I've never heard of a technical exploit compromising the M-Pesa infrastructure. Social engineering cons are on the rise, though (like sending a dummy text telling you that someone sent you money, then calling and requesting that you send it back to correct the error. If you fall for it, and have money in your account, you send them your money). Those are much harder to police, though a proposed requirement that all phone numbers sold be registered to an individual with ID may reduce these in the future. Short of sharing your PIN, it's hard to think of a way to reach into one's account and steal money.
When you send money to another individual, what kind of check is there that you've sent the money to the right address? I read there's a confirmation step, but in the event you accidentally sent the money to a random person, that person could confirm too. Maybe a CRC on the phone number?
You receive a text notification of the transaction when it goes through, which has the recipient's full names. In case the names are different from what you expected, you can call a customer care number and have the transaction reversed (as long as they haven't withdrawn the money yet). Interestingly, this facility leads to another type of confidence con: a stranger walks up to you and tells you that they need cash but cannot get an agent nearby. You have them send money to your phone and you give them your cash. After they walk away, they call the operator and claim they sent the money to a wrong number, and the transaction is reversed.