How I lost my Kenyan Digital Identity
Ever since the mobile phone took off in Kenya, much of Kenya’s digital and offline services have been built on the mobile phone number. Think of all the buildings that insist visitors ought to provide full name, national ID number, and mobile phone details. Every time you and I load money at an Mpesa or mobile money agent, we are expected to share our national ID no., mobile phone number and signature with a complete stranger. Most of us, while we know how important this personal info is, begrudgingly share it out, because we are left with no option since we need to access the facility.
Identity fraud/theft is a crime where one person uses another person’s personal data, without authorization, to deceive or defraud someone else to their advantage. Not much thought has been put into our privacy in Kenya, which is why digital identity theft could happen to any one of us. In Kenya, privacy has been bolted on as an afterthought, instead of designed into the system from the start. How safe is our digital identity?
Not so safe, as I learnt last week.
After a night out, a couple of drinks and a healthy buzz, on Friday I boarded a Matatu to Nairobi’s CBD in the early morning, at 1 am. I got off on Latema road and found out I had had my pocket picked. My national ID, mobile phone and all the cash I had were gone.
Later that day, I woke up to a surprise. I was the victim of identity theft, and here is how it happened.
My digital identity thieves visited http://ecitizen.go.ke with my mobile phone and national ID number.
Pretending to be me, on the site, they selected forgot password
Since they already had my ID number, they chose to use it for resetting my password instead of my email address
They then proceeded to request a password reset to text a code to my mobile phone number (which they possessed)
Not knowing what had happened, the Kenyan government and Safaricom servers sent a text with a password reset code to my phone (which they had)
Here is a screenshot of the unique reset code they had access to
The identity thieves went on to use the code to reset my password and login to my eCitizen government portal
Enter new password, Confirm new password and Bam! Successful password reset by digital identity thieves. Then they proceeded to log in
Since they had my national ID number (a number we frequently share with all and sundry), they had everything they needed to take over my digital identity
All my personal details were now on full display with the authority and permission to change my personal details
Here is a glimpse of all the information and permissions they had access to
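The recovery flow walked through above accepted a widely shared ID number plus a code sent to the stolen phone. The following sketch is an added example, not part of the original post and not eCitizen's code; every name, the two-proof rule and the 24-hour hold are assumptions. It contrasts that flow with one that demands independent proofs and holds profile edits after a recovery.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# All names and thresholds are assumptions for illustration only.
PROFILE_EDIT_HOLD = timedelta(hours=24)  # assumed cool-off after a recovery


@dataclass(frozen=True)
class ResetRequest:
    national_id_ok: bool         # ID number matched an account
    sms_code_ok: bool            # code texted to the registered phone was entered
    email_link_ok: bool = False  # link sent to the registered e-mail was opened
    known_device: bool = False   # previously seen device other than that phone


def weak_reset(req: ResetRequest) -> str:
    """Flow described in the post: ID number plus SMS code is enough."""
    return "allow" if req.national_id_ok and req.sms_code_ok else "deny"


def hardened_reset(req: ResetRequest) -> str:
    """Count independent proofs; the ID number identifies, it proves nothing."""
    if not req.national_id_ok:
        return "deny"
    proofs = sum([req.sms_code_ok, req.email_link_ok, req.known_device])
    if proofs >= 2:
        return "allow"
    if proofs == 1:
        return "hold_and_notify"  # delay the reset and alert the other channels
    return "deny"


def can_edit_profile(recovered_at: Optional[datetime], now: datetime) -> bool:
    """Block changes to personal details for a while after any recovery."""
    return recovered_at is None or now - recovered_at >= PROFILE_EDIT_HOLD


# Constructed scenario: stolen phone and ID card, nothing else.
STOLEN_WALLET = ResetRequest(national_id_ok=True, sms_code_ok=True)
# Constructed scenario: owner with the phone, resetting from their usual laptop.
OWNER = ResetRequest(national_id_ok=True, sms_code_ok=True, known_device=True)

if __name__ == "__main__":
    for name, req in (("stolen wallet", STOLEN_WALLET), ("owner", OWNER)):
        print(f"{name}: weak={weak_reset(req)} hardened={hardened_reset(req)}")
```

With only the phone and the ID number, the hardened policy holds the reset and notifies the account's other channels instead of completing it.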
It is unfortunate that in Kenya, our digital identity systems are poorly constructed and not well thought out. Often, they will share a default data set, even when not necessary for the service being accessed. I am afraid the rush to digital inclusion and mass registration has placed at risk our rights to privacy. How safe is our digital identity?