Illustration: Colin Daniel

First National Bank (FNB) has come under fire from customers who have been victims of online banking fraud. The bank denies it has been the target of attacks and that there is an inherent weakness in its security system – specifically the reliance on one-time passwords (OTPs) for authentication. But security experts disagree. They say the use of OTPs in banking is outdated and risky.

When asked if the bank is concerned about the number of attacks on customers, Marcel Klaassen, the head of sales at FNB Business, said it is “concerned that people are falling victim to relatively simple and obvious scams”. The bank would “redouble its efforts regarding consumer education and usage of our free software”.

The reality, however, is that there is malware (malicious software) out there that you can’t see, touch or feel, says Schalk Nolte, the chief executive of Entersekt, a software company that develops authentication systems for banks. “Your bank can’t expect you to protect yourself. It should give you the tools,” he says.

In the past, banks said that, for internet banking fraud to take place, crooks had to clear several hurdles. They had to:

* Obtain your banking details, including your username and password. They would generally get these from you in a successful phishing attack.

* Obtain your cellphone number.

* Commandeer your cellphone number to obtain the OTPs that your bank sends you via SMS when you do certain transactions – like adding a beneficiary. To get the OTPs, they would do an illegal SIM-card swop, which would, in effect, disable your phone while they received your OTPs and siphoned money out of your account.

* Open a beneficiary account into which to deposit the money.

But this is not how internet banking fraud always works. For example, fraudsters don’t need to do a SIM swop to get OTPs. They could get them from you. This is how: assuming you’ve been phished – in other words, you’ve received an email that you think is from your bank. You click on a link embedded in the mail and it leads you to what you think is your bank’s online banking page. You enter your online banking details, but they aren’t being entered into your bank’s site; they’re being fed into the fraudster’s site. The fraudster detects that he has caught you, and enters your details into your bank’s website. This generates an OTP. Since you think you’re on your bank’s website, you enter the OTP, which the fraudster uses.

A SIM swop is necessary if the fraudster does the crime in stages and not in real time, as described above. If he gleans your credentials today, but takes over your account only at a later date, he will need OTPs from your SIM.

“The OTP system is flawed because anything you type into a browser can be defeated. In the browser there are a number of ways your OTP can be compromised, including via key logging (the recording of keystrokes on a computer keyboard via software or hardware) and malware,” Nolte says.

Nolte says that as far back as 2009, the world’s leading IT research and advisory company, Gartner, warned that browser attacks were circumventing two-step authentication enabled through OTPs.

While a safe browser will often pick up that a site is fraudulent, it is not foolproof, he says. You can be using the safest browser in the world, but if you’ve fallen for a phishing scam and your last line of defence is an OTP, you’re “dead in the water” because you’re on the fraudster’s site, not the bank’s.

Yet some banks in South Africa – FNB and Standard Bank – still rely on OTPs to authenticate customers when they log on to their online banking profile and when certain transactions are done online.

OTPs are sent via SMS, which was not designed for banking, Nolte says. “SMS is clear text, which is very vulnerable to malware, and SIM swops are a big problem,” he says.

Because of the high incidence of illegal SIM swopping, Capitec Bank used to issue customers with a security token. But the token generated an OTP, so it did not solve the problem (for the reason explained above).

In 2012 Capitec became the first bank in South Africa to make use of Entersekt’s digital certificate-based technology. Charl Nel, the bank’s head of communications, says that coupled with biometric fingerprint security, Entersekt provides a high level of security to the bank’s clients. A number of the traditional banks have followed suit, but without fingerprint verification, Nel says.

Entersekt’s product bypasses your browser by establishing a secure channel between the bank and you via a mobile application. Instead of verifying you, it verifies your mobile device using electronic certificate technology (certificates are not tied to the SIM card or phone number). So, if a fraudster were to illegally swop your SIM, any communication from your bank to your number could not be picked up on any device but your own.

Nolte says you should have PIN protection on your phone, so that in the event of it being stolen or lost, you aren’t vulnerable to fraud. “Your phone is a very personal device. It takes between three and five minutes for you to notice when it’s missing,” Nolte says. That means that within a short time you can notify your bank and the certificate linking your phone to your banking profile can be broken.

If someone steals your phone, he or she still needs your PIN to get into your phone and your password to activate your banking app.

Instead of sending you SMSes via a cellular network provider, Entersekt sends you encrypted messages to your phone. These are “push-based authentication”, meaning you’re asked to accept or reject a transaction with a single tap on your screen.

Nedbank started using Entersekt’s product in mid-2012. Six months later, the bank’s chief executive, Mike Brown, reportedly said it had not had a single case of a phishing attack.

An Absa spokesperson this week said the bank has an agreement with Entersekt “as only part of the multiple layers of security utilised to protect customer information”.

Personal Finance asked Standard Bank if it uses Entersekt’s product, and if not, how the bank’s technology compares. The bank’s spokesman, Ross Linstrom, said the features offered by Entersekt’s software are “not unique”.


The breaches at First National Bank (FNB) show the bank isn’t using a robust system, Peter Hill, an expert in IT governance, says. “Banks overseas don’t send their customers SMSes. And they take full responsibility when a customer is the victim of banking fraud.”

Online banking fraud involving phishing and SIM swops points to a failure on the part of banks and cellular service providers to protect your information, he says. “In one of the cases I read about, involving FNB and MTN, there were about 20 breaches of the Protection of Personal Information (Popi) Act.”

When Popi becomes fully effective (following the appointment of an Information Regulator and a one-year grace period for compliance), around the middle of next year, he says banks will be compelled to report to every affected person when there has been a security breach. They will also have to provide those affected with a description of the possible consequences of the breach, the measures they will or have taken to address the compromise and the measures those affected can take to mitigate any adverse effects of the compromise.

The only reason a bank can have for not releasing the information immediately is that it will impede a criminal investigation by the police or a similar body.

Hill says that if you ask any of the affected customers who they spoke to or reported the incident to, they will either all have different answers and or will tell you how they were sent from pillar to post.

“That’s because no person at the bank is personally accountable; there is no information officer in the organisation. When Popi is fully enforceable, there has to be.

“Popi sets a standard that is good practice, and if a company can’t meet good practice, it shouldn’t be in business,” he says.