In 2013 there was a spate of online banking fraud which involved SIM swap fraud. According to an industry insider, between R100 million and R200 million per year has been stolen.
This industry player argued that banks can do more to fight Internet banking fraud involving SIM swaps.
The measures suggested include a delay in payments, linking physical devices to SIMs, and using additional SIM information supplied to banks by the mobile operators to detect potential fraud.
According to the industry insider, FNB was doing the most to protect their clients, which included making the most of the information available to them.
South Africa’s biggest banks were asked what they are doing to fight online banking fraud, and the responses are provided below.
CEO of FNB Online, Lee-Anne van Zyl, said that where possible they use information provided to them by service providers to detect SIM swaps and are looking at ways to expand the use of this across their digital channels.
She said that the SIM data is used to closely monitor transactions which may indicate fraud.
“We have a multi-layered approach to detect and mitigate online banking fraud, but so as not to alert criminals to our security methods, we cannot disclose the details,” said van Zyl.
She added that delayed payments, as suggested by the industry insider, are not a realistic option because they compromise too much in terms of convenience.
“Many of our customers expect and want the recipient to receive their funds as soon as possible for legitimate payment reasons, therefore it is not feasible to introduce a money transfer delay on newly added beneficiaries,” she said.
“This is the reason why our Internet Banking application is unaffected by SIM swaps,” said Nel.
Capitec uses a unique number generator that can either be loaded as a PIN-protected app on a smartphone, or as a separate number generator on a keyring.
Nel concurred with FNB’s van Zyl about security versus convenience, saying that any security measure should be weighed against the convenience of clients being able to easily transact on their Internet Banking profiles.
Standard Bank spokesperson Ross Linstrom said that given the penetration of mobile devices and the closeness of the devices to customers, there are always new and clever opportunities to leverage from an online security perspective.
“There are even greater opportunities to be explored around understanding the customers’ usage patterns, including preferred channels and transactional behaviour, which we are always exploring and even utilizing on some of our channels,” said Linstrom.
Linstrom would not answer questions on whether they use SIM information supplied to them by the mobile operators to combat online banking fraud.
He would also not comment on SIM and device linking, or delayed payments as measures to protect their customers.
Absa, which was the bank used by a large portion of the online banking and SIM swap victims this year, did not respond to questions about how they are protecting their clients.
Absa also did not respond to allegations that its online banking system made it easier for fraudsters to steal money from Absa clients than other banks’ clients.
Nedbank provided the following comprehensive response about their online banking security system.
In March 2012, Nedbank implemented a world first with Approve-it, an out of band transaction authentication solution. Approve-it provides clients with a convenient way to authenticate sensitive transactions on both the Retail Internet Banking and WAP banking solutions.
Approve-it utilises USSD technology to send a message to the client when completing a sensitive transaction (such as adding a beneficiary, making a once-off payment or buying pre-paid airtime) on Internet Banking or WAP, which the client can then “Accept” or “Reject” by responding to the message.
Approve-it is more secure than the traditional One Time PIN (OTP) sent via SMS, due to the fact that the transaction authentication now takes place through a different channel (the client’s phone). The client is not required to type an OTP back into the browser, as the client could already have accessed a phishing site. Approve-it is also much more convenient, as it requires a simple response of 1 to ‘Accept’ or 9 to ‘Reject’ the transaction, including the transaction details.
Nedbank is currently concluding a solution to monitor whether a client’s SIM card has been swapped, to allow the bank to safeguard the client.
Since its deployment, Approve-it has secured more than 32 million sensitive transactions and Nedbank has virtually eliminated losses as a result of phishing attacks on its clients’ accounts.
Nedbank also launched the award winning Nedbank App Suite in August 2012. Security is a top priority for Nedbank and the Nedbank App Suite leverages world-class digital certificate technology, providing a secure user experience and offering great value banking for users. The digital certificate uniquely identifies the device and creates a secure connection between the device and the bank.
Access to secure services such as Banking, NetBank Business and Share Trading is PIN protected, making this solution both secure and convenient, with clients not required to provide extensive logon credentials each time they utilise the services. The PIN is not stored within the Nedbank App Suite, instead the security is built around the digital certificate, appropriately protected within the Nedbank App Suite. The Nedbank App Suite was engineered specifically to cater for the unique challenges in the mobile world.
Functionality to detect compromised devices forms part of the Nedbank App Suite end-to-end security layer. The client remains responsible to ensure his mobile operating system is kept up to date.
The Nedbank App Suite is available on Apple (iPhones and iPads), Android (Phones and Tablets) and BlackBerry (OS 5, 6, 7 and 10) devices from the various app stores as well as selected Nokia devices from Nedbank.mobi.
Transaction values processed through the Nedbank App Suite thus far have exceeded R27 billion since its launch, highlighting the trust that clients have in this solution.
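
The two controls discussed in the article, an out-of-band Accept/Reject prompt that carries the transaction details and a check of operator SIM-change data before the phone channel is trusted, can be modelled as follows. This is an added example, not Nedbank's or any other bank's code; the class and status names, the 48-hour window and the sample phone numbers are assumptions.

```python
from datetime import datetime, timedelta

# Transaction types the article lists as sensitive.
SENSITIVE = {"add_beneficiary", "once_off_payment", "prepaid_airtime"}
# Assumed policy window; the article gives no figure.
SIM_SWAP_WINDOW = timedelta(hours=48)


class ApprovalService:
    """Hypothetical bank-side model of an out-of-band Accept/Reject prompt."""

    def __init__(self, sim_changed_at):
        # msisdn -> datetime of the last SIM change, as reported by the operator
        self.sim_changed_at = sim_changed_at
        self.pending = {}  # msisdn -> (kind, details) awaiting a reply

    def request(self, msisdn, kind, details, now):
        """Return (status, prompt); the prompt goes to the phone, not the browser."""
        if kind not in SENSITIVE:
            return "approved", None
        swapped = self.sim_changed_at.get(msisdn)
        if swapped is not None and now - swapped < SIM_SWAP_WINDOW:
            # A recent SIM change means the phone channel cannot be trusted yet.
            return "held_for_review", None
        self.pending[msisdn] = (kind, details)
        return "pending", f"{details}. Reply 1 to Accept or 9 to Reject."

    def reply(self, msisdn, digit):
        """Apply a reply to the transaction the bank stored, then discard it."""
        if self.pending.pop(msisdn, None) is None:
            return "no_pending_transaction"
        # Only an explicit 1 approves; 9 or anything else fails closed.
        return "approved" if digit == "1" else "rejected"


def demo():
    now = datetime(2013, 11, 1, 12, 0)  # constructed sample data
    svc = ApprovalService({"27820000002": now - timedelta(hours=3)})
    status, prompt = svc.request(
        "27820000001", "add_beneficiary", "Add beneficiary J Smith, acc ending 1234", now)
    results = [status,
               svc.reply("27820000001", "1"),
               svc.reply("27820000001", "1"),  # a replayed reply finds nothing pending
               svc.request("27820000002", "once_off_payment", "Pay R5000", now)[0]]
    return results, prompt
```

The reply is applied to the transaction the bank stored when it sent the prompt, so nothing the client types into a possibly phished browser session decides what gets approved.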