SIM swap fraud up 900% in a year

If it's up by 900% in one year, the process needs to be changed and made much more difficult to circumvent.

But it would be really difficult if you have fraudsters working at the major commercial banks & cellphone companies, unless you require employees working with sensitive customer data to do polygraph testing on a regular basis.

I know there are people who can even fool the lie detector test, but for the majority it will work.
 
It will take many silver bullets to minimize future incidents, but the bigger problem is that ABSA still refuses to investigate the most plausible explanation, which is that ABSA's own employees are working with one or more syndicates and are helping to target ABSA customers with large amounts of disposable cash, long before any illegal SIM swap takes place.

If I were in charge at ABSA, the first thing I would do is lock down the ability (specifically of branch employees) to print out the result of a PORT ENQ, keep it on screen and require a supervisor override in cases where it really needs to be printed out, then review the other types of transactions that should probably also have the same printout lock-down applied. That will immediately make it more difficult for the syndicate(s) to target new ABSA victims, although it will result in the victims that the syndicate has already identified being bombarded with phishing emails until they cave in.
 
I've set my OTP to my email instead. Mostly if I travel but at least I won't be a victim of this.
 
If they investigate and find syndicate activity they would be liable then, isn't it? Baastids. Lots of money to be repaid.
 
I'm also with FNB. I changed my OTP to email a while back and haven't had any problems. I don't get any SMSes from them. All notifications are via email.
 
If they investigate and find syndicate activity they would be liable then, isn't it? Baastids. Lots of money to be repaid.

From our (consumer) point of view, ABSA would be liable, but just look at how the cellular operators have managed to avoid being held accountable by the legal system for fraudulent SIM swaps, then look at ABSA and you will realise that ABSA has been doing exactly the same thing by blaming ABSA customers for falling for phishing attacks whilst keeping quiet about how very specific ABSA customers were targeted by the syndicate(s) to start with.

ABSA will not admit that ABSA employees might have been involved with a syndicate because it might open a door in the future for a court to rule that ABSA is partially to blame and should partially compensate ABSA customers that were targeted with the help of ABSA employees.

If ABSA does fire ABSA employees for working with a syndicate, it is highly unlikely that ABSA could keep that information a secret to prevent that possible future liability door from being opened; ABSA would probably try to spin such firing of employees as "fraudulent activity not related to Internet Banking".

At the very least, ABSA needs to make it much more difficult for syndicates to target new ABSA victims (prevent the relevant data from being printed out and monitor transactions performed on back office terminals where it would be easier to snap a photo with a cellphone camera without raising eyebrows from ABSA customers on the other side of the counter).
 
I've set my OTP to my email instead. Mostly if I travel but at least I won't be a victim of this.

It doesn't matter, as you don't seem like the type of person that would fall for a phishing attack.
 
It will take many silver bullets to minimize future incidents, but the bigger problem is that ABSA still refuses to investigate the most plausible explanation, which is that ABSA's own employees are working with one or more syndicates and are helping to target ABSA customers with large amounts of disposable cash, long before any illegal SIM swap takes place.

If I were in charge at ABSA, the first thing I would do is lock down the ability (specifically of branch employees) to print out the result of a PORT ENQ, keep it on screen and require a supervisor override in cases where it really needs to be printed out, then review the other types of transactions that should probably also have the same printout lock-down applied. That will immediately make it more difficult for the syndicate(s) to target new ABSA victims, although it will result in the victims that the syndicate has already identified being bombarded with phishing emails until they cave in.

I really doubt that they're not investigating whether it's an inside job. They may not tell anyone, but believe me, with the amount of regulations that apply to banks, they are definitely investigating.
 
but the bigger problem is that ABSA still refuses to investigate the most plausible explanation, which is that ABSA's own employees are working with one or more syndicates

I really doubt that they're not investigating whether it's an inside job. They may not tell anyone, but believe me, with the amount of regulations that apply to banks, they are definitely investigating.

That earlier post of mine did not accurately reflect what I really believe is going on behind the scenes within ABSA; I would also be very surprised if ABSA has not been investigating all along (with very little success).

I feel obligated as an ex-ABSA customer to jab ABSA where it hurts (even if ABSA never reads this), since ABSA has a vested interest in not telling the whole truth about ABSA employees being involved with syndicates.

In the end, the solution to phishing is educating the older generation, and the banks are not going to start putting their customers through training sessions before giving out access to Internet Banking. IMHO everyone should be discussing phishing with family and friends, now more than ever (even if you have previously explained phishing, do it again, and not just with ABSA customers).
 
The reason ABSA is being targeted is because of the instant transfer option when you do EFTs. You can transfer to another bank, pay extra for instant transfer, and the money is immediately available for withdrawal on the other side. This gives the criminally inclined more chance to get away with your money before you notice. The solution to this is quite simple: mandatory waits on transfers based on which channel the transaction was performed on, and the proper implementation of multi-factor authentication that does not rely solely on cellphones. For example: if you transfer via online channels, the mandatory wait is 48 hours for amounts under R1000 and 72 hours for amounts over R1000, with two-factor authentication for amounts under R1000 and three-factor for amounts over R1000. You could also scale the amounts by how trusted the beneficiary is. If it has just been added via the online channel, the mandatory wait should be 72 hours.

So let's look at the reason the banks DON'T do this. They DON'T want you using retail channels (visiting a branch) because it costs them more money. They would rather you use the online channel because it's much cheaper for them, even though they essentially charge you the same amount. From a systems perspective, 3 of the 4 big banks can already implement these controls now if they wanted to; 1 of the 4 already has implemented these sorts of controls, but you have to (a) know about it, and (b) opt in.

In my view, this whole problem sits squarely with the banks. Trust and verify: it's the maxim they operate by internally, until it comes to spending money on retail banking. We, as customers, need to start holding them to a higher standard.

*DISCLAIMER* I work for one of the big four banks...
 
I have to use instant EFT all the time, at least 5 times a week. Instant EFT is not unique to ABSA.

Maybe adding a second cellphone number for verification, with a unique PIN sent to both. Most business people have 2 or 3 phones these days.
 
I have to use instant EFT all the time, at least 5 times a week. Instant EFT is not unique to ABSA.

Maybe adding a second cellphone number for verification, with a unique PIN sent to both. Most business people have 2 or 3 phones these days.

Yeah, doesn't FNB also have the instant transfer option?
 
The reason ABSA is being targeted is because of the instant transfer option when you do EFTs.

You might be partially correct on that point; so far a lot, if not all, of the money transferred by the fraudsters has gone out of ABSA accounts and into Capitec accounts.

I don't know the details of the relationship between ABSA and Capitec. I do know that Capitec used to rely on ABSA for ATM transactions, and I speculate that that relationship probably extends to other things, like being able to transfer money immediately from ABSA accounts to Capitec accounts (probably without any additional service fees being applied at the ABSA leg of the transaction).

As Zenbaas pointed out, FNB does in fact have instant transfer functionality via Internet Banking for an additional fee.
 
Most business people have 2 or 3 phones these days.

Uhm, yeah, sure. Some stats to back that up?

The problem with all of these solutions is more difficulty for the legitimate customers in the end.

ScrnScrm said:
The solution to this is quite simple: mandatory waits on transfers based on which channel the transaction was performed on,

So you want to take away functionality that we've had to make things more secure? I don't know, I don't like it. I actually also prefer doing my business online than in a bank (that way I don't have to take time off to go and stand in a queue next to some smelly dude).

What about mandatory transfers on NEW channels? I.e. if it is the first time I'm using a device/PC that hasn't been registered before yet, THEN force a wait.

Google does this quite well with their two-step verification: if it is a new browser, then I have to enter a pin, if it is my existing browser that I've always used, then I may choose to "remember the device". It's also simple enough for people to understand.
 
After installing the FNB app on a cellphone or tablet, the device itself has to be authorised by the user in Internet Banking before the app can be used by that user on that device; unfortunately FNB requires that the credentials used have to be those of the primary Internet Banking user (as opposed to secondary usernames created with limited permissions by the primary user).

Similarly, a browser should be authorised for use with the specific user's credentials which could be achieved using encrypted cookies and the following procedure for new browsers/devices:

Authorising the use of a browser or other device (that has a bank's app installed), for use with a specific user's credentials, shall require that the user enters two different One Time PINs that are sent to both the user's cellphone and email address.

The banks could also require that Geolocation/GPS be enabled when authorising a new browser/device, and then include the location information in the OTP SMS and email, which might set off enough alarm bells if you receive an email/SMS saying that someone is using your Internet Banking credentials and is attempting to use a browser/device in Hillbrow (Little Nigeria) or any place where you are not (start looking over your shoulder if you receive such an alert and the location matches your location).

My next job should be at FNB.
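The new-browser authorisation flow described in the post above, written up as an added example (not code from the thread or from any bank): both OTPs, sent over independent channels, must be presented before the server mints an HMAC-bound device token, and the alert text carries the requesting location. The key, OTP lifetime, usernames and location strings are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment keeps this in an HSM or KMS, never in source.
SERVER_KEY = b"constructed-demo-server-key"
OTP_TTL_SECONDS = 300  # assumed lifetime of a pending authorisation


def issue_device_token(username: str, device_id: str) -> str:
    """Bind a device to a user: an HMAC over (user, device) only the bank can mint.
    Stored client-side as the 'encrypted cookie'; a copied or edited value fails."""
    mac = hmac.new(SERVER_KEY, f"{username}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{device_id}|{mac}"


def device_is_authorised(username: str, device_id: str, token: str) -> bool:
    """Constant-time check of a presented token against the freshly recomputed one."""
    return hmac.compare_digest(issue_device_token(username, device_id), token or "")


class NewDeviceAuthorisation:
    """Pending authorisation for a browser/device the user has not used before.
    Two independent OTPs are required: a SIM swap alone yields only the SMS leg."""

    def __init__(self, username: str, device_id: str, location: str):
        self.username, self.device_id, self.location = username, device_id, location
        self.sms_otp = f"{secrets.randbelow(10**6):06d}"
        self.email_otp = f"{secrets.randbelow(10**6):06d}"
        self.expires_at = time.time() + OTP_TTL_SECONDS

    def messages(self) -> dict:
        """Text the bank sends on each channel; the location is the customer's alarm bell."""
        alert = f"New device authorisation for {self.username} requested from {self.location}."
        return {"sms": f"{alert} SMS OTP: {self.sms_otp}",
                "email": f"{alert} Email OTP: {self.email_otp}"}

    def complete(self, sms_otp: str, email_otp: str):
        """Return a device token only if both OTPs match and the request is still live."""
        if time.time() > self.expires_at:
            return None
        sms_ok = hmac.compare_digest(self.sms_otp, sms_otp)
        email_ok = hmac.compare_digest(self.email_otp, email_otp)
        if not (sms_ok and email_ok):
            return None  # one channel is never enough
        return issue_device_token(self.username, self.device_id)
```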
 
So you want to take away functionality that we've had to make things more secure? I don't know, I don't like it. I actually also prefer doing my business online than in a bank (that way I don't have to take time off to go and stand in a queue next to some smelly dude).

What about mandatory transfers on NEW channels? I.e. if it is the first time I'm using a device/PC that hasn't been registered before yet, THEN force a wait.

No, I am not saying that. I am saying that security should be commensurate with the situation, and not blanket. When you have static rules that never change, criminals learn them and use them against you. Obviously, if you have a beneficiary that you pay every month, you should be able to do so from any channel with less security than a newly added bank account. If it's a new beneficiary, a simple telephonic (security) check of the add could lift the restrictions. If you are savvy and understand hacking methods, then you choose to have minimal intervention with instant transfers. My point is, keep it horses for courses.

Your idea of registering the PC à la Google or Facebook is already in extensive beta testing.
 
Your idea of registering the PC à la Google or Facebook is already in extensive beta testing.

The banks could also require that Geolocation/GPS be enabled when authorising a new browser/device, and then include the location information in the OTP SMS and email, which might set off enough alarm bells if you receive an email/SMS saying that someone is using your Internet Banking credentials and is attempting to use a browser/device in Hillbrow (Little Nigeria) or any place where you are not (start looking over your shoulder if you receive such an alert and the location matches your location).

This sounds like a cool idea. Obviously not all phones are GPS enabled, and thieves can still access your details via a PC (but yes, you could do an IP-based geo-lookup), but a cool idea nonetheless.
 