Victim's SIM swop fraud nightmare
Derick Lindsay was playing golf in George in the Western Cape when his cellphone number was hijacked almost 1 200km away in Soweto.
Four days later, on Christmas Day, he went online to check his email and discovered a shocking message from his bank confirming a R80 000 payment to an unknown property company.
The transaction had taken place on the day his SIM card was swopped, but, because he was on holiday, Lindsay hadn't switched on his laptop in days.
The transfer was possible as the crooks had received an SMS once-off password from his bank, via Lindsay's hijacked cellphone number - a security measure used by banks to authorise payments to new beneficiaries.
Both Vodacom and Standard Bank - the service providers involved - have washed their hands of the matter, saying victims have been left out of pocket due to their own fault.
Vodacom said that in such cases, personal information has already been compromised before fraudulent SIM swops are done. And Standard Bank said Lindsay unwittingly gave up his online banking details - card number, pin and password - and that they were not responsible.
However, Lindsay and his wife Cheryl are adamant this isn't the case. "I've been Internet banking for years. I've been with Standard Bank for more than 20 years. Why would I do this now?" he asked.
Lindsay's case follows other reported thefts using the same method.
Rhodes University computer science lecturer Barry Irwin said SIM swop frauds weren't random.
"Targets are carefully selected. How exactly remains a mystery, with much in the way of urban legends and conjecture from bank employees, people leaving ATM slips behind and garbage being rifled through." In addition, personal details are kept at all places where accounts are held.
South Africa has world-class electronic banking, but even people who never use public computers and have checks in place are duped into giving away details. Banking details can unknowingly be handed to criminals by users being diverted to false websites. Or key-logging software that logs keystrokes could be secretly recording every detail of the owner's computer activities.
"In general, the Internet is a reflection of the real world, where con artists try to lure the gullible and greedy," said Geoff Rehmet, of Internet Solutions. "As a general rule, you should be just as cautious online as in the physical world."
Standard Bank concluded that Lindsay had been a phishing victim. In an email, with no reference number, the bank says he'd entered secret banking details on a false website purporting to be official.
"Due to the fact that your loss was not facilitated through any fault or negligence of Standard Bank staff or its systems, we regret to advise that Standard Bank will not be able to make payment to you."
The bank was able to recover R435, but would not pay out the remaining R79 565.
No details of the investigation or proof that Lindsay had visited a false website were given to him. Neither are any details of the bank account to which the funds had been transferred. Instead, the number of the banking ombudsman is given for him to lay a complaint if he found the bank's decision unacceptable.
Online behaviour expert Ramon Thomas, of Netucation, said companies offering technological services needed to beef up user awareness. Of the roughly 1,5-million people who banked online, 50 percent checked only statements and balances, and did not do transactions, he pointed out.
"The number one problem we found with the adoption of Internet banking is that people are afraid of their money being stolen and their accounts being hacked."
Phishing had been happening for years, Thomas said. "They knew it was coming. It was just a matter of time. If they took the approach of educational marketing consistently, what would happen is that the client would feel safe and secure. It does not help putting the information on the website - it needs to be done through the traditional channels."
Professor Jan Eloff, head of computer science at the University of Pretoria, said he had witnessed an alarming increase in the volume and complexity of cyber-crimes.
Sim card swop fraud was not new. "It is common knowledge that Internet banking users must always be aware of vulnerabilities, in most cases unknown, and never 'feel' safe," he said. "The dilemma that we as end-users of automated environments such as Internet banking have is that the responsibility for securing your private information is becoming more and more your own responsibility."
Online crime - and in particular sim swop fraud combined with Internet banking theft - was a complex chain of events and involved multiple parties. This made it difficult to find the weak links in the chain, Eloff said.
"The sim swop fraud, as reported in South Africa, is a multifaceted problem and it would be difficult to pinpoint one specific area of vulnerability."
Vulnerabilities needing to be addressed included procedures and technology used by banks; manual and automated procedures for sim card swopping at telecoms providers; technology that linked a phone to a specific sim card; and types of identification documents.
New-media expert Lucien Pierce, of Phukubje Pierce Masithela Attorneys, said banks and cellphone companies would have a clause in contracts stating non-liability, unless they had been grossly negligent. Pierce said cellphone companies had an obligation to do proper and thorough checks before authorising sim swops.
"The victim and the cellphone company would have to share the blame," he said. "Unless the banks have given out that information, you can't really attribute blame to them."
Gross negligence was difficult to prove, but a civil claim was an option, albeit expensive, for victims.
This week, Lindsay, who has sought legal advice, spoke of his shock and anger at the response of both service providers. "It's not a professional way of doing things.
"If I've done something wrong and they can prove it, I'm prepared to suffer the consequences."
- GLOSSARY OF TERMS
SIM swop fraud: This happens when fraudsters obtain a victim's phone number and have it illegally assigned to a new SIM card by doing a SIM swop. The SIM card in the genuine owner's phone is cancelled, and one-time passwords used by banks to add beneficiaries and transfer money are diverted to the SIM card in the possession of the fraudsters. This allows them to plunder money from an account that, banks claim, they have accessed through details usually obtained through phishing (see below).
Phishing (password hijacking): This can be done over the phone or via the Internet, or as an urgent email purporting to be from a bank telling victims that their account information needs to be urgently updated. The mail includes a hyperlink, which takes victims to a site that appears to be genuine, but in fact has been set up by the scamsters to harvest information supplied by gullible victims.
Pharming: Viruses are transmitted via infected attachments or downloads. The virus redirects bank users to a false website that is similar in design to the genuine one, but where confidential information is compromised.
Spoofing: A website set up to resemble an official site where the fraudsters harvest confidential information when people transact on it.
Keystroke logging: Done either through hardware or software, all keystrokes are logged on a computer to be retrieved and used by criminals to access information such as bank details. Key loggers can be installed on a PC as simply as running an email attachment that installs the software on a computer.
Deposit slip scams: A cheque is deposited into a victim's account, usually for an order or purchase. A copy of the deposit slip - with an official bank stamp - is faxed through and goods are released. But when the cheque is discovered to be fraudulent, the deposit is reversed, leaving the victim out of pocket. A variation on this is where a cheque for more than the asking price is deposited into the victim's account "in error" and the fraudster requests a refund of the difference. By the time the cheque is found to be fraudulent, the conman is long gone and the victim is left out of pocket.
419 scams, also known as Advanced Fee Fraud: The grandaddy of scams, victims are sent an unsolicited illegal or legal proposal promising great financial benefit. An upfront fee must be paid, and complications usually arise - and are repeated - that require further payments to resolve.
Identity theft: Personal information (like bank details and ID documents) are stolen, picked up in rubbish bins, intercepted on the internet, or simply gleaned by fraudsters watching you as you complete activities related to personal information. This information is used to open bank accounts or retail accounts and to obtain finance, with huge debts being run up, resulting in the victim receiving a bad credit listing.
Spyware: Software that is secretly placed on your computer, either by email or when you surf the internet, to harvest your personal information.
Sources: www.whitecollarcrime.co.za; the South African Banking Risk Information Centre; Information and Communication Technology Services at the University of Cape Town; Microsoft