An industry insider with extensive knowledge of Internet banking fraud involving SIM swaps has revealed how fraudsters steal millions of rand from South African online banking clients.
To shed light on exactly how the fraud works, an industry player agreed to speak to MyBroadband under the condition of anonymity.
They said that the process followed by fraudsters to steal money from online banking users in South Africa is nearly always the same:
- Get the person’s Internet banking details, typically through a phishing attack;
- Get a banking account/s to which money can be transferred to and withdrawn;
- Clone the SIM card used by the person;
- Create beneficiaries (using the list of banking accounts) and transfer money to these beneficiaries; and
- Withdraw the money from these accounts.
In each of these steps the criminals can exploit different weaknesses in the system to achieve their goal.
1. Getting the person’s Internet banking details
According to the industry insider, the Internet banking login details (account number, username, and password) of a victim are typically stolen through a phishing attack.
Other ways in which the login details can be attained include computers in public areas (such as Internet cafés) which record sensitive information, keystroke logging software, or malware which provides criminals access to a victim’s computer.
However, phishing remains the most popular way in which personal banking details are stolen.
There are mainly two groups of criminals which gather personal information to be used in online banking fraud:
- The fraudsters, who use phishing or other methods to steal personal details which they will use to steal money later; and
- “Farming” syndicates, who gather personal banking details which are sold to fraudsters who will then use the info to steal money.
While the farming and phishing syndicates operate in countries across the world, the people who finally steal the money are always based in South Africa.
The farming syndicates often sell the stolen personal banking details to fraudsters based on the bank account balance of the victim.
Fraudsters can, for example, request to purchase the stolen banking details of a group of Absa clients with more than R100,000 in their accounts.
This means that the farming syndicates, who use phishing attacks to steal personal banking details, have access to banking employees to gather information such as bank balances and potentially mobile numbers.
The percentage of Internet banking fraud using info bought from farming syndicates versus being obtained through phishing attacks is uncertain, said the industry player.
2. Obtaining bank accounts to get the money out
To withdraw the money which was transferred, the fraudsters need active bank accounts. This is usually achieved in one of two ways:
- Create a bank account using fraudulent personal details, including fake ID books and fake utility bills;
- Use the existing bank account of an unsuspecting person, to transfer and withdraw the money.
The industry insider explained that the fraudsters often use a legitimate existing accounts to which they transfer money by purchasing the account from the person to whom it belongs.
The person may only have R50 in the account, and he is then offered a few hundred rand for his account details and his bank card.
For larger fraud transactions, multiple accounts are prepared to be used for the money transfer. This preparation takes place before a SIM swap occurs.
3. SIM swap time
Armed with a victim’s online banking login details and bank accounts into which the stolen money can be transferred, a SIM swap is needed to receive the one-time-passwords sent to the banking client via SMS.
A SIM swap typically happens using the following methods:
- Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
- Stealing passwords from employees at the mobile operators or mobile dealers.
Post-paid cellular users’ SIM cards can be cloned through a helpdesk by answering personal verification questions such as a home address or work number.
The situation is more complex for pre-paid customers where the personal verification questions focusses on the latest recharges or last numbers called.
By using a fake ID book and other fake documents a person can also do a SIM swap at a mobile dealer, such as an MTN store, a Vodashop, or a Cell C shop.
If a fraudster gains access (through a stolen password) to a support agent’s account, or that of a mobile dealer assistant, the SIM swap process becomes easy.
The SIM swap is typically performed late at night to avoid detection by the victim.
Some fraudsters are also encouraging the victim to switch off their cell phone by harassing them with multiple calls. After the phone is switched off, they do the SIM swap without fear of detection.
Some mobile operators send an SMS notification that a SIM swap has been requested. To avoid the SIM swap being stopped, the fraudsters either use the above method or call the victim masquerading as a mobile operator employee to tell them the SMS was sent by mistake (and should be ignored).
4. Creating beneficiaries, transferring the money
After the SIM swap has taken place and the fraudster has access to the number used by the Internet banking victim, beneficiaries are created, and the money transferred to these beneficiaries.
5. Withdrawing the money
In the case of ATM withdrawals, the money is often transferred shortly before midnight. The maximum daily amount is withdrawn before 00:00, and the same amount just after midnight. The card is then destroyed.
It is also understood that large amounts have been withdrawn by people inside banks, but the exact details about these incidents remain sketchy.
Summary of Internet banking fraud involving SIM swaps
Internet banking fraud involving a SIM swap typically happens in a few basic steps: getting the personal banking details of a victim; getting bank accounts to transfer the money to; do a SIM swap; create beneficiaries and transfer the money to them;, and then withdraw the money.
Phishing is typically the first step of this process, and the SIM swap the last step before the money can be stolen.
What can be done to stop it?
The industry insider suggested a few ways to assist the fight against online banking fraud involving SIM swaps:
- Implement a delay (around two days) on all transfers to newly created beneficiaries;
- Use additional information, most of which is supplied by the mobile operators, to detect potentially fraudulent activities. This includes the age of a SIM, calls made from the SIM, and the device linked to the SIM; and
- Link physical devices (like mobile devices or laptops) with online banking profiles to add an additional layer of security.
The industry player said that while FNB has been quick to implement the additional security features, other banks are not using all the resources available to them to fight Internet banking fraud involving SIM swaps.