How would you solve the problem of internet banking and SIM-swap fraud?

Jamie McKane

MyBroadband Journalist
Super Moderator
Joined
Mar 2, 2016
Messages
2,748
#1
SIM-swap fraud has become increasingly common in South Africa. How would you solve this problem?
 

supersunbird

Honorary Master
Joined
Oct 1, 2005
Messages
45,216
#3
Internet banking should just not use SMS or anything else SIM-relevant as second authentication; it's that easy.

While other things can be done with SIM swaps (like network data being used by a criminal), the losing party is the Telco, and it's their own issue to deal with.
 

deweyzeph

Executive Member
Joined
Apr 17, 2009
Messages
6,518
#4
> Internet banking should just not use SMS or other SIM-relevant authentication; it's that easy.
>
> While other things can be done with SIM swaps (like network data being used by a criminal), the losing party is the Telco, and it's their own issue to deal with.

FNB is already leading the way with this: they are now sending OTP validation messages through the banking app, rather than via SMS.
 

konfab

Honorary Master
Joined
Jun 23, 2008
Messages
17,846
#5
> SIM-swap fraud has become increasingly common in South Africa. How would you solve this problem?

Either use a little dongle, or an app to generate a HOTP.
[image: a598h.jpg]

Then to address the sim-swap problem.
Mobile operators should allow users the option to biometrically encode their accounts. So in order to execute a sim-swap, you have to go to a branch and put your finger in a fingerprint reader, and you can log the fingerprint of the employee who performs the transaction as well.
It is pretty sad when a bank is more technologically advanced than a bona-fide technology company.
 

AlphaJohn

Executive Member
Joined
Sep 10, 2012
Messages
6,036
#9
TOTP+HOTP as per OATH

It's an open standard and you can then use apps like Microsoft or Google Authenticator. For 2-step PINs it's that easy.
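As an added illustration of the OATH algorithms this post names (this is not code from the thread, from any bank, or from the authenticator apps mentioned): RFC 4226 HOTP and RFC 6238 TOTP in plain Python, together with the server-side checks a verifier needs so that a captured code cannot be replayed. The reference secret and expected codes are the RFCs' own test vectors ("12345678901234567890"); the verifier classes, their window sizes and the otpauth URI helper are assumptions about how a bank would wire this up.

```python
"""Added example: OATH HOTP (RFC 4226) and TOTP (RFC 6238), plus the
server-side verification state a bank would keep. Not code from the thread."""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch (T0 = 0)."""
    return hotp(secret, int(at // step), digits, algo)


def provisioning_uri(issuer: str, account: str, secret: bytes,
                     digits: int = 6, period: int = 30) -> str:
    """otpauth:// Key URI of the kind Google/Microsoft Authenticator read from
    the enrolment QR code (secret is base32 without padding)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&digits={digits}&period={period}")


class HotpVerifier:
    """Assumed server-side state for one enrolled HOTP token: a look-ahead
    window tolerates button presses the user never submitted, and the stored
    high-water counter makes an intercepted code single-use."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.look_ahead = look_ahead
        self.digits = digits
        self.last_counter = -1  # highest counter value already consumed

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            # compare_digest is constant-time, so timing does not leak the match
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c  # resynchronise; older counters are dead
                return True
        return False


class TotpVerifier:
    """Assumed server-side state for a TOTP token: accept +/- `skew` steps of
    clock drift, but never accept a time step at or below the last one used."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.digits = digits
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, at: float) -> bool:
        now_step = int(at // self.step)
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if s <= self.last_step:
                continue  # replay of a code already spent in this window
            if hmac.compare_digest(hotp(self.secret, s, self.digits), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
    secret = b"12345678901234567890"
    print(hotp(secret, 0), totp(secret, 59, digits=8))  # 755224 94287082
```

The two verifier classes carry the part an "open standard" alone does not give you: the bank must persist the last accepted counter (or time step) per token, otherwise a one-time code is not one-time. The HOTP look-ahead is deliberately small; a large window is what lets an attacker brute-force six digits.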
 

Praemon

Expert Member
Joined
Jan 11, 2007
Messages
1,228
#10
> TOTP+HOTP as per OATH
>
> It's an open standard and you can then use apps like Microsoft or Google Authenticator. For 2-step PINs it's that easy.

Push notifications should be the first option in the banking app, so you just approve/decline the transaction. TOTP/HOTP can be a fallback if there's no internet connection on the device.

Ultimately though, the issue is that not everyone has a smartphone. So SMS is always going to be the most basic of authentication, and it's up to Telcos and banks to work together to identify SIM swaps and add additional security to that process, i.e. Telcos confirm a SIM swap has happened, and the bank requires you to go into the branch to verify/approve the SIM swap.
 

Ockie

Resident Lead Bender
Joined
Feb 16, 2008
Messages
48,393
#13
Really? This has been discussed to death already. Stop using SMSes and third parties to verify your customer.
 

bigboy529

Expert Member
Joined
Apr 23, 2012
Messages
2,753
#14
Apart from stopping the use of SMS for validation, banks should stop sending SMSes altogether: no marketing, no notifications, nothing. They can send all transaction notifications etc. through their apps as push notifications, which are not at all tied to a cellphone number.
This way if someone gets caught out by some SMS scam they'll only have themselves to blame, since if banks stop using SMS it should catch on pretty quickly with consumers.
 
Joined
Jun 19, 2015
Messages
13
#15
I fully agree with the way FNB does their verification via the app and completely cut out sim notifications.
 

ambo

Expert Member
Joined
Jun 9, 2005
Messages
2,669
#18
A big challenge is flexibility and user experience. As already mentioned, not everyone has a smartphone (or the right smartphone: mainstream OS, non-rooted, etc.).

The banks should allow a range of second-factor options: their own apps, open third-party apps like Google Auth, open hardware token standards like U2F (YubiKey) and SMS as a last resort. Limit the choices based on the value and risk profile of the account.

The mobile networks could also tighten up their systems. Provide second auth factors to request an express SIM swap. Set the default SIM swap delay to two days. A few hours is not enough.
 

supersunbird

Honorary Master
Joined
Oct 1, 2005
Messages
45,216
#19
> A big challenge is flexibility and user experience. As already mentioned, not everyone has a smartphone (or the right smartphone: mainstream OS, non-rooted, etc.).
>
> The banks should allow a range of second-factor options: their own apps, open third-party apps like Google Auth, open hardware token standards like U2F (YubiKey) and SMS as a last resort. Limit the choices based on the value and risk profile of the account.
>
> The mobile networks could also tighten up their systems. Provide second auth factors to request an express SIM swap. Set the default SIM swap delay to two days. A few hours is not enough.

Who are you to decide that my number must be unavailable for so long?

(not that my SIM is linked to my primary banking at all)
 
Joined
Aug 26, 2010
Messages
12
#20
Two-step authentication integration between the cellphone manufacturers and the banks, so the fingerprint reader on the cellphone can negotiate directly with the bank through a proper encrypted protocol, with a bank-managed database for public/private key checks on biometrics and a user-selected PIN, for starters.
 