Fraud - How does this work? Insider workings?

NeonNinja

Neon Resident
Joined
Nov 22, 2009
Messages
25,257
Every Capitec account has Internet banking.

So the story already has a hole in it. Also if you are doing an inside job why phone the owner of the account? Another hole.

Also if he gave them the two digits he's an idiot. The 4 or 5 digit code automatically becomes a 2 or 3 digit code...and much easier to guess based on the info they already have.

Say what? News to me.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
47,842
It's a free standard feature part and parcel of their accounts.
 

Venomous

Honorary Master
Joined
Oct 6, 2010
Messages
54,768
Agree, as said, with Capitec a SIM swap brings you nowhere. You need the app or the physical security device and as explained, the app is not just a matter of installing to get it working.



I highly doubt it. Did he contact the Capitec fraud line/number after this incident? If he did, right after the initial call, maybe, as the bank was warned; but as said, I doubt it, as he gave information out.

With that said, if it all happened as you state then this matter must be investigated. Something is not right and the only way in which this could have happened was if he gave out more details than he is letting on or if it was out and out an inside job.


errr, no.

The gent changed the PIN at the bank. All his funds were still in his account after that.
That action negates the fact that he gave them info, as the provided info was rendered null and void upon the change.
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
Every account may have it but it has to be setup in the branch first. If you do not set it up then the account has no internet banking.
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
errr, no.

The gent changed the PIN at the bank. All his funds were still in his account after that.
That action negates the fact that he gave them info, as the provided info was rendered null and void upon the change.

Try and explain that one to the bank....
 

systemofpurplelimpminion

Senior Member
Joined
Aug 9, 2013
Messages
560
So my dad's friend just phoned me he got scammed R16k yesterday. He's a Capitec client. He didn't articulate his story well because of his hysteria.

Here goes:
1. He was phoned by the bank.
2. They told him he could enjoy benefits he doesn't have (Internet banking, et al).
3. They ask him last 2 digits of card pin.

As soon as this happened he goes off to bank to change PIN, 2hrs later. Bank confirms it's fraud. R16k still in bank acc. He relaxes. Moments later

4. They do a sim swop on his sim, which renders his phone useless

Goes to bank to check balance with *new* PIN. R700 in bank account.
Leaves. Upon checking this morning. R1 in bank acc.

He's dumbfounded because his limit was always ~R5k. Looks like the syndicates transferred money to 2 bank acc and bought R2k worth of MTN airtime. He also tells me now that the said beneficiary accounts are closed.

I'm dumbfounded. What the hell happened?

This process works in a number of ways; these cover points 1 and 2:
1. Dumpster diving is one method, if sensitive details such as account numbers aren't properly disposed of.
2. Social engineering, i.e. phoning for a different reason previously and slowly gathering information.
3. Shockingly, something as simple as obtaining your mail could also provide them with some of the required details.

Regarding point 3, they were probably in the process of setting things up online while communicating with him on the phone, thereafter setting up scheduled payments to some account.
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
Someone must correct me if I'm wrong.

Capitec has 4 digit pins if I remember correctly, by having the last two digits of the pin it reduces it to 100 combinations right? Plus I'm sure a lot of people's first two digits will be 19, if not it's still easy to get the rest.

Also Capitec has an ATM/Branch PIN and a cellphone banking PIN. Chances of people using the same PIN for both? Most likely 90%, it is entirely possible that he ONLY changed the ATM/Branch PIN in the bank and NOT the cellphone banking PIN (which can be changed in the cellphone banking menu btw).

They might have signed him up for internet banking after the sim swap. Then they could probably change limits etc.

Limits must be changed inside the bank, it cannot be done online. Although on that note I'm not 100% sure if Capitec has limits on EFTs/Cellphone transfers, I know at least ATM withdrawal limits are separate and need to be changed in the bank and signed for.

Cellphone transfers can only be made to other Capitec clients (you just need their cellphone number) not to other beneficiaries.

Beneficiaries can only be created with online banking (which requires either the cellphone app, which as far as I know will only work on one cellphone, not sure how easy it is to crack it as I think the app generates a unique code on each install which must then be added to Capitec's systems which must be done in the bank, so cannot be used on another phone or by using an authenticator).

Still, it only makes sense if the transfer was to another Capitec client (isn't that usually the case though in these cases?) as they most likely had the cellphone PIN, if it was to non-Capitec clients then I do not understand how it is possible.

EDIT: If they bought airtime which can afaik only be done using the cellphone banking menu and not online banking then it would seem that only the ATM/Branch PIN was changed and not the cellphone banking PIN and that the whole scam was done with the cellphone banking.
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
In regards to the SIM swap. This should not have an effect with Capitec as you need either the security device or phone app to confirm transactions. Capitec do not send OTPs via SMS. Also, the phone app can only be activated in the branch when you load it. So you have to install it and then go to the bank to get the activation code for it. Cannot be done online or by phone.

I do not get the sim swop angle. Who is the service provider?

They might have signed him up for internet banking after the sim swap. Then they could probably change limits etc.


The SIM swop was done in order to get his number, the number that is connected to his mobile banking and is needed in order to do mobile banking, I can't be 100% sure but I think this is completely mobile banking related, nothing to do with internet banking.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
Kal...1024 combinations not 100. (2^10 = 1024)

>I'm sure a lot of people's first two digits will be 19

Why would you say that? I thought they're randomly generated...
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
Kal...1024 combinations not 100. (2^10 = 1024)

>I'm sure a lot of people's first two digits will be 19

Why would you say that? I thought they're randomly generated...

Not quite sure I get you, when you open your account you make your own pin, 4 digits.

Last two digits are known (let's say X are the given ones)

00xx, 01xx, through to 09xx (ie 10 possibilities)
10xx, 11xx, through to 19xx (ie 10 possibilities)
20xx, 21xx, through to 29xx (ie 10 possibilities)

All the way to 99xx, that makes it 10 combinations in each group and 10 groups. 100 combinations. Explain how it can be 1000?

Also I say 19 because how many people use their year of birth as a PIN?
 

MKFrost

Expert Member
Joined
Oct 23, 2012
Messages
3,837
From everything I have read and from what I understand it seems like Capitec is quite secure except for the mobile banking part of things which I have to agree seems weak as there is no app/authentication involved as long as you have the pin.

Can one disable mobile banking but still have internet banking?

I never make use of mobile banking but do use internet banking. So the ideal would be to disable the mobile banking part of things if possible.

Another thing I would like to see is limits that can be set per beneficiary. I have 2 where I pay more than R20K a month while the rest are all payments of less than around R2K per month. Because of the 2 high ones I need to have high limits otherwise my payments get declined. It would be nice if I can set those specific two on a high limit while blocking the rest all at say R2K a month.
 

chrisc

Honorary Master
Joined
Aug 14, 2008
Messages
11,270
Something not right here

Does the victim have internet banking? If so, you need to use the number generator to log in, again to load a new beneficiary and again to pay that beneficiary

If he does not have it and wants it, he needs to go into a branch, sit down at the counter, verify his fingerprints, have his photo taken and enter a PIN into the keypad on the desk, twice.

There is no other method to get money out your account, except if you go to an ATM or till at Checkers/Pick n Pay and ask for it, whereupon you need to enter your PIN in the keypad of the swipe machine
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
ai you're right...my formula is the wrong way round....10^2 not 2^10...epic fail on my part. :/
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
ai you're right...my formula is the wrong way round....10^2 not 2^10...epic fail on my part. :/

No worries :)

@chrisc4290, It was most likely through cellphone banking, not online banking.

Does the victim have internet banking? If so, you need to use the number generator to log in, again to load a new beneficiary and again to pay that beneficiary

No authenticator needed for cellphone banking, and if it was to another Capitec client, no beneficiary needed to be added.

There is no other method to get money out your account, except if you go to an ATM or till at Checkers/Pick n Pay and ask for it, whereupon you need to enter your PIN in the keypad of the swipe machine

*120*3279#, 'pay capitec client', 'enter amount', 'enter cellphone number', 'enter mobile banking pin'.

That takes maybe 20 seconds.
 

chrisc

Honorary Master
Joined
Aug 14, 2008
Messages
11,270
I see. I would like to read Capitec's take on this, since they (as all banks do) go on and on about security. Maybe this should be reported to the Commercial Branch. It cannot do any harm to open a case
 

Shake&Bake

Party Liaison
Joined
Jan 19, 2007
Messages
22,254
The SIM swop was done in order to get his number, the number that is connected to his mobile banking and is needed in order to do mobile banking, I can't be 100% sure but I think this is completely mobile banking related, nothing to do with internet banking.

This ^ is what happened.
They needed the sim swap done cos the owner's sim and mobile number is verified with Capitec.

If they got 2 digits from him - they could likely then brute force the rest of it.
R5k transfer limit on mobile banking - so clearing R16k is child's play.

Also there's no other security feature when paying Capitec clients via mobile banking.
I know this cos I've moved money to friends that are not beneficiaries on my Internet Banking.
All you do is enter their cellphone number, an amount and then your mobile banking PIN and the transfer goes through immediately.

So what these guys have then done is likely, just that.
They must've opened accounts with false documents or someone on the inside is assisting them with the process of opening the accounts.

Q: Can I use someone else's cellphone for Mobile Banking?
A: Your Mobile Banking service is linked to a specific cellphone number. This means that once you've registered, you can only use a cellphone containing your SIM card with your verified cellphone number. If your cellphone is damaged or you replace it, you'll need to insert your SIM card with your verified cellphone number in the new cellphone.
- See more at: http://www.capitecbank.co.za/personal-banking/cellphone-services#mobileBankingFAQs

Q: Are there daily transaction limits?
A: Yes. The following daily transaction limits apply:
Prepaid airtime up to R1 000
Prepaid electricity up to R2 500
Capitec Bank client payments up to R5 000
- See more at: http://www.capitecbank.co.za/personal-banking/cellphone-services#mobileBankingFAQs

EDIT: and yes Kal - Capitec have 4 digit PIN's.
I didn't really know this until the 1st time I went and had my card replaced.
Asked the lady helping me if I could use the same 5 digit PIN I had before - she said yes, but that only 4 digits are actually required.
A bit confused, I told her I'd been using a 5 digit PIN for more than a year.
She laughed saying that the system only picks up the 1st 4 digits anyway - so the 5th was of no consequence :p :D
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
If they got 2 digits from him - they could likely then brute force the rest of it.
R5k transfer limit on mobile banking - so clearing R16k is child's play.

That's the part I don't get though, how did they do R16k if the daily limit is R5k? Sounds like they took all the money in one day.
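As an added check that bears on this question (example code written for this thread, not Capitec's system or anything posted above): replaying a constructed approximation of the transactions described against the per-category daily limits quoted from the FAQ shows what a limiter enforcing those figures would actually let through on one day. The transactions, amounts, day labels and recipient names are all assumed.

```python
from collections import defaultdict

# Daily limits per category, in Rand, as quoted from the mobile banking FAQ in the thread.
DAILY_LIMITS = {"airtime": 1000, "electricity": 2500, "client_payment": 5000}


def apply_daily_limits(transactions, limits=DAILY_LIMITS):
    """Replay transactions in order with a running total per (day, category).

    A transaction is declined when it would push that day's total for its
    category above the limit; declined amounts do not count against the total.
    Returns (approved, declined) as two lists of the original transaction dicts.
    """
    spent = defaultdict(int)
    approved, declined = [], []
    for tx in transactions:
        key = (tx["day"], tx["category"])
        if spent[key] + tx["amount"] > limits[tx["category"]]:
            declined.append(tx)
        else:
            spent[key] += tx["amount"]
            approved.append(tx)
    return approved, declined


def total(transactions):
    return sum(tx["amount"] for tx in transactions)


def max_daily_drain(limits=DAILY_LIMITS):
    """Most that all categories combined can release in a single day under these limits."""
    return sum(limits.values())


# Constructed sample (assumed amounts, not the victim's real statement): roughly
# R16k on day 1 split between two recipient accounts plus R2k of airtime, then the
# last R699 the next morning, following the story told in the thread.
SAMPLE = [
    {"day": "day1", "category": "client_payment", "amount": 5000, "to": "ACC-A"},
    {"day": "day1", "category": "client_payment", "amount": 5000, "to": "ACC-B"},
    {"day": "day1", "category": "client_payment", "amount": 4300, "to": "ACC-A"},
    {"day": "day1", "category": "airtime", "amount": 1000, "to": "MTN"},
    {"day": "day1", "category": "airtime", "amount": 1000, "to": "MTN"},
    {"day": "day2", "category": "client_payment", "amount": 699, "to": "ACC-B"},
]

if __name__ == "__main__":
    ok, blocked = apply_daily_limits(SAMPLE)
    print(f"cap on any single day: R{max_daily_drain()}")
    print(f"approved R{total(ok)}, declined R{total(blocked)}")
    for tx in blocked:
        print(f"  declined {tx['category']} R{tx['amount']} on {tx['day']} to {tx['to']}")
```

With the quoted limits enforced, at most R8 500 across all categories can leave in one day, so a same-day loss of R16k implies either higher limits on the account or a channel the limits do not cover.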
 

Shake&Bake

Party Liaison
Joined
Jan 19, 2007
Messages
22,254
I see. I would like to read Capitec's take on this, since they (as all banks do) go on and on about security. Maybe this should be reported to the Commercial Branch. It cannot do any harm to open a case

Thing is though - the victim gave details of his PIN to the scammers.
May not have been the whole PIN, but twas enough to get them started.

But this has to get the attention of the bank and hopefully a reply and or change to the security measure for mobile banking will be in the pipeline.

Though the idea of MB is for it to be quick and easy.
#1 RULE - bank is not going to call you for your PIN!
 

KalMaverick

Expert Member
Joined
Apr 7, 2010
Messages
1,878
EDIT: and yes Kal - Capitec have 4 digit PIN's.
I didn't really know this until the 1st time I went and had my card replaced.
Asked the lady helping me if I could use the same 5 digit PIN I had before - she said yes, but that only 4 digits are actually required.
A bit confused, I told her I'd been using a 5 digit PIN for more than a year.
She laughed saying that the system only picks up the 1st 4 digits anyway - so the 5th was of no consequence :p :D

I thought so haha, just didn't want to give away that I was using a 4 digit PIN :eek:
 