New online banking fraud scheme in South Africa
One fateful Monday morning in January 2014, Shandin Thompson’s cellphone would not stop ringing.
When he picked up the first few times, the person on the other end would simply disconnect the call, but then soon phone back.
Unable to take the disturbance anymore, he switched his phone first to vibrate and then, finally, off.
According to Thompson, when he switched his phone back on 5 minutes later it would no longer connect to the Vodacom network.
Those familiar with the reports of last year’s spate of SIM swap scams will be all too familiar with this story.
However, Thompson didn’t think much of it and decided to swing by a Vodacom Shop later that afternoon to find out what had happened.
He was no longer a Vodacom customer, Thompson was told, as his number had been ported to Cell C that very morning.
Bewildered at losing the number that had been his for over a decade, Thompson demanded that the fraudulent port be reversed, only to be told that it could not be done until he could prove the number belonged to him.
The following day, Thompson discovered that over R5,600 was missing from his First National Bank (FNB) accounts, with his statements reflecting airtime purchases for a variety of cellphone numbers he had not authorised.
In one fell swoop these crooks had not only gained access to Thompson’s bank account, but also stole his cellphone number of 15 years.
Not your average SIM swap fraud
While SIM swap fraud in South Africa is sadly nothing new, Thompson’s case has a number of peculiarities that sets it apart from other reported incidents.
On the one hand, the fraudsters went to the effort of porting Thompson’s number to a different network rather than just doing a temporary SIM swap.
They also elected to use cellphone banking to buy airtime instead of transferring money to a bank account they control and then withdrawing the cash.
Negligent until proven otherwise
As with the more well-known online banking fraud involving SIM swaps, neither the bank nor the operator are accepting liability for the loss.
Cell C was asked about the fraudulent number port that was done to its network, but a spokesperson for the network said that the port would not have been possible had a fraudulent SIM swap not first gone through on Vodacom’s network.
“When Cell C receives a porting request we send a notification to the porting requester to ensure that a port is valid with contact details to halt a port if it is not,” the spokesperson said.
Vodacom and FNB both argue that for the fraudsters to have transacted on Thompson’s accounts in the first place, they had to have his cellphone banking credentials, which in this case was a 5-digit PIN.
“We reiterate our regret for the financial loss you have suffered,” Vodacom said in an e-mail to Thompson. “Having said this, we confirm that Vodacom’s system was illegally manipulated by criminal activity and that we deny liability in this regard.”
Essentially the bank and mobile operator are saying that the victim didn’t keep his PIN safe enough and had either directly or indirectly (through some form of negligence) disclosed it to the fraudsters.
FNB did not answer questions as to whether it is conceivable that the fraudsters had harvested Thompson’s PIN with undetectable malware of some kind without tricking him into giving it up.
However, head of cellphone banking and messaging at FNB Mobile and Connect, Dione Sankar told MyBroadband that the banking ombudsman had ruled in favour of FNB on Thompson’s case.
Thompson said that he reported his grievance with FNB to the banking ombudsman on 11 February 2014 but was never informed of the outcome.
The Ombudsman for Banking Services was asked about this, but did not respond by the time of publication.
Some money and number returned, and police investigation
Not everyone has denied liability for the fraudulent transactions conducted on Thompson’s accounts.
One of the channels the fraudsters used to buy airtime was Thompson’s Mr. Price Money account. Mr. Price Money offers its customers a way to buy airtime by dialling a particular USSD string (*130*410#) from their cellphones.
While FNB and Vodacom denied liability, Mr. Price Money sent Thompson a letter of apology and granted him a full refund of R3,508.35 for the fraudulent transactions made using their platform.
FNB offered Thompson a refund of R200 for the transactions conducted on his account after his cellphone banking profile was meant to be blocked. This was but a small fraction of the R2,150 that was still missing from Thompson’s accounts, so in what he described as a matter of principle he declined FNB’s refund and closed his accounts with the bank.
Vodacom, at least, has transferred Thompson’s number back to him.
Cell C said that if it had received a fraud complaint from Vodacom it could have immediately reversed the port and could have escalated the matter to the relevant authorities.
To date, Cell C has not received a fraud complaint, a spokesperson said.
Following up on this statement from Cell C, Vodacom was asked whether it has taken any steps to locate and prosecute the fraudster that performed the original swap on Thompson’s SIM.
“We will of course assist the law enforcement authorities with any investigation on the SIM swap aspect,” a Vodacom spokesperson told MyBroadband.
“It may have been a pure case of identity theft or it is possible that a member of staff was complicit, in which case we will prosecute to the full extent of the law,” they added.
Vodacom said that to avoid compromising any ongoing investigations it could not comment on any specifics.
More on online banking fraud and security in South Africa
SIM swap fraud – what is done to protect you
Online banking fraud – is your bank doing enough to protect you?
Why Absa, MTN clients were targeted in online banking fraud
Industry insider reveals truth about Internet banking, SIM swap fraud
How scammers hack your bank account