Fraud - How does this work? Insider workings?

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
So my dad's friend just phoned me he got scammed R16k yesterday. He's a Capitec client. He didn't articulate his story well because of his hysteria.

Here goes:
1. He was phoned by the bank.
2. They told him he could enjoy benefits he doesn't have (Internet banking, et al).
3. They ask him last 2 digits of card pin.

As soon as this happened he goes off to bank to change PIN, 2hrs later. Bank confirms it's fraud. R16k still in bank acc. He relaxes. Moments later

4. They do a sim swop on his sim, which renders his phone useless

Goes to bank to check balance with *new* PIN. R700 in bank account.
Leaves. Upon checking this morning. R1 in bank acc.

He's dumbfounded because his limit was always ~R5k. Looks like the syndicates transferred money to 2 bank acc and bought R2k worth of MTN airtime. He also tells me now that the said beneficiary accounts are closed.

I'm dumbfounded. What the hell happened?
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
I'm not sure but there has to be somebody on the inside otherwise how do they know which accounts to target?

They definitely do not select these accounts at random, they target those where the reward is worth the trouble they go to. Things like this scare the daylights out of me. I have essentially stopped using my bank accounts to hoard cash. Opened an investment account with Allan Gray and dump anything over R10k in there on a continuous basis.

Drawback is that I have to wait a day or three to get access to money if needed and the costs are a bit higher but I sleep better at night. I now try and keep the minimum in my bank. The daily limits mean nothing, seems it is either somebody in the bank assisting with this or they have a way past it.
 

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
^^ that refers to Internet banking don't it?

I'm inclined to go with insider as well...

Thing is I've never heard of this variant before. How did they get to the money? Why did they ask the last 2 digits of his PIN? Why were they doing the sim swop? Can't connect the dots... He don't even use Internet banking to strike some coherency in the ordeal.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
> ^^ that refers to Internet banking don't it?
>
> I'm inclined to go with insider as well...
>
> Thing is I've never heard of this variant before. How did they get to the money? Why did they ask the last 2 digits of his PIN? Why were they doing the sim swop? Can't connect the dots... He don't even use Internet banking to strike some coherency in the ordeal.

Wait - he gave them the last two digits?!?!

Then it's likely a brute force thing...by having the last 2 digits, it reduces the number of possible combinations from about a million to about a thousand, meaning they would need to try 500 on avg.

Though without a physical clone of the card I don't see how that would help. Unless the Capitec online platform uses the pin too & was built by an idiot.
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
Was just thinking....

The reason for asking for the 2 digits of the pin might be to crack the whole pin quicker. If you know the last 2 of say 4 or 5 digits it decreases the possible combinations by a long shot.

In regards to the SIM swap. This should not have an effect with Capitec as you need either the security device or phone app to confirm transactions. Capitec do not send OTPs via SMS. Also, the phone app can only be activated in the branch when you load it. So you have to install it and then go to the bank to get the activation code for it. Cannot be done online or by phone.

Also, when activating the app or when getting the activation code you have to be there in person as you have to have your fingerprint scanned. Without it they cannot do it.

This has to be an inside job to a large degree but even then how did they bypass the fingerprint story......
 

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
The guy sounded earnest and was drawn by all the "hype" they were advertising to him and were checking if he's the owner of the said account/card by verifying the last 2 digits.

I also asked about card cloning, and it don't seem his card was cloned.

He went to the bank to change his PIN and upon checking the balance with new PIN, balance was still intact. Few hours later, phone is barred from network and upon checking balance again. It's all gone.
 

Wyzak

Expert Member
Joined
Mar 12, 2007
Messages
4,034
Somehow he missed the part where they say "never give your pin to anybody" and "the bank will not ask you for your pin"
 

ld13

Honorary Master
Joined
Oct 28, 2005
Messages
12,756
If I only want the last two digits of someone's PIN it means I already have the first 2/3 digits in the bag.

I do not get the sim swop angle. Who is the service provider?
 

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
> If I only want the last two digits of someone's PIN it means I already have the first 2/3 digits in the bag.
>
> I do not get the sim swop angle. Who is the service provider?

Well thing is he changed the PIN.

Provider is MTN.
 

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
Do you guys think he'll get reimbursed seeing that he gave them last 2 digits of PIN?
 

BloodBurner9000

Well-Known Member
Joined
Apr 26, 2012
Messages
111
1. He might be a Capitec client but that doesn't mean his Capitec accounts were hacked.
2. Capitec does not use OTPs or pins (but does use a password and pseudorandom number generating security tag for all online transactions from limits, payments to new beneficiaries) so does not use your card PIN.
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
> I do not get the sim swop angle. Who is the service provider?

Agree, as said, with Capitec a SIM swap brings you nowhere. You need the app or the physical security device and as explained, the app is not just a matter of installing to get it working.

> Do you guys think he'll get reimbursed seeing that he gave them last 2 digits of PIN?

I highly doubt it. Did he contact the Capitec fraud line/number after this incident? If he did right after the initial call maybe as the bank was warned but as said, I doubt it as he gave information out.

With that said, if it all happened as you state then this matter must be investigated. Something is not right and the only way in which this could have happened was if he gave out more details than he is letting on or if it was out and out an inside job.
 

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
24,791
Hmm. Okay. As noted before, he doesn't use Internet banking. Unless of course there's also something he isn't telling me or the banks.
 

R13...

Honorary Master
Joined
Aug 4, 2008
Messages
43,526
> Hmm. Okay. As noted before, he doesn't use Internet banking. Unless of course there's also something he isn't telling me or the banks.

They might have signed him up for internet banking after the sim swap. Then they could probably change limits etc.

My uncle's son did something similar to my uncle. My uncle doesn't know a thing about internet or computers, so the son signed him up and kept helping himself to his money monthly
 

R13...

Honorary Master
Joined
Aug 4, 2008
Messages
43,526
Though even with two digits they'd still have 3 shots at guessing the PIN before it locks the account
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
44,691
Every Capitec account has Internet banking.

So the story already has a hole in it. Also if you are doing an inside job why phone the owner of the account? Another hole.

Also if he gave them the two digits he's an idiot. The 4 or 5 digit code automatically becomes a 2 or 3 digit code...and much easier to guess based on the info they already have.
 

Johnone

Senior Member
Joined
Jul 7, 2011
Messages
774
The sim-swap might have been for mobile banking. I've noticed, and previously mentioned on MyBB, that mobile banking is less secure with Capitec, because you don't need the dongle code to transfer money out of the account. So, if someone has your phone and your mobile banking pin, they have access to all your money at Capitec.
 

ld13

Honorary Master
Joined
Oct 28, 2005
Messages
12,756
> So, if someone has your phone and your mobile banking pin, they have access to all your money at Capitec.

Dude.

If someone gains access to your house keys and your alarm pin, then all your base are belong to someone other than you. :erm:

Also: If someone has your phone and your banking pin, they have access to all your money at [Insert bank name here].
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
> The sim-swap might have been for mobile banking. I've noticed, and previously mentioned on MyBB, that mobile banking is less secure with Capitec, because you don't need the dongle code to transfer money out of the account. So, if someone has your phone and your mobile banking pin, they have access to all your money at Capitec.

I think you might just be onto something. All you need with mobile banking is the 5 digit pin. No security app or anything. That must be why they did the SIM swap i.e. the mobile banking is linked to the number.

But then again, if you add a beneficiary does it not require the app? Not sure, never did it this way before.
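
The sequence the thread pieces together (a SIM swap, then possible channel sign-up or limit changes, then payments to two new accounts and an airtime purchase) is the pattern a bank-side SIM-swap cooling-off rule looks for. The sketch below is an added example, not part of any post and not any bank's actual system; the event names, the 48-hour window, the dates and the sample log are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed policy: actions treated as high-risk while a SIM swap is recent.
HIGH_RISK = {"channel_enrol", "limit_change", "beneficiary_add",
             "payment_new_beneficiary", "airtime_purchase"}
COOL_OFF = timedelta(hours=48)  # assumed window, not a real bank's value

# Constructed sample log: (ISO timestamp, account, event, detail)
SAMPLE_EVENTS = [
    ("2013-01-10T09:00", "acc-1", "pin_change", "branch"),
    ("2013-01-10T11:30", "acc-1", "sim_swap", "number re-issued"),
    ("2013-01-10T11:50", "acc-1", "channel_enrol", "mobile banking"),
    ("2013-01-10T11:55", "acc-1", "limit_change", "5000->20000"),
    ("2013-01-10T12:05", "acc-1", "payment_new_beneficiary", "7000"),
    ("2013-01-10T12:07", "acc-1", "payment_new_beneficiary", "7000"),
    ("2013-01-10T12:10", "acc-1", "airtime_purchase", "2000"),
    ("2013-01-10T12:30", "acc-2", "limit_change", "1000->2000"),
    ("2013-01-14T08:00", "acc-1", "airtime_purchase", "50"),
]

def flag_post_swap_activity(events, window=COOL_OFF):
    """Return high-risk events that occur within `window` after a SIM swap
    on the same account. Events may arrive out of order, so sort first."""
    last_swap = {}  # account -> time of most recent SIM swap
    flagged = []
    for ts, acct, kind, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "sim_swap":
            last_swap[acct] = when
        elif kind in HIGH_RISK and acct in last_swap:
            age = when - last_swap[acct]
            if age <= window:
                flagged.append((ts, acct, kind, detail, age))
    return flagged

def should_hold(events, min_hits=2):
    """Accounts with at least `min_hits` flagged events: candidates for a
    hold and out-of-band confirmation before funds leave."""
    counts = {}
    for hit in flag_post_swap_activity(events):
        counts[hit[1]] = counts.get(hit[1], 0) + 1
    return sorted(a for a, n in counts.items() if n >= min_hits)

if __name__ == "__main__":
    for hit in flag_post_swap_activity(SAMPLE_EVENTS):
        print(*hit)
    print("hold:", should_hold(SAMPLE_EVENTS))
```

The PIN change at the branch does not clear the flag: the rule keys on the SIM swap, which is why the later low-value purchase outside the window and the unrelated account's limit change pass through.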
 