The South African Banking Risk Information Centre was responding to questions by Fin24 on how widespread the fraud is, and whether it is specific to Absa Group [JSE:ASA] and MTN Group [JSE:MTN] as indicated by a stream of Fin24 user letters.
Fin24’s sister publication Die Burger reported on Monday that Media24's CEO Esmaré Weideman had R360 000 stolen from her cheque account in what seems to be a hit from a SIM swap syndicate.
What followed was an outcry from victims who had lost hundreds of thousands of rands in SIM swap bank fraud.
Technical adviser and owner of Swift Consulting Liron Segev said SIM swapping is not new, but what is novel and worrying is that SIM swapping is being done primarily to get people’s banking details and prevent them from receiving notifications that a transaction has occurred.
“In the past people were defrauded as their SIM was swapped and used in international PABX, which rang up massive bills.
“It was also used to dial premium rated numbers so that the caller pays for the calls made.”
Sabric CEO Kalyani Pillay said SIM swap bank fraud almost always works hand-in-hand with phishing and/or smishing, so consumers should be careful never to respond to emails and SMSs from entities posing as their bank.
With SIM swap bank fraud the consumer is defrauded twice: first by the SIM swap, then the bank fraud.
SIM swap occurs when criminals request your mobile phone service provider to transfer your existing cellphone number onto a new SIM card by pretending to be you, or pretending to act on your behalf, Pillay explained.
The fraudster will produce falsified copies of your identity document, cellphone number and other Fica-required documents that may convince the service provider that the request is legitimate.
Once they have illegally assigned your cellphone number to their SIM card, they will receive all your calls and SMS notifications, which include your in Contact and One Time Pin (OTP) messages.
Your phone will stop receiving any incoming calls or messages.
When it comes to bank fraud there is a major problem for everyone, said Segev.
He said: “The hacker needs to have two passwords – one to log into the account and one to do any transfer or add beneficiaries.
“To do this, the hacker needs to get the password to internet banking – this is usually done via a phishing attack where the hacker impersonates that bank and asks to 'reset' or 'confirm' the password.
“Then the hacker needs to target that individual and clone their SIM.
“This is usually done with internal help from either someone inside the network or by impersonating the person and asking for a SIM swap at an outlet shop, saying that the original card is faulty.
“Very little documentation is required at this point and a little ‘encouragement’ is offered to the person doing the swap.”
Why is this a problem?
1. Because the bank did nothing wrong – the customer fell for the phishing attack and gave their username and password, despite repeated warnings not to do so. Therefore, the customer is responsible.
2. The bank cannot be responsible for the SMS notification as this is passed via the cellular networks which they have no control over.
3. The cell operators cannot be held responsible for any banking fraud as it was not their system that was hacked into.
“The only thing people can do is NOT to fall for any phishing scams, nor divulge their personal info to anyone, including people inside the bank.
“The SIM swap without the bank login details is pointless,” said Segev. “The hacker needs both.”
What you should do
Segev said that two SIM cards struggle to operate on the same network at the same time.
“If you are experiencing issues with your phone, call the customer service and ask specifically if there is another SIM registered on your account or if a SIM swap was recently requested.
“If yes, call the bank ASAP and ask them to stop your online banking immediately.”