
Vodacom beefs up security

By Nicola Mawson, Contributor.
Johannesburg, 15 Jul 2009

Vodacom has implemented additional security measures after a staff member was arrested on charges of fraudulently scamming R7 million from its clients by diverting one-time PIN SMSes.

Vodacom's chief communications officer Dot Field says a Vodacom employee fraudulently created temporary dual SIM cards. The one-time passwords from the banks were then diverted to the duplicate SIM, after which the additional card was deleted.

Field says: “It is unfortunate that a Vodacom staff member was able to commit fraud working with external gangsters.” The staff member has been arrested and Vodacom has also laid criminal charges against him.

Subsequently, another ringleader was identified and arrested, says Field. The Citizen reports that specialist prosecutor Richard Chabalala has received a seven-day postponement on the case, due to suspicions the first two arrests “could be the tip of the iceberg”. A bail hearing has been set for 22 July.

Vodacom's forensic division is working with the SA Banking Risk Information Centre and the SA Police Service to investigate the fraud.

According to The Citizen newspaper, Vodacom employee Mbokodana Christopher Khoza and another syndicate member Mbusi Bhengu are alleged to have stolen R7 million from clients at banks such as Nedbank, Absa, First National Bank (FNB) and Standard Bank. They are believed to be part of a larger syndicate.

Bail was not granted when they appeared in court on Monday and the matter has been postponed.

Wait and see

Absa's managing executive of digital channels, Christo Vrey, says: “We are constantly looking at ways to improve and enhance the security of our systems.”

The bank is supporting Vodacom in its investigations, he adds.

FNB, Nedbank and Standard Bank were not immediately available for comment.

Advocate Clive Pillay, ombudsman for Banking Services, says he would only investigate the matter if he received an allegation that a bank was negligent in allowing the fraud to happen.

Pillay says the breach seems to have occurred at Vodacom, with a “Vodacom employee allegedly breaching the SMS generated by a bank”.

He says, based on newspaper reports, there does not seem to have been any fault on the part of the banks.

“We would have to wait to see whether we receive complaints from bank customers emanating from the breach and we would have to consider whether the technology used by the bank was adequate.”

Chain of events

Steven Ambrose, MD of World Wide Worx Strategy, says a chain of events and loopholes throughout several layers of the online banking process allowed people's accounts to be fraudulently accessed.

“A technological solution to a technological problem was effective in the absence of collusion and subversion.”

The scam is believed to have started with phishing e-mails and ended with the diversion of one-time PINs, which led to the fraud being perpetrated. “It was an ingeniously orchestrated chain.”

Ambrose says this type of fraud can only be committed if the scammers have access to people's login details.

He adds that too many layers of security will put people off banking online, but “it is incumbent on the banks and network operators to increase their oversight on this type of activity”.
