South Africans are being hit by a new spin on an old scam. Criminals hijack your WhatsApp account by taking control of your phone number, then ask your contacts to send them money.
Variants of this scam are seen all over the world. This time, though, scammers exploited weaknesses in South Africa’s number portability systems to gain control of people’s phone numbers.
Once the scammer has successfully ported your number, they install WhatsApp and reportedly wait for your contacts to send you a message, or use group chats to find victims to scam.
Impersonating you, they then send a message to your contacts saying that you have lost your bank card and urgently need them to send you some cash via eWallet.
Many victims fall for the story and send the scammer all the details they need for a cardless cash withdrawal of amount they asked for.
This lets the scammer withdraw cash from an ATM with a one-time PIN provided by the victim.
The did a sim-swop and did exactly the same on my line. Made R24000 on last count from my WhatsApp contacts. @MTNza couldn’t cancel the sim and was demanding of so much more from me then them. Took 9hrs to cancel the sim after my first report. The mobile providers are complicit
— Mlimandlela Ndamase (@PrinceNdamase) January 9, 2020
Number porting and SIM-swap scams
Scams involving the hijacking of people’s cellphone numbers are not new to South Africans.
There are regular reports of SIM-swap scams, where criminals take control of a victim’s cellphone number to intercept messages containing one-time PINs from their bank.
These criminals then log into the victim’s online banking profile and withdraw all the money they are able to.
For such an attack to work, the criminals must first have obtained the victim’s online banking credentials.
As a result of the increasing SIM-swap fraud in South Africa, networks and banks adapted their systems to make it more difficult to execute these attacks.
However, number porting is different from a regular SIM-swap, as it is regulated by the Independent Communications Authority of South Africa (ICASA).
In short, these new WhatsApp begging scams differ from SIM-swap attacks in two major ways:
- The criminals don’t need to get your online banking password. They simply ask your contacts to send them money.
- Criminals are using number portability to hijack people’s cellphone numbers rather than a SIM-swap.
Why number porting is opt-out, instead of opt-in
When these scammers try to hijack someone’s number by porting it, the person being hijacked should get a message from their operator that lets them block the porting request.
However, this is an “opt-out” system. You usually have less than an hour to respond to the SMS and if you do not block the port, it is automatically approved.
The reason number portability in South Africa works this way is due to a High Court judgement in a 2016 case between Cell C and MTN.
Vodacom and MTN tried to implement an opt-in system for porting numbers, but it caused tremendous problems for Cell C.
The proportion of failed porting requests to Cell C jumped from around 1.5% to over 60% on Vodacom, and from around 7.5% to over 70% on MTN.
Vodacom gave subscribers 40 minutes within which to authorise the port, while MTN gave a window of 30 minutes within which to respond.
Vodacom’s warning message was as follows:
Vodacom received a request to port [number] — note that you’ll lose all airtime/bundles. Reply 1 to confirm within 40 minutes.
MTN sent subscribers who were porting this warning:
Alert! MTN has received a Port Out Request from this number. You will lose all airtime/bundle SMSs. To proceed reply 1 to this SMS within 30 minutes.
While MTN stated that it implemented the system as an extra security measure to curb unauthorised porting, Cell C contended that Vodacom and MTN were blocking legitimate port requests.
According to Cell C, even when a subscriber selected to be ported within the time frame, the request would still be rejected in some cases.
Vodacom settled with Cell C to reinstate an opt-out system for porting numbers, while MTN fought the matter in court and lost.
Regulations for more secure number porting already exist – MTN
ICASA has attempted to amend the Number Portability Regulations, publishing a draft on 28 March 2018 and going through a public consultation process.
On 29 March 2019, ICASA published the final version of the regulations to promulgate.
Cell C responded by filing papers in the Gauteng High Court, stating that ICASA’s requirement that porting requests must be verified was too vague.
ICASA did not specify which forms of verification were permissible, Cell C said.
No date has been set for the hearing.
The executive for corporate affairs at MTN South Africa, Jacqui O’Sullivan, explained that the Number Portability Regulations require a donor operator to validate a port request by means of a one-time pin, which must be valid for 4 hours.
“If a customer does not respond to validate the port request within four hours using the one-time PIN the port request must be rejected,” O’Sullivan said.
“These regulations currently have no effective date. The one-time PIN validation is in the best interests of all consumers to protect them against unauthorised ports and fraud. Therefore it is critical that ICASA make the 2018 regulations effective as soon as possible.”
How fraudsters port your number
While having a validation system for number porting requests is essential, there is still the open question of how the scammers are able to port people’s numbers in the first place.
Unfortunately, it is only possible to speculate how the scammers are porting numbers.
South Africa’s history with SIM-swap fraud does suggest some likely scenarios:
- Identity theft — the fraudsters may be forging documents to persuade mobile network staff to port numbers.
- Social engineering — the fraudsters may have got the login details of staff members at network operators through tricks and tradecraft.
- Insiders — the fraudsters may be working with insiders at the cellular networks.
Defending against WhatsApp begging scams
There are a few things you can do to avoid becoming a victim of a WhatsApp begging scam.
1. Enable two-step verification in WhatsApp
This protects your WhatsApp account with a PIN.
2. If someone asks you for money, check that it’s really them
If you receive a message from someone claiming that they urgently need money, call them to see if it is really them.
— Nkgono Neria (@neriahlakotsa) January 4, 2020
3. Use WhatsApp’s number changing function
If you change your phone number, remember to migrate your WhatsApp account rather than just creating a new one.
4. Watch out for porting SMS messages
If you receive an SMS, don’t assume that it is spam. If it is a porting message from your network, you will usually have less than an hour to respond and block the port.
5. Never, ever, turn off your phone
A common tactic SIM-swap fraudsters use to get people to turn off their phones is to annoy them with a barrage of missed calls.
If you turn off your phone and a fraudster is trying to steal your number, you will miss the number porting SMS warning from your operator.
6. If you suddenly lose signal, get suspicious
So many SIM-swap fraud horror stories start with, “I suddenly lost signal on my phone”.
This is somewhat complicated advice thanks to the return of load-shedding. However, if there is no obvious reason for your phone to suddenly have no signal, contact your network operator as soon as possible and don’t rest until it is resolved.