20 September 2013

Cybercrime blame game isn’t as cut and dry as its SIMs

The number of SIM card fraud cases in South Africa is rising

With the number of SIM card fraud cases in South Africa rising sharply last year, the banks and cellphone service providers are locked in a blame game, with each party arguing that the other could do more to combat the virtual scourge.

An increasing number of South Africans are falling prey to this cybercrime du jour.

According to the South African Banking Risk Information Centre (Sabric), the number of SIM swap incidents was less than 100 in 2011.

In 2012, that number rose to over 1 000, more than 10 times what it was the previous year.

The sharp spike prompted concern among cyber security experts, banks and cellphone service providers alike.

One of the distinguishing aspects of this form of fraud is that it implicates both the banks and mobile service providers in its execution. Vodacom’s chief risk officer, Johan van Graan, explained.

“The fraudster gets the victim’s login and password details for a victim’s internet bank account, usually through phishing [soliciting personal details through emails]. That’s where the fraud starts,” he said.

The fraudster may then approach someone who has very little in his or her bank account, ask if the account can be used to receive money and pay the account holder a few hundred rands in return.

Now that the fraudster has a bank account from which to siphon money and a bank account to receive it, he or she needs to secure a SIM card linked to the victim’s bank account in order to complete the transaction.

Once this takes place, the fraudster receives the one-time PIN numbers or other additional cellphone-linked security devices intended to act as a last line of defence before a person can complete an online banking transaction.

It is from this final necessary step that the practice has gleaned the nickname of “SIM swapping”, which Van Graan said is a misnomer.

“SIM swapping is actually just another name for online banking fraud.

“When the banking fraud takes place — this is what makes me angry — the staff at the banks’ call centres say, ‘if the cellphone service providers hadn’t authorised a SIM swap, you wouldn’t have lost your money.’”

Van Graan said, by doing that, the banks are denying their own accountability in the process. But the law backs the view that banks are largely liable for losses incurred through SIM fraud, he said.

He cited a 2012 SIM swap fraud case, which “sets legal precedent” — Nashua Mobile (Pty) Ltd vs GC Pale CC, which found that the cellphone provider could not be held liable for losses incurred through SIM-swapping online fraud.

Instead of blaming service providers, he said, the banks could do more to mitigate risk by increasing security measures involving the adding of new beneficiaries.

“The banks could hold payments to new beneficiaries for more than 48 hours,” he said.

This would allow time for fraud detection systems to pick up false payments and freeze them before they are transferred.

Banks could also work more closely with cellphone service providers to red-flag possible incidents, Van Graan said.

Cellphone service providers can flag phones with newly activated SIM cards that have not made any phone calls but have authorised a number of payments in a short amount of time, he said.

Vodacom has already started collaborating with FNB on this front with good success.
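As an added illustration (not code from Vodacom, FNB or the article), the red-flag rule Van Graan describes can be expressed as a join between operator-side SIM activation and call records and bank-side payment authorisations. The thresholds, field layouts and sample numbers below are assumptions, since the article gives no figures for "newly activated" or "a short amount of time".

```python
from datetime import datetime, timedelta

# Assumed thresholds; the article does not quantify any of these.
NEW_SIM_AGE = timedelta(hours=72)     # how long a SIM counts as "newly activated"
PAYMENT_WINDOW = timedelta(hours=2)   # "a short amount of time"
MIN_PAYMENTS = 3                      # "a number of payments"


def flag_suspect_sims(activations, calls, otp_events):
    """Return sorted MSISDNs whose SIM is newly activated, has made no calls
    since activation, and authorised MIN_PAYMENTS payments in PAYMENT_WINDOW.

    activations: {msisdn: datetime of latest SIM activation} (operator side)
    calls:       [(msisdn, datetime)] outgoing calls (operator side)
    otp_events:  [(msisdn, datetime)] payment authorisations (bank side)
    """
    flagged = []
    for msisdn, activated in activations.items():
        # Any call since activation suggests ordinary use of the new SIM.
        if any(m == msisdn and t >= activated for m, t in calls):
            continue
        # Keep only payments authorised while the SIM still counts as new.
        times = sorted(t for m, t in otp_events
                       if m == msisdn and activated <= t <= activated + NEW_SIM_AGE)
        # Sliding window: MIN_PAYMENTS authorisations inside PAYMENT_WINDOW.
        for i in range(len(times) - MIN_PAYMENTS + 1):
            if times[i + MIN_PAYMENTS - 1] - times[i] <= PAYMENT_WINDOW:
                flagged.append(msisdn)
                break
    return sorted(flagged)


# Constructed sample data (not real subscribers or transactions).
T0 = datetime(2013, 9, 20, 8, 0)
ACTIVATIONS = {
    "27000000001": T0,                        # new SIM, silent, burst of payments
    "27000000002": T0,                        # new SIM, but it makes a call
    "27000000003": T0 - timedelta(days=400),  # long-standing SIM
    "27000000004": T0,                        # new SIM, payments spread out
}
CALLS = [("27000000002", T0 + timedelta(minutes=5))]
BURST = [(m, T0 + timedelta(minutes=10 * k))
         for m in ("27000000001", "27000000002", "27000000003") for k in (1, 2, 3)]
SPREAD = [("27000000004", T0 + timedelta(hours=5 * k)) for k in (1, 2, 3)]
OTP_EVENTS = BURST + SPREAD

if __name__ == "__main__":
    print(flag_suspect_sims(ACTIVATIONS, CALLS, OTP_EVENTS))
```

A flagged number is a candidate for the kind of hold on new-beneficiary payments Van Graan suggests, not proof of fraud.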

In spite of cellphone providers arguing that banks could do more, the banking sector is “seen to be the leading industry when it comes to establishing public-private partnerships for the prevention and combating of cybercrime”, according to the 2012-2013 South African Cyber Threat Barometer, which solicits the views of opinion leaders in the industry.

The same report from last year estimated that the telecommunications sector, not the banking sector, was losing the largest amount of money to cybercrime — an estimated R1-billion during the year, although a large portion of it was recovered following subsequent investigations.