How crooks use SIM swaps to rob you
The fraudulent swapping of cellphone SIM cards is enabling fraudsters to clean out their victims’ bank accounts, including home loan accounts.
After obtaining your details in a phishing attack, fraudsters illegally swap your SIM card to prevent you from receiving notifications from your bank that beneficiaries have been added to your internet banking profile and that transactions have been made on your accounts. (See “How fraudsters access your bank accounts”, below.)
But the cellphone providers deny any liability, because, they say, access to a customer’s bank account is a result of a compromise of the customer’s security information – in other words, you are at fault because you were negligent with your log-on details. So even if someone manages to fraudulently carry out a SIM swap in your name, facilitated by your cellphone provider, the cellphone networks aren’t liable.
And the Independent Communications Authority of South Africa (Icasa), which regulates cellphone providers, says it has no jurisdiction over providers that fail to comply with the law governing SIM swaps – namely, the Regulation of Interception of Communications and Provision of Communication-Related Information Act (Rica).
One of the aims of Rica is to regulate cellphone-related fraud.
“It is precisely this failure to hold cellphone service providers accountable in law that exposes you and renders you vulnerable,” Clive Pillay, the Ombudsman for Banking Services, says.
Recently, an elderly Durban couple, who were allegedly victims of a phishing attack, had R280 000 stolen from their paid-up home loan account and linked cheque account after a cellphone upgrade and an illegal SIM swap (see “How SIM swap led to couple losing R280 000”).
The couple’s bank, Absa, offered them a partial settlement, admitting that it had failed to detect suspicious activity on their accounts on the day the accounts were raided.
However, their cellphone provider, MTN, denied responsibility, saying the couple’s accounts could be raided only because they had been victims of a phishing attack and had given fraudsters their bank details.
Unlike Absa, which made the couple an offer for its part in failing to prevent the fraud, MTN has been uncompromising in disclaiming responsibility. This is despite the fact that MTN apparently carried out the SIM swap with a fraudulent identity number.
Rica states a service provider may not activate a SIM card on its system unless it has verified the identity of the person requesting the SIM.
MTN says it does not have to Rica-register clients each time they obtain a new SIM card, but only when they first buy a SIM card from MTN.
Eddie Moyce, a customer relations executive at MTN, told Personal Finance that “MTN does not believe that section 40 of Rica finds application in circumstances of a SIM swap if the Rica information had already been recorded, verified and stored as it relates to this customer. The MTN customer in question is Rica-registered and is not required to register again.”
Moyce says: “MTN still requires the person activating a SIM swap to present a valid ID.” Yet in the Durban couple’s case a false ID number was seemingly provided to MTN.
MTN and Absa were involved in at least three cases of SIM card-related fraud reported by Moneyweb recently. In one case, Eugene Malan had R97 000 stolen from his Absa accounts – including his home loan – also after a phishing attack and illegal SIM swap processed by MTN.
Adrian Vermooten, the head of digital banking and payments at Absa, says banking fraud affects the entire banking industry, not just Absa. “Absa upholds the highest levels of security to ensure the safety of customers’ money,” he says.
Vermooten stresses the importance of you keeping your banking details – namely account numbers, personal identification numbers (PINs) and passwords – confidential.
Up until this week, the office of the banking ombudsman has advised victims of fraud committed after a phishing attack and illegal SIM swap to contact Icasa to lodge complaints against cellphone operators that don’t comply with Rica.
But this week, Icasa told Personal Finance it is not responsible for ensuring that mobile operators adhere to Rica.
“Icasa does not have jurisdiction over Rica. This law is regulated by the Department of Justice and Constitutional Development,” says Icasa spokesperson Paseka Maleka.
Pillay says that whoever is responsible for regulating Rica, be it Icasa or the Department of Justice, needs to enforce the law. “In practical terms, this simply means holding cellphone service providers accountable in law.”
Zaid Gardner, senior associate at law firm Edward Nathan Sonnenbergs, says it is disingenuous of Icasa to say it has no jurisdiction.
He says: “Part of Icasa’s mandate is to regulate licence holders, which includes the mobile operators. While the practical enforcement of Rica may fall to a law enforcement authority, for Icasa to sidestep Rica is to shrink from its broader responsibilities, especially given that Icasa has a duty to investigate complaints lodged against licence holders.
“If I lay a complaint against a mobile operator – depending on the nature of the complaint – the legislation provides that Icasa must take steps to investigate. They may refer the complaint, but they shouldn’t simply refuse to hear the matter based on lack of jurisdiction.”
On the position taken by MTN that, once it has verified your identity it does not have to do so again, Gardner says the question is whether a SIM swap triggers another obligation to verify the identity of the person requesting the SIM swap.
“This is not specifically covered in Rica, and it could be argued that a SIM swap is not an activation of a SIM card, so it’s a matter of interpretation. But if the underlying intention of Rica is to create a layer of regulation to protect consumers, then the semantics of whether it’s a swap or an activation should be of secondary importance. We know there is this positive duty on service providers to verify the identity of a customer,” Gardner says.
The Act says that non-compliance with section 40, which governs identity verification prior to a SIM card activation, is an offence. Depending on the severity of the offence, non-compliance can carry a fine of up to R100 000 or imprisonment of up to one year.
Gardner says that consumers who have been the victims of a fraudulent SIM swap carried out by service providers that failed to comply with Rica can also consider complaining to the National Consumer Commissioner, whose mandate is “very broad”.
HOW FRAUDSTERS ACCESS YOUR BANK ACCOUNTS
In order to defraud you online, scammers usually need both your bank account details and your cellphone number. They also have to carry out a SIM swap so that they can receive one-time passwords (OTPs) or random verification numbers from your bank. And they need a bank account or two into which they can transfer the money stolen from your account.
A banking IT expert, who asked not to be named, explains how each of these steps is carried out.
1. Fraudsters usually obtain your bank account details, including your internet banking password, by catching you in a phishing attack (see “Definitions”, below).
2. Scammers need your cellphone number to carry out an illegal SIM swap in your name.
Your cellphone number is not typically on your online banking profile, so fraudsters will either search for it on databases – which they buy or steal – or phish for it by way of an email that induces you to part with your number.
Be wary of unsolicited emails that invite you to sign up for a newsletter to receive “special offers”, and so on. If you sign up, you’ll be required to part with your full name, cellphone number and possibly your physical address.
3. The fraudsters carry out an illegal SIM swap so that they can receive the SMS notifications that your bank sends to your cellphone number when you log on to your internet banking profile, set up a new beneficiary, make a payment to a new beneficiary or increase your electronic account payment limit.
In order to carry out an illegal SIM swap, fraudsters usually need to collude with someone employed by the cellphone operator. Alternatively, they may steal the log-on credentials of employees of the cellphone operator. This can be done through careful observation, while sitting next to a consultant, or by using their cellphones to video the consultant serving them.
4. Armed with your bank account details, including your confidential log-on details, and your cellphone number (to which your OTPs are sent), all the fraudsters now need is a bank account, to receive the money they will siphon out of your account. They will add this account as a beneficiary on your internet banking profile – and you won’t be any the wiser, because you won’t be receiving the SMS notifications from your bank.
Obviously, the fraudster can’t use an account that’s in his name, because this would reveal his identity, but there are two other ways to “source” a bank account:
* The fraudster opens a fraudulent account using an altered identity document and fictitious proof of residence; or
* He “rents” an account from a legitimate account-holder. In exchange for a small fee, he borrows the ATM card and personal identification number (PIN) from an unsuspecting account-holder. This is usually done under the guise of someone who doesn’t have a bank account but is due money for casual labour.
The story goes something like this: “I got work for the first time as a casual labourer, but they can’t pay me because I don’t have a bank account. Can I borrow your account so that I can get my money? I’ll even give you R100.”
For an account-holder who is poor or unemployed, it’s an easy way to make money. The account-holder hands over his bank card and PIN, and the following day it is returned to him with his “fee”. Although it’s illegal to do this, the account-holder doesn’t know this and is rarely able to identify the fraudster, who is unknown to him.
“When you arrest and investigate these people, they say ‘this guy came up to me at the bank. I had never met him before’,” the IT expert says.
The daily cash withdrawal limits on most accounts are small – usually between R1 000 and R3 000 a day.
However, Capitec Bank allows its clients to increase their daily withdrawal limit to R10 000 a day. Because the limit on Capitec accounts is higher than that of most banks, its accounts are favoured by fraudsters.
“Capitec pays loans into its clients’ bank accounts and allows them to withdraw large amounts in one hit,” the expert says.
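The four steps above describe a cash-out sequence that a bank sees on its own side as a short burst of events on one internet banking profile: a new beneficiary is added, the electronic payment limit is raised, and large payments go to that beneficiary, all before the real customer notices (because the SMS notifications are going to the fraudster’s SIM). The following is an added illustration, written for this article and not code from Absa, MTN or any bank, of how such a burst can be flagged by correlating those events. The event shape, field names, the six-hour window and the R5 000 new-payee threshold are assumptions for the example; the sample events are constructed.

```python
"""Flag the SIM-swap cash-out pattern on a stream of internet banking events.

Added illustration only: the Event fields, window and thresholds are assumptions,
not any bank's actual detection rules.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    profile: str          # internet banking profile the event belongs to
    when: datetime
    kind: str             # "login", "add_beneficiary", "limit_increase" or "payment"
    beneficiary: str = ""
    amount: float = 0.0


def flag_suspicious(events, window=timedelta(hours=6), new_payee_cap=5000.0):
    """Return (profile, reason) alerts.

    Heuristic: a payment to a beneficiary that was added within `window` is
    flagged if it exceeds `new_payee_cap`, or if the profile's payment limit
    was also raised inside that window.  Payments to long-standing
    beneficiaries are ignored, so ordinary bill paying does not alert.
    """
    alerts = []
    by_profile = {}
    for e in sorted(events, key=lambda e: e.when):
        by_profile.setdefault(e.profile, []).append(e)

    for profile, evs in by_profile.items():
        added = {}            # beneficiary -> time it was added
        limit_raised_at = None
        for e in evs:
            if e.kind == "add_beneficiary":
                added[e.beneficiary] = e.when
            elif e.kind == "limit_increase":
                limit_raised_at = e.when
            elif e.kind == "payment":
                t_add = added.get(e.beneficiary)
                if t_add is None or e.when - t_add > window:
                    continue  # established beneficiary: not part of this pattern
                reasons = []
                if e.amount > new_payee_cap:
                    reasons.append(
                        f"R{e.amount:,.0f} paid to beneficiary added {e.when - t_add} earlier")
                if limit_raised_at is not None and e.when - limit_raised_at <= window:
                    reasons.append("payment limit raised in the same window")
                if reasons:
                    alerts.append((profile, "; ".join(reasons)))
    return alerts


# Constructed sample: one raided profile and one profile behaving normally.
_T0 = datetime(2014, 3, 10, 9, 0)
SAMPLE_EVENTS = [
    Event("victim", _T0, "login"),
    Event("victim", _T0 + timedelta(minutes=5), "add_beneficiary", "mule-acct-1"),
    Event("victim", _T0 + timedelta(minutes=10), "limit_increase"),
    Event("victim", _T0 + timedelta(minutes=20), "payment", "mule-acct-1", 90000.0),
    Event("victim", _T0 + timedelta(minutes=45), "payment", "mule-acct-1", 90000.0),
    # Small payment to a new payee, no limit change: should not alert.
    Event("normal", _T0, "add_beneficiary", "plumber"),
    Event("normal", _T0 + timedelta(hours=1), "payment", "plumber", 800.0),
    # Larger payment, but to a beneficiary added days earlier: should not alert.
    Event("normal", _T0 - timedelta(days=4), "add_beneficiary", "landlord"),
    Event("normal", _T0 + timedelta(hours=2), "payment", "landlord", 7500.0),
]


def demo():
    """Run the heuristic over the constructed sample and return the alerts."""
    return flag_suspicious(SAMPLE_EVENTS)


if __name__ == "__main__":
    for profile, reason in demo():
        print(f"ALERT {profile}: {reason}")
```

On the sample, only the two R90 000 payments on the raided profile alert; the plumber and landlord payments pass. The point of the design is that none of the three signals is suspicious alone (customers add beneficiaries, raise limits and make large payments), but their co-occurrence inside a short window, with no real customer able to see the SMS notifications, is exactly the sequence this article describes.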
DEFINITIONS
* Phishing: This occurs when you respond to a fraudulent email that appears to be from your bank or a trusted source but is not. The email induces you to click on a link in the email. A window pops up and you are prompted to enter your confidential banking information on a fraudulent website. This enables fraudsters to glean your account number and passwords.
* Fraudulent SIM swap: This occurs when fraudsters pose as you and obtain a replacement SIM card in your name. This disables your SIM and activates the new SIM, enabling the fraudsters to receive communication sent from your bank to your number. In doing so, the fraudsters are able to link beneficiaries to your account and transfer your money out of your account and into beneficiary accounts without you being notified via SMS.