Internet banking fraud: should we keep using SMS?

Executive summary: :)

Would a key fob or authenticator app keyed to your smartphone such as those used by Capitec be such a great inconvenience compared to SMS?

Perhaps there is a financial incentive for the operators to keep using SMS?
 
Vermooten went on to explain that a SIM swap in itself is not a flag for fraud, but that it’s just one of the factors considered when evaluating whether activity on an account might be fraudulent.

Vermooten neglected to mention that the going rate that syndicates have been paying temporary ABSA branch staff, for printouts of ABSA customers' bank account details, is as little as R2000, and that is the real starting point for the fraud that follows: the syndicates are not interested in stealing money from people who don't have available money in their bank accounts.
 
Why don't they make use of Google's authenticator? Dropbox already makes use of this for their 2-step authentication, why not our banks as well?

No need to invent a new app, it's already there....
 
...the syndicates are not interested in stealing money from people who don't have available money in their bank accounts.

Agree, if you have a substantial amount then 'remove' that money from your 'online' profiles.

The bulk of my funds are kept in an account which sits on its own separate profile on which no online banking and or mobile banking is allowed. I have to physically go to the bank in person in order to have funds moved from that account to my everyday account.

And no, it's not a pain. I use my credit card throughout the month and at month end it just gets paid in full from that account. So I hardly ever need to move funds from there to my everyday account.

If any funds disappear from that account then the bank and the bank alone will be responsible as it can only be removed with a signature and with me in the branch. Otherwise they will have to cough up for my losses. I just do not trust online banking for anything larger than the normal monthly expenses and or small purchases online.
 
The user should have a choice between SMS, Email, Key and google authenticator. That variety will go a long way in killing these focused & organized attacks especially if the banks manage to keep a lid on who is using what.

Not that the last part is going to happen...our crappy banks seem to be leaking confidential client info like sieves.
 
Google Authenticator, Yubikey and numerous other 2nd factor authenticators. Most of them trivial to implement and far more secure than SMS.
 
Google Authenticator, Yubikey and numerous other 2nd factor authenticators. Most of them trivial to implement and far more secure than SMS.

This.

Google Authenticator uses TOTP; it's an RFC standard. There are implementations of it all over the place.
 
The bulk of my funds are kept in an account which sits on its own separate profile on which no online banking and or mobile banking is allowed. I have to physically go to the bank in person in order to have funds moved from that account to my everyday account.

That is an option I have never considered, for two reasons:
1. I like being able to see all of my bank accounts in one list and how much credit/debt is associated with each account
2. I will never fall victim to a phishing scam, although it is still possible that my login details could be obtained using a keylogger or other malware, or a DNS poisoning phishing site scenario, or even more unlikely is a man-in-the-middle interception of my hashed login details sent to the bank over SSL.

It's a nice option, keeping one's funds "offline", just not an option that I currently feel I need to implement.

As far as ABSA's fraud victims are concerned, my interpretation and reading between the lines of the numerous news articles, is that there are a significant number of victims, where the bulk of the stolen money was taken from their mortgage accounts, and smaller amounts of money stolen from other accounts, linked to the same Internet Banking portfolio of accounts.

Who goes to a cellphone shop to take out a cellphone contract, and supplies bank statements for their mortgage account? No one does that, and it means that the syndicates are getting information about the liquidity of ABSA customers, directly from ABSA employees. I believe that makes ABSA liable for the fraud, at the very least ABSA should pay back 50% of what was fraudulently stolen from ABSA customers that fell victim to targeted phishing scams.
 
I hear you and yes I agree on what you say. I think it all depends on each person's situation in how they set up their financials.

In my case, I have no debt, accounts and or debit orders. Everything is either paid upfront each year or on a quarterly basis and this is done by means of direct deposit transfers inside the bank. For the rest we just pay/spend it on our cards and this gets settled at the end of the month from my 'offline' account.

My main reason for doing this is because I will never be comfortable with all my funds in an account that is linked to the net in any way. Thus the reason for keeping it 'offline'. I just do not trust a bank to take liability for any losses when it comes to online banking. In the way it is setup now there is no way the bank cannot be liable should any of my funds 'get lost'.

So with my setup the only funds that are 'exposed' are the funds available on the credit cards and this is the bank's money, not mine.
 
I'm really curious as to where they got the information that the banks can already determine whether SIM swaps have taken place, because as far as I know they don't have that capability yet, but they will have it soon.

The article is correct that the operators do have an interface available for obtaining those kind of details, but integrating with some of the operators is a nightmare, especially because they don't all use the same platform/technology.

SMS is a terrible 2nd-factor solution to begin with, because it is not encrypted and you're not assured that it will be delivered in time either.
The other problem is that you're entering the OTP into the compromised site (e.g. when you clicked on a phishing link).
If our network operators could've just made SMSes free on their own network, then the banks could've easily gone for the option where the OTP would be sent back from the customer to the bank via SMS, which is already much safer.

Lastly, I believe the majority of the cases where large sums of money were stolen were also due to user negligence.
 
USSD is NOT secure. The data is sent as cleartext and on the network side the ticket is logged in their database as clear text. I would not go near USSD with anything banking related.
 
Vodacom said that they too have a database that banks can use to see recent SIM swaps and handset changes, but noted that the starting point of Internet banking fraud is the ability of criminals to get hold of customers’ banking details.
“If this information is secured, the SIM swap part of the fraud process becomes irrelevant,” Vodacom said.

Classic, it's someone else's problem. If the SIM is swapped then the authentication channel needs to be reverified.

If you have a fob, what happens when you lose it or it is stolen? No difference.
 
If you have a fob, what happens when you lose it or it is stolen? No difference.

You can't use a lost or stolen fob to call in a bomb scare to parliament. You can do that with a cloned SIM.

When will the world realize that a cloned SIM card is a very serious case of identity fraud and not a bank scam?
 
The latest SIMs are processing units that have the ability to host sophisticated applications. As an example, it is possible to have a fob embedded on a SIM.

Regardless, the standard operating procedure for a bank should be to suspend transactions when a SIM swap is detected. They have the ability and should implement it.
 
USSD is NOT secure. The data is sent as cleartext and on the network side the ticket is logged in their database as clear text. I would not go near USSD with anything banking related.

It doesn't have to be secure. Have a look at how Nedbank uses it - they push a validation request back to you, asking you to confirm or deny the transaction. It's fast (since it's session based as opposed to SMS which is store-and-forward) and the delivery destination is guaranteed with the same mechanism used in detecting SIM swaps for SMS delivery.

--deckert
 