Publications
Mobile wallets are extremely attractive to cyber criminals, according to Fabio Assolini, senior security researcher at global cyber security firm Kaspersky Lab.
In his view, one-time passwords (OTPs) - an additional layer of security used by many banks for verification purposes - should not be used anymore either.
Assolini was speaking at an information session hosted by the company in Cape Town on Monday.
Mobile phone risks
There are various opportunities for fraud using mobile phones, Assolini noted.
"The user identification of your mobile carrier is via your SIM card, but what if someone steals your phone or activates your phone number with another SIM card without your knowledge or consent?" he asked.
That is called a SIM swap.
It can be done through what he called "social engineering" – by presenting false documents to your mobile operator. This is risky for the criminal, though, because they would need to go there physically and might, for instance, be recorded on security cameras.
That is why, Assolini said, some cyber criminals prefer to have someone at the mobile carrier working for them, adding that they would usually bribe the employee to assist them.
Smelling a rat
Sometimes the corrupted employee does not want to lose his job, so he or she would install a so-called "rat" (remote admin tool) in the company’s system, and get paid for doing that.
This allows the cyber criminal to enter the carrier remotely and perform the tasks they want to themselves.
Having done a SIM swap, cyber criminals can then steal your money, because they will be able to get the OTP that has been SMS'd to you.
Help, I'm stranded...
Using the victim’s WhatsApp account is usually the next biggest target of cyber criminals.
They use the person’s WhatsApp account, pretending to be that person, and ask his or her contacts on WhatsApp for money.
In SA, SIM swap fraud incidents doubled in the space of a single year, the South African Banking Risk Information Centre (Sabric) said in 2018.
Scourge
Assolini gave the example of how Mozambique decided to deal with increasing problems with SIM swap fraud in the country.
Local banks and mobile carriers got together and created a simple system where banks would check with a client’s carrier whether a SIM swap had been done recently. If that was the case, the bank would not do a wire transfer until it could be sure their client had indeed requested it.
Within a month, SIM swap fraud in Mozambique had decreased by 50%, and after six months it was just about non-existent, he said.
"Banks need to stop sending OTPs and tokens by SMS – yet they do it because it is very cheap to send SMSes," said Assolini.
"If you suddenly find you have no mobile signal when in an area that you should have, contact your carrier as soon as possible," Assolini told Fin24.
"There will continue to be a lot of victims of SIM swaps until telecommunications companies and banks get together - like in Mozambique - and decide to do something about it.
"Consumers need to put pressure on these companies to do something about it."
