
Scam exposes SMS password danger

Johannesburg, 17 Jul 2009

A recent banking scam which saw a Vodacom technician and his syndicate charged with fraud amounting to more than R7 million, highlighted the fact that SMS one-time passwords are not secure.

"This is believed to be South Africa's biggest online banking scam to date and raises some important questions about the security chain between banks and their online customers," says Jenny Dugmore, CEO of FireID, a Cape-based company providing authentication for online applications.

Dugmore says the scam highlights the insecurity of SMS one-time passwords (OTPs). "One-time passwords are an excellent solution for strong authentication. However, these should not be sent over the air due to the ease of interception and potential for attack by hackers.

"It is clear from this incident that the SMSes were either in clear text, or were easy to decrypt in order for the criminals to be in a position to read them," adds Dugmore.

Together with recent cases of SIM card swaps, where fraudsters were able to obtain new SIM cards for targeted bank customers and divert the SMS to their own phones, this incident definitively shows online bankers are at risk, according to Dugmore.

"But this type of crime can easily be prevented by using out-of-band one-time password generators which do not require network connectivity," she adds.

"The one-time password is generated on the device, or in the instance of FireID, conveniently on the end-user's mobile phone and once used, it expires immediately.

"This latest scam proves that the time has come for financial institutions to look at new ways of securing customer information and assets," Dugmore stresses.
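The device-generated, single-use scheme Dugmore describes, as an added example that is not the article's or FireID's own code: an RFC 4226 HOTP generator standing in for the phone, and a bank-side verifier that burns each counter value once accepted so a replayed password fails. The shared secret here is a constructed value, assumed to be provisioned once onto both sides; nothing about the password ever travels over SMS.

```python
import hashlib
import hmac
import struct

DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class PhoneGenerator:
    """The user's device: holds the secret and a moving counter, no network needed."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1  # each password is produced exactly once
        return code


class BankVerifier:
    """The bank's side: accepts a password only once, then advances past it."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        # Tolerate a few skipped presses, but never accept a counter twice.
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # every value <= c is now expired
                return True
        return False


# Constructed demo secret; a real deployment provisions a random per-user key.
SHARED_SECRET = b"constructed-demo-secret-0123456789"
```

A password intercepted in transit or replayed after use is rejected by `verify`, which is the property SMS delivery of a reusable code lacks.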
