
Inside multi-million Kenya Power token theft involving brokers, senior and junior employees – The Informer


An intricate web of fraud comprising senior managers, their juniors and strategically recruited brokers covering every region of the country is behind the power token theft at the loss-making power utility firm, Kenya Power, The Informer can now reveal.

Our investigations have established the existence of system manipulation of both postpaid power bills and prepaid power tokens through collusion between rogue KPLC employees, brokers and willing customers who want their bills irregularly reduced.

The multi-million-shilling scheme involves KPLC IT and Finance employees granting unauthorized access and assigning special roles to non-staffers and brokers, and issuing rogue non-staff members with Virtual Private Network (VPN) access to enter the KPLC domain and manipulate bills.

This blatant theft has gone unabated because there is no validator module to check prepaid power token purchase transactions, and that remains the case to date.

“A prepaid transaction requires a customer to provide a meter number, telephone number and the correct amount of money. This information is generated from the Safaricom network to the KPLC server with an M-Pesa reference number. The KPLC server generates tokens which are transmitted to the customer's number; this is billed in pay bill number 888880 with Safaricom. A program developed in-house by KPLC known as RADIS was to translate Safaricom data into a language the KPLC system could understand and to handle dropped transactions. The programmers in KPLC were supposed to develop a validator module to regulate these transactions but this was never done,” a report by the DCI shows.

A forensic audit undertaken by two specialised units domiciled at the Directorate of Criminal Investigations, the Cyber Security Unit and the Criminal Intelligence Unit, examined the firm's “operating systems in use, the system performance, reliability, strength, weakness, as well as incidental and prolonged compromises,” an investigation report reads in part.

The probe found that the failure to develop a validator was by design, as it provided a loophole exploited by rogue system administrators led by the then program developer Samson Kimani, who worked under former IT manager Titus Kitavi.

This has not been corrected to date.

The lack of a validator to flag irregular transactions lets rogue Kenya Power employees generate illegal tokens for sale alongside a genuine transaction.

“A customer making a genuine request for a token would have a reference number, i.e. RFXYZ. In the event of a failure in the transaction due to various reasons, the KPLC Prepaid team, after verification from the Safaricom portal, would generate the said tokens manually through the Graphical User Interface (GUI). Rogue individuals altered genuine M-Pesa reference numbers by replacing the last digit, consequently generating irregular tokens and selling the same to unsuspecting customers. KPLC transactions on Safaricom pay bill no. 888880 do not tally with the tokens submitted from the Itron Eclipse based on the audit report,” the report shows.
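The two report passages above describe a flow with no reconciliation: RADIS vends a token for each M-Pesa receipt, the prepaid team re-vends manually when a transaction drops, and nothing checks that the reference typed into the GUI matches a real payment. The following is an added example, not KPLC's, Indra's or the DCI's code, of what a validator sitting between the paybill feed and the vending system would check: each token must be backed by exactly one receipt with the same reference, meter and amount, a reference with no receipt is tested for the last-character alteration the report describes, and the paybill total is compared with the vended total. The record layout, the ten-character "RF..." reference format and every sample record are constructed for illustration.

```python
"""Reconcile M-Pesa paybill receipts against the prepaid tokens vended.

Added example, not KPLC's, Indra's or the DCI's code. All field names, the
reference format and the sample records below are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Receipt:
    """One payment received on the Safaricom paybill (assumed fields)."""
    ref: str      # M-Pesa reference number
    meter: str
    amount: int   # KES


@dataclass(frozen=True)
class Token:
    """One token the prepaid system vended (assumed fields)."""
    ref: str      # the M-Pesa reference the token was issued against
    meter: str
    amount: int   # KES
    channel: str  # "auto" (RADIS) or "manual" (GUI)


def last_char_variants(ref, genuine_refs):
    """Genuine references that differ from ref only in the final character,
    the alteration the DCI report describes."""
    return sorted(g for g in genuine_refs
                  if g != ref and len(g) == len(ref) and g[:-1] == ref[:-1])


def validate(receipts, tokens):
    """Return (alerts, summary).

    alerts  : list of (reference, reason) for every token a validator should
              have refused or held for review.
    summary : KES paid on the paybill, KES vended as tokens, and the gap.
    """
    by_ref = {r.ref: r for r in receipts}
    uses = Counter(t.ref for t in tokens)
    alerts = []

    # One receipt backs at most one token: a second vend on a reference that
    # already produced a token is a duplicate, however it was triggered.
    for ref, n in uses.items():
        if n > 1 and ref in by_ref:
            alerts.append((ref, f"reference used for {n} tokens"))

    for t in tokens:
        r = by_ref.get(t.ref)
        if r is None:
            near = last_char_variants(t.ref, by_ref)
            if near:
                alerts.append((t.ref, "no receipt; last character differs from genuine " + ", ".join(near)))
            else:
                alerts.append((t.ref, "no receipt for reference"))
            continue
        if r.meter != t.meter:
            alerts.append((t.ref, f"meter mismatch: paid for {r.meter}, vended to {t.meter}"))
        if r.amount != t.amount:
            alerts.append((t.ref, f"amount mismatch: paid {r.amount}, vended {t.amount}"))

    paid = sum(r.amount for r in receipts)
    vended = sum(t.amount for t in tokens)
    return alerts, {"paid": paid, "vended": vended, "unbacked": vended - paid}


# Constructed sample data: three genuine payments, six vending events.
SAMPLE_RECEIPTS = [
    Receipt("RFA3K9Q2X1", "54321000", 1000),
    Receipt("RFB7M2P4Z8", "67890000", 500),
    Receipt("RFC1D5T6W3", "11111000", 2000),
]
SAMPLE_TOKENS = [
    Token("RFA3K9Q2X1", "54321000", 1000, "auto"),    # genuine
    Token("RFB7M2P4Z8", "67890000", 500, "manual"),   # genuine retry after a dropped transaction
    Token("RFC1D5T6W3", "11111000", 2000, "auto"),    # genuine
    Token("RFC1D5T6W3", "11111000", 2000, "manual"),  # same receipt vended twice
    Token("RFA3K9Q2X7", "99999000", 3000, "manual"),  # genuine reference with its last character altered
    Token("RFZ9Z9Z9Z9", "12345000", 700, "manual"),   # reference that never reached the paybill
]

if __name__ == "__main__":
    found, totals = validate(SAMPLE_RECEIPTS, SAMPLE_TOKENS)
    for ref, why in found:
        print(f"ALERT {ref}: {why}")
    print(totals)
```

On the constructed data the check raises three alerts (the double vend, the altered reference and the reference with no payment behind it) and reports 5,700 shillings of tokens with no money on the paybill. The same arithmetic, run daily over the real paybill statement and the Itron vending log, is the tally the audit found did not balance.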

Recently, the utility firm attributed a token purchase hitch to a technical problem and a high number of transactions.

“We have managed to address the IT hitch affecting the system that occurred yesterday but vending of tokens remains slow due to a high number of customer transactions,” a statement to newsrooms read in part.

The probe established that KPLC installed the postpaid Integrated Customer Service (ICS) system in 1997 after contracting Indra Limited, a subsidiary of the Spain-based Indra Sistemas, to develop and install it.

The system operated until early 2017, when KPLC again contracted Indra Ltd to upgrade it to the more viable Integrated Customer Management Service (InCMS).

Specifically, the contract award covered both the upgrade and maintenance of the new system up to May 2018.

Curiously, the contract has never been renewed, which has further widened the loopholes for the internally driven fraud.

Due to the rising number of connected customers, an upgrade from ICS to InCMS for better customer management became inevitable; applications such as One Time Charge (OTC), cash receipting and complementary rebilling were retained in the new system.

The report further shows that the subsidiary firm, Indra Ltd, maintained an OTC module within InCMS for the purpose of reconciliation; for example, “a customer whose account was due with Kshs 10,000 would have Kshs 10,000 debited in their account, thus a balance carried forward of negative 10,000, and vice versa. This application was known as One Time Charge (OTC),” it adds in part.

“These necessary applications were unfortunately abused through collusion between rogue KPLC employees, brokers as well as willing customers who wanted their bills irregularly reduced. The architecture of the fraud involved KPLC IT employees granting unauthorized access and assigning special roles to non-KPLC staff/brokers, and giving rogue non-staff members Virtual Private Network (VPN) access to enter the KPLC domain and manipulate bills,” the report findings show.
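The finding just quoted is an identity problem rather than a software defect: accounts that belonged to no employee held the OTC adjustment role and a VPN login, and the administrators who granted them were themselves staff. The control for that is a periodic access review that joins three records the organisation already holds. The following is an added illustration of such a review, not KPLC's or Indra's code; every role name, user id and record is constructed, and the real InCMS role names are not known here.

```python
"""Access review for a billing system, as an added illustration.

Not KPLC's or Indra's code. Role names, user ids and records are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Roles that can change what a customer owes or what tokens are vended
# (assumed names, chosen to mirror the OTC and manual-vend functions).
PRIVILEGED_ROLES = {"OTC_ADJUST", "PREPAID_MANUAL_VEND", "ROLE_ADMIN"}


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    active: bool      # False once HR has recorded the person as having left


@dataclass(frozen=True)
class RoleGrant:
    user_id: str
    role: str
    granted_by: str   # the administrator account that made the assignment


def review_access(roster, grants, vpn_users):
    """Return (findings, grantors).

    findings : list of (user_id, reason) for accounts holding what they
               should not hold.
    grantors : how many privileged grants to non-staff each administrator
               made, the starting point for asking who opened the door.
    """
    staff = {e.user_id: e for e in roster}
    findings, grantors = [], Counter()
    for g in grants:
        e = staff.get(g.user_id)
        if e is None:
            findings.append((g.user_id, f"role {g.role} held by non-staff account, granted by {g.granted_by}"))
            if g.role in PRIVILEGED_ROLES:
                grantors[g.granted_by] += 1
        elif not e.active:
            findings.append((g.user_id, f"role {g.role} still held by former employee"))
    for u in vpn_users:
        e = staff.get(u)
        if e is None:
            findings.append((u, "VPN account with no HR record"))
        elif not e.active:
            findings.append((u, "VPN account still active for former employee"))
    return findings, dict(grantors)


# Constructed sample data.
SAMPLE_ROSTER = [
    Employee("E100", "IT", True),
    Employee("E200", "Finance", True),
    Employee("E300", "Prepaid", False),                # has left the company
]
SAMPLE_GRANTS = [
    RoleGrant("E100", "ROLE_ADMIN", "E100"),
    RoleGrant("E200", "BILLING_VIEW", "E100"),
    RoleGrant("E300", "OTC_ADJUST", "E100"),           # never revoked on exit
    RoleGrant("X7731", "OTC_ADJUST", "E100"),          # no such employee
    RoleGrant("X7731", "PREPAID_MANUAL_VEND", "E100"),
    RoleGrant("B042", "BILLING_VIEW", "E200"),         # non-staff, read-only role
]
SAMPLE_VPN_USERS = ["E100", "E200", "E300", "X7731"]

if __name__ == "__main__":
    found, who = review_access(SAMPLE_ROSTER, SAMPLE_GRANTS, SAMPLE_VPN_USERS)
    for uid, why in found:
        print(f"FINDING {uid}: {why}")
    print("privileged grants to non-staff, by administrator:", who)
```

Run against the constructed records the review produces six findings and attributes both privileged grants to outsiders to the administrator E100. Two details matter in practice: the roster must come from HR, not from the application's own user table, or a broker created inside the application looks like staff; and the `granted_by` column has to be kept in the application's audit trail, since without it the review can spot the rogue account but not the employee who created it.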
