Fraudsters ready for 2014 festive season
With credit card fraud and Internet scams an ever-present threat across the globe, South African consumers need to be particularly cautious during the run-up to the 2014 festive season.
According to Richard Keymer, head of pre-sales at SecureData Africa, phishing remains the most common way in which South Africans inadvertently disclose their personal information online.
Victims are caught by fraudsters who pose as a financial institution and circulate an e-mail that appears to come from a legitimate site, such as the user's bank, but in fact comes from an external party masquerading as the financial organisation, he says.
According to an article by Webber Wentzel, just under 100 SIM swap fraud cases were reported in 2011, and this increased to just under 1 000 cases in 2013, reflecting a 900% growth.
Keymer notes SIM swap fraud attempts to undermine two-factor authentication methods. He argues that while receiving a one-time-PIN SMS is not the most secure second-factor authentication, it reduces instances of this type of fraud, though it has gained notoriety due to the fact that it is cheap and easily deployed to a large client base.
The banks notify the user when a beneficiary is being created on their account and require this PIN before proceeding. In the event that the SIM swap has been performed, the hacker would now receive this notification and PIN on their own device, he explains.
The use of this as a fraud method in South African banks hit the media in the middle of last year, says Keymer.
Keymer notes the banks and the cellular networks have taken measures to prevent these attacks and to inform users of them. For example, he says, users will now receive a notification on the existing SIM of the intent to perform a SIM swap before the swap is completed.
"South African banks and mobile operators use SMS as an effective communication tool, and notification would often be sent to inform the user," he notes. He advises that if any e-mail or SMS is received, users should contact the service provider immediately.
Keymer believes users should initiate contact with the service provider and query the alert. He points out that, all too often, users dismiss the alert after being contacted by the fraudster, who tells them there was a technical issue that has now been resolved.
"It is worth mentioning this SIM fraud is only a component of the hack, and a username and password would still need to be compromised, and this is typically done through phishing, but could be done through malware and network hacking," he concludes.