Big ABSA Internet banking security concerns

How so? I would say most legitimate SIM swaps involve a lost, stolen or faulty SIM so how would the owner confirm?
I think a better option is inform and wait. Send SMS to old SIM something like "This SMS is to inform you that a SIM swap has been requested on your account, if this is not correct, please contact ??? on ???????????? to cancel." wait a day and then do the swap.
 
I think a better option is inform and wait. Send SMS to old SIM something like "This SMS is to inform you that a SIM swap has been requested on your account, if this is not correct, please contact ??? on ???????????? to cancel." wait a day and then do the swap.

Assuming say 95% of sim swaps are legitimate, why should these people be punished?
 
I think a better option is inform and wait. Send SMS to old SIM something like "This SMS is to inform you that a SIM swap has been requested on your account, if this is not correct, please contact ??? on ???????????? to cancel." wait a day and then do the swap.

Wait a day? Dude, life goes on, you cannot always wait a day, especially in a business perspective.
 
The only thing to stop this is that the valid owner of the SIM must opt-in and confirm the SIM swap before it can happen.

There already is an opt-in which is when one physically goes to a cellular service provider with one's identification and requests the SIM swap.

The idea of sending an SMS to the existing MSISDN via the old SIM card (active or not) at the time when a SIM swap is requested is a good one purely from a notification point of view, but requiring an opt-in reply to such a notification SMS is full of pitfalls: for a start the person in possession of the old SIM card could be a criminal that actually stole the SIM card and might even be the same person that initiated the SIM swap.

The problem here is fraudulent SIM swaps, some of which have reportedly been initiated outside of normal business hours (the first in the series of recent articles IIRC).

MTN could solve that particular problem by simply locking out access to all SIM swap functionality outside of normal business hours.

Unfortunately MTN does not want to accept any responsibility or even investigate nor take action against MTN employees for their involvement, and that leaves consumers with only one option: wait for your contracts to expire and port your number to a different network.
 
how about if they send an sms to the number getting a sim swap? yes, if the sim is broken or lost or not working for some reason it would be a pointless sms. but for those illegal simswaps, it would prevent quite a few. you get an sms saying a sim swap has been done and if it's not you who authorised it, then phone [service provider's] number to block or cancel.

easy as pi.

Not as simple as that. People legitimately do sim swap when their phones are stolen. The above process won't work. Sure you make one process for stolen phones, and others for upgrades - but the criminal will revert to the stolen phone process.
 
Vodacom sent me an SMS when I ported from Autopage(Vodacom) to Vodacom direct and I upgraded to a phone with a micro sim and Vodacom sent me a msg "We received a request for a new or replacement SIM card on your line due to possible theft or loss. If you suspect fraud and have not requested this new SIM card immediately contact Vodacom Customer Care on 082111"

So did I...
 
  1. It is patently obvious that the victims are being targeted by a "syndicate" that has some of ABSA's employees in their pocket,
  2. such that victims are primarily chosen (by corrupt ABSA employees) based on how much disposable cash the victims have across their portfolio of bank accounts
  3. and secondarily based on the victim's use of an MTN cellphone number for Internet Banking OTPs and alerts.
  4. The MTN SIM swap fraud only happens after a victim has been chosen by a corrupt ABSA employee.
  5. It is also patently obvious that it is easier to commit SIM swap fraud with MTN than any of the other cellular networks,
  6. that points to a serious vulnerability being exploited specifically at MTN and is probably again a case of corrupt MTN employees working with a syndicate.
  7. additionally, "replacement" SIM cards are supposed to be RICA'ed before they can be used which only raises more questions.

1. It is not "patently obvious" that a syndicate has Absa employees in their pocket.
2. I suspect victims are chosen from the multitude of responders to phishing sites. The syndicate logs on and checks the balances of all phishing responders. The highest balances win!
3. The fact that MTN is the provider for the SMS probably does play a role. Vodacom sends a SIM swap SMS which would alert the victim.
4. The MTN SIM swap fraud only happens after the victim has responded to a phishing email and been selected by the syndicate as having a large enough balance.
5. Not sure if it is easier to do SIM swap at MTN but certainly with Vodacom there is a higher risk of failure of fraud due to SIM swap SMS.
6. Does seem that the only bank/CNP employee involved is the CNP employee whose credentials are used to perform the SIM swap.

Conclusion: two weak points. Customer divulging internet banking logon and CNP performing unauthorised SIM swap.
 
2. I suspect victims are chosen from the multitude of responders to phishing sites. The syndicate logs on and checks the balances of all phishing responders. The highest balances win!
What phishing sites? So far there hasn't been any proof that any hacking or phishing or keylogging took place.
3. The fact that MTN is the provider for the SMS probably does play a role. Vodacom sends a SIM swap SMS which would alert the victim.
So do MTN, I believe.
4. The MTN SIM swap fraud only happens after the victim has responded to a phishing email and been selected by the syndicate as having a large enough balance.
Where did you read this?

IIRC, the two cases that came to light last week both involved a recent contract or upgrade at MTN. This makes me think the scam starts with someone at MTN, who has all the information required to get the internet banking passwords reset at ABSA, either by using a fake identity document, or with the help of an insider.
 
these days there are all kinds of insurance covers with the banks, u telling us there's no built in insurance against this issue happening?
I guess the bank is only concerned when its their money with you, not your money with them?
 
Here's another possible solution.

The whole idea behind Random Verification Numbers (RVN's) is to provide, in essence, two factor authentication. Two factor authentication works on the idea of needing, well, two things to authenticate. In the classic South African banking story, these two things are your login details, and your cellphone (more accurately, SIM card), which shows you a code that can only be used once. Without both the login details and your SIM card, you can't get in. Which is completely infallible. Not.

There's a wonderful thing called Google Authenticator, which works exactly the same way as those little LCD keyrings that generate the pins that my dad was using to log in to the VPN at work 10 years ago: they have an algorithm which generates codes that change every 30 seconds. Providing the time on your phone and the time on the server are synchronised (easy with NTP), you just enter the code that's on your phone, and yay, you can get into your gmail account (assuming you also know the login details).

Changing over to something like Google Authenticator (which, I might add, is open source) will mean that a SIM swap would be useless as a means to get into one's bank account. Obviously they could just steal your phone, but hunting someone down and stealing their phone is a fair bit more difficult than getting a SIM swap. You'd need to have a phone which can run Google Authenticator (or whatever other app they decide to use), but most of the people having money stolen by means of SIM swaps probably have smartphones anyway. Aaaand there are Java Google Authenticator apps available for the older phones anyway.

Added bonus: never again will you have the issue that your RVN just won't come through when you really need to do something.
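The post above describes the scheme Google Authenticator implements: time-based one-time passwords (TOTP, RFC 6238) built on HMAC-based one-time passwords (HOTP, RFC 4226), with a 30-second step and a shared secret that never leaves the device. The following is an added example, not code from the post or from Google Authenticator, showing how such a code is generated and, on the server side, how it is verified with a small tolerance for clock drift and with a last-used-counter check so that a code really is usable only once. The secret is the ASCII test key from RFC 6238, used purely so the output can be checked against the published test vectors; a real deployment would generate a random secret per user.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret ("12345678901234567890" in ASCII); used here only
# because its outputs are published, never for a real account.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time.
    This is what the phone computes; it needs no network, only a clock."""
    return hotp(secret, for_time // step, digits)


def current_code(secret: bytes) -> str:
    """Convenience wrapper for the reader's own clock."""
    return totp(secret, int(time.time()))


def accept_code(secret: bytes, code: str, now: int, last_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts the code for the current step or one step
    either side (tolerates small clock drift), compares in constant time, and
    refuses any counter at or below the last one already accepted so a code
    captured in transit cannot be replayed inside the same window.
    Returns (accepted, new_last_counter)."""
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already consumed (or older): replay protection
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True, candidate
    return False, last_counter


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth URI that authenticator apps import from a QR code.
    The secret is Base32-encoded, as the apps expect; the account and issuer
    values are whatever the deploying service chooses."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


if __name__ == "__main__":
    # Phone side: show the code for the RFC test time 59 (step 1).
    print("code at t=59:", totp(TEST_SECRET, 59))            # 287082
    # Server side: first use is accepted, a replay of the same code is not.
    ok, last = accept_code(TEST_SECRET, "287082", 59, last_counter=-1)
    print("first use accepted:", ok, "last counter now", last)
    ok, last = accept_code(TEST_SECRET, "287082", 59, last_counter=last)
    print("replay accepted:", ok)
    print(provisioning_uri(TEST_SECRET, "user@example.org", "ExampleBank"))
```

Two design points worth noting. The drift window is deliberately small (one step each way, i.e. about 90 seconds in total) because every extra step a server tolerates is another valid code an attacker could guess; and the stored last-accepted counter is what turns a time-based code into a true one-time code, since within a single 30-second step the phone would otherwise happily produce the same value twice.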
 
Here's another possible solution.

The whole idea behind Random Verification Numbers (RVN's) is to provide, in essence, two factor authentication. Two factor authentication works on the idea of needing, well, two things to authenticate. In the classic South African banking story, these two things are your login details, and your cellphone (more accurately, SIM card), which shows you a code that can only be used once. Without both the login details and your SIM card, you can't get in. Which is completely infallible. Not.


There's a wonderful thing called Google Authenticator, which works exactly the same way as those little LCD keyrings that generate the pins that my dad was using to log in to the VPN at work 10 years ago: they have an algorithm which generates codes that change every 30 seconds. Providing the time on your phone and the time on the server are synchronised (easy with NTP), you just enter the code that's on your phone, and yay, you can get into your gmail account (assuming you also know the login details).

Changing over to something like Google Authenticator (which, I might add, is open source) will mean that a SIM swap would be useless as a means to get into one's bank account. Obviously they could just steal your phone, but hunting someone down and stealing their phone is a fair bit more difficult than getting a SIM swap. You'd need to have a phone which can run Google Authenticator (or whatever other app they decide to use), but most of the people having money stolen by means of SIM swaps probably have smartphones anyway. Aaaand there are Java Google Authenticator apps available for the older phones anyway.

Added bonus: never again will you have the issue that your RVN just won't come through when you really need to do something.


Same concept still being used by IS with their credit card size number generators for VPN access, as well as some online gaming companies, that provide a key token or a phone app for the number.

It's a good system, but not foolproof.
 
There's a wonderful thing called Google Authenticator [snip]

Interesting. How about adding a plain old PIN/password/passphrase to sim swaps, similar to the PUK? For that matter, why not require the PUK when performing a sim swap?

You can always keep your PUK in a shoe box at home, or in some secure online storage.

In addition, they can send the subscriber an SMS whenever the PUK was requested, i.e., if you did not request it, but someone else did. This may give you some advance warning.

This will not protect you from an inside job, but it will make inside jobs more obvious.
 
Just remember that ABSA has been in an absolute hurry to get rid of all their IT staff and developers, everything will now be done by Barclays.

And you can already see why that was a monumental cock-up.

Hey, Maria Ramos, how does it feel now?
 
Just remember that ABSA has been in an absolute hurry to get rid of all their IT staff and developers, everything will now be done by Barclays.

And you can already see why that was a monumental cock-up.

Hey, Maria Ramos, how does it feel now?
:D
 
And another thing that is very obvious - MTN & ABSA simply refuse to take responsibility for their actions and refuse to engage with the public.

You're basically on your own when this crap happens.

So, if you're an ABSA customer....all I can say to you is : good luck and good night.
 
1. It is not "patently obvious" that a syndicate has Absa employees in their pocket.

It is patently obvious that the recent victims were targeted either by a syndicate or persons acting like a syndicate: the victims all had large amounts of disposable cash available in their ABSA bank accounts and the recent articles suggest that it was not only one bank account per victim that was cleaned out. The significance is that people do not hand over every single bank account statement to a cellular service provider, people will instead hand over the bank statement of the account into which their salary is paid.

2. I suspect victims are chosen from the multitude of responders to phishing sites. The syndicate logs on and checks the balances of all phishing responders. The highest balances win!

It is certainly possible that victims were chosen as part of a completely random blanket ABSA phishing email spree sent out to all and sundry until each of these recent victims took the bait and gave "the syndicate" access to their bank accounts, but the syndicate would raise most victims' suspicions with an out-of-place login alert SMS if the syndicate did not log into the victim's Internet Banking portfolio fairly soon after the victim gave away their login credentials.

If as you claim, that there really are a multitude of responders to phishing sites, the criminals would have a tough time keeping up with each and every potential victim to see which victims were well off enough to proceed to the SIM swap stage, and that would have to be done within say 30 minutes of a successful phishing attack so as not to raise suspicions with an out-of-place login alert SMS (slightly delayed alert SMSes are not unusual but very delayed alert SMSes would be more likely to raise suspicions).

It would be much easier for a syndicate to bribe/threaten/corrupt ABSA employees to look for victims as part of their normal day to day work activities.

I create and use different email addresses, usernames, and passwords for everything. Days after I closed my last bank account with ABSA, the uniquely random email address that I only ever used for ABSA Internet Banking, found its way into the hands of spammers. A person of questionable intelligence employed at ABSA Randburg was responsible for selling my email address to criminals.
 
Oh, something else I have obviously missed....Maria Ramos is so busy worrying about SA Rugby's transformation and quotas, that she hasn't got time to run BLAPSA anymore.
 
Here's another possible solution.

The whole idea behind Random Verification Numbers (RVN's) is to provide, in essence, two factor authentication. Two factor authentication works on the idea of needing, well, two things to authenticate. In the classic South African banking story, these two things are your login details, and your cellphone (more accurately, SIM card), which shows you a code that can only be used once. Without both the login details and your SIM card, you can't get in. Which is completely infallible. Not.

There's a wonderful thing called Google Authenticator, which works exactly the same way as those little LCD keyrings that generate the pins that my dad was using to log in to the VPN at work 10 years ago: they have an algorithm which generates codes that change every 30 seconds. Providing the time on your phone and the time on the server are synchronised (easy with NTP), you just enter the code that's on your phone, and yay, you can get into your gmail account (assuming you also know the login details).

Changing over to something like Google Authenticator (which, I might add, is open source) will mean that a SIM swap would be useless as a means to get into one's bank account. Obviously they could just steal your phone, but hunting someone down and stealing their phone is a fair bit more difficult than getting a SIM swap. You'd need to have a phone which can run Google Authenticator (or whatever other app they decide to use), but most of the people having money stolen by means of SIM swaps probably have smartphones anyway. Aaaand there are Java Google Authenticator apps available for the older phones anyway.

Added bonus: never again will you have the issue that your RVN just won't come through when you really need to do something.

Whatever happened to that SA company who developed a cell based RVN? Fire... something or other...?
 
The more I think about this issue the more I smell a massive rat...

My first question is: how do they know that your number is an MTN number? With number porting being so easy for many years now it is very common that an 083 number is NOT an MTN number (mostly because MTN is k@k and they have lost many customers :twisted:) So how exactly do they know which cell provider to go to to do the sim swop?

The most plausible explanation to me is that this is an inside job at ABSA where somebody is analysing statements to see both who has cash at hand and who is paying MTN through debit orders/online payments every month.

I think that some lovely investigative journalism is required here to determine how many of these victims have a contract with MTN and how many are on prepaid. If they are all on contract then that would be very interesting indeed.
 