Banks and mobile operators play blame game
“Organisations must establish, implement, maintain and continually improve an information security system that is appropriate to safeguard information that may be processed by it,” Von Solms told Kruger.
“Organisations are required to monitor and assess the security risk of the information processed by the organisation. As the risks are ever-changing, there is a need to continually evaluate the security measures used to counteract the risks. And where a compromise of security may have a serious impact, additional security measures may be employed to supplement pre-existing measures.”
Creating new beneficiaries or changing the limits to the amount that may be transacted via internet banking can be achieved only after entering an OTP, which is an additional security measure, he says. “The OTP is a component of the end-to-end security.”
Von Solms also says that SIM swops are not new; they have been used to perpetrate fraud for some time.
In her application to the South Gauteng High Court, seeking to compel Absa and Vodacom to give her certain information to complete an independent cyberforensic investigation, Kruger says the use of OTPs as a security measure is Absa’s choice and also its responsibility. And while she appointed Vodacom to be her mobile service provider for regular phone facilities, “for the purpose of providing OTPs used in securing my online banking, the mobile service provider acts as the agent of the bank”, she says.
Absa must have known about the risk of using OTPs as an additional factor of authentication, Kruger says.
To protect against this risk, Absa would be obliged, in terms of its obligations to continually monitor risk, to have provided