Why banks still use SMS one-time PINs despite SIM-swop fraud

The latest figures from SABRIC show that the number of reported SIM-swop fraud incidents have increased dramatically in South Africa over the past year.

SABRIC stated that from January to August 2017, 4,040 SIM-swop incidents were reported.

This is compared to 8,254 incidents from January to August 2018 – an increase of 104%.

Users fall victim to SIM-swop fraud following a phishing, vishing, or SMishing attack, which all aim to trick users into providing sensitive information to the attacker.

The main advantage of conducting a SIM-swop attack is that you can access the victim’s one-time PIN (OTP) sent by their bank if their bank relies on mobile OTPs for verification.

This allows the attacker to approve payments from the victim’s account if the victim uses SMS verification.

Speaking in an interview with MyBroadband, SABRIC CEO Kalyani Pillay told MyBroadband that a lack of accessibility to smartphones for users could be a major reason why banks are struggling to move on from this older verification method.

Pillay noted that banks were steadily moving away from SIM-based verification to more secure methods, however.

MyBroadband reached out to local banks to find out more about the move away from SMS verification.


Absa confirmed that it moved away from using one-time passwords as an authentication method a long time ago.

“Absa utilises a non-SIM based approach to transaction authentication launched in October 2017 for all our digital channels to mitigate the risk of SIM-Swop fraud,” said Absa.

“Customers utilise our banking app to authenticate transactions done on digital banking channels and the authentication is linked to their device rather than their SIM card.”

Customers without a smartphone can still continue to use USSD authentication.

“Absa urges customers to always read their transaction authentication messages carefully before accepting and also to report any suspicious activity.”

Absa advised customers to download the banking app to authorise their transactions to minimise the risk of SIM-swop fraud.

Absa logo


FNB banking app head Giuseppe Virgillito did not confirm whether one-time passwords and SIM-based verifications were still used in the case of users not having a banking app.

“FNB customers are advised to use Smart inContact on the FNB Banking App to approve all online banking transactions,” Virgillito said.

“Smart inContact allows customers to receive secure online banking transaction approvals on the FNB app and does not rely on SMS or email technology which could be intercepted by fraudsters,” he added.

The InContact tool also notifies customers of transactions and allows for fraud reporting.

“FNB has seen a steady increase in the number of customers using Smart inContact since it was first launched in 2016, with the majority of customers now approving transactions or reporting suspicious online activity via the app.”

Virgillito did not state how customers without smartphones are able to verify their transactions.


Nedbank said it does not make use of mobile one-time PINs as a primary method of two-factor authentication.

“Nedbank replaced SMS OTP with Approve-It which makes use of NIUSSD (Network Initiated USSD) as second-factor authentication, which mitigates the risk of so-called “man-in-the-middle” fraud,” Nedbank said.

“Only in the event of an Approve-It not being delivered do we revert to OTP as a fall back.”

The bank added that just because SIM-swop fraud occurs, it does not mean that it is fraudulent.

“It should be noted that a SIM swap by itself isn’t necessarily indicative of fraudulent activity, as many are legitimate and carried out when handsets are upgraded or changed,” Nedbank said.

Nedbank logo

Standard Bank

Standard Bank told MyBroadband that it invests a lot of energy in ensuring its security system is robust and adaptable.

“Standard Bank takes the safety and security of its customers and banking platforms extremely seriously,” the bank said.

The bank sends mobile one-time passwords across all devices and electronic channels for any new instruction initiated by its customers.

“One Time Passwords are just one of the mechanisms used to combat fraud,” Standard Bank said.

“Other measures have proved to be very successful and due to security considerations we are not in a position to elaborate.”

Standard Bank logo

Now read: Why your bank can send you an account statement at 04:00 but not a marketing SMS

Latest news

Partner Content

Show comments


Share this article
Why banks still use SMS one-time PINs despite SIM-swop fraud