Banks should do more to protect their clients from brand hijacking and malware, which cyber-thieves use to steal information and money. This is the view of Brian Pinnock, cyber-security expert at Mimecast, in response to a case in which R90 000 was syphoned from a reader’s Standard Bank credit card account.
“Most banks do have limited systems in place to try to identify brand hijacking sites. But if they don’t constantly search for them and identify them, then it doesn’t help. Many existing tools are ineffective at finding every phishing site, so some do slip through the net; nor do the banks have mechanisms to take down the fraud site quickly. Many of these sites are hosted in foreign jurisdictions and often days go by before they are removed,” said Pinnock.
The reader, John Burke, appealed to Standard Bank and the Ombudsman for Banking Services for redress. Both confirmed that he had been a victim of “phishing”, and the ombud agreed the bank was not liable.
Burke was adamant that he doesn’t open suspicious emails or attachments.
“I have a problem with how Standard Bank dealt with my complaint. The fraud happened on July 25. I reported it at 11am on July 26, but apparently I was too late, as the money had disappeared from the beneficiary account. The interactions with the bank - the initial investigation and the appeal - and the process with the ombud were too cumbersome.
“It took Standard Bank a day to decide which fraud division would investigate. It went from the credit card fraud division to the transactional fraud division and then to the internet banking fraud division. Then a few days later they wanted to know if I had reported the theft to the police.”
Burke asked Standard Bank to explain how he compromised his PIN and why the bank didn’t know which fraud department was responsible.
“I always understood that a payment from any account to an account at another bank takes two days to clear. Standard Bank had plenty of time to reverse the transaction, so why didn’t they?”
Standard Bank’s response
Standard Bank didn’t explain how Burke compromised his details.
“The one-time password (OTP) used to authenticate the unknown device was sent to his cellphone, and we have records of the confirmation of delivery. The OTP was used to add the fraudulent beneficiary, and there is no evidence of a SIM swap.”
It said that when Burke contacted the bank the “cards were stopped immediately to prevent further losses”.
“Different types of fraud are handled by different fraud departments. The delay in starting the investigation, together with the delayed request for an affidavit, has been addressed to avoid a recurrence. This, however, had no impact on the outcome of the investigation,” said Standard Bank spokesperson Ross Linstrom.
“We have a disclaimer that payments can take ‘up to two days’ to reflect, but it does not mean that it will reflect after two days. This transaction was cleared at Bidvest Bank at midnight of July 24. Funds can take up to two days to reflect in the beneficiary account but leave the sending bank immediately.
“BankservAfrica is responsible for clearing interbank obligations stemming from the retail payments environment, which include EFTs, cheques, cards, internet and ATM transactions.”
When Burke contacted the bank, the first action was to mitigate further fraud by stopping the cards and informing the receiving bank of the fraudulent funds.
“At that point, we didn’t know which fraud department would be investigating it. This, however, does not stop the process of following the funds,” Linstrom said.
Pinnock said banks could be doing better by identifying the web links of phishing sites and sharing them with relevant blacklists, such as VirusTotal and Google Chrome, so that clients are immediately protected by their browsers when attempting to access these sites.
“Some banks offer anti-virus applications in an effort to help protect clients from malware. Unfortunately, malware is an ever-evolving problem, and consumer-based anti-virus applications are unable to identify and stop 100 percent of malware,” Pinnock said.
All banks represented on the industry body, the South African Banking Risk Information Centre, hold regular meetings to find ways to combat online fraud. Acting chief executive Susan Potgieter confirmed this.
“Our banks do collaborate in the interest of creating cyber resilience within the industry. However, it is not in the best interests of our collaboration to convey specific details of our cyber-risk initiatives in the public domain.”
SNEAKY WAYS THIEVES ACCESS INFORMATION
Pinnock explains some of the methods thieves use to obtain your personal details.
* A keylogger is a piece of malware that records every keystroke that a user makes (including the account number, password and PIN), and is usually delivered to a bank’s clients via a phishing email.
These emails come in two main forms: a malicious attachment disguised as an invoice or delivery note, or a link that a client needs to click on, which downloads the malware.
* Banking trojans are specialised forms of malware designed to provide a backdoor into a victim’s banking websites.
* There are troves of harvested credential information on “dark” websites from prior data breaches. These contain all kinds of personal information, including bank account details and passwords. Many consumers re-use the same or similar passwords, and these are tested on a victim’s internet banking site.
Personal information, such as credit card details, identity numbers and birthdays, can be used to change passwords or enable a SIM swap (the SIM card on your phone is replaced without your knowing it).