Saturday, December 08, 2007

Another SIM swap fraud


I was phoned by one of South Africa's popular radio hosts (Bruce Whitfield) on 567 Cape Talk on Friday to ask my opinion on another recent fraud perpetrated by means of swapping the SIM of the target account holder (See story) (Transcript of the call). It is of concern that these incidents are creating the perception that mobile banking is not safe, as it does not have anything to do with mobile banking.

In order to explain this statement, I need to describe how South African banks have improved Internet Banking by utilising an additional channel to improve the security of sensitive transactions. Most South African banks enable customers to log into their Internet banking websites in the acceptable ways through entering Username/Account-number and a secret password. Some have even improved on this by utilising soft-keypads (to counter key-logging attacks) and partial passwords. Typically this would be viewed as "strong-enough" security in most places in the world.

However, most South African banks have improved on this security by also sending a one-time password to a client's mobile phone for sensitive transactions (e.g. registration of a new beneficiary). The client is then required to enter this one-time password into the Website. This is an ADDITIONAL security mechanism for Internet Banking.

If the passwords of a victim were compromised (either by means of phishing, resetting or physical stealing), a fraudster would have been able to commit a fraud in most other countries. However in South Africa, the fraudster is now also confronted with the need to have access to the one-time password that will be sent to the victim's mobile phone. It is in these instances that an illegal SIM swap is performed to get access to the one-time password.

This fraud is solely to perform an Internet Banking fraud and has very little to do with mobile banking. We at Fundamo have deployed more advanced functionality that would have countered even these types of frauds which I will not publish. What we have deployed for one of our clients is a feedback mechanism from the Mobile Operator that would render the sending of a one-time password temporary suspended in the case of a SIM swap. The customer is then required to confirm the SIM swap with the bank first (via other security mechanisms), before the transaction can be completed.

No comments: