WASPA has issued R100,000 fines to two companies for failing to take reasonable steps to prevent “fraudulent use of member’s networks and systems”.
According to WASPA adjudicator reports on the fines, the parties at fault were Mobile World AG and Buongiorno South Africa.
Both were fined R100,000 for contravention of clause 4.11(a) of the WASPA code of conduct, with R50,000 payable immediately and R50,000 suspended for 6 months.
The complaints against the companies were very similar, and were lodged by the WASPA Compliance Department.
Tests were conducted by the complainant on the members’ systems, which resulted in the fines.
The test results identified that the companies had “failed and/or omitted to implement one or more of the measures set out in section 2.3 of the WASPA Fraud Detection and Mitigation Best Practice Guidelines (version 2.1)”, stated the report.
In the case of Buongiorno South Africa, the tests showed that the page on the domain name used immediately before the network hosted confirmation page was non-compliant for the following reasons:
- Content Security Policy Frame-Ancestors Directive not set as ‘none’.
- X-Frame-Options Response Headers not set as ‘deny’.
- A 302 code was presented, which means that any security requirements that may have been set, did not render and would not work effectively.
In its response to WASPA, Buongiorno South Africa said it had taken reasonable steps to secure its networks and systems.
However, WASPA was not convinced.
“The incidence of fraudulent attacks and activities on the networks and systems of mobile service providers in South Africa and worldwide has become a major concern, not only for WASPA members but for all stakeholders in the industry,” it said.
It added that the company did not comply with best practices and had contravened its code of conduct.
In the case of Mobile World AG, the company was more apologetic.
WASPA stated tests results showed that the page on the domain name used immediately before the network hosted confirmation page was non-compliant for the following reasons:
- No Content Security Policy Frame-Ancestors Directive set as ‘none’.
- No X-Frame-Options Response Headers set as ‘deny’.
The company did not dispute the tests results, and said it wanted to remedy the issue by organising a team of technical experts to implement improvements.
WASPA issued a fine nonetheless, but added that it was the company’s first offence and noted it had committed to fixing the breach.