MTN washes its hands of SIM scam

On 30th December 2015, one of the partners of Claremont Audiology, Gail Jacklin, was the victim of an illegal SIM swap on the MTN network. Starting that day and continuing over the next two days, our business bank account was cleaned out. Then a few days later, most of Gail's personal account was emptied too. We were unaware of any fraudulent activity as Gail's phone had no service due to the SIM swap. Picture Facebook Reporter Ivor Powell

On 30th December 2015, one of the partners of Claremont Audiology, Gail Jacklin, was the victim of an illegal SIM swap on the MTN network. Starting that day and continuing over the next two days, our business bank account was cleaned out. Then a few days later, most of Gail's personal account was emptied too. We were unaware of any fraudulent activity as Gail's phone had no service due to the SIM swap. Picture Facebook Reporter Ivor Powell

Published Feb 21, 2016


Cape Town - Hacked and hacked-off is how you might describe Cape Town audiologist Gail Jacklin.

After nearly six weeks in which Jacklin failed to get answers to her questions after her online identity was stolen over New Year and more than R300 000 fraudulently siphoned off from First National Bank accounts using her MTN contract smartphone to effect the transfer of funds, MTN concluded its investigations and informed Jacklin they were not at fault.

The cellular giant’s security systems allegedly failed to prevent the unauthorised and fraudlulent “swopping” of the SIM card in Jacklin’s MTN contract phone. Such a SIM swop allows fraudsters to bypass bank security measures intended to guarantee a client’s identity.

MTN said: “MTN wishes to reiterate that it cannot be held liable for any fraud that may have been committed on your bank account, as such fraud can only be committed where a fraudster has your bank card/account number, your internet banking PIN and password.

“Accordingly, MTN accepts no liability with regard to this kind of fraud as it is not caused by any action on the side of MTN.”

“I don’t think that is good enough. I mean where does the buck stop?” Jacklin protested to Weekend Argus .

FNB said it was “at an advanced stage of the investigation”, and would “engage with the customer directly as soon as the investigation is finalised”.

Still unanswered is how, where and on what basis Jacklin’s SIM was swopped.

A MTN forensic investigator told Jacklin the SIM swop had been traced to a dealership in Bronkhorstspruit, and the operators of the dealership questioned, although this was not confirmed to Weekend Argus.

These operators reportedly claimed their system had gone down at the time the SIM swop occurred and the MTN investigators reportedly confirmed the dealership had recorded problems around this time.

“But what does any of this have to do with me?” Jacklin asked. “What it says is their systems have been compromised – that MTN is failing to protect its own networks as well as its customers.”

Graham De Vries, MTN corporate services executive told Weekend Argus: “We are looking unto the matter and will provide feedback of the outcome to the customer as soon as the investigation is done.”

A follow-up question regarding an undertaking given by MTN – as reported on the website Mybroadband – that (among other provisions) it was implementing as an anti-fraud measure a “SIM swop delay until the legitimate customer has confirmed the request via SMS” – was unanswered at the time of publication.

Jacklin said she was not approached about a SIM swop and had not authorised it.

Jacklin claims her private FNB account was defrauded of about R120 000 in addition to more than R200 000 already stolen from the audiology practice’s business account after she approached FNB to block the account.

She said it was reopened by a bank employee (identity known) who neglected to reblock it when Jacklin’s passwords could not be changed.

“I don’t see how I can be held accountable for this failure,” Jacklin argued.

The received wisdom regarding this kind of fraud is that it often involves a so-called “phishing” scam where customer access details are shared with the crooks by gullible clients responding to emails purporting to be official communiques from banks.

Alternatively a “key-logger” (a program recording keystrokes and transmitting these to identity thieves) or other mirroring spyware might have been introduced into the victim’s devices, giving fraudsters access to passwords and other confidential information.

Jacklin said neither police nor bank investigators had examined her devices to check if and how her security was compromised.

FNB said: “We advise clients of the appropriate scans that can be done to their devices to determine if malware exists on their devices before they can attempt to reset their password.

“While our investigation is not yet finalised, our preliminary findings do not indicate the presence of a key logger.”

Leading forensic scientist David Klatzow, who is familiar with the Jacklin case said: “The apparent lack of enthusiasm in the investigation – coupled with the intimate knowledge of the inner workings of the bank and the cellular provider – do little to dispel a suspicion that this might well have been an inside job.

“In these cases, the overriding concern of the banks and cellphone companies seems to be not being held liable.

“I’ll be advising victims of this kind of abuse to join forces and institute a class action.”

Timeline of a cyber-crime

Gail Jacklin’s tribulations date back to the second last day of last year, when much of the country – criminals excluded – had closed shop in festive mood.

She tried – from a seaside retreat on the South Coast – to log in to FNB’s internet banking website on December 30. Twice, she was rejected when the system failed to recognise her PIN/password.

A little later on the same day, her MTN contract cellphone stopped functioning, registering a persistent “no service” message.

After attempts to sort out the glitch by rebooting the handset failed, Jacklin called the MTN helpline the next day – New Year’s Eve. The consultant said the account was to be “refreshed” and would soon be functioning again.

This did not happen. On New Year’s Day, Jacklin returned to Cape Town, where she was contacted by a distraught Shannon Kruyt, one of her partners in her Claremont Audiology practice. Kruyt told her the company’s FNB account had been hacked and more than R200 000 fraudulently transferred.

Records indicated Jacklin’s MTN cellphone number had been used to process the one-time-passwords (OTPs) required to authorise a once-off transfers of funds.

Jacklin called FNB’s fraud reporting line to lock her FNB accounts (both company and private) to prevent any further transfers of funds.

Her cellphone, meanwhile continued to show the “no service” message, but with cellular dealerships shut on January 1, there was nothing further that could be done.

On January 2, after opening a case at Claremont Police Station, Jacklin (as advised by the FNB fraud unit) went to the Claremont branch of FNB to change the access details on her private account. This had not yet been hacked by this time.

However Jacklin’s identity could not be verified via her cellphone, which still had no service, and the process was aborted.

Next stop was MTN’s Claremont branch, where it was discovered a SIM swop had been done on Jacklin’s cellphone, this not having been picked up by the MTN call centre, and measures were taken to reactivate Jacklin’s SIM.

That evening a torrent of notifications streamed in as Jacklin’s service was restored. She discovered her private FNB account had been defrauded of R120 000 after the failed attempt to change her details.

Jacklin has been in contact with MTN and FNB personnel, as well as the police.

Fraudsters just four steps away from your cash

Experts say SIM swop internet banking fraud is a four-stage process.

First the prospective victim’s customer access codes have to be obtained. This is usually done by “phishing” – conning or scamming the fraudsters’ target into revealing passwords and (where applicable) customer-selected PIN numbers. Sometimes this involves a fraudster posing by email as an agent of the bank and requiring the customer to confirm information.

A more sophisticated version uses link in the email which takes the victim to a fake website copied from the bank’s.

Alternatively, malware can be introduced into the software of a computer or smartphone, giving the fraudster access to protected contents.

This content is sold to the next level of scamsters on what is known as the “Dark Market”. At this point, accounts compliant with Financial Intelligence Centre Act (Fica) regulations, which require well-verified identities for all bank accounts, need to be accessed.

According to investigators, this is done by “renting” Fica-registered accounts from legitimate holders – usually poor people – who are not able to identify them.

Finally, the victim’s passwords are matched with his or her cellphone and a SIM swop engineered. At this point the fraud comes into play. The fraudster enters the internet banking account and makes a series of one-off payments.

The bank then sends out one-time-passwords to authenticate the transaction. These are received on a SIM-swopped cellphone and “authenticated”. And the money is withdrawn.

Accounts can also be hacked by bank employees, especially if they act in concert with accomplices in cellphone companies.

Weekend Argus

Related Topics: