Friday, June 17, 2011

The risk-profile for mobile operators

Online banking in South Africa is much more secure because of the use of SMS to deliver one-time passwords (OTPs) to banking customers. Unfortunately, even this practice can be manipulated by criminals to intercept passwords. This was recently highlighted when it was reported that a Vodacom employee colluded with criminals to intercept the OTPs sent to customers. In the process, fraud of R2.4 million (about $340 000) was committed. (Read here). The immediate question is whether Vodacom is liable in any way for this damage, and the answer is quite clearly: no.

The commercials and infrastructure that support existing telecommunication services (the delivery of voice and data products) were never designed to cater for the additional liability of financial services. Many examples exist where banks have been held liable for fraud perpetrated on their networks (Read for instance here). Banks have to implement systems to cater for this; they have to price their products accordingly and take out insurance to achieve this. The question is whether mobile operators understand these implications and whether they are able (and willing) to act accordingly.

In the meantime, consumers have to be made aware that the protection that they may expect from utilising telecommunication infrastructure to secure their banking is not as rigorous as they may think. This is demonstrated by a recent post on the Internet Security Awareness Portal (Read here).
