Tuesday, October 16, 2007

Mobile Banking Fraud!

Two cases of transactional fraud were recently reported in South Africa. One related to the arrests of waitresses at a well-known restaurant. Waitresses were paid for "skimming" credit card information, which was later used for fraudulent transactions. Read more here.

In the other it was reported that criminals conducted fraudulent transactions on ABSA clients' accounts by swapping the clients' SIM cards. Read more about it here. This was a much more elaborate sting and exploited a security measure implemented by ABSA, where a one-time password is sent to a client's cellphone for entry into a website. By swapping SIM cards, criminals could intercept this critical password and complete the fraud.

Both of these frauds were possible because of a weak Dual Factor Authentication (DFA) implementation (or the lack thereof). Criminals were able to steal clients' identities because identity was based solely on one factor (the card, or the mobile phone). Whoever obtained that device (the only factor) had access to the client's financial information and could commit fraud.

An improved version of DFA would have prevented these frauds. For instance, even if the SIM has been swapped, the one-time password would only be visible after entry of a private key; or, if the card has been skimmed, it could only be used if a secret PIN must be entered before a payment can be completed. Both these designs are incorporated in Fundamo technology, which makes it the most secure mechanism to interact with your bank.
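As an added illustration of the design sketched above (example code written for this post, not code from the article or from Fundamo), the following models the "OTP only visible after a private key" idea as a challenge-response: the SMS carries only a random challenge, and the six-digit code is computed on the phone from that challenge and a PIN-derived key, so the SIM alone yields nothing usable. The PBKDF2/HMAC construction, salt and PIN values are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample parameters for the demonstration (not from the article).
USER_SALT = b"constructed-per-user-salt"
PBKDF2_ITERATIONS = 100_000


def enroll(pin: str) -> bytes:
    """Enrolment: derive a secret key from the client's PIN.

    The bank stores only this derived key (never the PIN); the phone app
    re-derives it from the PIN each time the client enters it.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), USER_SALT, PBKDF2_ITERATIONS)


def issue_challenge() -> bytes:
    """Bank side: what goes out over SMS is a random challenge, not the OTP.

    A SIM-swapper who receives this message learns nothing that can be typed
    into the website; the code still has to be computed from the PIN.
    """
    return secrets.token_bytes(16)


def response_code(key: bytes, challenge: bytes) -> str:
    """Client side: the six-digit code exists only after the PIN was entered.

    HMAC over the challenge with the PIN-derived key, truncated to 6 digits.
    """
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def verify(stored_key: bytes, challenge: bytes, submitted: str) -> bool:
    """Bank side: recompute from the enrolled key and compare in constant time."""
    return hmac.compare_digest(response_code(stored_key, challenge), submitted)


if __name__ == "__main__":
    client_key = enroll("2468")          # constructed sample PIN
    sms_challenge = issue_challenge()    # this is all the SIM ever receives
    code = response_code(client_key, sms_challenge)
    print("SMS body:", sms_challenge.hex())
    print("code after PIN entry:", code, "accepted:", verify(client_key, sms_challenge, code))
```

The weak scheme in the article is the degenerate case where the SMS body *is* the code, so holding the SIM is sufficient; here a challenge intercepted via SIM swap is useless without the PIN-derived key.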


cantona said...

Hi Hannes,

Was just wondering if you had any information on that fraud attempt. I work in the online banking sector and am currently developing mobile banking. Do you have any links to articles on this?

Anonymous said...

Interesting article, this article makes some interesting points.

Bank web