George Herald

‘Flaw in bank system’

- Alida de Beer

A local systems analyst and IT geek, Werner Ekron, says the fraudulent transaction on Bill and Marion Ashmole's bank account could not have been executed through a SIM swap as their cellphone is still working with its original SIM card.

"Victims of online banking fraud often seem to believe that their money was stolen by means of a SIM swap, as that is the common answer given to them by the banks. The reality is that once a SIM swap has been done, your current SIM card becomes inactive and you cannot swap back again."

The one-time PIN (OTP), the second layer of the bank's two-layer security that the account holder must enter to create a new beneficiary or make a once-off payment, must have been diverted to another cell number or e-mail address. According to Ekron, this points to a flaw in the bank's internal security systems.

"Even though the fraudster did get hold of the Ashmoles' password and PIN, all he could do with it was to access their account to view their balance and make payments to existing beneficiaries. To execute the fraudulent transaction, he had to get hold of the OTP.

This OTP was intercepted and not sent to the Ashmoles' phone as the bank alleges. The fraudster had to have help from inside the bank, because the Ashmoles' account profile was 'updated'. The destination (cell number or e-mail) where the OTP had to be sent to was changed. I suspect that the OTP was sent to an e-mail address.

Afterwards, the Ashmoles' e-mail address on their account was again changed - to dummy@dummy.co.za," says Ekron.

André Jonker, head of personal banking at Standard Bank Western Cape, promised in the presence of the Ashmoles and the George branch manager, Susan Leendertz, that he would supply Ekron with the IP address of the computer that logged into the Ashmoles' bank account, as well as the IP address of the device on which the OTP was typed in. At the time of going to print, the bank's spokesperson had not responded to the George Herald's query regarding this promise.

With some effort, the IP address can be traced through the relevant internet service provider. Ekron says this seems to be the next logical step, as the Fica system has failed to identify the owner of the account to which the funds were transferred. "The bank advertises a double level of security. The first is the client's password and PIN, and the second the OTP. In this case, I believe the bank's second level of security failed the client."

It is possible for banks to put systems in place (and some of them do) that recognise the age of a SIM card. "If it is a new SIM card, the bank system should not send the OTP."
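The gate Ekron describes, together with the profile-change pattern he suspects in the Ashmole case, can be written down as a simple pre-delivery check. The following is an added illustration and not the bank's or anyone else's actual system: it assumes the bank can obtain the activation date of the customer's current SIM from the mobile operator (a SIM-age lookup) and keeps an audit history of edits to the cell number and e-mail address that OTPs are sent to. It goes one step beyond the paragraph above by also holding the OTP when its destination was changed within the last few days, and by recording who made the change. The profiles, names and numbers are constructed sample data.

```python
"""OTP delivery gate (added example; assumed design, not a real bank's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class ContactChange:
    """One audited edit to the details an OTP is delivered to (assumed schema)."""
    changed_at: datetime
    field_name: str   # "cell" or "email"
    old_value: str
    new_value: str
    actor: str        # e.g. "customer_web" or "staff:<employee-id>"


@dataclass
class Profile:
    account: str
    otp_cell: str
    otp_email: str
    sim_activated_at: datetime                        # assumed: operator SIM-age lookup
    changes: List[ContactChange] = field(default_factory=list)


SIM_AGE_MIN = timedelta(days=7)               # no OTP to a SIM younger than this
CONTACT_CHANGE_COOLDOWN = timedelta(days=3)   # no OTP to a destination changed this recently


def otp_decision(profile: Profile, now: datetime) -> Tuple[bool, List[str]]:
    """Return (allow, reasons). allow=False means: do not send the OTP, hold the
    sensitive transaction and verify the customer out of band instead."""
    reasons: List[str] = []
    sim_age = now - profile.sim_activated_at
    if sim_age < SIM_AGE_MIN:
        hours = sim_age.total_seconds() / 3600
        reasons.append(f"SIM card activated only {hours:.0f} hour(s) ago")
    for ch in profile.changes:
        age = now - ch.changed_at
        if age < CONTACT_CHANGE_COOLDOWN:
            hours = age.total_seconds() / 3600
            reasons.append(
                f"OTP {ch.field_name} changed {hours:.0f} hour(s) ago "
                f"from {ch.old_value!r} to {ch.new_value!r} by {ch.actor}"
            )
    return (not reasons, reasons)


# Fixed reference time so the constructed samples are reproducible.
REFERENCE_NOW = datetime(2014, 6, 1, 12, 0)


def build_samples(now: datetime) -> Dict[str, Profile]:
    """Constructed sample profiles (not real accounts)."""
    legit = Profile("ACC-1", "+27820000001", "owner1@example.com",
                    sim_activated_at=now - timedelta(days=900))
    sim_swapped = Profile("ACC-2", "+27820000002", "owner2@example.com",
                          sim_activated_at=now - timedelta(hours=6))
    redirected = Profile("ACC-3", "+27820000003", "attacker@example.net",
                         sim_activated_at=now - timedelta(days=900))
    # The pattern described in the article: OTP e-mail edited shortly before the
    # fraudulent payment, by an internal user rather than the customer.
    redirected.changes.append(ContactChange(
        now - timedelta(hours=20), "email",
        "owner3@example.com", "attacker@example.net", "staff:E1234"))
    return {"legit": legit, "sim_swapped": sim_swapped, "redirected": redirected}


def evaluate_samples(now: datetime = REFERENCE_NOW) -> Dict[str, Tuple[bool, List[str]]]:
    return {name: otp_decision(p, now) for name, p in build_samples(now).items()}


if __name__ == "__main__":
    for name, (allow, reasons) in evaluate_samples().items():
        print(f"{name}: {'SEND OTP' if allow else 'HOLD'}")
        for r in reasons:
            print(f"    - {r}")
```

The point of recording the actor on every OTP-destination change is that, when a transaction is later disputed, the bank can answer exactly the question raised in this article: who changed where the OTP went, and when.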

Furthermore, there are ways that banks can enable their clients to verify that they are indeed logging onto the authentic web site of their bank when they do internet banking.

"Currently it is possible to copy a web site and create a fake version to gain access to your username and password. Banks can and must do more to up their security."
