Saturday, December 29, 2007

Prosperous 2008

Just a thank you for every-one that has made some time to read my blog during the past year. Thank you for bearing with me and some of my wayward ideas. I also appreciate all the feedback and comments. Also thank you for referencing this blog on others. I am humbled to see what great entries on mobile banking are published on the other blogs in this space. See the links on the side (all worthwhile reading).

Anyhow, wishing all of you a prosperous 2008. It is (no doubt) going to be an amazing mobile banking year.

Tuesday, December 11, 2007

A new record!

Today's Google Alert for "mobile banking" delivered 29 hits. This is by far more than what has been delivered to me in the past. Although not a direct metric of mobile banking take-up, it does indicate an fast growing interest in mobile banking. Much more people are talking and writing about it.

Saturday, December 08, 2007

Three rules to defend against e-Fraud

After having read my previous blog-post, I realised how scary it can be for un-informed people doing their banking in the electronic world. I thought one can make it simple by giving three simple rules to consumers that will make banking much safer. In my view these are:

1. Never write your passwords, PIN's or any security information down. Make sure that no-body can see this information or steal it in any way. When you feel that this information has been compromised, contact your bank or log on to the website or mobile phone and change the secret information to something else immediately.

2. Never communicate with your "bank" via a mechanism or channel that you are not fimiliar with. If your "bank" phone you or send you an e-mail or SMS requesting you to give security information, don't do it. Rather contact your bank via channels that you have used before (a known website, a known telephone-number or menu on your phone) to check this unsolicited request.

3. When your phone dies unexpectantly, phone your phone from another phone. If your number rings and it is not the phone in your hand that rings, chances are that your SIM has been swapped illegally. Phone your mobile Operator and report your phone as stolen so that they can switch it off immediately. Even if this does not stop a bank fraud, at least it will stop some-one calling on your account.

As with anything in life, safety is common-sense. People feel safe in their houses only because they know that they must lock-up at night. People feel safe in their cars, because they put on safety belts.... to feel safe in doing banking remotely, one must stick to a few simple rules.

Another SIM swap fraud


I was phoned by one of South Africa's popular radio hosts (Bruce Whitfield) on 567 Cape Talk on Friday to ask my opinion on another recent fraud perpetrated by means of swapping the SIM of the target account holder (See story) (Transcript of the call). It is of concern that these incidents are creating the perception that mobile banking is not safe, as it does not have anything to do with mobile banking.

In order to explain this statement, I need to describe how South African banks have improved Internet Banking by utilising an additional channel to improve the security of sensitive transactions. Most South African banks enable customers to log into their Internet banking websites in the acceptable ways through entering Username/Account-number and a secret password. Some have even improved on this by utilising soft-keypads (to counter key-logging attacks) and partial passwords. Typically this would be viewed as "strong-enough" security in most places in the world.

However, most South African banks have improved on this security by also sending a one-time password to a client's mobile phone for sensitive transactions (e.g. registration of a new beneficiary). The client is then required to enter this one-time password into the Website. This is an ADDITIONAL security mechanism for Internet Banking.

If the passwords of a victim were compromised (either by means of phishing, resetting or physical stealing), a fraudster would have been able to commit a fraud in most other countries. However in South Africa, the fraudster is now also confronted with the need to have access to the one-time password that will be sent to the victim's mobile phone. It is in these instances that an illegal SIM swap is performed to get access to the one-time password.

This fraud is solely to perform an Internet Banking fraud and has very little to do with mobile banking. We at Fundamo have deployed more advanced functionality that would have countered even these types of frauds which I will not publish. What we have deployed for one of our clients is a feedback mechanism from the Mobile Operator that would render the sending of a one-time password temporary suspended in the case of a SIM swap. The customer is then required to confirm the SIM swap with the bank first (via other security mechanisms), before the transaction can be completed.