Now cons don’t need your pin
HOW lovely it is that, thanks to technology, we no longer have to stand in a bank queue to move our money around – we can do that propped up in bed, on our smartphones.
But how terrifying that crooks – lots of them – are using that technology to move our money out of our accounts and into theirs.
I used to console myself with the knowledge that, given my line of work, I’m wise to all the fraudsters’ tricks – phishing, smishing, cloning, skimming and more.
I can make out a fake corporate e-mail in seconds – the “Dear Client”, and dodgy sentence construction are give-aways – and I’m always on high alert at an ATM.
But now I fear that there’s pretty much nothing I can do to stop someone reaching into my bank accounts and helping themselves.
Too many people have come forward to say that they’ve had thousands, even hundreds of thousands, whipped from their accounts, despite not having compromised their internet banking passwords.
In one case I investigated, a forensic investigation commissioned by the bank – Absa – could find no evidence that the victim had responded to a phishing e-mail, but refused to reveal how the fraud was committed.
Banks continue to insist that victims must have compromised their details somehow and deny responsibility, while refusing to provide them with information.
If they do pay any money back to the victim, it’s usually 50% of the loss, as “goodwill gesture” – on condition they sign a confidentiality agreement.
On the other hand, the cellphone companies say: yes, the fraudsters stole your money with the help of a fraudulent SIM swap – so that they received the one-time-password and not the would-be victim – but the fraud couldn’t have been committed without the account details and PIN having been compromised in the first place.
And they have legal precedent on their side in the form of the case of Nashua Mobile (Pty) Ltd v GC Pale CC t/a Invasive Plant Solutions, in which the court held that a SIM swap does not in itself enable a fraudster to commit fraud on a customer’s bank account.
A few weeks ago, Personal Finance reported that George businesswoman Monica Kruger, who was defrauded of R18-million, has launched a high court application to compel Absa and Vodacom to give her information enabling her to establish who was liable for her loss.
In response to that report, three people came forward to say they were also victims of online banking fraud, coupled with fraudulent SIM swaps, all of them Standard Bank customers and Vodacom subscribers.
In Your Corner has recently received complaints from two others who share that combination, with neither company accepting any responsibility in both cases:
● Brigette Brun of Durban North: On October 3 fraudsters signed into her business account and created 20 new beneficiaries; then, having done a SIM swap on her Vodacom cellphone number, they did 19 account payments to the value of almost R185 000. The bank managed to recover R35 000, leaving her with a loss of R150 000.
Standard Bank told her its investigation had “eliminated any internal collusion or negligence resulting in your plight”.
To add insult to injury, those fraudulently created beneficiary accounts were all with Standard Bank, but when Brun asked the bank for information to help with the criminal investigation she has instigated, the bank refused, saying it was “confidential third party information”.
It has since provided it to police when served with a subpoena.
● Sue Steyn of Johannesburg: On a Sunday in August, a SIM swap was done on her Vodacom business account cellphone number by a fraudster who then logged onto her internet bank account and made payments totalling R40 000.
● Responding, Standard Bank said each fraud case was considered on its merits and victims were encouraged to use the Banking Services Ombud as an independent party should they not agree with the outcome of the investigation.
“PIN-based authentication is secure,” the bank said. “Customers need to ensure that they do not divulge this wittingly or unwittingly to third parties.”
The bank failed to say how many such frauds were reported by their customers on average every month.
A Vodacom spokesman said only 0.004% of its SIM swap requests were “potentially involved in fraudulent banking activities”, there having been a “marked” decline in the past year.
The network was “not seeing” a trend in online banking fraud affecting Vodacom subscribers with Standard Bank accounts.
The spokesman repeated the line about online banking fraud not succeeding without account and log-in details being compromised.
“The best way to prevent a banking fraud scam is to be alert to phishing sites that often request this type of information.”
“Looking ahead, Vodacom is developing an innovative suite of solutions using the likes of biometrics to assist banks in authenticating their own customers to prevent banking fraud.”
Until banks are forced to be more forthcoming about how non-PIN fraud is being committed, our best protection is to monitor our bank accounts – especially at weekends – and have our bank’s fraud hotline listed as a cellphone contact.