Big SMS banking scam exposed

Just as the banks thought SMS notifications were safe...
SMS banking is not safe. The Citizen learns that the security chain between the bank and the phone user has been breached.

Mokonyane said the syndicate is able to block and delay an SMS notification from banks.

"The Vodacom employee is the one who diverts SMS notification to their cellphones.

"That is how they get access to your personal details, such as account number and how much is in a bank.

"They do their business at Hilton Hotel in Sandton.

"We asked the engineer how much he earned by doing this scam, and he said over R2,4 million," Mokonyane said.

He said last month the syndicate did a scam through Nedbank, where they had opened a trust account and got away with R2,4 million.

http://www.moneyweb.co.za/mw/view/mw/en/page292518?oid=304940&sn=2009 Detail&pid=287226
 
WTF !

This is almost the same kind of thing that happened about a year ago with the SIM swaps that were done. However, this time it was done from the inside without SIM swaps....

Some scary shyt right there. Time we take our money and put it under our beds :p
 
The 3rd Force today announced:
An official spokesman for the Third Force today confirmed that they were in talks with a new banking institution. Officials have said that they are in the final stages of negotiating a contract with The First National Bank of Sealy Posturepedic. The Third Force has of course stipulated that they will only allow the bank to run the financial matters of South African Citizens if they meet certain criteria:
1. All bank vaults (hereafter referred to as mattresses) will be fitted with electrified springs, however making sure that the current would not penetrate the foam.
2. All mattresses would be fitted with infra red beams which would be networked into an alarm system.
3. All mattresses would be fitted with CCTV, the CCTV would only activate once the infra red beams were activated, this was to stop the CCTV from recording "personal exercise regimes".
4. The bank would offer the option of making these mattresses snake friendly...

The discussions have however hit a snag, they have yet to develop a mattress that will be safe for the law abiding citizen to be able to deposit or withdraw cash without being electrocuted or snake bitten.
 
So, I'm guessing the banks aren't going to be too sympathetic here...to the customer, that is. Naturally.
 
Why does Standard Bank keep telling clients that sms is more secure than e-mail banking ?

I receive my internet banking session password via e-mail and it seems to be secure,
even if an e-mail is intercepted, what can a criminal do without my account number,
pin and password ?

So the security steps are:
1. session password
2. account number
3. pin
4. password

I received two scam e-mails from Nedbank last month, which I warned people about on twitter, I don't understand how people are scammed if they practice basic security.

1. you never share or divulge a password or pin
2. you do not throw old bank or home statements in your black bags (burn or tear or archive)
3. you never open e-mails not addressed to you personally or from any source you are not expecting an e-mail from.

How are people being scammed ?

Where does this syndicate get the account and password and pin of the people they are scamming ?

Vodacom's contracted customers database ?

I'm on pre-paid, so none of my details are on a database yet, and when I do register just before the time period lapses I will definitely remain on pre-paid.

I wonder now, can these scamsters get access to my banking details in any form when I purchase airtime online from Standard Bank - what receipt information is passed from Standard Bank to Vodacom in this type of transaction ?
 
Not the banks.
It is just not possible to find an honest employee of any colour or creed in this country anymore. We are all out to enrich ourselves. Hard work has been replaced by dishonest/criminal get quick rich schemes.
 
It is just not possible to find an honest employee of any colour or creed in this country anymore. We are all out to enrich ourselves. Hard work has been replaced by dishonest/criminal get quick rich schemes.

I find the same.

Everywhere we are involved, people want more and more and more without being willing to give something - or do some work - in return for it.
 
I find the same.

Everywhere we are involved, people want more and more and more without being willing to give something - or do some work - in return for it.

Blame Apartheid... no seriously blame it... :D

I think this is true the world over, maybe not on as blatant a scale as in S.A., but it happens and it happens a lot...
 
There is NO technology or system that cannot be breached and abused by dishonest people. It's not the banks. It's not the phone companies. It's not any technology or system. It's corrupt people. Technology cannot save our society. For all our great technical advances we've forgotten the really big lessons on what it takes to build a viable and progressive civilisation. The great challenge is to re-learn how to make good people. Until we do, things will get worse.
 
No system is 100% secure, more so where there is a human element involved. Whoever said crime does not pay was smoking his socks. Crime pays... big time.
 
I think what is scary is that if you had some money taken, the bank will have blamed you and claimed that since SMS is inherently secure, it must be YOUR fault.
 
I couldn't care if it is dishonest people - these are dishonest people employed by the bank/cell company, or were employed by the bank/cell company and allowed to take with them the ability to steal from the bank's clients. The bank is or should be liable, regardless of how much anyone tries to defend them. They need to remove the human element asap...
 
The Citizen managed to view the documents and evidence including four cellphones, four passports, two identity documents, 10 Nedbank cards, 18 Standard bank cards, four Ithala bank cards, 18 FNB cards, 22 Absa bank cards, eight Vodacom starter packs and nine invoices which were all confiscated by the police.
So what happened to RICA??
 
What irks me about this story is the fact that an employee had the ability to 'divert' stuff at will... If he was able to do it, ain't there more of them with the same ability? Either through direct 'legit' methods or other hush-hush ways?

So what happened to RICA??

What about it? :confused:
 
Vodacom explains

Vodacom explained that for this fraud to take place a variety of criminal activities occurred, of which phishing attacks, social engineering, SMS interception and the registration of fraudulent bank accounts were part.

Vodacom said that this intricate online banking scam meant the following had to take place:

The online banking customers had to somehow compromise their PIN and password, typically through a phishing and/or spoofing attack where a false website is used. This PIN and Password gave the scammer access to the online banking account, but to create a new beneficiary and transfer money a One Time Password (OTP) is needed.

This poses two hurdles: gaining access to the cellphone number of the account holder to which the OTP is sent via SMS and then intercepting the OTP SMS without the owner knowing about it. Obtaining the account holder’s cellphone number was typically achieved either by social engineering (getting it from a bank employee) or by the same phishing scam which gave the fraudsters access to the account holder’s banking details.

Intercepting the OTP SMS without the owner knowing about it is where the rogue Vodacom employee came in. The Vodacom employee created a temporary dual SIM, active online for a very short period of time, to intercept the OTP SMS.

This OTP was forwarded to the syndicate which had by now logged into the online banking account and was awaiting the OTP to create a new beneficiary (their own fraudulent banking account) and transfer money to this new beneficiary.

The short time frame in which the ‘false’ dual SIM is active means that the legitimate owner of the SIM was typically unaware of the downtime and therefore would not suspect anything untoward.

After the money has been transferred to the fraudulent account it is withdrawn as quickly as possible. To ensure a speedy transfer of money the syndicate typically used a fraudulent account from the same bank as the victim who was scammed.

Many security breaches

What makes this case significant is the many security measures which were successfully breached. While the Vodacom employee who intercepted the OTP SMSs stole the headlines, the vulnerabilities of the local online banking system and the failure of FICA exposed by this scam are equally worrisome.

Vodacom pointed out in a press statement that it is only possible for the fraud to happen if an online banking customer has compromised his PIN and the Vodacom security measures have been bypassed.

The online banking account holder himself - through either falling for a phishing/spoofing scam or being a victim of a key logging malware attack - is the first point of failure. Without the account holder’s banking details and password/s this type of fraud would not be possible.

The next security failure is the ability of fraudsters to gain access to the account holder’s cellphone number which is linked to the account. This may well involve a rogue banking employee or even social engineering where a banking employee is duped into providing this sensitive information to the fraudsters. Phishing and/or spoofing can also be used here.

And then there is the fact that the scammers used multiple bank accounts at local banks to transfer the money into before it was withdrawn. The Financial Intelligence Centre Act (FICA) should have allowed the relevant authorities to track down the fraudsters and easily recover the missing funds, but the Act failed to assist in bringing the scammers to justice.

Time for improved systems?

This string of security measures which have been breached raises questions about the safety of online banking and whether it is time to jack up the online banking system in South Africa.

Vodacom said that it has already “implemented additional security measures, to ensure that this type of fraud does not happen again”, but this is only one improvement to the system where multiple security features proved inadequate.

The vulnerability of SMS based authentication, which was believed to be a strong security measure, has been exposed and some security experts suggested that it should be replaced by eTokens or even biometric authentication.

These stronger security measures will however incur additional costs to online banking clients, something which may not be well received in these economic times.
source: http://mybroadband.co.za/news/Business/8796.html

Good grief ! The world has become a sinkhole of greed and crime.

Additional banking costs ? My ass has four hooves, is it time for me to burn my bankcard and start a pillowbankie ?
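Detection logic for the interception pattern the quoted Vodacom explanation describes, added here as an example and not taken from the article, Vodacom or any bank: it correlates a constructed telco SIM-provisioning log with a constructed bank OTP log and flags an OTP that was delivered while a short-lived second SIM was active on the customer's number, with a payment to a new beneficiary following minutes later. The log format, field names (msisdn, iccid, acct) and the time thresholds are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the article): a SIM live for under ten minutes is the
# "temporary dual SIM" case; any SIM change within a day of an OTP is at least worth review.
TRANSIENT_SIM = timedelta(minutes=10)
RECENT_SWAP = timedelta(hours=24)
PAYMENT_WINDOW = timedelta(minutes=30)

# Constructed sample logs (fictional numbers and accounts). Format: "<ISO8601Z> <event> k=v ...".
# The victim's own SIM was activated long ago and so never appears inside the review window.
TELCO_LOG = """\
2009-08-10T09:00:12Z sim_activate msisdn=27820000001 iccid=8927A
2009-08-10T09:02:40Z sim_deactivate msisdn=27820000001 iccid=8927A
2009-08-10T11:15:00Z sim_activate msisdn=27820000002 iccid=8927B
"""
BANK_LOG = """\
2009-08-10T08:58:30Z login acct=1001 msisdn=27820000001 src=41.0.0.9
2009-08-10T09:01:05Z otp_sent acct=1001 msisdn=27820000001 purpose=add_beneficiary
2009-08-10T09:01:50Z otp_verified acct=1001 msisdn=27820000001 purpose=add_beneficiary
2009-08-10T09:03:10Z payment acct=1001 beneficiary=new amount=240000
2009-08-10T11:30:00Z otp_sent acct=1002 msisdn=27820000002 purpose=add_beneficiary
2009-08-10T12:45:00Z otp_verified acct=1002 msisdn=27820000002 purpose=add_beneficiary
"""


def parse_log(text):
    """Parse the assumed log format into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, name, *kv = line.split()
        ev = {"ts": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ"), "event": name}
        ev.update(dict(pair.split("=", 1) for pair in kv))
        events.append(ev)
    return events


def sim_sessions(telco_events):
    """Pair each sim_activate with the next sim_deactivate of the same ICCID.
    Returns {msisdn: [(start, end)]}, where end is None for a SIM still active."""
    open_by_iccid, sessions = {}, {}
    for ev in sorted(telco_events, key=lambda e: e["ts"]):
        if ev["event"] == "sim_activate":
            open_by_iccid[ev["iccid"]] = ev
        elif ev["event"] == "sim_deactivate":
            start = open_by_iccid.pop(ev["iccid"], None)
            if start is not None:
                sessions.setdefault(ev["msisdn"], []).append((start["ts"], ev["ts"]))
    for ev in open_by_iccid.values():
        sessions.setdefault(ev["msisdn"], []).append((ev["ts"], None))
    return sessions


def find_intercepted_otps(telco_text, bank_text):
    """Flag OTPs sent to a number that had a SIM change shortly before.
    Severity 'high': the OTP went out while a SIM that lived less than TRANSIENT_SIM was
    active (the dual-SIM trick). Severity 'medium': a SIM change within RECENT_SWAP of the
    OTP (ordinary SIM-swap fraud, or a legitimate swap the bank should confirm out of band)."""
    sessions = sim_sessions(parse_log(telco_text))
    bank = parse_log(bank_text)
    payments = [e for e in bank if e["event"] == "payment"]
    findings = []
    for ev in bank:
        if ev["event"] != "otp_sent":
            continue
        for start, end in sessions.get(ev["msisdn"], []):
            if start > ev["ts"] or ev["ts"] - start > RECENT_SWAP:
                continue  # SIM change after the OTP, or too old to matter
            active_at_otp = end is None or ev["ts"] <= end
            short_lived = end is not None and end - start < TRANSIENT_SIM
            severity = "high" if (active_at_otp and short_lived) else "medium"
            # Corroboration from the bank side: was the OTP followed by a payment?
            paid = any(p["acct"] == ev["acct"]
                       and timedelta(0) <= p["ts"] - ev["ts"] <= PAYMENT_WINDOW
                       for p in payments)
            findings.append({"acct": ev["acct"], "msisdn": ev["msisdn"],
                             "otp_at": ev["ts"], "sim_start": start,
                             "severity": severity, "payment_followed": paid})
    return findings


if __name__ == "__main__":
    for f in find_intercepted_otps(TELCO_LOG, BANK_LOG):
        print(f)
```

The point of the correlation is that neither side sees the fraud alone: the bank only sees a correctly entered OTP, and the telco only sees a SIM provisioned and removed a couple of minutes later. Joined on the MSISDN, the two-and-a-half-minute SIM session around the 09:01 OTP on account 1001, followed by a payment two minutes later, is the pattern; the 11:30 OTP on account 1002 after an open-ended SIM change gets the lower severity and should trigger a callback to the customer rather than an automatic block.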
 
This type of crime happens worldwide. It's not just an SA thing.

Yea maybe, but in civilized countries it is dealt with properly. The offenders are caught and put away. Corruption is the core problem here and will bring any industry to its knees. Because there is so much corruption at all levels in SA business I expect these sort of things to happen on a much bigger scale than anywhere else.
 