Very interesting, these guys just don't sleep.
I still believe that there is some crucial information missing here, how are they getting their targets?
The sim swap/porting would be the last step after they have already targeted the victim and obtained the relevant information.
It's not like they just guessed that the client was an FNB client and knew the pin, or guessed that he had a Mr Price Money account linked to that number.
 
It's for this very reason that my mobile is not linked to my bank account in any way. I just do not trust the mobile service providers and/or the controls they have in place.
 
I still believe that there is some crucial information missing here, how are they getting their targets

Well spotted.

There is some stuff I think we don't know yet. People in the industry (at banks and operators) have told us it's usually a phishing scam of some kind. Phishers either sell the data on the black market, which these fraudsters buy and use, or the fraudsters conduct the phishing attacks themselves.

That said, I'm beginning to wonder if these villains haven't found other ways to steal people's identities.

Here's an example (related to this case) of what I suspect is a fraudster attempting a "spear phishing" / social engineering attack on a call centre in South Africa: http://mybroadband.co.za/news/banking/100018-sa-scammer-caught-in-action.html
 
It's very obvious that there are inside people in the banks, and places like Mr Price, who are part of this...
 
It's for this very reason that my mobile is not linked to my bank account in any way. I just do not trust the mobile service providers and/or the controls they have in place.

So one time passwords, transaction notifications etc. go to a second number? Or...?
 
So one time passwords, transaction notifications etc. go to a second number? Or...?

I do get notifications on my main number, yes, but my mobile banking is not enabled, i.e. I cannot do banking by means of my phone. I just get the SMSes of transactions. For logins etc. I make use of a separate security token which generates the codes as needed.
 
Don't believe in this cell banking anymore. Capitec have it waxed with the token based banking.
 
It's for this very reason that my mobile is not linked to my bank account in any way. I just do not trust the mobile service providers and/or the controls they have in place.

Bank you with?
 
I do get notifications on my main number, yes, but my mobile banking is not enabled, i.e. I cannot do banking by means of my phone. I just get the SMSes of transactions. For logins etc. I make use of a separate security token which generates the codes as needed.

Capitec then?
 
Capitec then?

Yes, and Standard Bank. The best security solution I could come up with for my personal needs is as follows:

* Standard Bank credit card which is not linked to any account, just the card on its own. R10,000 limit.

* Capitec account with no mobile banking and security token. 10% of funds held in main account and balance on sub savings account and/or on fixed deposits.

* 95% of purchases/payments are made with SB card. Try and not use the Capitec card at all, just a backup should SB be offline.

* Transfer [internet] from Capitec sub account to SB as and when needed.

* Additionally, have an SB account offshore and also just have internet banking and token access. Not linked to local SB credit card.

In this way the most vulnerable is the SB credit card. Banks are more vigilant with credit cards than with debit cards, not sure why, most probably as it's essentially their money. Max I can get shafted for is R10,000.

You cannot draw from the Capitec sub savings accounts at an ATM. So even if my Capitec card is compromised, I'm limited to the bit in the main account. If funds disappear out of the sub savings then we have a clear inside job and Capitec will have to explain what happened, as there is no way to access those funds except if their tokens were compromised and/or somebody inside moved the funds to the main account.

Not perfect but above works for me.
 
I think that there are more involved. I make use of cellphone the same bank and I get three different notifications once any transactions go off or about to go off! How did they get his login details? He might find that the culprits are not too far away!
 
As Toxicbunny said - insider information.

Grease the right palms, and you have the information you need, no questions asked, nobody will know.

There are various ways and means in getting the information out there, either by cellphone (texting/photos), writing it down, or memorizing it.
 
I do get notifications on my main number, yes, but my mobile banking is not enabled, i.e. I cannot do banking by means of my phone. I just get the SMSes of transactions. For logins etc. I make use of a separate security token which generates the codes as needed.

Ah ok. I also don't have and have never used cellphone/mobile banking so it should not be enabled in my profile ...well, I think so :erm: That's quite an elaborate banking setup you have there!
 
Wonder why the banks aren't interested in fixing this. The OTP system via SMS has been broken for years now, and they haven't done anything. Surely using something like Google Authenticator would be trivial to implement? It would definitely be more secure than an SMS at least, they'd have to steal your phone and know the PIN to unlock your phone.
 
Ah ok. I also don't have and have never used cellphone/mobile banking so it should not be enabled in my profile ...well, I think so :erm: That's quite an elaborate banking setup you have there!

Just check if you are with Capitec. AFAIK it's enabled on all accounts unless you ask them to disable it. I did this in writing with them just for the record, i.e. gave them a formal request to disable it and had them sign to acknowledge.

Did you know that you can check your account balance on Capitec [both main and sub account] without even entering a pin? If the number is linked to your account you can do this without even entering a pin. Guess the pin is only required to transact.
 
Just check if you are with Capitec. AFAIK it's enabled on all accounts unless you ask them to disable it. I did this in writing with them just for the record, i.e. gave them a formal request to disable it and had them sign to acknowledge.

Did you know that you can check your account balance on Capitec [both main and sub account] without even entering a pin? If the number is linked to your account you can do this without even entering a pin. Guess the pin is only required to transact.

I'm with Standard Bank. Pretty much stuck with them for the foreseeable future too.
 
There must be a method that the banks can use to determine which NMO the transaction request is coming from and compare that to the registered number's operator (which was captured in branch when registering for mobile/cellphone banking), thus preventing this new fraud scheme.

Anybody in the know, know if this is possible?

Just check if you are with Capitec. AFAIK it's enabled on all accounts unless you ask them to disable it. I did this in writing with them just for the record, i.e. gave them a formal request to disable it and had them sign to acknowledge.

Did you know that you can check your account balance on Capitec [both main and sub account] without even entering a pin? If the number is linked to your account you can do this without even entering a pin. Guess the pin is only required to transact.

The risk is at least limited to balance enquiries. Could argue a design flaw/oversight, but I don't see it as anything major. Other than that, you'll need the Cellphone Banking PIN in order to do a financial transaction. AFAIK the PIN works on the same basis as an ATM PIN - get it wrong a number of times and your service is blocked.
 
Insiders at FNB, Vodacom and possibly Cell-C, or a small cellular shop which has access to both networks, were involved in this. It's just a pity these players won't act up to the fact that it's more important to make money from bribes than from happy customers!
 
There must be technical solutions but it requires some will from the industry. It's the same with stolen cellphones - mobile operators could have reduced this theft a long time ago if they were prepared to invest in solutions. In the bigger scheme of things, these solutions cost small change to them.
 