Security 17.06.2013

Internet banking fraud: should we keep using SMS?

SIM swap fraud fix

South African mobile network operators Telkom Mobile, Cell C, and Vodacom all have systems in place that let banks flag potentially fraudulent transactions based on whether a subscriber’s SIM has been recently swapped.

“SMS remains a secure method of authentication,” Telkom Mobile said when asked whether they are taking steps to ensure that the short message service remains a secure second factor of authentication for online banking.

“It is the theft of SIM card details that enables the fraudulent activity,” Telkom said.

According to Telkom, it has an interface that can be queried to find out whether a SIM has been swapped, which banks can use to minimise fraudulent activity.

Cell C has a similar system, a spokesperson for the network recently told MyBroadband, explaining that the information is made available to banks in real time.

“At the moment, only FNB (directly) and Nedbank (through Intersect) are using the capability with Cell C,” the spokesperson said. “However, we are in discussions with the other banks.”

Other ways to prevent SIM swap fraud

Vodacom said that they too have a database that banks can use to see recent SIM swaps and handset changes, but noted that the starting point of Internet banking fraud is the ability of criminals to get hold of customers’ banking details.

“If this information is secured, the SIM swap part of the fraud process becomes irrelevant,” Vodacom said.

That said, Vodacom added that they have implemented a number of features to help protect subscribers against unauthorised SIM swaps:

  • A warning SMS is sent to customers before a SIM swap is completed. If it is unauthorised, customers should immediately call Vodacom.
  • A service where participating customers can elect to have all interaction with Customer Care subject to PIN authentication rather than answering security questions.

Vodacom pointed out that subscribers who have registered for the call centre PIN authentication service should ensure that their PIN is not compromised to help protect them from fraud.

One has to wonder whether it’s worth all this effort, for both the operators and banks, to try and keep SMS as a second factor of authentication for online banking.

Would a key fob or authenticator app keyed to your smartphone such as those used by Capitec be such a great inconvenience compared to SMS?

Perhaps there is a financial incentive for the operators to keep using SMS?

Banks already exploring alternatives to SMS

According to Cell C and Vodacom, the financial impact on them if banks decide to move away from SMS as an authentication mechanism would be minimal.

“Currently, the bulk of SMS volumes from banks are related to credit card swipes and notifications of payments in or out of accounts,” Cell C said.

The spokesperson for Cell C went on to say that banks are already exploring other notification systems to protect secure information, such as USSD messages.

Adrian Vermooten


Absa plugged into operator SIM swap databases

MTN did not respond to requests for comment on this issue, but feedback from the head of Absa’s digital division, Adrian Vermooten, suggested that MTN does have an interface banks can use to look up recent SIM swaps.

According to Vermooten, Absa currently uses the SIM swap database interfaces provided by Vodacom and MTN.

He said that they don’t use Cell C’s interface yet because it is brand new, but confirmed that they are in discussions with the operator to link into it.

Vermooten went on to explain that a SIM swap in itself is not a flag for fraud, but that it’s just one of the factors considered when evaluating whether activity on an account might be fraudulent.
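As an added illustration (not code from Absa, the operators or the original article), the sketch below shows how a recent SIM swap can be weighed as one factor among several instead of being treated as a fraud flag on its own. The `OperatorRecord` shape, the other factors, and every weight, window and threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# All weights, windows and thresholds are assumed values for illustration.
RECENT_WINDOW = timedelta(hours=72)
HIGH_VALUE = 10_000.00
WEIGHTS = {"recent_sim_swap": 2, "recent_handset_change": 1,
           "operator_lookup_unavailable": 1, "new_beneficiary": 1,
           "high_value": 1}

@dataclass
class OperatorRecord:
    """Hypothetical result of an operator SIM swap lookup."""
    last_sim_swap: Optional[datetime] = None
    last_handset_change: Optional[datetime] = None

@dataclass
class Transaction:
    amount: float
    new_beneficiary: bool
    when: datetime

def _recent(event: Optional[datetime], now: datetime) -> bool:
    # Future timestamps (clock skew, bad data) are not treated as recent.
    return event is not None and timedelta(0) <= now - event <= RECENT_WINDOW

def assess(txn: Transaction, record: Optional[OperatorRecord]) -> Tuple[str, List[str]]:
    """Return (decision, factors). record is None when no lookup was possible."""
    factors = []
    if record is None:
        factors.append("operator_lookup_unavailable")
    else:
        if _recent(record.last_sim_swap, txn.when):
            factors.append("recent_sim_swap")
        if _recent(record.last_handset_change, txn.when):
            factors.append("recent_handset_change")
    if txn.new_beneficiary:
        factors.append("new_beneficiary")
    if txn.amount >= HIGH_VALUE:
        factors.append("high_value")
    score = sum(WEIGHTS[f] for f in factors)
    # A swap on its own scores 2 and stays below the step-up threshold.
    if score >= 4:
        return "hold", factors
    if score >= 3:
        return "step_up", factors
    return "allow", factors
```

Here "step_up" stands for asking for additional verification and "hold" for pausing the transaction pending review; both labels are placeholders for whatever process a bank actually uses.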
