brokers' offices to apply for shares.

For these Internet-savvy investors who went online to apply for their shares, all they needed to do was enter their CDS account and national identity card numbers to access the website.

However, the site had a security problem. By simply manipulating the CDS numbers, one could view crucial details about fellow investors, making privacy a major drawback for the system. Curious Internet users had access to the number of shares applied for, physical addresses, and contacts of applicants they did not know.

The danger of such a flaw is that it erodes confidence in the information and ultimately acts as a deterrent to potential users. Besides, there is the danger of such critical information landing in the wrong hands and causing real financial loss to investors.

"The developers should have considered additional information such as date of birth, three names as opposed to the two required numbers to gain access to the site," said Muchuki Mwangi, an education manager at the Internet Society. Mwangi believes that this breach of privacy could be the subject of a lawsuit.

Business Daily
