Many South Africans have lost money through Internet banking fraud, with victims blaming their mobile operator for not protecting them against illegitimate SIM-swaps.
News reports emerged in 2016 that a crime syndicate had infiltrated the mobile operators and was performing SIM-swap and Internet banking fraud.
According to the report, the crime syndicate recruited Vodacom call centre agents to help with illegal SIM swaps.
Corporate law activist and trial attorney Johan Victor recently stated that crime syndicates had infiltrated the banks, too, and were assisting in SIM-swap fraud.
This raises the question as to whether SMSs are still suitable for OTP use in online banking.
MyBroadband asked the three major operators whether they believe banks should use SMSs as a security measure.
Vodacom – There is a place for using SMSs as a security measure
Vodacom said it provides a secure network and continues to upgrade and implement new measures to protect customers.
“It is our view that there is a place for using SMSs as a security measure, but this should not be used in isolation,” it said.
Vodacom said it provides the banks with a feature that allows them to check when last the customer requested a SIM swap on a specific mobile number before they send an OTP to that number.
“This is done through an automatic electronic interface and is a measure already implemented by some banks,” said Vodacom.
The feature allows banks to prevent flagged customers from adding a beneficiary for a certain period, while allowing them to conduct other banking actions.
Curiously, not all banks are using this facility, despite its ability to help protect customers against fraud.
MTN – No comment
Cell C – Cell C provided MyBroadband with comment after this article was published
“We cannot comment on behalf of the banks, however, the more security measures that are in place to protect customers, the better. SMS can be one of them,” said Cell C.
MyBroadband also asked who is to blame for fraudulent online banking transactions which were made possible thanks to fraudulent SIM swaps.
Vodacom – The victim has compromised their banking account details
Vodacom said criminals first obtain an Internet banking customer’s PIN and password through methods such as phishing emails. Only once they have these details, can they proceed to transferring money.
“They then use the personal information obtained from the customer, via social engineering and other means, to impersonate the customer and to attempt a SIM swap,” said Vodacom.
“It is important to note that Internet banking fraud cannot succeed unless the victim has compromised their banking account details and personal information, including their banking PIN or login details.”
MTN – No comment
Cell C – provided MyBroadband with comment after this article was published.
“Criminals are continuously finding new ways of committing fraud or other crimes. The primary target for these criminals is almost always to obtain personal information, and as such we urge our customers to protect their personal information,” said Cell C.
“We continuously review our processes and procedures in an attempt to stay ahead of these criminals and work closely with the banks and law enforcement to prevent these kinds of crimes.”