Why banking fraud is here to stay

Password. (Duncan Alfreds, Fin24)

Cape Town - Internet users are contributing to banking and financial fraud by falling victim to cyber scams designed to steal cash, says a cyber security expert.

While credit card fraud has declined in SA by 28.6%, according to the South African Banking Risk Information Centre (Sabric), debit card fraud increased 8.3% in the year ended 2015.

The organisation also reported that Card Not Present (CNP) fraud increased by 12.6% to account for 75% of losses relating to South African issued credit cards.

“The problem is not that the cyber criminals are stealing our information, but rather that we are giving it to them,” said Tjaart van der Walt, chief executive of Truteq Group.

“We click on the links in the phishing emails and we install the ‘free’ apps on our mobile phones. This mechanism to get your banking information is more about social engineering than hacking in the old sense,” he added.

Trojan attacks

Security firm Kaspersky Lab recently reported that cyber criminals have turned to Trojans designed to steal financial information and install malicious software on both PCs and smartphones.

“Almost every detected threat in South Africa is an advertising Trojan that can use root rights on the phone,” Roman Unuchek, senior malware analyst at Kaspersky Lab USA, recently told Fin24.

Van der Walt said the divergent interests of mobile phone operators and banks, communication on the one hand and financial security on the other, have left a security gap.

“Using mobile technology to secure financial transactions was not part of the specifications or the intended purpose. Three decades later, mobile telephony has turned out to be indispensable to our way of life and there is now a mobile phone in almost every pocket,” he said.

Banks typically use a one-time PIN (OTP) sent to a customer’s cellphone to secure online transactions. However, mobile operators do not want to expose themselves to additional risk.

“In the delivery of a one-time pin, a mobile network operator has very little (in all likelihood no) legal or financial risk. The terms and conditions of use limit their liability and case law exists to reinforce this position. In fact, a mobile network operator will not want to be associated with the authentication of financial transactions at all,” Van der Walt said.

The fact that many banks send the verification to the same mobile number used to conduct the transaction may leave customers vulnerable if a cyber criminal has compromised the device.

SIM-swap fraud

“Using the same mobile phone to make a transaction and to verify it [financial transactions], wipes out the benefit of the two-factor authentication. Fraudsters only have to compromise you once in order to break into your bank account and clean it out,” said Van der Walt.

The problem is magnified when customers enact a SIM-swap – or if criminals conduct a fraudulent SIM-swap.

“The identification process followed by a mobile network operator’s call centre agent to verify your identity for the purposes of a SIM swap or network port is as simple as possible. Their interest is to keep us talking and if we cannot make a call, then we cannot talk and consume credit,” said Van der Walt.

“The banks, on the other hand, need the verification process to be as rigorous as possible in order to comply with anti-money laundering and counter-terrorism laws,” he added.

Van der Walt argued that about 1% of mobile subscribers conduct a SIM swap per month, implying a change in about 870 000 numbers in SA.

While not all mobile subscribers are banking customers, Van der Walt said number porting could place a strain on banks’ ability to keep track of customers.

“Even if a bank had the access to see if a user has ported or not, blocking a transaction purely on the basis of the user changing networks will drive hundreds of thousands of irate customers to their call centres,” he said.
