Gaining access to someone’s online banking account usually requires a targeted attack and a good deal of patience on the hacker’s part.
Adrian Vermooten, head of digital channels and payments at Absa Retail, explained that a cybercriminal usually gets a user’s account number, PIN, and password through a phishing attack before moving on to getting access to their cellphone number.
However, even these initial phishing attacks have become increasingly sophisticated, Vermooten said.
While the typical scam e-mails that purport to be from the bank asking for your login credentials are still doing the rounds, Vermooten said that recently many people have been falling for an e-mail claiming to be from the South African Revenue Service (SARS).
The typical structure of this phishing scam is an e-mail claiming that SARS wants to pay out thousands of Rands to you after evaluating your tax return.
You are told to click through to what appears to be the SARS website, where a very official-looking page prompts you for your online banking details.
“Hacking” the cell networks
With your online banking credentials in hand, the hackers need to defeat the second authentication factor, which for most SA banks is a one-time code sent by SMS.
If they didn’t already get your cellphone number, Vermooten explained that scammers try to track down where you work, which could often be as easy as searching for you on Google.
They then phone your workplace and try to social engineer your cellphone number out of whomever they speak to.
After they get their hands on your number, the hackers find a way to hijack your number for a short while to intercept the random verification number sent out by the bank.
Vermooten explained that while it is possible that the scammers get insiders at the networks to do this for them, it is also entirely possible that the employees of cellphone operators become victims of the hackers themselves.
Without an insider at the mobile network, Vermooten explained, cybercriminals use other methods to try and hijack your number.
One such trick is using the video camera on a smartphone to record the passwords employees type into the web-based admin software they use at many mobile networks.
This is obviously not done overtly, Vermooten explained, with the hackers engaging employees in conversation while placing their phone down on the counter before asking for something that requires them to log in.
Getting the money out
The next part of the attack is to transfer the money into an account that can’t be traced back to the fraudsters.
One way the scammers get their hands on such an account without having to get around FICA (the Financial Intelligence Centre Act, which obliges banks to verify the identity of account holders), Vermooten said, is also through social engineering.
They would tell a fellow traveller in a taxi a sob story about how they’ve just got a job for the first time in months but that their employer insisted on paying their salary to a bank account, which they don’t have.
Offering the target account holder a nominal fee of R100 or so for their help, the scammer now has a completely legal bank account to transfer the money to, Vermooten explained.
Moving away from SMS
Scammers can take six months to get the necessary information together before executing the attack on your bank account, Vermooten said.
“Remember, this is their full-time job,” Vermooten explained when asked what could be done to curb this kind of scamming.
If the banks or cellular operators tighten security constraints in one place, the fraudsters will simply target something else, or switch banks.
Despite this inevitability, Vermooten said that they are in discussion with the mobile networks, and are looking at ways to move away from SMS as the second factor of their authentication mechanism.
Business customers at some of South Africa’s banks have been using USB security dongles for some time. Capitec has also issued consumer banking customers with stand-alone random number generators, or given them the option of a security app that is linked to their smartphone.
The bottom-line for users at this stage is the same message the banks have been putting out for years, with renewed emphasis:
- Keep your account number and/or username, PIN and/or password secret;
- Do not, under any circumstances (even if it looks like a message from SARS), click a link in an e-mail, SMS, or any other electronic communication and fill in your complete online banking details if it asks you to.