In 2013 there was a spate of Internet banking fraud using a SIM swap technique which involved Absa and MTN clients (see Internet banking SIM swap fraud: victim reports summary). The reasons, an industry insider said, were weaknesses in the systems of these two companies.
To commit Internet banking fraud a criminal needs the Internet banking details of the victim (typically stolen in a phishing attack), and access to their SIM to receive one time banking passwords.
SIM swaps are often used to receive a victim’s SMS messages, and hence one time password.
Most fraudulent SIM swaps, the source said, involve “identity theft” or unauthorised access to the SIM swap system.
Why Absa clients were vulnerable
According to the industry insider, Absa’s online banking system used to provide a wide range of information about the client when logged in to the banking website.
After a successful phishing attack on an Absa client, the criminal could log into the online banking system and gather a lot of information about the client.
Armed with this personal information about the victim, the criminal could easily answer personal verification questions from a helpdesk agent and request a SIM swap.
It is understood that Absa has now limited the amount of information available about an account holder through its online banking system.
Absa insider info
The industry insider explained that personal banking information is often stolen by phishing syndicates (aka farming), and then sold to South African fraudsters.
The value of the stolen banking details increases when the account balance and other personal info are provided as well.
The associated information makes it easier for fraudsters to identify the type of victims they are after, and ensure that there is money in the accounts they are targeting.
To get the additional information about the victims, the source explained, a rogue employee inside the bank is needed. According to the industry player this is exactly what happened at Absa.
MTN employee password system weak
The industry insider said that MTN’s employee and dealer systems are vulnerable to stolen passwords.
A fraudster can therefore access the MTN system and request a SIM swap when an employee or dealer’s password is compromised.
This weakness in MTN’s system, he said, made MTN a more attractive target for SIM swap fraud.
Absa, MTN mum on the issue
Absa said in May 2013 that SIM swap fraud is an industry problem rather than an Absa specific issue, but the new information suggests that Absa was more vulnerable to this fraud.
Absa was asked for comment on the issues which allegedly made it easier for criminals to attack Absa customers, but the bank did not comment by time of publication.
MTN also did not respond to questions about the alleged weaknesses in its system which allowed for easier fraudulent SIM swaps.