Online banking: be very careful

Chances are good that you bank digitally these days – whether through your bank’s internet banking site, on a mobile or tablet app, or with cellphone banking. It’s convenient and quick and can be done at any hour of the day, without having to wait for office hours.

But how safe is it really? Or more importantly, have you done anything (maybe inadvertently) that could lead to your login details being compromised? If so, you could be liable for any losses incurred when fraud does take place.

In a recent incident, reported on Moneyweb, an MTN client’s SIM card (which was linked to his Absa bank account) was illegally swapped and used to defraud the client of R97,000 from his bank accounts. He was advised by his bank that it was not liable for the loss, as his login details were used and the once-off password sent to his cell number was also used.

This is not an isolated case. The Ombudsman for Banking Services’ 2011 Annual Report (the 2012 report has not yet been released) shows that 591 Internet banking complaints were resolved (the second-highest category after “ATM”). A total of 36% were in favour of the bank (213 cases) and 378 in favour of the complainant (64%).

In his report, Ombudsman Clive Pillay said that Internet banking fraud-related complaint cases are “notoriously time consuming” to investigate and assess. According to the report, R17.6m was recovered from the banks in 2011, compared with R11.6m the previous year. Pillay stated that the increase is mainly because the recommendations made in Internet banking fraud-related cases involve large sums of money stolen from the customer.

Phishing tactics

There are various ways a criminal can steal your money online. The best known is phishing, where banking clients are asked to click on fake links and then asked for their login details. With banks utilising security measures such as one-time verification codes sent to your cellphone, the criminal then also has to do an illegal SIM swap to get access to your cellphone number. Some banks use technology to prevent this, such as a physical token to generate a once-off PIN (Capitec) or out-of-band authentication, where the client does not enter the once-off verification PIN into the website again (Nedbank).

According to Susan Potgieter, general manager for the commercial crimes office at the South African Banking Risk Information Centre (SABRIC), phishing is still very prevalent and illegal SIM swaps are on the rise.

“Phishing in general, not just with regard to banks, is cyclical – you will see that there are a lot of phishing attempts currently using the South African Revenue Service and an alleged revenue refund to try and get people to give their details,” she told Moneyweb.

When the criminal also starts using some of your personal details that can be found online, this very targeted phishing attempt is known as “spear phishing”. Information about the target (you) is used to make the attacks more specific and personal. These details are sometimes easily obtainable through social media platforms – millions of people, for example, still have their cellphone numbers, email addresses and physical addresses open for all to see on Facebook.

Asked how careful people should be with their personal information, Potgieter commented that “one could never be too careful”, but that the problem was that to be commercially active you sometimes have to give out information.

Potgieter indicated that liability for loss would be determined for each and every incident. “If I can simplify it, though: If you hand the key to the safe to a criminal who then opens it, it is a lot different from a criminal that has to use a grinder to get in,” she said.

There have been cases where the client was held liable. A judgment in 2011 from the Pretoria High Court, for example, found against the claimant, who lost R200 000 as a result of a phishing scam. The claimant replied to an email and supplied login details – even though his bank often warns clients that it would never request details via email.

Other possible ways for internet banking fraud to be perpetrated are identity theft, where the criminal uses your personal information to open new accounts and then hack into your other accounts, and pharming, where hackers hijack a bank’s URL. Potgieter says she is not aware of the latter ever happening in South Africa.

Keylogging (via software or hardware) is where your keystrokes are recorded when you enter your login details. Many banks now ask you to click on a keypad on the site rather than typing in your details. Copycat websites and man-in-the-browser attacks (where the criminal makes it look as if you’re paying, for example, your TV licence account, but the destination bank account is changed) are also threats.

Petar Soldo, director of TMS30X30, a research company with extensive knowledge in the financial services industry, told Moneyweb that security concerns have multiplied with the launch of tablets and apps. “It is not clear what security is in place for these devices and if the security is at the same level as Internet banking,” he said. He added that an area that doesn’t receive enough attention is the risk posed by third parties that hold a lot of customer data (e.g. credit cards) and which can be compromised or hacked.

“Unfortunately fraudsters are getting smarter and smarter and also people are sharing and putting more and more info online which increases the risks. Banks could argue that customers are at fault here and that they (the banks) do warn customers and make anti-virus software available,” he said.

Source: Moneyweb
