
Phishing scams migrate to mobile

By Leigh-Ann Francis
Johannesburg, 23 Jul 2009

Phishing attacks and advance fee fraud scams will migrate towards the mobile platform, making mobile cellular devices prone to the same risks as the Internet, according to Dr Pieter Streicher, MD of BulkSMS.com.

Streicher says the recent SMS banking scam, in which a Vodacom employee was charged with fraud amounting to R7 million, highlights how both consumers and corporate organisations can avoid falling prey to SMS scams.

Most of the focus on the Vodacom SMS banking scam has been on the vulnerability of SMS one-time passwords. But Streicher points out that, in this case, the vulnerability was the ability of the Vodacom employee to create a dual SIM without the original SIM being notified at all.

“In this particular instance, bank accounts were already compromised before the SMS issue came into play. If not for the SMS notification, the fraudsters would already have had the money, and would not have needed an accomplice at network level. The biggest problem is that too many people provide their account details when exposed to phishing attacks,” explains Streicher.

To avoid this type of fraud, Streicher says consumers must make sure they protect their banking details. Consumers should be aware that SMS messages are easy to imitate. “Consider a scenario where a fraudster might imitate your banking login notification via SMS, but replace the bank telephone number with his own. Should you receive this SMS, you might phone the number in the SMS. The fraudster will then pretend to be your bank, and try and obtain your PIN,” he continues.

Regarding the Vodacom SMS banking scam, there was not much the users could have done to prevent the fraud from taking place. In this instance, argues Streicher, the solution lies at the network level. “Organisations must remember that SMS messages are not encrypted, and a malicious employee at the network level could potentially realise this. It is, therefore, a bad idea to send sensitive via SMS,” he advises.

Streicher urges organisations to look critically at all their SMS communications, and consider the risks should these messages be imitated or intercepted. Companies should also make their customers aware of how easy it is to imitate SMS messages in phishing attacks.

The impact of mobile breaches is far-reaching, and both consumers and organisations need to be more wary of phishing and advance fee fraud scams, concludes Streicher. Scams can be reported to the Wireless Application Service Providers Association, to the banks, network operators and the police.
