How would you solve the problem of internet banking and SIM-swap fraud?

nkd · Jul 29, 2017

No SMS's, app verification or token

ambo · Jul 29, 2017

supersunbird said:
Who are you to decide that my number must be unavailable for so long?

(not that my SIM is linked to my primary banking at all)

The current low security procedure should have a longer hold time. I did say that the mobile networks should introduce higher security processes for those wanting better turn around times.

Goliath · Jul 29, 2017

AlphaJohn said:
TOTP+HOTP as per OATH

Its an Open standard and you can then use apps Like Microsoft or Google Authentication. For 2-Step pin's Its that easy.

Easiest would be Google Authentication me thinks..?

werfie · Jul 29, 2017

My solution have always worked well for me. Never have any money to steal. There problem solved.

faniebraai · Jul 29, 2017

werfie said:
My solution have always worked well for me. Never have any money to steal. There problem solved.

thanks for sharing it with all of us....

supersunbird · Jul 29, 2017

werfie said:
My solution have always worked well for me. Never have any money to steal. There problem solved.

No, the solution is to not keep your savings with the same bank/institution as your transactional account (unless very secure online, like Capitec, and even then, don't keep the savings in your cards account , rather in a sub account, then nothing much can happen even if they steal/rob/swipe your card and pin).

member2204 · Jul 29, 2017

Rouxenator said:
If your SIM is swapped and then used to call in a bomb threat to parilment, to set off a cellphone bomb, or to download child pr0n, or any other illegal activities YOU will be guilty of it.

No, you won't. There will be investigations and legal process where you can prove your innocence.

deweyzeph · Jul 29, 2017

member2204 said:
No, you won't. There will be investigations and legal process where you can prove your innocence.

The burden of proof is on the state to prove your guilt, not for you to prove your innocence.

Rouxenator · Jul 29, 2017

deweyzeph said:
The burden of proof is on the state to prove your guilt, not for you to prove your innocence.

And with the records from the cell network showing you number was used to do it they have all the prove they need.

supersunbird · Jul 29, 2017

Rouxenator said:
And with the records from the cell network showing you number was used to do it they have all the prove they need.

Yes, except the SIM card serial nr would not match...

deweyzeph · Jul 29, 2017

Rouxenator said:
And with the records from the cell network showing you number was used to do it they have all the prove they need.

Not really. They would need to prove that you actually made the call yourself.

Rouxenator · Jul 30, 2017

deweyzeph said:
Not really. They would need to prove that you actually made the call yourself.

Sure, the IMSI (SIM serial) and IMEI (mobile equipment serial) would not match.

But does that some banks?

supersunbird · Jul 30, 2017

Rouxenator said:
Sure, the IMSI (SIM serial) and IMEI (mobile equipment serial) would not match.

But does that some banks?

English please...

Rouxenator · Jul 31, 2017

supersunbird said:
English please...

Banks already pair your phone and app with your internet banking service. Why not use the IMEI and IMSI when processing USSD prompts?

me_ · Jul 31, 2017

I think the problem here is everyone is trying to plug the leaks in the bath after the bomb has gone off. SMS tokens are additional layers of security and shouldn't be seen as the primary. The issue is that the primary authentication method (password) has been compromised.

The real issue is the phishing emails that are being sent and users not realising. This is in part the user's fault, but we also need to look at email as a whole. The problem is that SMTP allows you to make emails look like they are from a legitimate sender even when it's actually be sent by some zombie server connected to the internet. Email authentication (where the sender is verified) has been around for some time now and would prevent the vast majority of phishing attacks and spam, yet most mail servers do not implement it. Some legitimate emails would be flagged as spam due to practices used by companies, but it wouldn't take long to flag this with the senders and have them correct their automatic mailers.

Some details on Email authentication:
https://en.wikipedia.org/wiki/Email_authentication

vic777 · Jul 31, 2017

Rouxenator said:
Banks already pair your phone and app with your internet banking service. Why not use the IMEI and IMSI when processing USSD prompts?

Banks who do check IMSI, like ABSA, get the IMSI from the MNO when you respond to the push USSD message. This is functionality that exists on all MNO's, they just don't all pass the IMSI to the bank. AFAIK there is no way using standard USSD or SMS that the MNO would get your IMEI as well

HaNsA · Jan 10, 2019

Sorry to revive this thread. But looking at the number of fraud cases this is something of great concern.

Question, I have a yubikey which I use for Gmail. Do any banks in South Africa support yubikey? This should sort the problem out.

access · Jan 10, 2019

reversible transfers/payments?

rietrot · Jan 11, 2019

Follow the money and jail the guy eventually withdrawing it from a ATM.

If they can't get the money out of the bank this problem will go away.

supersunbird · Jan 11, 2019

rietrot said:
Follow the money and jail the guy eventually withdrawing it from a ATM.

If they can't get the money out of the bank this problem will go away.

Should a cage fall down around the ATM or what?

How would you solve the problem of internet banking and SIM-swap fraud?

Senior Member

Expert Member

Expert Member

Expert Member

RIP

Honorary Master

Senior Member

Executive Member

Dank meme lord

Honorary Master

Executive Member

Dank meme lord

Honorary Master

Dank meme lord

Senior Member

Expert Member

Expert Member

Executive Member

Honorary Master

Honorary Master