Whatsapp Stokvels are back

By Bombi Mavundza for Business Insider SA

Despite the name change, the ‘stokvel’ still has the same modus operandi. Members deposit R200 – and hope to make huge profits.

The National Stokvel Association of SA (Nasasa) has previously warned South Africans that WhatsApp stokvels are most likely to be pyramid schemes rather than genuine savings vehicles – and those who have joined them have probably been scammed.

Like most pyramid schemes, the first few to join received a pay-out, but those who followed often lost all their money.

Many victims who have joined such stokvels in the past have seen group administrators disappear after making payments into the stokvels.

According to Nasasa founder and chairperson Andrew Lukhele, scammers were using the popularity of stokvels to create pyramid schemes and take advantage of people.

Traditional stokvels are based on trust where everyone in the stokvel knows each other, and the terms of payout have already been set.

The WhatsApp scams often involve anonymous people, so it is impossible to track or trace the money when it disappears.

A stokvel, derived from “stock fair”, is a savings scheme where a group of people come together to save or invest together.

Keep your money safe with these tips

Be your money’s best protection by following these SABRIC tips:

Tips to prevent card not present (CNP) fraud

  • Personal information includes identity documents, driver’s licenses, passports, addresses and contact details amongst others. Always protect your personal information by sharing it very selectively and on a need to know basis only
  • Never share your confidential information which includes usernames, passwords and PIN numbers with anyone
  • Review your account statements on a timely basis; query disputed transactions with your bank immediately
  • When shopping online, only place orders with your card on a secure website
  • Register for 3D Secure
  • Implement dual authentication for all accounts and products, especially for financial services products
  • Do not send e-mails that quote your card number and expiry date
  • Do not use your information if you suspect it may have been compromised. Rather use other personal information that you have not used previously in order to confirm your identity in future
  • Register for SMS notifications to alert you when products and accounts are accessed
  • Conduct regular credit checks to verify whether someone has applied for credit using your personal information and if so, advise the credit grantor immediately
  • Investigate and register for credit related alerts offered by credit bureaus

Tips to prevent phishing and vishing

Phishing:

  • Do not click on links or icons in unsolicited e-mails
  • Do not reply to these e-mails. Delete them immediately
  • Do not believe the content of unsolicited e-mails blindly. If you are worried about what is alleged, use your own contact details to contact the sender to confirm
  • Type in the URL (uniform resource locator or domain names) for your bank in the internet browser if you need to access your bank’s webpage
  • Check that you are on the real site before using any personal information
  • If you think that you might have been compromised, contact your bank immediately
  • Create complicated passwords that are not easy to decipher and change them often

Vishing:

  • Banks will never ask you to confirm your confidential information over the phone
  • If you receive a phone call requesting confidential or personal information, do not respond and end the call
  • If you receive an OTP on your phone without having transacted yourself, it was likely prompted by a fraudster using your personal information. Do not provide the OTP telephonically to anybody. Contact your bank immediately to alert them to the possibility that your information may have been compromised
  • If you lose mobile connectivity under circumstances where you are usually connected, check whether you may have been the victim of a SIM swop

Tips for protecting your personal information

  • Don’t use the same username and password for access to banking and social media platforms
  • Avoid sharing or having joint social media accounts
  • Be cautious about what you share on social media
  • Activate your security settings which restrict access to your personal information
  • Don’t carry unnecessary personal information in your wallet or purse
  • Don’t disclose personal information such as passwords and PINs when asked to do so by anyone via telephone, fax or even email
  • Don’t write down PINs and passwords and avoid obvious choices like birth dates and first names
  • Don’t use any Personal Identifiable Information (PII) as a password, user ID or personal identification number (PIN)
  • Don’t use Internet Cafes or unsecure terminals (hotels, conference centres etc.) to do your banking
  • Use strong passwords for all your accounts
  • Change your password regularly and never share them with anyone else
  • Store personal and financial documentation safely. Always lock it away
  • Keep PIN numbers and passwords confidential
  • Verify all requests for personal information and only provide it when there is a legitimate reason to do so
  • To prevent your ID being used to commit fraud if it is ever lost or stolen, alert the SA Fraud Prevention Service immediately on 0860 101 248 or at www.safps.org.za
  • Ensure that you have a robust firewall and install antivirus software to prevent a computer virus sending out personal information from your computer
  • When destroying personal information, either shred or burn it (do not tear or put it in a garbage or recycling bag)
  • Should your ID or driver’s license be stolen report it to SAPS immediately

Tips for protecting yourself against SIM swops

  • If reception on your cell phone is lost, immediately check what the problem could be, as you could have been a victim of an illegal SIM swop on your number. If confirmed, notify your bank immediately
  • Inform your Bank should your cell phone number change so that your cell phone notification contact number is updated on its systems
  • Register for your Bank’s cell phone notification service and receive electronic messages relating to activities or transactions on your accounts as and when they occur
  • Regularly verify whether the details received from cell phone notifications are correct and according to the recent activity on your account. Should any detail appear suspicious, immediately contact your bank and report all log-on notifications that are unknown to you
  • Memorise your PIN and passwords, never write them down or share them, not even with a bank official
  • Make sure your PIN and passwords cannot be seen when you enter them
  • If you think your PIN and/or password has been compromised, change it immediately either online or at your nearest branch
  • Choose an unusual PIN and password that are hard to guess and change them often

Tips for carrying cash safely

Tips for individuals

  • Carry as little cash as possible
  • Consider the convenience of paying your accounts electronically (consult your bank to find out about other available options)
  • Consider making use of cell phone banking or internet transfers or ATMs to do your banking
  • Never make your bank visits public, even to people close to you

Tips for businesses

  • Vary the days and times on which you deposit cash
  • Never make your bank visits public, even to people close to you
  • Do not openly display the money you are depositing while you are standing in the bank queue
  • Avoid carrying moneybags, briefcases or openly displaying your deposit receipt book
  • It is advisable to identify another branch nearby you that you can visit to ensure that your banking pattern is not easily recognisable or detected
  • If the amount of cash you are regularly depositing is increasing as your business grows, consider using the services of a cash management company
  • Refrain from giving wages to your contract or casual labourers in full view of the public; rather make use of wage accounts that can be provided by your bank
  • Consider arranging for electronic transfers of wages to contract or casual labourers’ personal bank accounts

Postbank forced to replace 12m bank cards

Source: MyBroadband

Postbank needs to replace 12-million bank cards at a cost of R1-billion after its “master key” was compromised, the Sunday Times reported.

Citing several internal Postbank reports, the Times found that the bank’s master key was stored in plaintext during a data centre migration in July 2018. Two staff members also stored the key in plaintext on USB flash drives and one of the drives can’t be located.

One of the internal reports cited in the article, an overview of financial crime, reportedly stated that Postbank found 25,000 fraudulent transactions between March 2018 and December 2019. R56 million was stolen.

The master key was generated in January 2018, according to the report.

The article described the master key as a 36-digit code which allows anyone to read and write account balances, and read and change information on any of the cards the bank has issued.

The Post Office denied that its master key for Postbank’s cards had been compromised, saying that the “stories” were unfounded and only seek to create panic among Postbank’s clients.

Postbank’s clients include millions of social security beneficiaries who receive grants from the government every month.

No audit trail

Referring to another internal report titled “Overall IT Security Register” from January 2020, the Sunday Times reported that Postbank had no logging in place to trace fraudulent transactions.

Postbank was not able to audit when an account was accessed, who accessed it, and what was done on the account.

A spokesperson for the Post Office said that it is on record that “systematic difficulties” were uncovered with the “reconciliation functionality” of the integrated grant payments system, and that the issue has been resolved.

R42-million stolen from Postbank in 2012

This is not the first time information security problems at Postbank have resulted in money being stolen.

In 2012, a syndicate stole R42 million from Postbank in a heist that took place over the New Year holidays — between 1 January and 3 January.

The syndicate opened several Postbank accounts across South Africa towards the end of 2011, and over New Year’s they gained access to a Rustenburg Post Office employee’s computer. From there the syndicate made deposits from other accounts into its own.

Over the next three days, automated teller machines in Gauteng, Free State and KwaZulu-Natal were used to withdraw cash from the accounts.

According to a recent MyBroadband article, Telkom has fallen victim to the group behind the Sodinokibi ransomware, also known as REvil.

The group has claimed responsibility for the attack and has threatened to leak the Telkom client database on its dark web blog.

The REvil / Sodinokibi group is one of several ransomware operators that steal sensitive data from victims and leak it on the dark web if their targets don’t give in to their extortion demands.

The group has recruited a team of affiliates who carry out attacks on corporate networks.

According to speculation, the group may have tried to extort $1-million out of Telkom.

The company denied that its systems had been infected with ransomware.

Staff working remotely were unable to connect to servers or the Telkom virtual private network.


Source: NBC

Google was sued on Tuesday in a proposed class action accusing the internet search company of illegally invading the privacy of millions of users by pervasively tracking their internet use through browsers set in “private” mode.

The lawsuit seeks at least $5-billion, accusing the Alphabet Inc unit of surreptitiously collecting information about what people view online and where they browse, despite their using what Google calls Incognito mode.

According to the complaint filed in the federal court in San Jose, California, Google gathers data through Google Analytics, Google Ad Manager and other applications and website plug-ins, including smartphone apps, regardless of whether users click on Google-supported ads.

This helps Google learn about users’ friends, hobbies, favourite foods, shopping habits, and even the “most intimate and potentially embarrassing things” they search for online, the complaint said.

Google “cannot continue to engage in the covert and unauthorised data collection from virtually every American with a computer or phone,” the complaint said.

Jose Castaneda, a Google spokesman, said the Mountain View, California-based company will defend itself vigorously against the claims.

“As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity,” he said.

While users may view private browsing as a safe haven from watchful eyes, computer security researchers have long raised concern that Google and rivals might augment user profiles by tracking people’s identities across different browsing modes, combining data from private and ordinary internet surfing.

The complaint said the proposed class likely includes “millions” of Google users who since June 1, 2016 browsed the internet in “private” mode.

It seeks at least $5,000 of damages per user for violations of federal wiretapping and California privacy laws.

Boies Schiller & Flexner represents the plaintiffs Chasom Brown, Maria Nguyen and William Byatt.

The case is Brown et al v Google LLC et al, U.S. District Court, Northern District of California, No. 20-03664.

Source: eNCA

The COVID-19 lockdown alert Levels 3 and 4 have been declared invalid and unconstitutional.

The High Court in Pretoria has handed down this judgment.

The court, however, suspended the declaration of invalidity for a period of 14 days.

Government has noted the decision and says the Level 3 regulations remain in operation for now.

The court has directed Cooperative Governance and Traditional Affairs Minister Nkosazana Dlamini-Zuma to amend and republish the regulations.

It says the regulations should guarantee the rights enshrined in the Bill of Rights.

Liberty Fighters Network had taken government to court, arguing the rules are unconstitutional.

Cabinet says it’ll make a statement once it’s fully studied the judgment.

By Jan Vermeulen for MyBroadband

The Unemployment Insurance Fund (UIF) has made changes to the website for its Temporary Employer-Employee Relief Scheme (TERS) after a security researcher reported a data leak.

This leak allowed anyone to obtain the UIF reference numbers of employers who had been paid out, and look up how much they had been paid.

UIF reference numbers were published as part of a list of paid employers on a website hosted under the Department of Employment and Labour’s domain.

This list of paid employers can still be downloaded in CSV format from the UIF website, but it no longer includes UIF reference numbers.

After MyBroadband and the security researcher reported the issue, the UIF reference numbers were removed from the downloadable list.

Armed with a list of UIF reference numbers, an attacker could go to the “My Payment Status” page and query the reference number.

While this page now features a Captcha, it did not have one a few weeks ago. The Captcha was only added after we raised the matter with the UIF.

Before the Captcha was implemented, it would have been simple for an attacker to write a script to extract the amounts paid and processing dates for each of the UIF reference numbers that were readily downloadable from the same website.

It is also still possible to look up the payment status and amount paid for anyone so long as you have their UIF reference number, or ID number.

The UIF does not require that you register an account or log in to look up this information.
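The weakness described above is an access-control failure: the only thing needed to read an employer’s payment record was an enumerable reference number, and the same site published a list of those numbers. The following is an added illustration, not the UIF’s code; the service, the reference numbers and the amounts are all constructed. It places the pre-fix shape (any caller may query any reference number) beside a hardened shape that binds each lookup to an authenticated session, throttles repeated queries from one client, and records every attempt so that access can be audited later.

```python
"""Toy payment-status service, constructed to illustrate the TERS lookup weakness.

Two lookup paths over the same constructed data:
  - lookup_status_open(): the pre-fix shape, any caller may query any reference
  - lookup_status(): a hardened shape with authorisation, throttling and audit
Nothing here is the UIF's code; reference numbers and amounts are made up.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import time

# Constructed records keyed by a made-up reference number (assumed format).
PAYMENTS = {
    "U1234567/8": {"amount": 15000.00, "processed": date(2020, 5, 12)},
    "U2345678/9": {"amount": 8200.50, "processed": date(2020, 5, 14)},
    "U3456789/0": {"amount": 23750.00, "processed": date(2020, 5, 20)},
}


def lookup_status_open(ref_number: str):
    """Pre-fix shape: the identifier is the only 'credential', so a published
    list of reference numbers is a complete list of keys to every record."""
    return PAYMENTS.get(ref_number)


def enumerate_open(ref_numbers):
    """Shows what the open endpoint gives away for a known list of references."""
    return {r: lookup_status_open(r) for r in ref_numbers if r in PAYMENTS}


class AuthorizationError(Exception):
    pass


class RateLimited(Exception):
    pass


@dataclass
class Session:
    """A logged-in employer. In a real system this comes from the login flow."""
    client_id: str      # who is asking (account identity, not guessable data)
    employer_ref: str   # the one reference number this account may see


@dataclass
class RateLimiter:
    """Fixed-window limiter: at most `limit` queries per `window` seconds per client."""
    limit: int = 5
    window: float = 60.0
    hits: dict = field(default_factory=dict)

    def check(self, client_id: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(client_id, []) if now - t < self.window]
        if len(recent) >= self.limit:
            raise RateLimited(f"too many lookups from {client_id}")
        recent.append(now)
        self.hits[client_id] = recent


AUDIT_LOG: list = []  # (timestamp, client_id, ref_number, outcome)


def lookup_status(session: Session, ref_number: str, limiter: RateLimiter,
                  now: Optional[float] = None):
    """Hardened lookup: throttle every attempt (denied ones included), then
    check that the session owns the reference, and record the outcome."""
    limiter.check(session.client_id, now)
    if ref_number != session.employer_ref:
        AUDIT_LOG.append((now, session.client_id, ref_number, "denied"))
        raise AuthorizationError("reference number does not belong to this session")
    AUDIT_LOG.append((now, session.client_id, ref_number, "ok"))
    return PAYMENTS.get(ref_number)


if __name__ == "__main__":
    # A leaked list of references drains the open endpoint completely.
    print("open endpoint leaks:", enumerate_open(list(PAYMENTS)))
    # The hardened endpoint only answers for the caller's own reference.
    s = Session(client_id="employer-a", employer_ref="U1234567/8")
    print("own record:", lookup_status(s, "U1234567/8", RateLimiter()))
    try:
        lookup_status(s, "U2345678/9", RateLimiter())
    except AuthorizationError as e:
        print("someone else's record:", e)
```

The order inside `lookup_status` is deliberate: throttling runs before the ownership check so that failed guesses consume the caller’s quota, and the audit log captures denied attempts as well as successful ones, which is the trail a defender needs to notice enumeration after the fact.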

Screenshots of the information returned by the My Payment Status page are included below.

MyBroadband contacted the Ministry of Labour for comment and was directed to speak directly to representatives of the UIF.

The UIF did not respond to a request for comment.

By Davey Winder for Forbes

At the start of May, I reported on a critical security vulnerability that could impact every Samsung Galaxy smartphone sold from late 2014 onwards. That zero-click bug scored a perfect 10 on the vulnerability severity scale. The good news was that it had been patched in the Samsung May 2020 security update. Just as Android users were recovering from that security shocker (and some, it should be noted, have yet to get that update on their devices), along comes one more.

This time it’s in the form of another critical vulnerability, but rather than applying to Samsung devices only, it’s an issue that exists in almost every version of Android. Only users of Android 10 need have no concern here; all other versions of Android, however, are potentially affected. Given that, in April, Android 10 only accounted for around 16% of users, and Google itself says there are at least 2 billion Android users out there, that’s north of 1 billion Android devices potentially at risk.

The risk is that, if exploited by an attacker, this vulnerability could lead to an elevation of privilege and give that hacker access to bank accounts, cameras, photos, messages and login credentials, according to the researchers who uncovered it. What’s more, it could do this by assuming “the identity of legitimate apps while also remaining completely hidden.”

What is StrandHogg 2.0?

Researchers at a Norwegian security company called Promon discovered CVE-2020-0096, which they called StrandHogg 2.0: the more cunning “evil twin” to the original Android StrandHogg vulnerability it also found last year. “While StrandHogg 2.0 also enables hackers to hijack nearly any app,” the researchers said, “it allows for broader attacks and is much more difficult to detect.”

Rather than exploit the same TaskAffinity control setting as the original StrandHogg vulnerability, StrandHogg 2.0 doesn’t leave behind any markers that can be traced. Instead, it uses a process of “reflection,” which allows it to impersonate a legitimate app by using an overlay into which the user actually enters credentials. But that’s not all; it also remains entirely hidden in the background while hijacking legitimate app permissions to gain access to SMS messages, photos, phone conversations, and even track GPS location details. Using the “correct per-app tailored assets,” the Promon researchers said, StrandHogg 2.0 can “dynamically attack nearly any app on a given device simultaneously at the touch of a button.”

Stealthier than your average StrandHogg

Detection would also appear to be more complicated than the previous StrandHogg vulnerability. “No external configuration is required to execute StrandHogg 2.0, it allows the hacker to further obfuscate the attack,” the researchers said, “as code obtained from Google Play will not initially appear suspicious to developers and security teams.”

However, Google told TechCrunch, which broke the StrandHogg 2.0 news, that it had not seen any evidence of the vulnerability being exploited to date. I reached out to Google and a spokesperson told me: “We appreciate the work of the researchers, and have released a fix for the issue they identified. Additionally, Google Play Protect detects and blocks malicious apps, including ones using this technique.” The latter being important as exploitation of the vulnerability requires the device to already be infected by a malicious app.

How can you mitigate this critical Android vulnerability?

It’s not all bad news for Android users, though. Those with devices running Android 10 are not impacted. There’s more good news for those of you who are, however, running Android 9 or earlier, as Google included a patch for CVE-2020-0096 in the May 2020 Android security update. It was described there as a critical vulnerability that could enable a local attacker to use a specially crafted file to execute arbitrary code within the context of a privileged process. The usual fractured ecosystem warnings from me have to be flagged up at this point: many users will not see that update rolling out to them immediately, and some may never see it at all if they have an older unsupported device.

Tod Beardsley, research director at Rapid7, said that “since the fix for this bug is part of the core Android operating system, Android users are once again at the mercy of their handset manufacturers and their service providers, who are often slow to act when it comes to distributing security patches. People who are worried about this bug in particular should keep a close eye on when the fix for CVE-2020-0096 hits their particular distribution.”

“Attackers looking to exploit StrandHogg 2.0 will likely already be aware of the original StrandHogg vulnerability, and the concern is that when used together, it becomes a powerful attack tool for malicious actors,” Tom Lysemose Hansen, Promon CTO and founder, said. He recommends Android users update to the latest firmware as soon as they can, and advises app developers to “ensure that all apps are distributed with the appropriate security measures in place in order to mitigate the risks of attacks in the wild.”

“Android device users need to be cautious of the apps they choose to install. Even as Google works to protect their users, malicious apps will still likely slide past their screening process on occasion,” Boris Cipot, a senior security engineer at Synopsys, said. “One way that users can stay alert and mindful is to do a bit of research on the app developers before downloading a given app. Check where the app comes from and if anything seems off, then think twice before proceeding with installation,” Cipot concluded.

Promon has issued a disclosure timeline, which shows it notified Google of the vulnerability on December 4, 2019, and an ecosystem partner patch was rolled out in April 2020 before the public fix within the latest Android security updates for users.

By Natasha Odendaal for Creamer Media’s Engineering News

Telecommunications giant Vodacom has started engaging communities to intensify security around its base stations to guard against vandalism and battery theft.

Community members will be recruited, trained and accredited – working with police – serving as “monitoring personnel” under a new model to secure its sites.

“Incidents of base station vandalism have significantly gotten worse over the last few years,” said Vodacom Group CEO Shameel Joosub, noting that the crime is being perpetrated by organised syndicates that always find new ways to commit this type of crime.

“Our security teams on the ground have observed that quite often syndicates target base stations in far-flung and secluded areas because they know it will take police a long time to react. Hence, our sites in remote areas are repeatedly hit,” said Vodacom Group chief risk officer Johan Van Graan.

Theft and vandalism, and the resulting damage, are costing network providers hundreds of millions of rands every year.

Vodacom reported a 35% increase year-on-year in the number of battery thefts at its base stations, with an average of 600 incidents a month of sites impacted by theft or damage.

“We are losing between R120-million and R130-million to vandalism and theft each year. Nonetheless, we are not sitting on our laurels and are fighting back by coming up with innovative measures to stem the tide of battery theft,” Joosub assured.

Vodacom is testing a new model to secure its sites by forging partnerships with members of the community.

“As part of this new model, we recruit local people to serve as monitoring personnel to be our eyes and ears on the ground and provide us critical information police can use to effect arrests,” Van Graan said.

Locals will be trained and accredited, and linked with the local policing community forum and local South African Police Services to provide support when arrests must happen.

“In all the provinces where this model is currently being tested, it has yielded positive results,” he said, citing a substantial reduction in break-ins at at-risk sites owing to the enlistment of local people to secure its sites.

“This demonstrates that the number-one line of defence against site vandalism is the local community and vigilant community members who report incidents of battery theft or site vandalism to police,” he added.

Each theft incident can result in the network in that area being down for days, and can severely impact businesses, as well as anyone relying on the Internet to study and remain in contact with friends and family.

Vodacom plans to spend R1-billion in the current financial year to ensure its network is able to cope with widespread electricity blackouts, which will include intensified security around the telco’s base station sites and the installation of additional batteries and generators to ensure connectivity during load-shedding.

Source: IOL

South Africa’s Competition Commission told the Portfolio Committee on Trade and Industry that since the national disaster was declared in March, it had received a total of 1 354 complaints and tip-offs from the public regarding inflated prices.

The committee was told that these complaints concern allegations that retailers, traders, suppliers and pharmacies are charging excessive prices for Covid-19-related products, including masks and sanitisers, personal protective equipment (PPE) and other essential goods and basic food items.

The complaints have been investigated in terms of Section 8 of the Competition Act, which prohibits excessive pricing.

According to parliament, some of the complaints relate to price increases of 1 000%.

“In two instances, firms pleaded guilty and agreed to pay a fine after the matter was handed over to the Competition Tribunal. Covid-19-related pricing investigations by the tribunal have so far led to 13 settlements through consent orders. The total value of the settlements is R12 854 694. Special Tribunal Rules for Covid-19 price-gouging matters to be heard on an expedited basis were also published,” a statement from parliament read.

The committee heard that government regulations relating to the national disaster prohibit dominant suppliers from charging excessive prices for certain specified goods and services, mainly basic food and consumer items, medical and hygiene supplies, and other emergency products and services.

“The Block Exemption regulations exempt categories of anticompetitive agreements or practices in some industries from applying Sections 4 and 5 of the Competition Act. The Commission said that authorities should be on high alert as the economy opens up, as some companies, such as airlines, may be planning to increase prices by up to 50%. Regarding the National Consumer Commission (NCC), the committee heard that from 23 March to 12 May, the NCC received 2 900 calls on its Covid-19 toll-free hotline.”

A total of 2 533 (87,3%) calls were answered and 367 (12,7%) were lost/abandoned. Of the 2 533 complaints received to date, 1 618 complaints alleged price gouging relating to regulated essential products. The remaining 915 complaints were not related to the regulation. These complainants were referred to the relevant platforms.

Committee Chairperson Duma Nkosi said, “The committee will continue to engage with all its entities and the department in order to monitor their work, progress and support provided to South Africans, especially during the national disaster period.”

My Office News Ⓒ 2017 - Designed by A Collective