- Mar 2, 2016
SIM-swap fraud has become increasingly common in South Africa. How would you solve this problem?
FNB is already leading the way with this, they are now sending OTP validation messages through the banking app, rather than via SMS.
Internet banking should just not use SMS or other SIM-relevant authentication, it's that easy.
While other things can be done with SIM swaps (like network data being used by a criminal), the losing party is the Telco, and it's their own issue to deal with.
Either use a little dongle, or an app to generate a HOTP.
Push notifications should be the first option in the banking app, so you just approve/decline the transaction. TOTP/HOTP can be a fallback if there's no internet connection on the device.
Who are you to decide that my number must be unavailable for so long?
A big challenge is flexibility and user experience. As already mentioned - not everyone has a smart phone (or the right smart phone - mainstream OS, non-rooted, etc.).
The banks should allow a range of second factor options. Their own apps, open third party apps like Google Auth, open hardware token standards like U2F (YubiKey) and SMS as a last resort. Limit the choices based on the value and risk profile of the account.
The mobile networks could also tighten up their systems. Provide second auth factors to request an express SIM swap. Set the default SIM swap delay to two days. A few hours is not enough.