Incidents of customers losing money through internet or online banking fraud are increasing daily. It seems that the cybercriminals are growing bolder, as the amounts stolen now often run into millions of rands per victim.
In a typical online banking transaction, the three parties involved are the customer, the customer’s bank and the customer’s mobile service provider. In the majority of cases, the customer’s bank and the mobile service provider deny any liability for losses suffered, claiming that the customer must have compromised his or her login credentials.
While there may in some instances be negligence on the part of the customer, this is often not the case in internet banking fraud. Nonetheless, the banks — even after thorough investigation of the customer’s computer device and inability to establish any wrongdoing or negligence on the part of the customer — persist in this attitude, frequently refusing any refund. The whole situation requires a proper review.
How transactions usually work
In a normal online banking transaction, the security approach used by banks in South Africa is a two-step process:
Cybercriminals have perfected their attacks against this two-step process. These attacks follow a fixed pattern and basically consist of three phases.
Phase One: Logon details
In phase one of the attack, the cybercriminals obtain the logon information of a customer through various means. This can happen through a phishing attack, where the customer is tempted by a fake email claiming to come from her bank, indicating that she must log on to her online account for some reason — a link is provided which must be clicked. If the customer does this, she is taken to a faked (spoofed) website looking just like her bank’s, created by the cybercriminal. She does not recognise the fake, and logs on using her logon information. The cybercriminal is now immediately in possession of the logon credentials of the customer.
In many cases, even when investigations reveal no fault on the part of the customer, banks and mobile service providers defend themselves by claiming that the customer was responsible for the compromise of his or her credentials.
However, this is simply no longer true. A customer’s smartphone, tablet or computer used to interact with a bank online can be infected with malicious software (malware) without the customer having any idea that it happened. Malware infections can happen in many ways, for example by just visiting a totally legitimate website that has itself been infected, after which the customer’s device may also become infected. It has been established that anti-malware packages do not always recognise such an infection. The customer’s device is now infected, for example by a keyboard logger, which will send every keystroke back to the cybercriminal — including the customer’s logon credentials when she logs onto her online banking account.
The point is that the customer can no longer be held accountable for an infected device unless clear negligence on the part of the customer can be demonstrated — the level of sophistication of the cybercriminal is far superior to that of the customer. Banks and mobile service providers cannot and should not therefore make the straightforward assumption that the customer was involved in the compromise of her logon credentials, and certainly cannot when clear negligence can’t be demonstrated.
Phase one of the attack also requires obtaining the customer’s mobile number. This is extremely easy and there are many known ways of doing so.
So it is a fact that the customer’s logon credentials can be compromised without the customer being negligent in any way, and it is one that must be accepted by banks and mobile service providers.
Phase Two: The SIM swap
In phase two the cybercriminal must now engineer a situation where the OTP will be sent to him or her and not the customer. This involves a so-called SIM swap. It is important to remember here that a person’s mobile number is not linked to his or her physical phone device, but to the SIM card within the phone. The cybercriminal of course knows this. He or she now goes to the customer’s mobile service provider with fake documents purporting to be those of the real customer, and requests a SIM swap, claiming for example that his or her phone was stolen or lost. If this SIM swap process is not very tightly controlled by the relevant service provider, the fake documents are accepted and a new SIM card is issued to the cybercriminal.
This means the relevant mobile number (that of the real customer) is now linked electronically in the mobile service provider’s database to the new SIM card — the real customer’s “old” SIM card is now electronically cancelled and is in effect “dead.” However, the real customer’s mobile number is still active, but is now linked to the new (illegal) SIM card.
The cybercriminal now inserts this new SIM card into his or her phone. This means that if the real customer’s mobile number is now dialled, the cybercriminal’s phone will be contacted instead. The customer’s phone can no longer be reached.
The modus operandi of phase two is to do it at times when it is unlikely that the customer will be easily alerted to the SIM swap or internet banking activity on her account, often over a weekend. SIM swaps can be made without the customer being involved, negligent or aware — this is a fact that must now be accepted by banks and mobile service providers.
Phase Three: The withdrawal
The cybercriminal now uses the logon information acquired in Phase One of the attack, logs into the customer’s account, requests to create a new beneficiary, waits for the OTP to arrive on his or her phone, inputs the OTP, creates a new beneficiary, transfers the money into the new beneficiary account and logs off. He or she then withdraws the money from the account of the (new) beneficiary to which the customer’s money has been transferred.
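Phases Two and Three leave a recognisable sequence: a SIM swap on the customer's number, followed shortly by an OTP-protected request to add a new beneficiary. The sketch below is an added example, not part of the original article, of a bank-side check that holds such requests. It assumes the bank can obtain SIM-swap timestamps from the mobile service provider; the event fields, numbers, account labels and the 72-hour window are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed schema, not from any real bank or provider feed).
EVENTS = [
    {"ts": "2024-03-01T10:15:00", "type": "sim_swap", "msisdn": "+27000000001"},
    {"ts": "2024-03-02T02:40:00", "type": "add_beneficiary",
     "msisdn": "+27000000001", "account": "ACC-1"},
    # No SIM swap on record for this number: the request proceeds normally.
    {"ts": "2024-03-02T09:00:00", "type": "add_beneficiary",
     "msisdn": "+27000000002", "account": "ACC-2"},
    # SIM swap happened weeks earlier: outside the hold window.
    {"ts": "2024-01-05T08:00:00", "type": "sim_swap", "msisdn": "+27000000003"},
    {"ts": "2024-03-02T11:30:00", "type": "add_beneficiary",
     "msisdn": "+27000000003", "account": "ACC-3"},
]


def hold_after_sim_swap(events, window=timedelta(hours=72)):
    """Return (account, minutes_since_swap) for every new-beneficiary
    request whose OTP number had a SIM swap within `window` before it."""
    last_swap = {}  # msisdn -> time of the most recent SIM swap seen so far
    held = []
    # Timestamps share one ISO-8601 format, so string order is time order.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_swap":
            last_swap[ev["msisdn"]] = ts
        elif ev["type"] == "add_beneficiary":
            swapped = last_swap.get(ev["msisdn"])
            if swapped is not None and ts - swapped <= window:
                minutes = int((ts - swapped).total_seconds() // 60)
                # Do not send the OTP to the freshly swapped SIM; hold the
                # request for verification through another channel.
                held.append((ev["account"], minutes))
    return held


if __name__ == "__main__":
    for account, minutes in hold_after_sim_swap(EVENTS):
        print(f"HOLD {account}: SIM swapped {minutes} min before request")
```

Only the first request is held: the number that will receive the OTP changed SIM cards less than a day earlier, which is the window in which the article's attack takes place.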
Three core implications can be drawn from the above:
It seems that banks are well aware of these problems, because in many cases they offer to refund the customer 50% of the loss. Why would they do this if they do not understand and buy into the core statements above?
The whole situation as it presently stands sparks some burning questions:
If these questions lead to at least some discussion, something has been achieved. Many more questions do arise, but the baseline is that customers are presently, in many cases, hung out to dry, even though in most cases they are not guilty at all. Cyber attacks have become so sophisticated that the assumptions made by banks and mobile service providers about their customers’ role in protecting themselves from attack are not tenable any more — something must change.
Professor Basie von Solms is the director of the Centre for Cyber Security at the University of Johannesburg