The Citizen recently reported on what could be the country’s largest online banking scam to date with a Vodacom employee playing a pivotal role in committing fraud involving the siphoning of funds in the region of R 7-million.
According to the newspaper the 39 year old Vodacom employee, Mbokodana Christopher Khoza, worked with a syndicate to scam money from online banking clients of Nedbank, Absa, Capitec, FNB, Standard Bank, and KwaZulu-Natal’s Ithala Bank.
Vodacom laid criminal charges against Khoza and the cellular provider is working closely with SABRIC and the SAPS on this case. “A further arrest of one of the ring leaders in the syndicate was made. Both suspects appeared before court on 13 July 2009. Bail was not granted. They are still in custody,” Vodacom said in a statement.
But how exactly did the scam work and how did they gain full access to an online banking client’s account when a variety of security measures have been built into online banking systems?
Vodacom explained that for this fraud to take place a variety of criminal activities occurred, of which phishing attacks, social engineering, SMS interception and the registration of fraudulent back accounts were part.
Vodacom said that this intricate online banking scam meant the following had to take place:
The online banking customers had to somehow compromise their PIN and password, typically through a phishing and/or spoofing attack where a false website is used. This PIN and Password gave the scammer access to the online banking account, but to create a new beneficiary and transfer money a One Time Password (OTP) is needed.
This poses two hurdles: gaining access to the cellphone number of the account holder to which the OTP is sent via SMS and then intercepting the OTP SMS without the owner knowing about it. Obtaining the account holder’s cellphone number was typically achieved either by social engineering (getting it from a bank employee) or by the same phishing scam which gave the fraudsters access to the account holder’s banking details.
Intercepting the OTP SMS without the owner knowing about it is where the rogue Vodacom employee came in. The Vodacom employee created a temporary dual SIM, active online for a very short period of time, to intercept the OTP SMS.
This OTP was forwarded to the syndicate which had by now logged into the online banking account and was awaiting the OTP to create a new beneficiary (their own fraudulent banking account) and transfer money to this new beneficiary.
The short time frame in which the ‘false’ dual-SMS is active means that the legitimate owner of the SIM was typically unaware of the downtime and therefore would not suspect anything untoward.
After the money has been transferred to the fraudulent account it is withdrawn as quickly as possible. To ensure a speedy transfer of money the syndicate typically used a fraudulent account from the same bank as the victim who was scammed.
Many security breaches
What makes this case significant is the many security measures which were successfully breached. While the Vodacom employee who intercepted the OTP SMSs stole the headlines, the vulnerabilities of the local online banking system and the failure of FICA exposed by this scam are equally worrisome.
Vodacom pointed out in a press statement that it is only possible for the fraud to happen if an online banking customer has compromised his PIN and the Vodacom security measures have been bypassed.
The online banking account holder himself – through either falling for a phishing/spoofing scam or being a victim of a key logging malware attack – is the first point of failure. Without the account holder’s banking details and password/s this type of fraud would not be possible.
The next security failure is the ability of fraudsters to gain access to the account holder’s cellphone number which is linked to the account. This may well involve a rogue banking employee or even social engineering where a banking employee is duped into providing this sensitive information to the fraudsters. Phishing and/or spoofing can also be used here.
And then there is the fact that the scammers used multiple back accounts at local banks to transfer the money into once the money had been withdrawn. The Financial Intelligence Centre Act (FICA) should have allowed the relevant authorities to track down the fraudsters and easily recover the missing funds, but the Act failed to assist in bringing the scammers to justice.
Time for improved systems?
This string of security measures which have been breached raises questions about the safety of online banking and whether it is time to jack up the online banking system in South Africa.
Vodacom said that it has already “implemented additional security measures, to ensure that this type of fraud does not happen again”, but this is only one improvement to the system where multiple security features proved inadequate.
The vulnerability of SMS based authentication, which was believed to be a strong security measure, has been exposed and some security experts suggested that it should be replaced by eTokens or even biometric authentication.
These stronger security measures will however incur additional costs to online banking clients, something which may not be well received in these economic times.
Online banking fraud – comments and views