An internal forensic investigation by MTN South Africa into suspected fraud has revealed a criminal syndicate working to defraud MTN and its customers.
MTN worked with the Directorate for Priority Crime Investigation cybercrime unit, known as the Hawks, in a covert investigation to identify the criminals.
MTN SA’s executive for corporate affairs Jacqui O’Sullivan said they gained extensive insights into the modus operandi of the syndicate.
“While the investigation remains ongoing, the collaboration has amassed a vital body of evidence against the perpetrators of the fraud,” she said.
To date, the investigation has uncovered 1,914 MTN subscriber accounts compromised by the cybercriminals.
MTN continues to scan customer accounts to proactively identify irregularities and unauthorised activity.
MTN believes the illegal access was gained using compromised credentials, including usernames and passwords, of some MTN employees and a limited number of MTN partners.
The circumstances leading to the compromised credentials are still being investigated. The investigation currently points to a failure to protect user credentials and potential insider involvement.
When MTN noted the initial fraud in late 2020, it appeared to relate only to limited airtime fraud against the company.
However, through the course of the investigation, it emerged that some of MTN’s systems had been illegally accessed.
These systems were used as a conduit to enable a greater scheme of fraud, with the criminals using personal information they acquired outside of MTN’s systems to identify potential victims.
MTN’s investigation, which reviewed hundreds of hours of recorded sessions where the criminals were online, showed the fraudsters were using externally gained identity numbers to conduct searches within some MTN systems.
The criminals appear to have been testing the ID numbers already in their possession on the MTN system to look for matches to facilitate illegal SIM swaps.
Once a SIM swap was undertaken, one-time passwords (OTPs) would be sent to the “new owner” of that number to facilitate various types of fraud.
Due to the compromised credentials and limited system access, MTN has notified the Information Regulator of South Africa.
The company has also initiated individual engagements with the 1,914 customers who it knows to have been compromised by this syndicate. Those customers are all receiving letters and follow-up calls from MTN.
A dedicated customer support team is rectifying unauthorised transactions on the affected MTN clients’ accounts.
MTN SA CEO Godfrey Motsa said the resolution of this issue is their utmost priority.
“Our initial focus has been to shut down the illegally gained access, to assist our affected customers, and to bring in the police to track down these criminals so we can see them prosecuted,” he said.
“We are taking this very seriously, and uncompromising consequence management will follow both for the criminals and any direct employee or partner that may have had a hand in facilitating this crime. We will be pursuing prosecutions to the full extent of the law.”