Digital banking bandits abound

Skimming and SIM card swapping are only two in a list of crimes perpetrated by banking fraudsters.

Rabelani Dagada
By Rabelani Dagada, Professor, University of Johannesburg
Johannesburg, 30 Sept 2014

In last week's Industry Insight, I provided a background to digital banking in South Africa. I further stated the growth of digital banking has attracted criminal elements. This Industry Insight will reflect on two digital banking crimes: skimming and SIM card swapping.

Skimming as a digital banking related crime

Fraudsters use skimming devices to harvest the credentials of the cheque or credit card owner. Skimming usually happens in restaurants, hotels and other retail establishments. The cashier or waitress takes away the customer's card to process the payment behind the counter. The card is then swiped through the device, and thus the customer's user ID and password are extracted improperly.

Alternatively, both sides of the customer's card are photocopied.

The criminal downloads the gathered information from the device into a computer. The next step is to use the downloaded information to produce a fraudulent card. But, in actual effect, the criminal can use the photocopied information successfully without necessarily manufacturing another card. These kinds of crimes have made the South African banking system smarter than and superior to its counterparts worldwide: the vendor machine that enables customers to pay their bills at their tables, without giving away their cards, was initiated in SA partly to thwart crime.

The South African Banking Risk Information Centre (Sabric) says statistics showed that counterfeit cards which are the product of skimming accounted for 60% of the banking industry card fraud. According to Sabric, fraudsters illegally produce a counterfeit card from the information skimmed from the magnetic strip of the legitimate card. Shockingly, hundreds of handheld skimming devices are found by law enforcement agencies annually.

Some bank clients have claimed the banks have stolen their money by dispensing lesser amounts than requested. A financial journalist claimed to have "noted lots of complaints from consumers regarding this matter; this usually happens in ATMs that are found in the supermarket" (personal communication). This journalist claims that when clients call their banks to request reimbursement, the bank refuses because the bank journal confirms the right amount has been dispensed: "It does not mean that banks are deliberately robbing the clients, but the problem is more technical and banks have to do something about this. The rollers on the dispensing system do not push the money out adequately, and thus some bank notes get stuck before they are completely out of the machine," he noted.

The fact is that perpetrators of bank fraud are now targeting ATMs.

During the interviews for the study in which this Industry Insight is based, bank officials refused to confirm that some ATM cash-dispensing problems are related to criminal activity. They also declined to confirm that rollers in the dispensing systems of some ATMs were causing problems. However, a senior lecturer in security studies indicated: "Criminals put a card reader [in] the ATM, which would scan the clients' card information and PIN numbers. They will then proceed and manufacture their own clients' cards."

Shockingly, hundreds of handheld skimming devices are found by law enforcement agencies annually.

But a researcher attached to a security institute vehemently objected to this claim: "As far as I know, such type of identity theft and ATM engineering has not yet been reported in SA." Nevertheless, as the researcher of the study on which this Industry Insight is based, I can conclusively confirm that criminals in SA used to attach skimming devices to the slots of ATMs to harvest information and clone bank cards. Some digital banking criminals are qualified engineers, and there is thus a high level of sophistication. To mitigate this, banks have largely deployed new ATMs that cannot be skimmed.

The SIM card swap

In SIM card swapping, criminals request the victim's cellphone service provider to transfer the existing cellphone number onto a new SIM card by pretending to act on the victim's behalf. Criminals will find ways to get a copy of the customer's authentic or falsified ID. This will convince cellular service providers that the request is legitimate.

By the time criminals swap the SIM card, they already have the victim's Internet banking user ID and password. The only thing they still need is the one-time password (OTP), which is transmitted via the cellphone when the account holder logs in. The possession of the swapped SIM card enables the fraudsters to create new recipients within the Internet banking account of the victim. They then transfer the victim's money onto the fraudulently created recipients' accounts.

The fraudsters have, in the past, also used the OTP to increase the credit limit of the victim's account.

While these fraudulent transactions are taking place, the bank sends records of transaction to the victim's cellphone. Unfortunately, the victim does not receive the SMS alert because his/her cell number has been swapped.

Criminals are also able to steal money without doing a SIM swap. They do this by intercepting (hijacking) the OTP. Instead of the OTP going to the cellphone owner (bank account holder), the SMS containing the OTP will be hijacked by the criminal. So far, millions of rands have been stolen through this scam.

It is disturbing to note that the Financial Intelligence Centre (FIC), an offshoot of the Financial Intelligence Centre Act (FICA), failed to discover this SMS interception scam and many other incidents where money was siphoned through digital banking delivery channels. The FICA and FIC were established in SA to assist in combating money laundering.

#Dagada investigated digital banking security as part of his PhD study at the University of South Africa. Banks that participated in this study include Absa, FNB, Investec, Nedbank, and Standard Bank.