Monica Kruger doesn’t know who is to blame for the R1.8-million loss that she suffered when fraudsters carried out an illegal SIM swop before raiding her credit card and home loan accounts to the tune of R2 million. But of one thing she is certain: it’s not her. And she has forensic evidence to prove it.
Her bank, Absa, has not been able to find evidence of any negligence or wrongdoing on her part, yet it is refusing to refund the money stolen from Kruger’s accounts.
Kruger believes that Absa and Vodacom, her mobile service provider, have in their possession vital information that will assist her in establishing who is to blame. Yet both have refused to give her the information that she believes she is entitled to.
On Monday, Kruger filed an urgent application in the South Gauteng High Court seeking an order compelling Absa and Vodacom to provide her with the information she needs to conduct an independent cyberforensic investigation into how the fraud occurred and to identify the party or parties against whom she could seek recourse. She is also asking the court to order Absa and Vodacom to properly preserve information over which they have control so that it may be used as evidence in the future.
According to Kruger’s founding affidavit, the fraud on her account took place on June 18. In the space of 32 minutes, in four transactions, more than R2 million was transferred from her credit card and home-loan accounts into her cheque account and then 80 deposits of R25 000 each were made into a Capitec account.
It was only a day or two later that Kruger found out she had been robbed and the true extent of her loss. She didn’t receive SMS notifications of the activity on her account or the adding of a beneficiary (the account into which the stolen funds were siphoned) because, unbeknown to her, she was also the victim of an illegal SIM swop (see “How a SIM ‘flagged’ by Vodacom was swopped”).
The day after the fraudulent transactions, she realised that her phone was not connecting to the network, so she contacted a Vodacom franchise, which advised her to contact her bank immediately to freeze all her accounts.
On reaching the Absa call centre, Kruger was told that her internet banking facility had already been suspended by its fraud department because of suspected fraud on her account. Her affidavit says she was shocked to learn that “almost R200 000” had been stolen from her cheque account. Fourteen hours had passed since her internet banking facility had been suspended by Absa, yet no one from her bank had contacted her about “such a serious calamity”, her affidavit says.
The following day she realised the full extent of the “calamity” – a loss of R1.8 million. Capitec was able to freeze the account into which the R2 million was paid and reverse transactions of about R204 000.
Kruger says in her affidavit that 80 transactions of R25 000 each were “extremely unusual and completely outside of” her pattern of banking with Absa. “These transactions also occurred at a time and on a day of the week [a Saturday] that I rarely, if ever, would have conducted any banking transactions. I am surprised that measures were not in place at Absa to prevent or limit transactions of such an unusual nature.”
Kruger’s affidavit says she engaged Adrie Stander, a forensic expert and lecturer in digital forensics at the University of Cape Town. She wanted to ensure that evidence on devices used by her to do internet banking would be forensically preserved, so she had her devices “imaged” by Stander prior to them being imaged and analysed by Absa. (When you take an image of a hard drive, the image is an exact replica of your computer at the time the image was taken and the forensic integrity can be easily tested.)
Absa started its forensic investigation in early August. A month later it sent its forensic report to Kruger’s attorney, Mark Heyink. Nothing in the report indicates any negligence or wrongdoing on Kruger’s part, according to her affidavit.
Heyink asked Absa to advise, in writing, whether it intended refunding the stolen money and if so, by when. But he was informed, verbally, that the bank would not refund Kruger. He asked for the bank’s reasons in writing, as well as confirmation that all evidence under the control of Absa or any of its agents be properly preserved “in terms of generally acceptable forensic practice and the provisions of the Electronic Communications and Transactions Act”.
Instead, the bank told Heyink it would retain all information “in line with its usual policies and legislative obligations”. But Kruger says she is not satisfied with this undertaking.
While Absa has provided Kruger with some of the information she asked for, according to her affidavit, the audit trail Absa provided was edited “to protect [Absa’s] intellectual property and certain confidential information”.
Without the complete audit trail, Kruger says it is impossible to ascertain who had access to her account and when access occurred “to rule out any possibility of any insider involvement”.
An unedited audit trail will, in all probability, contain information that will assist Kruger’s forensic experts to investigate and ascertain by whom and how her accounts were accessed, by both Absa employees and third parties.
In its reply to Heyink, Absa says there is no evidence to indicate any wrongdoing on the part of the bank or its employees, and says “it is apparent that the fraudulent transactions have, as their genesis, a SIM swop” (see “Banks and mobile operators play blame game”, below).
The bank also indicated that the only way the fraud could have occurred is if Kruger had compromised her banking credentials, in particular the password that allowed access to her account. “This is, however, contrary to what is stated in Absa’s own cyberforensic report,” Kruger’s affidavit says.
“I find it difficult to understand Absa’s position that it will not refund the money misappropriated from my account and nor will it provide me with information essential to investigate the misappropriation of funds and attempts to recover what has been misappropriated from me,” she says.
Absa’s refusal to give Kruger the information she has requested and to confirm that the bank will preserve all relevant evidence in line with its obligations in law is severely prejudicial to her, as this may lead to information being inadvertently lost or destroyed, the affidavit says.
The application will be heard on November 29.
BANKS AND MOBILE OPERATORS PLAY BLAME GAME
When you find yourself the victim of internet banking fraud linked to a fraudulent SIM swop, your bank and your mobile service provider are inclined to wash their hands of you.
Your bank will tell you that the fraud stems from the SIM swop – over which it has no control. Had it not been for the SIM swop, it would have been impossible for anyone to intercept one-time passwords (OTPs) needed to link beneficiaries to your account and to pay them.
And if you try to hold your mobile operator liable for effecting a fraudulent SIM swop, you will be told that your losses stem from fraudsters obtaining your online banking credentials or from you divulging this information to a third party. An illegal SIM swop is not enough to enable a fraudster to gain access to your bank accounts, they will say.
But what about the responsibility of organisations such as banks and mobile service providers to safeguard client information?
Monica Kruger, who was defrauded of R1.8 million in the case outlined above, sought advice from Professor Sebastiaan von Solms, an expert in information security practice.
“Organisations must establish, implement, maintain and continually improve an information security system that is appropriate to safeguard information that may be processed by it,” Von Solms told Kruger.
“Organisations are required to monitor and assess the security risk of the information processed by the organisation. As the risks are ever-changing, there is a need to continually evaluate the security measures used to counteract the risks. And where a compromise of security may have a serious impact, additional security measures may be employed to supplement pre-existing measures.”
Creating new beneficiaries or changing the limits to the amount that may be transacted via internet banking can be achieved only after entering an OTP, which is an additional security measure, he says. “The OTP is a component of the end-to-end security.”
Von Solms also says that SIM swops are not new; they have been used for the perpetration of fraud for some time.
In her application to the South Gauteng High Court, seeking to compel Absa and Vodacom to give her certain information to complete an independent cyberforensic investigation, Kruger says the use of OTPs as a security measure is Absa’s choice and also its responsibility. And while she appointed Vodacom to be her mobile service provider for regular phone facilities, “for the purpose of providing OTPs used in securing my online banking, the mobile service provider acts as the agent of the bank”, she says.
Absa must have known about the risk of using OTPs as an additional factor of authentication, Kruger says.
To protect against this risk, Absa would be obliged, in terms of its obligations to continually monitor risk, to have provided approved or alternative security.
Quoting an online news agency, Kruger says Absa has in the region of nine million customers and Vodacom, South Africa’s largest mobile operator, has more than 31 million subscribers.
“Many millions of people may be affected by and have a substantial interest in the integrity of the electronic communication services administered and offered by Absa and Vodacom,” Kruger says. “In these circumstances, a thorough and urgent investigation to get to the bottom of what happened in my case is manifestly in the public interest.”
A SIM swop is the exchange of an old, damaged or stolen SIM card for a new SIM card. When a SIM is swopped, the current SIM card is deleted from the network while a new SIM card is issued and linked to your cellphone number.