Internet banking fraud: should we keep using SMS?

It doesn't have to be secure. Have a look at how Nedbank uses it - they push a validation request back to you, asking you to confirm or deny the transaction. It's fast (since it's session-based, as opposed to SMS, which is store-and-forward) and the delivery destination is guaranteed with the same mechanism used in detecting SIM swaps for SMS delivery.

For OTP it makes more sense, yes, since it is not information that needs to be encrypted. However, unless the IMSI and IMEI are included in the USSD message to the bank, it is still no more secure than SMS.

Ideally you would have such a system in place and then the banks will easily detect if the incoming USSD call originates from a SIM and mobile equipment that is registered for use with the bank account.
 
Since they claim to have good detection of SIM swops, why not disallow new account additions within the 1st month of a swop unless verified at the bank? <-- that will kill just about every SIM swap that has occurred, I reckon. For amounts larger than, say, 5k transfer on a new 'account', add a safety opt-in delay of 1-5 working days. <-- in case they don't catch the swap. And lastly, as mentioned, make some accounts non-transferable out without a bank visit, like that homeloan thing... that was just nasty :(
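
The three rules proposed in the post above, sketched as an added example (not part of the thread and not any bank's actual logic). The 30-day lock, the 3-working-day hold, the opt-in flag and every name here are assumptions; public holidays are ignored.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SIM_SWAP_LOCK_DAYS = 30   # assumed reading of "1st month" after a swap
LARGE_TRANSFER = 5000     # "say 5k" from the post
HOLD_WORKING_DAYS = 3     # assumed value inside the suggested 1-5 range


@dataclass
class Account:
    last_sim_swap: Optional[date] = None   # date the bank detected a swap
    swap_verified_in_branch: bool = False  # customer confirmed it in person
    delay_opt_in: bool = True              # customer opted in to the hold
    branch_only_outbound: bool = False     # e.g. a home loan account


def add_working_days(start: date, n: int) -> date:
    """Return the date n working days (Mon-Fri) after start."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def may_add_beneficiary(acct: Account, today: date) -> bool:
    """Rule 1: no new beneficiaries during the post-swap lock window."""
    if acct.last_sim_swap is None or acct.swap_verified_in_branch:
        return True
    return (today - acct.last_sim_swap).days >= SIM_SWAP_LOCK_DAYS


def transfer_release_date(acct: Account, beneficiary_added: date,
                          amount: float, today: date) -> Optional[date]:
    """Earliest date a transfer may execute; None means branch visit only."""
    if acct.branch_only_outbound:          # Rule 3: no remote outbound at all
        return None
    if amount > LARGE_TRANSFER and acct.delay_opt_in:
        # Rule 2: large payments wait until the beneficiary has aged.
        return max(today, add_working_days(beneficiary_added, HOLD_WORKING_DAYS))
    return today
```

The hold is measured from the day the beneficiary was added, so a swap the bank missed still leaves the account holder a window to notice the new beneficiary before a large payment leaves.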
 