Internet users are contributing to banking and financial fraud by falling victims to cyber-scams designed to steal cash, says a cyber security expert.
While credit card fraud has declined in SA by 28,6%, according to the South African Banking Risk Information Centre (Sabric), debit card fraud increased by 8,3% in the year ended 2015.
The organisation also reported that Card Not Present (CNP) fraud increased by 12,6% to account for 75% of losses relating to South African issued credit cards.
“The problem is not that the cyber-criminals are stealing our information, but rather that we are giving it to them,” says Tjaart van der Walt, chief executive of Truteq Group.
“We click on the links in the phishing emails and we install the ‘free’ apps on our mobile phones. This mechanism to get your banking information is more about social engineering than hacking in the old sense,” he adds.
Security firm Kaspersky Lab recently reported that cyber-criminals have turned to Trojans designed to steal financial information and install malicious software on both PCs and smartphones.
“Almost every detected threat in South Africa is an advertising Trojan that can use root rights on the phone,” Roman Unuchek, senior malware analyst at Kaspersky Lab USA, recently told Fin24.
Van der Walt says the divergent interests of mobile phone operators (communication) and banks (financial security) have left a security gap.
“Using mobile technology to secure financial transactions was not part of the specifications or the intended purpose. Three decades later, mobile telephony has turned out to be indispensable to our way of life and there is now a mobile phone in almost every pocket,” he says.
Banks typically use a one-time PIN (OTP) sent to a customer’s cell phone to secure online transactions. However, mobile operators do not want to expose themselves to additional risk.
“In the delivery of a one-time pin, a mobile network operator has very little (in all likelihood no) legal or financial risk. The terms and conditions of use limit their liability and case law exists to reinforce this position. In fact, a mobile network operator will not want to be associated with the authentication of financial transactions at all,” Van der Walt says.
The fact that many banks send the verification to the same mobile number to conduct the transaction may leave customers vulnerable if a cybercriminal has compromised the device.
“Using the same mobile phone to make a transaction and to verify it [financial transactions] wipes out the benefit of the two-factor authentication. Fraudsters only have to compromise you once in order to break into your bank account and clean it out,” says Van der Walt.
The problem is magnified when customers perform a SIM swap – or when criminals carry out a fraudulent one.
“The identification process followed by a mobile network operator’s call centre agent to verify your identity for the purposes of a SIM swap or network port is as simple as possible. Their interest is to keep us talking and if we cannot make a call, then we cannot talk and consume credit,” says Van der Walt.
“The banks, on the other hand, need the verification process to be as rigorous as possible in order to comply with anti-money laundering and counter-terrorism laws,” he adds.
Van der Walt argued that about 1% of mobile subscribers conduct a SIM swap per month, implying a change in about 870 000 numbers in SA.
While not all mobile subscribers are banking customers, Van der Walt says number porting could place a strain on banks’ ability to keep track of customers.
“Even if a bank had the access to see if a user has ported or not, blocking a transaction purely on the basis of the user changing networks will drive hundreds of thousands of irate customers to their call centres,” he says.
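The two points made above – that an OTP delivered to the same phone that initiates the payment is no longer an independent second factor, and that a bank cannot simply block every customer who has swapped a SIM or ported a number, because at roughly 1% of subscribers a month that is a call-centre flood – can be combined into a risk-based policy rather than a hard block. The following is an added illustration and not code from Fin24, Truteq or any bank; it assumes a hypothetical SIM-change feed from the operator, hypothetical device telemetry that tells the bank which device the OTP lands on, and made-up thresholds and sample transactions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Figures taken from the article: about 1% of subscribers swap a SIM each
# month, which it says means roughly 870 000 numbers in South Africa.
SIM_SWAP_RATE_PER_MONTH = 0.01
SUBSCRIBERS_ZA = 87_000_000  # constructed back-calculation from 1% ~= 870 000


def expected_sim_swaps_per_month(subscribers: int = SUBSCRIBERS_ZA,
                                 rate: float = SIM_SWAP_RATE_PER_MONTH) -> int:
    """Customers a bank would challenge every month if it reacted to every
    SIM swap or port: the volume the article says would flood call centres."""
    return round(subscribers * rate)


@dataclass
class Transaction:
    customer_id: str
    amount_zar: float
    new_beneficiary: bool
    initiating_device: str               # device the payment is made from
    otp_device: str                      # device the SMS OTP is delivered to (hypothetical telemetry)
    last_sim_change: Optional[datetime]  # hypothetical SIM-swap/port feed; None = none on record
    submitted_at: datetime


def assess(tx: Transaction, recent_days: int = 7,
           high_value_zar: float = 5000.0) -> Dict[str, object]:
    """Decide whether an SMS OTP is good enough for this payment or whether an
    out-of-band step-up (another registered device, branch, call-back) is needed."""
    reasons: List[str] = []

    # Signal 1 (article: same phone to transact and to verify wipes out 2FA):
    # an OTP delivered to the initiating device is not an independent factor.
    if tx.otp_device == tx.initiating_device:
        reasons.append("otp_same_device")

    # Signal 2: a recent SIM swap or port on the number that receives the OTP.
    recent_swap = (tx.last_sim_change is not None and
                   tx.submitted_at - tx.last_sim_change <= timedelta(days=recent_days))
    if recent_swap:
        reasons.append("recent_sim_change")

    # Signal 3: is the payment itself one a fraudster would make?
    risky_payment = tx.new_beneficiary or tx.amount_zar >= high_value_zar
    if risky_payment:
        reasons.append("risky_payment")

    # Policy: never hard-block on a SIM change alone (too many legitimate swaps).
    # Step up only when a weak OTP channel coincides with a risky payment;
    # otherwise allow with SMS OTP and keep the signals in the audit log.
    weak_channel = ("otp_same_device" in reasons) or recent_swap
    decision = "step_up_out_of_band" if (weak_channel and risky_payment) else "allow_with_sms_otp"
    return {"decision": decision, "reasons": reasons}


def triage(txs: List[Transaction]) -> Dict[str, int]:
    """Count outcomes over a batch, e.g. to size the step-up queue."""
    counts = {"allow_with_sms_otp": 0, "step_up_out_of_band": 0}
    for tx in txs:
        counts[str(assess(tx)["decision"])] += 1
    return counts


# Constructed sample transactions (not real data).
NOW = datetime(2016, 3, 1, 9, 0)
SAMPLE = [
    Transaction("c1", 250.0, False, "phone-A", "phone-A", None, NOW),                        # routine, same device
    Transaction("c2", 12000.0, True, "laptop-B", "phone-B", NOW - timedelta(days=2), NOW),   # fresh swap + risky
    Transaction("c3", 12000.0, True, "laptop-C", "phone-C", NOW - timedelta(days=60), NOW),  # old swap, separate device
    Transaction("c4", 8000.0, False, "phone-D", "phone-D", None, NOW),                       # same device + high value
]

if __name__ == "__main__":
    print("expected SIM swaps per month:", expected_sim_swaps_per_month())
    for tx in SAMPLE:
        print(tx.customer_id, assess(tx))
    print(triage(SAMPLE))
```

The point of the policy is that a SIM change on its own only raises the bar for payments that already look unusual (new beneficiary, high value); a routine low-value payment after a legitimate swap still goes through on SMS OTP, so the 870 000 monthly swaps do not all become calls.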
By Duncan Alfreds for Fin24