Standard, MTN point fingers in fraud case

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 07 Dec 2007

Identity theft and a fraudulent SIM swap cost a children's charity R90 000.

Standard Bank says more vigilance on the part of the client and her cellular service provider would have left the organisation none the poorer. But MTN says it too is not to blame.

The Star newspaper reported yesterday that an online fraud syndicate had hacked into the bank account of a Cape Town non-profit and stolen R90 460 from orphans and other vulnerable children.

The Novalis Ubuntu Institute had its account hacked in mid-November, after criminals stole the identity of its CFO, Anne-Lise Bure-Shepherd. They cancelled her SIM card and had MTN issue a replacement card, which allowed the criminals to receive a one-time password (OTP) to access the account and transfer its funds to other accounts.

Standard Bank director of self-service banking Itumeleng Monale says the bank "sympathises with our customer's position and the loss of funds" and has "done a thorough investigation of the matter".

Phishing victim

She says the institute has confirmed receiving a phishing e-mail. "Although the client is not confirming that they responded to the phishing mail, all the evidence suggested their details were compromised and the modus operandi of the fraudsters is consistent with a phishing compromise.

"Despite the client compromising their details, the fraudulent transaction would not have been authorised, nor would the fraudster have been able to transact as we use an OTP. [An] OTP is a unique and secure code sent to a customer every time certain transactions, like once-off payments, take place," Monale says. "All of Standard Bank's security features prevented the fraud up until this point.

"The breakdown in the security procedure lies with the mobile operator. The customer's cellphone SIM card gets falsely declared stolen by the fraudster at the service provider. A replacement SIM card is issued, rendering the customer's original SIM card void.

"What this means is that all security messages and codes sent to the customer by Standard Bank are sent to the fraudsters who utilise the customer's replacement SIM card. Using Standard Bank's secure OTP, the criminals were able to change and add beneficiaries and transfer money out of the customer's account using the original information obtained through the phishing compromise."

Monale says Standard Bank has of late spent a considerable amount of time warning consumers to keep their personal information safe and not divulge sensitive information like PIN numbers and card numbers.

"Given the increase in the number of false SIM swaps in SA, customers should notify their cellphone providers if they become aware of any suspicious activity on their cellphone," Monale advises.

"This could include the loss of signal, service disruptions or network unavailable messages. Treat this with suspicion and contact your service provider immediately and check your bank accounts."

MTN shifts blame

MTN spokesperson Ntombi Mhangwani says: "MTN regrets the loss of funds to the NGO" but is not to blame. "MTN SA is constantly reviewing its systems to ensure customer details are protected from such fraudulent activities."

Mhangwani says, in this case, the fraudsters already had enough information on the victim to defraud her and this information was not obtained from MTN. "The perception exists that all this fraud is as a result of MTN's processes failing, when in fact the victim is partially to blame for not protecting sensitive information such as bank account numbers and passwords."

She concedes, however, that MTN may have to revise its policies surrounding the issuing of SIM cards. At present, MTN relies on the dealer to authenticate the subscriber.

"MTN acknowledges that, in light of the rise of fraudulent activities using SIM swaps, this process may need to change. We are in the process of implementing an auto SMS functionality to inform subscribers that a SIM swap has been requested on their account prior to proceeding with the SIM swap transaction to allow the subscriber time to contact MTN in the event that they did not request the SIM swap."

Client feels betrayed

Bure-Shepherd says it "seems that the customer is always to blame. We are left with the question: How safe is Internet banking really? It appears that our vulnerability is far greater than we think.

"We feel very exposed on three levels, one with the fake identity document, with SIM swaps being done so easily and with the banks not really being able to guarantee security on their side," she adds.

"Novalis' experience seems to show that people doing Internet or cellphone banking are far more exposed to risk than is generally realised, especially if, as the police suspect, insiders may be involved," Bure-Shepherd says. "And do the banks or the cellphone providers take any responsibility, or does the customer carry all the risk? That's what it seems to come down to."
