Absa has told MyBroadband that there are several misconceptions regarding Internet banking fraud and how it handles these cases.
“It is entirely in the bank’s interest to ensure that no fraud takes place and that when it occurs, those responsible are apprehended and made to account,” it said.
Absa said there is no upside for the bank when its clients are hit by fraud.
If it finds that it needs to pay back a client, the bank suffers financially. If it denies the refund, its reputation suffers.
In either case, the trust between the bank and customers is affected.
Absa’s statement follows reports that a couple took the bank to the Cape Town High Court, alleging its negligence allowed fraudsters to steal R1.6 million from their accounts.
This case followed that of Piet Malan, where R250,000 was stolen from his account after he allegedly failed to keep his Internet banking credentials safe.
In both cases, the fraud victims were also clients of Vodacom.
Absa said the assumption in media coverage is that bank employees are always complicit in perpetrating the crime.
In this respect, the bank pointed out the following:
- Bank staff, including IT support staff, do not have access to customer passwords. These are held in an inaccessible, encrypted database.
- When it is warranted, the bank investigates whether or not staff may have been involved.
To date, Absa has found no evidence indicating staff were involved in defrauding clients.
Who has your personal data?
Banks and mobile operators agree that most online banking fraud follows phishing attacks, in which attackers acquire a customer’s personal data through a scam email or website.
Absa said it is not the only custodian of clients’ personal information, and that the information SIM-swap fraud perpetrators use is not only held by banks.
“For instance, customers who have post-paid phone contracts provide most of this information to mobile phone service providers,” said Absa.
In this scenario, a mobile network operator will have your:
- Name, ID number, and residential address.
- Banking details including account number, branch code, and bank.
- Cellphone numbers.
“This is not to shift the blame to cellphone network providers, but to demonstrate to you that the cyber criminals are sophisticated and probably have accomplices who provide them with information in entities that are not directly connected to the bank,” said Absa.
“This includes any company to whom a customer may have provided their bank account and cellphone details in order to make a payment or open an account.”
Absa said all holders of customer data have a responsibility to take strong measures to protect it.
Compounding the issue is that it is technically possible to effect a SIM swap without the necessary verification and identification, it said.
“The system depends entirely on the ethical robustness of the staff member concerned.”