Online hackers cleaned me out!
Consumers’ accounts are being cleaned out by cyber hackers, raising questions over the safety of internet banking
IT’S the stuff of nightmares. You log in to your internet banking profile and to your horror you discover your current account is empty. How can this be? Just yesterday your salary was paid in and you haven’t touched a cent. Last night while you were asleep someone accessed your account and went on a wild spending spree. And to add insult to injury, they’ve also maxed out your credit card.
How can this be happening? You’re always super-careful with your banking login details – there isn’t another living soul you’ve shared them with.
As banks become more hi-tech and consumers get more security savvy, this is the kind of crime you’d think would be on the wane. But you’d be wrong – sadly cybercriminals are still laughing all the way to (and from) the bank.
For the first time ever internet-banking fraud tops the list of complaints laid with South Africa’s ombudsman for banking services, confirms Edrich Buytendorp, acting banking ombudsman. These complaints now account for a quarter of his office’s workload. And one of the biggest offenders in this category is the dreaded SIM card swop.
Last year 124 cases were reported to the ombudsman and it seems this form of crime is still on the rise despite what the banks say – there have already been 74 cases reported since the beginning of the year. In many instances the victims are web-savvy people who swear they’ve never fallen prey to dodgy phishing scams aimed at accessing their login details. And they all want to know the same thing: how did the crooks manage to do it?
This is a scam that relies on two elements. In order to raid your accounts, thieves not only need to have your banking login details, they also need to get your cellphone service provider to deactivate your existing SIM card and transfer your number to a new SIM which they have in their possession so they can authorise the banking transactions they plan to carry out from your account.
And amazingly, despite Rica and all the other kinds of bureaucratic red tape put in place to prevent just this kind of fraud, criminals are still managing to pull it off.
So just how safe are your online bank accounts? Sure, it’s great having the convenience of being able to run your finances without having to set foot in a bank, but are you making yourself an easy target for cyber conmen?
ONE VICTIM’S STORY
Earlier this month Wicus Pretorius, editor of Home magazine, was livid after discovering that hackers had plundered more than R100 000 from his cheque, credit and overdraft facilities in an unauthorised SIM swop. With only R43 in his wallet, Wicus (44) decided it was better to be safe than sorry while waiting for answers from Absa and Vodacom.
“I cancelled my internet-banking services, deleted the Absa app from my phone and transferred money from my bond account (which wasn’t linked to my internet-banking profile) into my cheque account so I can draw money with my bank card the analogue way,” Wicus says.
Earlier in April he’d narrowly avoided
a similar scam. While having dinner with friends he noticed his cellphone had lost reception. When he phoned his network provider he was notified that a SIM swop was in progress. Wicus immediately put a block on the swop and his bank account and this prevented the thieves from getting their hands on his cash.
But less than a month later he was targeted again. He realised something was awry when he got a message from Absa’s SureCheck facility to ask him if he wanted to approve a payment to a new beneficiary – a company called Douglas and Divine. He rejected the payment but a short while later alarm bells really started ringing when his phone stopped working again.
Wicus immediately drove to his nearest Vodacom branch where he discovered his SIM had been swopped. When he phoned Absa his worst suspicions were confirmed: his bank accounts had been emptied.
The only thing he’s grateful for is that his bond account wasn’t linked to his internet banking profile, Wicus says. Back in 2013 he instructed his bank to unlink it after hearing about how Esmaré Weideman, former editor-in-chief of YOU magazine and now CEO of Media24, was robbed of R360 000 in a similar scam.
This simple action prevented thieves from cleaning him out completely. Also, because Wicus acted so quickly when he noticed his lack of cellphone connectivity, Absa could stop the illegal payments and retrieve the full amount.
But for Wicus this isn’t enough. He remains flabbergasted at the idea that his account details were compromised. “How did these crooks get my personal information? I’d never give my password to anyone.”
THE BANK SAYS . . .
Despite alarming reports about bank accounts being raided and a Hawks investigation into a possible syndicate operating within Absa (YOU , 17 November 2016) there’s no reason for customers to be alarmed, insists Marius de la Rey, chief executive of the banking giant’s customer channels and distribution.
“Only 0,0001 percent of our digital customer base of five million users has been affected by internet banking fraud this year, so it’s a tiny percentage.”
De La Rey adds that he’s aware of the perception that Absa and Vodacom customers are being targeted but doesn’t believe this to be a true reflection of the situation.
“Cybercriminals employ increasingly sophisticated methods to access customer banking information through email phishing, SIM swops and other methods. Our security system doesn’t permit anyone inside the bank to determine what a customer’s internet banking login information is.”
THE CELLPHONE COMPANY SAYS . . .
“We aren’t aware of nor have we detected any security breach,” a Vodacom spokesperson tells YOU. “The vast majority of SIM swops processed on our network are legitimate, with an estimated 0,004 percent potentially involved in fraudulent banking activities.”
He adds that the company has put in place a number of security measures that are constantly enhanced to protect customers.
“A prime example is allowing the banks to check when last the customer requested a SIM swop on a specific cell number before they send an OTP [one-time password] to that number,” the spokesperson explains.
“This prevents flagged customers from adding a beneficiary during a certain window period while still allowing customers to conduct other banking affairs.”
He also insists that Vodacom notifies customers via SMS whenever a SIM-swop instruction is given. It’s unclear what measures were followed in Wicus’ case.
THE LAWYERS SAY . . .
About 85 percent of cases brought to the ombudsman go in favour of the banks as the office finds evidence of negligence on the part of consumers – whereby they knowingly or unwittingly compromised their login details or passwords by clicking on phishing emails or by divulging their personal details to fraudsters. Attorney Mark Heyink believes banks have the upper hand because they have access to legal opinion and digital forensic reports that are difficult to understand, let alone be disputed by the lay person. In a bid to get to the bottom of how his client Monica Kruger was robbed of more than R2 million from her bond, flexi, cheque and credit card accounts in July last year, Heyink made a court application aimed at compelling Absa and Vodacom to provide answers. Monica remains adamant – and Absa’s forensic reports back her up – that she wasn’t negligent in the handling of her internet banking login details. Although litigating against two giants with deep pockets such as Absa and Vodacom might prove difficult, Heyink is confident Monica and Irene Palin (another client, who lost R4 million in a similar scam) will ultimately succeed in their court actions and recoup their losses. Another attorney considering legal action against banks and cellphone companies is Johan Victor. He wants to initiate a group action for about 100 clients on a contingency basis, but believes it would be a mammoth task to prove a close link between the activities of the banks, cellphone service providers and clients’ subsequent losses.