Many ABSA Internet banking customers are questioning the safety of their money after a spate of SIM swap fraud cases where large amounts of money were stolen. Of particular concern is that there is not much people can do after they were defrauded.
Recent media reports that fraudsters stole R360,000 from Media24 CEO Esmare Weideman – an MTN and ABSA customer – unearthed the shocking truth that SIM swap fraud is widespread, and has been happening for years.
Many SIM swap fraud victims came forward, reporting massive losses including amounts to the sum of R117,000, R110,000 and R67,500. A common thread in all these complaints are that they were MTN and ABSA customers.
Unfortunately SIM swap fraud is nothing new – see SIM swap fraud has been happening for years
MTN admits fraudulent SIM swaps, denies liability
MTN explained that the typical case involves a fraudster gaining access to a person’s Internet banking details, after which a fraudulent SIM swap is done to get a person’s bank notifications.
MTN therefore confirms that fraudulent SIM swaps are performed on its network, but denies responsibility for losses from banking customers.
Eddie Moyce, Chief Customer Experience Officer at MTN SA, said that there is a misplaced belief that mobile network operators are liable when it comes to SIM swap fraud. “The mobile network operators are not liable,” said Moyce.
Moyce explained that a fraudster needs the Internet banking details to commit this crime. ”Our courts have already held that a SIM-Swap does not in itself enable a fraudster to commit fraud on a customer’s bank account,” he said.
No clarity on ABSA Internet banking security
While it is known that all the cases involve fraudulent SIM swaps to intercept a customer’s Random Verification Number (RVN), there is still uncertainty as to how fraudsters gain access to the victim’s Internet banking details (hence username and password).
ABSA has previously indicated that phishing attacks are usually behind leaked Internet banking usernames and passwords. However, many of the SIM swap victims deny that they fell prey to a phishing attack.
These are some of the scenarios as reported by SIM swap victims:
–The victim did a SIM swap, and soon afterwards their SIM died and money is moved out of their Internet banking account
–The victim may have been a phishing victim, and their SIM then went dead and money is stolen using their Internet banking details
–The victim reports that there was no requested SIM swap and they did not fall victim to any phishing scam. Their SIM suddenly went dead, and money is stolen from their account using Internet banking
There is currently no clarity on whether all the SIM swap fraud cases involved phishing attacks.
There is also no clarity as to whether weaknesses within ABSA – rogue employees or other security problems – may be behind some of the fraud cases.
At least one ABSA customer whose money was stolen shortly after a SIM swap is questioning ABSA’s security.
She asked to see all action on her Internet banking account to see whether her password may have been changed by an ABSA employee and given to fraudsters. To date ABSA has refused to provide her with these details.
MyBroadband asked ABSA whether security weaknesses within the bank may provide fraudsters with access to a client’s Internet banking facilities, but to date ABSA has not answered this question (despite repeated attempts to get feedback),
SIM swap fraud legal opinion
Many people may assume that if they have done nothing wrong, like falling for a phishing scam, that they will be able to claim their money back after proven SIM swap fraud. Not so.
Nicholas Hall from Michalsons Attorneys said that the bank and the mobile operator are going to disclaim all liability based on their terms and conditions, arguing that negligence on the part of the consumer was to blame for the fraud.
Hall said that the bank will argue that a customer has fallen victim to a phishing scam, which shows negligence on the user’s part and hence the bank cannot be held liable for any losses.
“The bank will argue that somebody has logged on to your account, with your username and password, and they have given the random RVN and PVN number – as far as we are concerned that is you,” Hall explained.
The bank will simply argue that “How much more must we put in place to protect you?” said Hall.
If there is conclusive proof that weaknesses within the bank are behind fraudsters getting access to your Internet banking details, it remains a challenge to legally get your money back.
“If it is an inside job, it raises the question of vicarious liability – where you can hold an employer liable for the actions of their employees”. However, even here it is challenging to argue a case.
Hall explained that for a vicarious liability case to hold, the employee who caused the damage (hence fraud) had to act within the course and scope of their employment. This, Hall said, puts a big hurdle in the way of holding the bank responsible.
“If you want to sue somebody [for the loss of money through a SIM swap scam] the banks are not the way to go,” said Hall.
Mobile operator also a challenging route
Hall said that a victim may have more success going after the cellphone providers, purely because it will be easier to prove gross negligence on their part. However this will also pose serious challenges.
Hall highlighted that there are two components to SIM swap fraud – getting access to an individual’s Internet banking details and getting access to the person’s SIM card.
“The problem consumers will have with going after the mobile operators is the causation issue, which means that it is not enough to do an illegal SIM swap to steal money out of an Internet banking account,” he explained.
The cold, hard truth about SIM swap fraud liability
Hall said that, unfortunately, the party who is ultimately liable in SIM swap fraud is the person who committed the fraud. “This is ultimately where the legal liability lies,” Hall said.
Hall said that the sad truth for SIM swap victims is that fraudsters are notoriously difficult to find, and even if they are found it is very difficult to get money back from them.