Big ABSA Internet banking security concerns

I have seen MTN staff fetch the contract SIM cards from their shop safes when doing a SIM swop. Surely the shops need to keep track of which SIM has been sold where AND the SIM swop system should not allow someone to do a SIM swop from an activated SIM to another activated SIM (so I can't swop my MTN contract SIM card and yours so I can get into your bank account and then swop back afterwards).

That would be a serious security hole right there...

And the system that does the SIM swop should be able to tell you what SIM cards your cell number has been on with their network. So if someone was using the same SIM over and over to swop to, then rob, then swop back, they would be able to trace it because the networks should keep a log of the IMEI of each device you have had your SIM card in.

Where are they getting their SIMS from? I believe this is one of the key pieces of the puzzle.
 
My first question is: how do they know that your number is an MTN number? With number porting being so easy for many years now, it is very common that an 083 number is NOT an MTN number (mostly because MTN is k@k and they have lost many customers :twisted:). So how exactly do they know which cell provider to go to to do the SIM swop?
Maybe the scam originates at MTN? At least two of the incidents reported in the last week happened shortly after a new contract or upgrade.

Otherwise, just go here:
https://www.porting.co.za/PublicWebsite/
 
Maybe the scam originates at MTN? At least two of the incidents reported in the last week happened shortly after a new contract or upgrade.

My feeling as well, but they obviously have buddies in the right places at ABSA to make it happen.

I'm even willing to bet that it's only from one MTN shop that the sim swaps are done, unless the syndicate is much bigger than I'm thinking it is.
 
I have seen MTN staff fetch the contract SIM cards from their shop safes when doing a SIM swop. Surely the shops need to keep track of which SIM has been sold where AND the SIM swop system should not allow someone to do a SIM swop from an activated SIM to another activated SIM (so I can't swop my MTN contract SIM card and yours so I can get into your bank account and then swop back afterwards).
What makes you think contract SIMs are somehow different to prepaid SIMs? I think on all networks one can migrate from prepaid to contract and vice versa without changing the physical SIM card.

I agree though that additional checks should be put in place, for example, if one cannot present the old SIM card when doing a SIM swap, one needs to provide a case number from the police. Will this help with an inside job though?
 
What makes you think contract SIMs are somehow different to prepaid SIMs?

Look at an MTN SIM: if it was originally a prepaid SIM there is a P printed in the serial number on it. Contract SIMs have a C on them.

Eg. 2055211504 P 130 W13.1

What I am saying is that the system should not allow a contract subscriber to port to a prepaid SIM.
 
What I am saying is that the system should not allow a contract subscriber to port to a prepaid SIM.
I believe it should, there should be no reason to hit contract subscribers R150+ for a SIM swap when prepaid users can do it for R1.

What the system should not do, is allow anyone other than a contract subscriber to swap to any kind of SIM.
 
So is this fraud targeted at people doing internet banking from their phones? What about peeps on their PCs or laptops?
 
I agree though that additional checks should be put in place, for example, if one cannot present the old SIM card when doing a SIM swap, one needs to provide a case number from the police. Will this help with an inside job though?

MTN should be running audit trail reports to see which employee user accounts are being used to perform unusually large numbers of SIM swaps daily, weekly and monthly.

I expect it's more likely that MTN's systems are extremely outdated and do not allow for fancy things like audit trails, traceability and accountability.

ABSA does have audit trails where a transaction results in a change of any sort.
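The audit-trail report suggested above, together with the swap-and-swap-back and activated-SIM checks raised earlier in the thread, as an added example that is not part of any post. The record layout, the per-day limit and the 24-hour window are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real data:
# (time, employee account, cell number, old SIM serial, new SIM serial, new SIM already active?)
SWAPS = [
    ("2013-05-02 09:00", "emp17", "0830000001", "SIM-A", "SIM-X", True),
    ("2013-05-02 09:20", "emp17", "0830000002", "SIM-B", "SIM-Y", False),
    ("2013-05-02 10:05", "emp17", "0830000003", "SIM-C", "SIM-Z", False),
    ("2013-05-02 11:30", "emp17", "0830000001", "SIM-X", "SIM-A", True),
    ("2013-05-02 14:00", "emp03", "0830000004", "SIM-D", "SIM-W", False),
    ("2013-05-03 08:45", "emp03", "0830000005", "SIM-E", "SIM-V", False),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def busy_accounts(swaps, per_day_limit):
    """Employee accounts that performed more swaps in one day than the limit."""
    counts = Counter((emp, parse(ts).date()) for ts, emp, *_ in swaps)
    return sorted({emp for (emp, _), n in counts.items() if n > per_day_limit})

def swap_backs(swaps, window=timedelta(hours=24)):
    """Numbers moved to another SIM and back to the original within the window."""
    history = defaultdict(list)
    for ts, emp, number, old, new, _ in sorted(swaps):  # timestamps sort chronologically
        history[number].append((parse(ts), emp, old, new))
    hits = []
    for number, events in history.items():
        for i, (t1, _, old1, _) in enumerate(events):
            for t2, emp2, _, new2 in events[i + 1:]:
                if new2 == old1 and t2 - t1 <= window:
                    hits.append((number, old1, emp2))
    return hits

def swaps_onto_active_sims(swaps):
    """Swaps whose target SIM was already activated (the thread argues these should be refused)."""
    return [(number, new) for _, _, number, _, new, active in swaps if active]
```
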
 
MTN should be running audit trail reports to see which employee user accounts are being used to perform unusually large numbers of SIM swaps daily, weekly and monthly.

I expect it's more likely that MTN's systems are extremely outdated and do not allow for fancy things like audit trails, traceability and accountability.

ABSA does have audit trails where a transaction results in a change of any sort.
Whether they have audit trails or not, ABSA and MTN are keeping quiet:
In one case which Jan is looking at the bank is not willing to provide the details to establish whether this has happened to the client. We asked them for the logs, with the client’s permission, but to date nothing.

From the article: Can you conclusively say that there is no weakness within ABSA (employee or otherwise) which has been providing access to Internet banking accounts to fraudsters (through any means)?

No answer from ABSA
 
This is still bugging me.

1. Assume I'm reckless with my account number, pin and password.
2. Assume criminal logs into my account because of my recklessness.
3. Assume criminal can get my cell no from my banking site. To go port.

Why is MTN targeted so often? Coincidence? Or there must be an internal SIM swap issue.

Also, I would get login SMSs at step 2. Before the port. So they have to do the port before even trying to login to the site.

If criminals have access to other accounts, but do not (yet) have the means to swap linked SIMs because they don't have a contact within Vodacom or CellC, ABSA should advise all clients to update their pin and/or passwords immediately.

So where does it start? With a cellphone number, or with a bank account? It feels to me that it's an MTN issue where debit order details are being leaked. Maybe then checked with someone inside ABSA. But then we're back to square one where the pin/password is still unknown.

There's more to this issue than it seems.
 
So is anyone an open target (MTN & ABSA client)? Nothing you can do to safeguard yourself?

Not sure. Something is missing because I cannot at the moment fully understand how this is a simple crime. Actually seems quite complex.
 
Here's my question;

Does ABSA know what your pin and password is?

Yes and no. Yes, they have it in a database. And here's the important part: No, nobody should be able to see it (even if you try) because it should be hashed (unreadable) in the database.
 
Yes and no. Yes, they have it in a database. And here's the important part: No, nobody should be able to see it (even if you try) because it should be hashed (unreadable) in the database.
But it can be reset.
 
Yes and no. Yes, they have it in a database. And here's the important part: No, nobody should be able to see it (even if you try) because it should be hashed (unreadable) in the database.
Ok, but then you should be able to keep these 2 bits of info secure from fraudsters, not?
 