There are moments when your professional background quietly changes the way you see everyday life.
Working as a Systems Librarian and studying Information Science has changed the way I interact with technology. I rarely use a digital service without noticing how it handles information, protects user privacy, or guides people through everyday tasks. Over time, I’ve realized that the biggest security lessons don’t always come from data breaches or sophisticated cyberattacks. More often than not, they come from the ordinary moments we barely think about.
That is exactly what happened during a routine M-Pesa transaction.
Like millions of Kenyans, I received an STK Push, picked up my phone, and entered my PIN. The payment went through in seconds, but one detail caught my attention once again. Every number I typed remained visible on the screen.
It made me stop and think.
Almost every digital platform we use today hides sensitive information the moment we begin typing it. Banking applications replace PINs with dots. Websites mask passwords. ATMs shield our credentials from view. These design choices have become so common that we hardly notice them anymore.
Yet one of the country’s most trusted payment systems still displays a user’s PIN in plain sight during entry.
The Little Things Matter
At first glance, this may seem like a minor issue. After all, the transaction lasts only a few seconds. However, security professionals often remind us that small vulnerabilities create opportunities for much bigger problems. The less sensitive information we expose, the safer users become.
Consider a situation that many of us experience every week.
You’re standing in a supermarket queue. A waiter has just brought the bill. You’re paying for fuel or sending money while boarding a matatu. People naturally stand close to one another, and phones are often held at chest level where screens remain visible.
Now imagine entering your M-Pesa PIN in that environment.
Security Is Also About Human Behaviour
Nobody needs advanced hacking skills to capture those four digits. A quick glance from the wrong person is sometimes enough. Cybersecurity refers to this as shoulder surfing, one of the oldest and simplest forms of information theft. It doesn’t involve malware, phishing, or sophisticated software. Instead, it relies entirely on observation.
Good security design anticipates situations like these before they become problems.
One principle I learned through Information Science is that information deserves protection throughout its entire lifecycle. Security doesn’t begin when data reaches a server, nor does it end after encryption. It starts the moment information is created or entered into a system.
That philosophy explains why so many digital platforms mask passwords, PINs, and authentication codes as users type them. They reduce unnecessary exposure without asking users to change their behaviour. Instead of relying on people to remain constantly vigilant, the system quietly protects them.
The best technology works that way.
The Principle of Least Exposure
Rather than expecting users to avoid crowded spaces or shield their screens perfectly every time they make a payment, well-designed systems compensate for normal human behaviour. They acknowledge that people become distracted, multitask, or simply forget that someone else may be looking.
This approach is known as secure-by-design. Instead of adding security after problems emerge, developers build protection directly into the user experience.
Libraries operate on a remarkably similar principle.
“It’s Only Four Digits”
Although libraries exist to share knowledge, they also protect information that should remain private. Borrowing records stay confidential. User accounts require authentication. Staff credentials remain hidden from public view. We carefully balance access with privacy because not every piece of information belongs in the open.
Digital financial services face the same responsibility.
Some people might argue that an M-Pesa PIN contains only four digits, making the risk relatively small. Viewed in isolation, that argument seems reasonable. Security, however, rarely depends on a single factor. Criminals often combine several pieces of information before exploiting them. A visible PIN, together with a stolen phone, a successful SIM swap, or social engineering, can significantly increase the chances of fraud.
Strong security comes from layers, not from individual controls.
User Experience Should Never Compromise Privacy
Fortunately, solving this issue wouldn’t require a major redesign. A familiar approach already exists across countless digital platforms. The interface could briefly display the most recent digit before masking it, while replacing previous digits with dots or asterisks. Users would immediately recognize the pattern because it already exists in banking apps, websites, and countless authentication systems.
Small improvements like this rarely attract headlines.
Nevertheless, they quietly reduce risk for millions of people every single day.
Kenya has earned global recognition for transforming financial services through mobile money. M-Pesa remains one of the country’s greatest technological achievements, making financial inclusion possible for millions of individuals and businesses. That success, however, should encourage continuous improvement rather than complacency.
The strongest technologies never stop evolving.
Why This Conversation Matters
Every software update, interface adjustment, and security enhancement reflects an ongoing commitment to protecting users. Privacy isn’t something we solve once and forget. It requires constant attention as technology, threats, and user behaviour continue to change.
This is why I believe masking M-Pesa PINs deserves serious consideration.
A Thought Worth Considering
The suggestion isn’t about criticizing a service that has changed lives. Instead, it recognizes that even outstanding systems can become better. Sometimes meaningful innovation doesn’t involve artificial intelligence, blockchain, or complex cybersecurity frameworks. Sometimes it begins with a simple design decision that protects people without them even noticing.
Replacing four visible numbers with four dots may seem insignificant.
Yet those four dots could represent one more step toward making one of Kenya’s most successful innovations even safer for everyone.
Have you ever noticed that your M-Pesa PIN remains visible while you type it? Do you think masking it would improve user privacy, or is the current design sufficient? I’d love to hear your perspective.