Big ABSA Internet banking security concerns

I think it should be possible that the cell phone providers give live updates of SIM swaps to banks which in turn should result in a freeze of all associated accounts. They are only unfrozen when the person makes a personal appearance at the bank with the appropriate documentation.

How difficult can it be to implement this?
^This - All cell providers should be forced to implement this - the Banks should require you to reverify in person with them.

how about if they send an sms to the number getting a sim swap? yes, if the sim is broken or lost or not working for some reason it would be a pointless sms. but for those illegal simswaps, it would prevent quite a few. you get an sms saying a sim swap has been done and if it's not you who authorised it, then phone [service provider's] number to block or cancel.

easy as pi.
^ This is also a good idea - delay the sim swap going through by 1 hour after sending sms to original sim card, and if the original sim card holder replies by sms, cancel the sim swap.

Um, the phone is not working, so you won't be getting the sms...
As above, delay the sim swap.
 
It is time for the SA consumer to stand up.
MTN already lost 470000 customers in the last quarter (me included).
It would be interesting to see whether ABSA too is going to take a beating.

I laughed my head off... Please rather supply a like button on an activist post.
 
The problem is that the MSISDN does not change.. so from the bank's perspective nothing has changed (they don't know the sim or imei of the person they are smsing). So only way is for an automated unsubscribing of bank SMSes when a SIM swap occurs (heck do it for IMEI/device too until verified at the bank). <-- problem with all these solutions is this.. it is systems within the operator interacting with banking systems and albeit just to disable, where SIM swops are already happening without consent, putting up another system might not solve the problem (will just be bypassed) because at the end of the day MTN's subs are not secure based on the illegal swops
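
The idea in the post above (and the first post's suggestion of live SIM-swap updates to banks), sketched from the bank's side as an added example that is not part of the thread or of any bank's or operator's system: because the bank only sees an unchanged MSISDN, it stops relying on SMS OTPs for a number once the operator reports a swap, until an in-branch re-verification dated after that swap. The operator event feed, the class, method and action names, and the sample values are all hypothetical.

```python
from datetime import datetime, timedelta, timezone

OTP_ACTIONS = {"payment", "add_beneficiary", "raise_limit"}

class SmsOtpGate:
    """Hypothetical bank-side gate, keyed by MSISDN (which a SIM swap leaves unchanged)."""

    def __init__(self):
        self.swap_seen = {}  # msisdn -> newest swap time reported by the operator
        self.verified = {}   # msisdn -> newest in-branch re-verification time
        self.audit = []      # (time, msisdn, event, actor) kept for traceability

    def on_operator_swap_event(self, msisdn, swapped_at, dealer_id):
        # Events can arrive late or out of order: keep only the newest swap time.
        self.swap_seen[msisdn] = max(swapped_at, self.swap_seen.get(msisdn, swapped_at))
        self.audit.append((swapped_at, msisdn, "sim_swap", dealer_id))

    def on_branch_reverification(self, msisdn, verified_at, officer_id):
        self.verified[msisdn] = max(verified_at, self.verified.get(msisdn, verified_at))
        self.audit.append((verified_at, msisdn, "reverified", officer_id))

    def sms_otp_allowed(self, msisdn):
        swap = self.swap_seen.get(msisdn)
        if swap is None:
            return True  # no swap reported for this number
        verified = self.verified.get(msisdn)
        # Frozen until a re-verification dated after the newest swap.
        return verified is not None and verified > swap

    def authorise(self, msisdn, action):
        """Refuse OTP-dependent actions while the number is frozen."""
        if action not in OTP_ACTIONS:
            return "allowed"
        if not self.sms_otp_allowed(msisdn):
            return "refused: SIM swap awaiting in-branch verification"
        return "send_otp"

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed sample time
    gate, msisdn = SmsOtpGate(), "27000000000"            # constructed placeholder number
    out = [gate.authorise(msisdn, "payment")]
    gate.on_operator_swap_event(msisdn, t0 + timedelta(hours=2), "dealer-17")
    out.append(gate.authorise(msisdn, "raise_limit"))
    # A re-verification dated before the swap must not lift the freeze.
    gate.on_branch_reverification(msisdn, t0 + timedelta(hours=1), "officer-4")
    out.append(gate.authorise(msisdn, "payment"))
    gate.on_branch_reverification(msisdn, t0 + timedelta(hours=5), "officer-4")
    out.append(gate.authorise(msisdn, "payment"))
    return out
```

As the same post points out, a gate like this is only as trustworthy as the operator's swap feed that drives it.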
 
speaking to my wife about this, we realised that rica could be a huge source of fraud. you can now rica your sim anywhere. ANYWHERE. you give them proof of residence, id number, phone number, sim number.... all the things you need to do a sim swap and to get your online banking profile reset over the phone. all you need is a banking profile number, but the guy on the phone is very lenient as well, and will accept your account number or maybe even just a verification that the real you is calling (please see attached rica documents).
 
how about if they send an sms to the number getting a sim swap? yes, if the sim is broken or lost or not working for some reason it would be a pointless sms. but for those illegal simswaps, it would prevent quite a few. you get an sms saying a sim swap has been done and if it's not you who authorised it, then phone [service provider's] number to block or cancel.
easy as pi.

Good suggestion. Send an sms to the original sim before the swap takes place. An automatic delay on the system of say 1 hour will allow the user of the original sim to get the sms and to take action if necessary.
 
“To commit a fraud on a customer’s bank account a fraudster must have a customer’s bank card/account number, Internet Banking PIN and password,” explained MTN’s chief customer experience officer Eddie Moyce.

The fraudster also needs to do a sim-swap with MTN which they seem to be doing quite easily.
 
I think one thing that contributes is the fact that you can change your daily and monthly transfer limits online with ABSA internet banking. Kind of defeats the purpose of having daily and monthly limits.
 
Of course the people are partly at fault in some of these cases. However, the person sending the phishing attack then goes to an MTN store with the freshly phished info, and does an unauthorised sim swap.
That's only if phishing or keylogging or hacking were involved. A simpler explanation is there's an insider at MTN and an insider at ABSA.
Good suggestion. Send an sms to the original sim before the swap takes place. An automatic delay on the system of say 1 hour will allow the user of the original sim to get the sms and to take action if necessary.
I think these delays are already in place. They wouldn't help if there's an insider at MTN who is able to first block the real SIM (record it as being stolen) so it disappears from the network, and then process the SIM swap.
 
Vodacom sent me a sms when I ported from Autopage(Vodacom) to Vodacom direct and I upgraded to a phone with a micro sim and Vodacom sent me a msg "We received a request for a new or replacement SIM card on your line due to possible theft or loss. If you suspect fraud and have not requested this new SIM card immediately contact Vodacom Customer Care on 082111"
 
"The incident happened at a dealer store where it seems the personal authentication process broke down. We are implementing an auto SMS function to inform the subscriber that a SIM swap has been requested on his or her account prior to proceeding with the SIM swap transaction. This will allow the subscriber time to contact MTN in the event that they did not request the SIM swap."

The Standard Bank made an ex gratia payment of R40,000 to help make up the loss, but MTN has not followed suit.

Unfortunately, there is no date on the article
 
Some observations

  1. It is patently obvious that the victims are being targeted by a "syndicate" that has some of ABSA's employees in their pocket,
  2. such that victims are primarily chosen (by corrupt ABSA employees) based on how much disposable cash the victims have across their portfolio of bank accounts
  3. and secondarily based on the victim's use of an MTN cellphone number for Internet Banking OTPs and alerts.
  4. The MTN SIM swap fraud only happens after a victim has been chosen by a corrupt ABSA employee.
  5. It is also patently obvious that it is easier to commit SIM swap fraud with MTN than any of the other cellular networks,
  6. that points to a serious vulnerability being exploited specifically at MTN and is probably again a case of corrupt MTN employees working with a syndicate.
  7. additionally, "replacement" SIM cards are supposed to be RICA'ed before they can be used which only raises more questions.

I suspect the reason that both ABSA and MTN are featured has to do with a lack of traceability:

Corrupt ABSA employees (e.g. at a branch) can easily perform a portfolio enquiry transaction without a record being kept that can be traced back to that particular employee. A record would however be kept if an ABSA employee were to change any of the customer's details such as the cellphone number used for Internet Banking OTPs and alerts.

Corrupt MTN employees or a syndicate using an MTN employee's login details over the Internet, must be able to perform SIM swaps and RICA SIM cards with almost no traceability.

Another concern is that ABSA has systematically been replacing the experienced Software Engineers responsible for developing and maintaining ABSA's Internet Banking platform, with very wet behind the ears inexperienced people, you can be sure that ABSA's Internet Banking platform is not as robust as it once was and it is only a matter of time before bugs are exploited there.
 
MTN made it clear that they are not liable for money lost in SIM swap fraud.

How so? When indications...

According to a report in Die Burger an MTN employee said that a syndicate within MTN and ABSA are organising these crimes.

Yes, unproven, but geez every possible breach in security points to these 2 companies. :wtf:
 
how about if they send an sms to the number getting a sim swap? yes, if the sim is broken or lost or not working for some reason it would be a pointless sms. but for those illegal simswaps, it would prevent quite a few. you get an sms saying a sim swap has been done and if it's not you who authorised it, then phone [service provider's] number to block or cancel.

easy as pi.
That is no good at all because it still relies on an opt-out of the sim swap. Phone lost, battery dead, extended meeting, phone forgotten at a friend's place, phone on mute and forgotten to turn ringing on again, etc. can all result in a long period where the phone owner is not available.

The only thing to stop this is that the valid owner of the SIM must opt-in and confirm the SIM swap before it can happen.
 
The only thing to stop this is that the valid owner of the SIM must opt-in and confirm the SIM swap before it can happen.
How so? I would say most legitimate SIM swaps involve a lost, stolen or faulty SIM so how would the owner confirm?
 
FSCK ABSA Bank!!!

It feels good to finally get to see ABSA bank suffer. They were incompetent and greedy when I left them more than three years ago and these fsckers can actually just drop a notch of their fscking arrogance for all I care! ABSA bank have milked me enough when I was a current account holder with them and I really hope this will have them quaking in their boots! :twisted:
 