EOH shocked by its inclusion in Eskom statement

By Robert Laing for Business Day 

Technology group EOH issued a Sens announcement on Wednesday objecting to a statement that Eskom issued on Tuesday, which sent its shares crashing as much as 16% to an intra-day low of R26.35.

EOH was listed twice in 14 reportable irregularities flagged in Eskom’s interim results for the six months to end-September, a Sens statement the state-owned enterprise (SOE) issued showed.

The list included that there were allegations that Eskom’s former chief procurement officer, Jay Pillay, and other senior officials in procurement were involved in acts of misconduct involving EOH.

The second mention of EOH regarded the resignation of George Sebulela in October 2018.

“A member of the board and audit and risk committee, Sebulela did not declare a conflict of interest and did not recuse himself on deliberations involving the supplier (EOH),” Eskom’s statement said.

“EOH is currently engaged with the JSE and Eskom on Eskom’s Sens disclosure,” the technology group said in Wednesday’s statement. “The two allegations mentioned in the announcement are matters that have been fully investigated and the matters concluded last year. EOH was found not to be implicated in either allegation.”

Other suppliers mentioned in Eskom’s list of reportable irregularities which gained contracts without following correct procedures included Bizz Tracers, Huarong Asset Financing, Cliffe Dekker Hofmeyr, McKinsey and Trillian.

Former Absa and MTN executive Stephen van Coller recently issued a statement following his first 100 days as EOH’s CEO in which he said “specific legacy issues have affected the company’s value”.

Van Coller announced a new structure which, among other things, will improve the group’s accountability.

By Wendy Knowler for Times Live

Do courier company drivers have the necessary training and experience to verify proof of identity and address before handing over a credit card, complete with its PIN number?

If First National Bank (FNB) client Ivan Kistnasami’s experience is anything to go by, definitely not.

He recently discovered that a fraudster had applied for a Discovery card in his name, and had it delivered to an address in Howick, KwaZulu-Natal, in November.

“With his new credit card and pin – and a massive credit limit of R102,000 – the fraudster had access to my cheque and credit card accounts, and within two days he had transferred all funds that were available, up to my credit limits, creating debt to the tune of R157,000,” the Pietermaritzburg resident said.

When he approached TimesLIVE for help shortly before the festive season corporate shut-down, his credit profile was in tatters and FNB had failed to honour his monthly debit orders.

“I believe that FNB was negligent in that they have delivered this credit card with the pin through a courier driver who clearly had no experience in verifying the documentation,” Kistnasami said.

The proof of address, a Woolworths account, bears an address whose font doesn’t quite match that of the name, a clear sign of fraudulent tampering.

And the ID in Kistnasami’s name bore the photo of a black man, another obvious identity mismatch.

“FNB has my picture on their system, yet the courier driver accepted an ID document with a photo of someone very different.”

The courier company employee stamped the copy of the ID and the Woolworths account, and put his signature to the statement that he’d seen the originals and confirmed the copies to be true.

Kistnasami said when he approached FNB about the couriering of credit cards to its clients, “I was told that the bank does not allow clients to collect from the branch as they are trying to reduce the number of clients transacting at branches”.

In fact, since July 2018 FNB has not stopped its clients from collecting their cards at a bank branch, but has strongly discouraged it by charging them R200 if they choose to do so, while offering a free courier service.

“The reduction of card deliveries to branches is in accordance with the bank’s business and digital migration strategy, which continues to benefit customers from a convenience and cost-saving perspective,” the bank told TimesLIVE.

By December, thanks to the bank’s “convenient” delivery of Kistnasami’s card and PIN to the fraudster, he was deep in debt, his medical cover had been suspended due to non-payment, his insurance policy premiums had not been paid and his car insurance was a month in arrears.

TimesLIVE asked FNB whether fraudsters had abused the bank’s card courier policy to acquire credit cards in the name of other clients and whether it intended to implement new security measures to counter this form of fraud.

Does the bank feel it is appropriate for courier staff to have to determine whether an alleged card holder’s proof of identity and address is authentic?

Responding, FNB said very little, other than that Kistnasami was the victim of identity theft and had been refunded.

“Our investigation into the circumstances of the fraud is still pending and we will communicate with the customer until the matter has been amicably finalised.

“Due to the ongoing investigation, we cannot disclose any further information on the matter.”

Kistnasami told TimesLIVE that he has repeatedly been told by FNB that the investigation was still “ongoing”.

“Yes, I was reimbursed, but the accounts are on hold. When I try to settle or balance the accounts so that I can close them, the system says ‘on hold’.

“All I want is to put this nightmare behind me and move on with my life,” he said.

“I do not want the bank to come back to me a year or more later and say I owe them a large sum of money.”

Asked to comment, Discovery said that as Discovery Card was “still operating through a joint venture with FNB” it would leave FNB to comment on the matter.

When Discovery Bank launches later this year, the spokesman said, “it will have incredibly strong security controls”, which would be explained at the time.

FNB is the only bank which charges its clients a fee for wanting to collect their cards from a branch of the bank.

Its competitors do the reverse, charging clients a fee of between R150 and R175 to have their cards delivered to their chosen address by courier.

By Jack More for Mashable 

They wouldn’t have numbered it if it was the only one.

On 16 January, security researcher Troy Hunt uploaded a massive cache of leaked e-mails and passwords to his invaluable website have i been pwned.

The 87GB dataset, dubbed “Collection #1,” was admittedly years old, and had been passed around by hackers for some time now. Still, the sheer scale of it — containing over 772-million email addresses — turned heads. Hold onto your digital butts, because as Krebs on Security reports, you ain’t seen nothing yet.

According to Krebs, the Collection #1 data breach is, unsurprisingly, part of a much larger collection of stolen online credentials being sold online. And, taken as a whole, it dwarfs Collection #1’s size.

Just how big are we talking? According to the hacker allegedly selling access to the data who communicated with Krebs over Telegram, the entire data set of email addresses and passwords comes close to 1TB. Brian Krebs, the infosec journalist behind Krebs on Security, tweeted a screenshot purportedly depicting a page listing the data for sale.

In addition to the 87GB Collection #1, there’s a 526GB Collection #2, a 37GB Collection #3, a 178GB Collection #4, a 42GB Collection #5, and two other folders totaling an additional 126GB worth of credentials.

The seller told Krebs that, in total, they had close to 4TB of so-called password packages. Yeah, that’s a lot. According to the image above, the “Price for access lifetime” is only a cool $45 (R630).

So your email, along with one or more passwords to various throwaway online accounts you’ve used and discarded over the years, is likely being traded on the dark web. What does this mean for you?

Well, if you’re smart about your online security, probably not too much immediately. Assuming you use unique passwords for each account online — and you definitely should — any of your passwords contained in the dataset would only gain a hacker access to one specific online service. Like, say, your old Tumblr account. And, if you use two-factor authentication, you’re likely in the clear.

However, all this goes out the window if a hacker gets access to your main email account and can initiate password resets. And if the email account in question just so happens to share a password with your now-defunct Neopets account or whatever? You might legit be in trouble. Consider getting a password manager, and make sure your email has a unique password and 2FA.

And then go about your normal online business, comfortable in the knowledge that your personal data is being sold to hackers for the low, low price of $45 (R630).

To see whether your email address has been breached, visit have i been pwned.

By Angelique Arde for Business Live

Absa is tight-lipped about its meeting this week with the banking regulator about how the bank handles cyber risks.

Caroline da Silva, head of regulatory strategy at the Financial Sector Conduct Authority (FSCA), told Money that the regulator’s meeting with Absa was the first of a series it will have with all banks. This comes after a “market conduct risk” across the sector was flagged in a retail banking diagnostic, as well as reports from customers, including one from Johannesburg attorney Mark Heyink.

In June last year, Heyink made submissions to the FSCA detailing Absa clients’ allegations of unfair treatment by the bank in dealing with online banking frauds.

Though the meeting with Absa was general, Da Silva said the issues in Heyink’s submission were discussed, including the predominance of Absa clients in cases of online fraud dealt with by the attorney.

In his report to the FSCA, Heyink, acting for 29 Absa customers referred to him by a digital forensic expert and a computer scientist, claimed that the bank had “improperly” held clients liable for losses resulting from online banking fraud and called on the regulator to investigate Absa and the ombud for banking services.

But Da Silva told Money this week that the FSCA is in an “interim position”, without legislation in place yet to regulate the conduct of banks – the Conduct of Financial Institutions Bill was published in December for comment. “We don’t want to wait for that to take action on their conduct, so we’ve drafted a set of conduct standards which will be published for comment before the end of March and will hopefully be in force before the middle of the year.”

On the question of the conduct of the banking ombudsman, Da Silva said the Twin Peaks regulatory model envisages a stronger ombud system, with a chief ombud to look at the independence, governance and decisions made by both statutory and voluntary/industry ombuds.

In October last year, the South African Banking Risk Information Centre released statistics on digital banking crime for the first time, showing that the number of incidents of online fraud had increased by 64% between 2017 and August 2018.

The conduct Heyink reported to the FSCA relates to Absa holding clients responsible for losses when the bank had allegedly:

• No evidence of negligence on the part of its clients;

• Applied an incorrect interpretation of the law relating to the client’s assumption of risk;

• Failed to comply with applicable consumer protection legislation; and

• Failed in its duty of care to its customers.

Heyink and the digital experts quoted in the submission also question whether the security measures taken by Absa were appropriate.

Absa, which would not be drawn on the meeting with the FSCA, also declined to respond to these specific allegations.

Ulrich Janse van Rensburg, head of fraud strategy at retail and business banking at Absa, said internet fraud is of “huge concern” to Absa. “It has an adverse impact on the much-needed relationship of trust between Absa and its customers. For this reason, it is entirely in our interest to ensure not only that world-class security measures are in place, but that when fraud is committed, those responsible are apprehended and made to account. And expeditiously so.

“That’s why Absa takes every possible precaution to safeguard our customers’ money and co-operates closely with the SAPS and industry fraud-prevention bodies such as Sabric [South African Banking Risk Information Centre].

“However, we are unfortunately constrained in instances where the customer would have caused vulnerability by divulging their confidential banking details to third parties, very often without intending to do so. Regrettably, this weakness impacts the entire industry, not only Absa.

“Although Absa is ordinarily not liable for the frauds perpetrated on its customers by third parties in the strict legal sense, it recognises that these crimes have a significant personal impact on the victim and for this reason will come to their financial assistance,” Van Rensburg said.

Almost half of Heyink’s 29 clients accepted settlement offers from Absa covering 50% of their losses. The settlement offers, which were valid for seven days only, were confidential, ex gratia and in full and final settlement of claims against the bank.

In his submission to the FSCA, Heyink said that in consultation with clients who accepted such settlements, in every instance the client said they had accepted the settlement under duress. One client said: “We felt we had a gun to our head.”

Clients who did not accept settlements said they also felt Absa was trying to force them to accept the offer.

Absa said that it does not put pressure on clients and a week is reasonable time for a client to decide whether to accept a settlement. But Heyink said that the circumstances under which the offers were made by Absa placed clients in an unfair bargaining position.

By Shanice Naidoo for IOL

A Bloubergstrand man had his Absa business account swindled out of R3.1 million while he was in Miami for two months.
Feruccio Ferucci left Cape Town in October without suspecting that his banking information had been stolen.

Around the end of October, his Vodacom SIM card stopped working, as did his internet banking. Growing suspicious, he contacted his daughter in Cape Town to find out from Vodacom what had happened. They informed her that a SIM swap had been done.

“I did not authorise the SIM swap. My phone stopped working for about three weeks and then started working again.

“I haven’t heard anything from Vodacom telling me what happened because my phone just started working again three weeks later,” said Ferucci.

When he returned on December 2, he was shocked to find out from his staff about transactions at his business in Paarl which neither they nor he had approved. These fraudulent transactions, totalling R3.1m, had gone off the business account during two of the weeks in which his phone had not been working.

“These transactions were around R300 000 each and there were about ten transactions. I then contacted my attorney and he referred me to another attorney who specialises in this type of crime. I then wrote a protest letter to Absa threatening to close my account with them and my money was refunded around December 23,” said Ferucci.

On speaking to the new attorney, he was told that this was often done to people who are overseas because perpetrators assume one would not check their phone regularly.

“The attorney told me that 90% of the cases he deals with involved people who went overseas. There is no doubt in my mind that what happened to me was promoted by employees of both Vodacom and Absa.

“They probably didn’t steal the money but they probably sell the information,” said Ferucci.

Both Absa and Vodacom have said they are investigating the matter.

Chad Thomas, a director at IRS Forensic Investigations, which investigates financial, organised and cyber crimes, said SIM swaps are a major issue, with some victims reporting that they have become victims of crime while their phones have been off while they have been travelling long distances.

However, the breach of personal data, including credit card numbers, is not confined to individual hacks via trojans or malware but is also the result of highly sophisticated cyber attacks on data stored by corporates.

“People need to take cognisance of the fact that a sufficiently determined and capable hacker can take over someone’s online footprint if the correct measures are not taken to protect their information. However, it is not just the individual that needs to take precautions, but also corporates that are storing clients’ information and have a responsibility to safeguard that information,” said Thomas.

How the ANC broke Eskom

Source: MyBroadband

Eskom was once so successful that it was supplying more than half the electricity in Africa.

However, years of corruption, incompetence and political meddling has brought Eskom to its knees, and it is now begging for bailouts to stay afloat.

The company’s growing debt burden, which already exceeds R400-billion and can grow to R600-billion in the next three years, means it is technically bankrupt.

So bad is the situation that former Finance Minister Nhlanhla Nene said Eskom is the single biggest risk to South Africa’s economy.

The image below provides an overview of how Eskom changed over the last 10 years:

Image credit: MyBroadband

Source: IT News Africa

As South Africa’s business sector continues to expand across a myriad of digital platforms, cybercrime continues to threaten this burgeoning digital sphere. “There are many victims of cybercrime, with limited recourse available in terms of current South African law. The need for tighter and more effective legislation is pressing,” says Grant Christianson, e4’s Group Legal Advisor.

The end of October 2018 hopefully saw the legislative cycle for the Cybercrimes Bill nearing completion, as the Department of Justice and Constitutional Development tabled an updated version. Christianson says that the existing laws have become problematic in adequately combatting cybercrime and the new Bill is needed to effectively “fill-the-gaps” that exist in current legislation and the common law.

“According to the South African Banking Risk Information Centre (SABRIC), South Africa’s annual loss is estimated at R2,2 billion, making it a significant threat to an already volatile economy.”

While the Bill no longer addresses cybersecurity, he says that it will provide a framework for combatting cybercrime. Initially drafted in 2015, it addresses criminal activity that is computer-based and is related to unlawful access to, interference with or distribution of data, electronic communications, information systems and networks. He says the Bill also creates new offences for hacking, phishing, cyber bullying, unlawful interception and distribution of data, ransomware, cyber forgery and extortion, as well as acts involving malware and identity theft. Anyone convicted is likely to be fined and/or imprisoned for up to 15 years.

The Bill is also expected to align with international best practice: “There will be a requirement to co-operate with other countries to effectively deal with multi-jurisdictional cybercrime activity, as often the cyber offence is created in one jurisdiction and felt in another,” says Christianson.

As the country with the third-highest number of cybercrime victims worldwide, South Africa is a target. Christianson says that mobile technology will further impact users as the country’s growing reliance on the app economy and other mobile trends will drive cyber criminals to penetrate mobile networks: “As devices become more connected and smarter, users are more exposed and so the threat grows. Digitisation is a trend that has no end in sight and while it brings with it innovation and exciting changes, cybercrime continues to grow in parallel.”

While the timeframe for the Bill’s signature is uncertain, Christianson says that it is at least in its final stages and once signed into law, the law-enforcement industry can become more proactive in its pursuit of cybercriminals.

South Africa adopts Cybercrime Bill

Source: South Coast Sun

Parliament’s Justice Committee officially adopted the Cybercrimes and Cybersecurity Bill last week. The Bill is aimed at bringing South Africa in line with other countries’ cyber laws and the threat of cybercrime, and it has introduced new laws regarding ‘malicious’ electronic communication.

BusinessTech outlined these proposed new crimes below:

* Any person who contravenes one of the following provisions is liable on conviction to a fine or to imprisonment for a period not exceeding three years, or to both a fine and imprisonment.

* A message which incites damage to property or violence.

* Any person who unlawfully makes available, broadcasts or distributes by means of a computer system, a data message to a person, group of persons or the general public with the intention to incite:
(a) the causing of any damage to property belonging to; or
(b) violence against, a person or a group of persons.

* A message which threatens persons with damage to property or violence. As an extension of the above, the Bill also makes it an offence to distribute messages which threaten a group of people with violence, or with damage to their property.

The Bill clarifies that ‘group of persons’ means characteristics that identify an individual as a member of a group. These characteristics include without limitation: Race; gender; sex; pregnancy; marital status; ethnic or social origin; colour; sexual orientation; age; disability; religion; conscience; belief; culture; language; birth and nationality.

* A message which unlawfully contains an intimate image.

By Lily Hay Newman for Wired 

For two hours on Monday, internet traffic that was supposed to route through Google’s Cloud Platform instead found itself in quite unexpected places, including Russia and China. But while the haphazard routing invoked claims of traffic hijacking—a real threat, given that nation states could use the technique to spy on web users or censor services—the incident turned out to be a simple mistake with outsized impacts.

Google noted that almost all traffic to its services is encrypted, and wasn’t exposed during the incident no matter what. As traffic pinballed across ISPs, though, some observers, including the monitoring firm ThousandEyes, saw signs of malicious BGP hijacking—a technique that manipulates the web’s Border Gateway Protocol, which helps ISPs automatically collaborate to route traffic seamlessly across the web.

ThousandEyes saw Google traffic rerouting over the Russian ISP TransTelecom, to China Telecom, toward the Nigerian ISP Main One. “Russia, China, and Nigeria ISPs and 150-plus [IP address] prefixes—this is obviously very suspicious,” says Alex Henthorne-Iwane, vice-president of product marketing at ThousandEyes. “It doesn’t look like a mistake.”

Malicious BGP hijacking is a serious concern, and can be exploited by criminals or nation state actors to intercept traffic or disrupt a target service—like Google. But the technique also has a dopey, well-intentioned cousin known as a prefix leak, or sometimes “accidental BGP hijacking.”

In both cases, rerouting occurs when an ISP declares that it owns blocks of IP addresses that it doesn’t actually control. This can be an intentional deception, but can also simply come down to a configuration error that, while disruptive, is not intentional. On Monday, a Google spokesperson said that the company didn’t see signs of malicious hijacking, and instead suspected that the Nigerian ISP Main One had accidentally caused the problem.

There are minimum best practices that ISPs should implement to keep BGP routes on the up and up. These are important, because they apply filters that catch errors in the event of a route leak and block problematic routes. Not all ISPs implement these protections, though, and in a prefix leak like the one that affected Google, traffic will flow chaotically across networks, not based on efficiency or established paths, but based on which networks haven’t put the BGP safeguards in place and will therefore accept the rogue routing.

Indeed, on Tuesday morning Main One said in a statement that, “This was an error during a planned network upgrade due to a misconfiguration on our BGP filters. The error was corrected within 74mins.”

In this case, it appears that the Russian and Chinese ISPs, and perhaps others as well, offered a path to the Google traffic because they hadn’t implemented protective configurations.

The protocols underlying the internet were written decades ago, in a different era of computing, and many have needed major security overhauls and additions to improve trust and reliability around the web. There was the effort to encrypt web traffic with HTTPS, and the growing movement to secure the internet’s Domain Name System address lookup process so it can’t be used to spy on users, or for malicious rerouting.

Similarly, ISPs and internet infrastructure providers are starting to implement a protection called Resource Public Key Infrastructure that can virtually eliminate BGP hijacking, by creating a mechanism to cryptographically confirm the validity of BGP routes. Like HTTPS and DNSSEC, RPKI will only start to provide true customer protection when a critical mass of internet infrastructure providers implement it.
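Route origin validation, the check that RPKI makes possible, as an added example (not code from Google, Main One, ThousandEyes, Netscout or any real RPKI implementation): given a constructed set of ROAs and a constructed routing table that models a prefix leak, it classifies each announcement and shows what a router that filters on RPKI installs versus one that has not put the safeguard in place. All ASNs and prefixes below are constructed from the private-ASN and documentation ranges.

```python
"""RPKI route origin validation (ROV) applied to a constructed prefix leak.

Added example for this page, not code from Google, Main One, ThousandEyes,
Netscout or any RPKI implementation. ASNs (private range 64496-64511) and
prefixes (RFC 5737 documentation blocks) are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: which AS may originate which block."""
    prefix: str        # covered address block
    max_length: int    # most-specific prefix the origin may announce
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE reduced to the two fields ROV looks at."""
    prefix: str
    origin_asn: int


def validate(ann: Announcement, roas: Iterable[ROA]) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"      # no ROA speaks for this block at all
    for roa in covering:
        if roa.origin_asn == ann.origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"            # covered, but wrong origin or too specific


def accept_routes(table: Iterable[Announcement], roas: Iterable[ROA],
                  drop_invalid: bool = True) -> List[Announcement]:
    """Return the announcements a router would install.

    drop_invalid=False models a network that has not deployed ROV and
    therefore accepts the leaked route along with everything else.
    """
    accepted = []
    for ann in table:
        if drop_invalid and validate(ann, roas) == "invalid":
            continue
        accepted.append(ann)
    return accepted


# Constructed ROA: AS64500 (the "cloud provider") may announce
# 198.51.100.0/24 and nothing more specific than a /24.
ROAS = [ROA("198.51.100.0/24", 24, 64500)]

# Constructed leak: the legitimate route, the same prefix re-originated by a
# misconfigured transit (AS64511), a more-specific from the right AS (also
# rejected, since it exceeds max_length), and a block with no ROA at all.
LEAK_TABLE = [
    Announcement("198.51.100.0/24", 64500),
    Announcement("198.51.100.0/24", 64511),
    Announcement("198.51.100.0/25", 64500),
    Announcement("203.0.113.0/24", 64496),
]

if __name__ == "__main__":
    for ann in LEAK_TABLE:
        print(f"{ann.prefix:18} AS{ann.origin_asn}: {validate(ann, ROAS)}")
    print("installed without ROV:", len(accept_routes(LEAK_TABLE, ROAS, False)))
    print("installed with ROV:   ", len(accept_routes(LEAK_TABLE, ROAS)))
```

The "not-found" state is kept deliberately: until a critical mass of operators publish ROAs, most of the routing table is unsigned, so a filter can only drop what a ROA actively contradicts.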

“This incident had a non-trivial impact because Google and some other prominent network routes were accidentally leaked,” says Roland Dobbins, a principal engineer at the network analysis firm Netscout. “But the problem here, as it is in most of these cases, is a failure to apply basic best current practices to these routing sessions. The key is for network operators to participate in the global operational community, get these kinds of filters put in place, and move to implement RPKI.”

While Google’s incident wasn’t a hack and instead gets into obscure internet protocol drama, the impact for users on Monday was apparent—and shows the pressing need to resolve issues with BGP trust. The flaw has been maliciously hijacked before, and could be again.

My Office News Ⓒ 2017 - Designed by A Collective