MTN updates SIM swap process

MTN South Africa will only process SIM swap requests during working hours in an attempt to tighten security measures and avoid SIM swap fraud.

Since 2013, MTN has been using an SMS verification process where it sends an SMS to the requesting number to verify the authenticity of a SIM swap request. Now MTN SA says it has "put a halt to activation of SIM swaps processing between 20H00 and 07H00".

"By restricting the activation of SIM swaps during working hours, MTN has ensured customers are given an opportunity to detect and approve SIM swap requests," the telecoms operator told ITWeb.

Next month, MTN plans to also embark on a campaign where it will encourage its customers to provide a secondary number or e-mail address for SIM swap verification purposes.

The tightening of security comes after the very public case of Cape Town audiologist Gail Jacklin, who reportedly had over R300 000 stolen from her First National Bank (FNB) accounts after a fraudulent SIM swap on her MTN account.

However, she is not the only South African calling for action from both mobile operators and banks after having large sums of money stolen through fake SIM swaps.

Customer complaints

There is a Facebook page dedicated to SIM swap fraud which aims to keep people up to date with the latest news about these cases. The Facebook group says it covers cases "involving MTN, FNB & others" and uses the hashtags: #hackedatMTN and #thiscanhappentoyou.

Complaints Web site HelloPeter also has numerous grievances posted about SIM swap fraud.

User jacquicoet complained she was a victim of SIM swap fraud in December 2015, which led to money being siphoned out of her FNB and Nedbank accounts via cellphone banking. Her HelloPeter post indicates the banks had assisted in trying to recover her money but the same could not be said for MTN.

"MTN has not made any response at all, after two months, since the crime was committed. I have reported the info by e-mail, MTN representatives in stores & call centres & by numerous phone calls."

An MTN representative, identified only as Kevin, responded to her HelloPeter post promising an "urgent escalation has been sent to our fraud division for assistance on the investigation" and that she would be called by MTN during the course of that day. Two weeks later, she posted another complaint on HelloPeter indicating no call had ever come from MTN.

MTN declined to respond to ITWeb's request for comment on customers' claims the MTN fraud department is hard to get hold of and unhelpful. MTN also would not furnish ITWeb with any statistics on the number of fraud cases logged by the department, or how many employees were responsible for dealing with fraud complaints.

HelloPeter user anisa786 also complained about SIM swap fraud on her brother's account, which led to R70 000 being debited from his Standard Bank account. However, a response from an MTN representative identified as Mantoa on HelloPeter makes it clear "MTN SP does not accept liability for claims resulting from fraudulent SIM swap".

"By the time the fraudulent SIM swap is processed, the fraudsters have already gained had access (sic) to your bank account," Mantoa explains as the reason for MTN not being responsible.

"MTN SP is not responsible for the safety and security of your bank account."

In this case, anisa786's brother received a call from "an MTN employee" stating he qualified for an upgrade. That call was likely a scam he fell for, which led to the fraud and, in MTN's view, absolved the operator of any responsibility.

Criminal puzzle

This type of phishing attack is often linked to SIM swap scams because the fake SIM swap itself is only one piece of the criminal's puzzle. To gain access to bank accounts, the fraudster also needs bank card or account numbers as well as Internet banking PINs and passwords. These are often sourced through e-mail or telephonic phishing scams, or harvested by malware targeting a PC or cellphone. The SIM swap then allows the criminal to intercept the one-time PIN (OTP) numbers most banks send by SMS and drain the accounts.

All of South Africa's major banks have sections on their Web sites warning of scams and how to avoid them. Most banks associate SIM swap scams with targeted phishing scams.

"The fraudsters usually use SIM card swapping as part of an extensive process which includes phishing. By the time they have swapped SIM cards, they usually already have enough of your personal banking details (login and password, etc) to transact on your online banking account, with the SMS OTP as the last link in the chain," says FNB.

Standard Bank also maintains SIM swaps take place "after fraudsters have received a client's logon details as a result of the client responding to, for example, a phishing e-mail".

Nedbank says fraudsters may obtain personal information by calling and posing as a consultant and then requesting the user confirm personal information with them, or by sending a phishing e-mail.

"Nedbank will never call, SMS or e-mail you to request you confirm your self-service banking profile credentials, your passwords or your Internet banking details," according to Nedbank's Web site.

"If Absa becomes aware of a SIM swap, a temporary hold is placed on your account for 36 hours to allow you to authenticate yourself and advise us if the SIM swap was legitimate," the bank's Web site reads.
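The two controls described above (MTN's overnight block on activations, which gives the real subscriber time to see the verification SMS, and Absa's 36-hour hold on accounts after a SIM swap, which breaks the OTP "last link in the chain" described by FNB) can be modelled as simple policy checks. The following Python is an added illustration, not code from MTN or any of the banks; the MSISDN, timestamps and the `AccountRisk` structure are constructed for the example.

```python
"""Added example: operator-side and bank-side SIM swap controls as policy checks.
Constructed model, not MTN's or any bank's implementation."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

HOLD_AFTER_SWAP = timedelta(hours=36)                   # Absa: 36-hour temporary hold
BLACKOUT_START, BLACKOUT_END = time(20, 0), time(7, 0)  # MTN: no activations 20H00-07H00


def activation_allowed(requested_at: datetime) -> bool:
    """Operator rule: a swap requested inside the overnight blackout is queued,
    not activated, so the legitimate subscriber can still see the verification
    SMS on the old SIM and object. The window crosses midnight, so it cannot
    be tested with a single start <= t < end comparison."""
    t = requested_at.time()
    in_blackout = t >= BLACKOUT_START or t < BLACKOUT_END
    return not in_blackout


@dataclass
class AccountRisk:
    """Bank-side view of one customer's registered cellphone number (constructed)."""
    msisdn: str
    last_sim_swap: Optional[datetime] = None
    swap_confirmed_by_customer: bool = False

    def record_sim_swap(self, at: datetime) -> None:
        # Any new swap resets an earlier customer confirmation: it must be
        # re-verified out of band (branch, call-back to a secondary contact).
        self.last_sim_swap = at
        self.swap_confirmed_by_customer = False

    def otp_transaction_decision(self, now: datetime) -> str:
        """Bank rule: an SMS OTP sent to a number swapped inside the hold window
        may be reaching the fraudster's SIM, so the transaction is held until
        the customer authenticates another way. Returns 'allow' or 'hold'."""
        if self.last_sim_swap is None or self.swap_confirmed_by_customer:
            return "allow"
        if now - self.last_sim_swap < HOLD_AFTER_SWAP:
            return "hold"
        return "allow"
```

A production system would also log every "hold" decision and notify the customer through a channel other than the swapped number, since that number is exactly what the attacker now controls.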

Capitec claims its users' accounts can't be accessed by an unauthorised SIM swap because the bank's verification process is linked to the user's phone and not the SIM.

"No other person can access your accounts using the app if they do an unauthorised SIM swap on your cellphone number because it's linked to your cellphone," according to Capitec.

The bank says if a customer's cellphone is lost or stolen, they can inform the bank, which will immediately suspend remote banking access to avoid any fraud.
