First published in the Daily Maverick 168 weekly newspaper.

A user from a low-level hacking forum published the personal data of hundreds of millions of Facebook users online earlier this month.

This massive information leak could lead to an increase in SIM-swap fraud, says Pieter de Swardt, country manager for global fintech company Entersekt.

“One of the spin-off effects of Covid-19 has been the increased use of digital platforms, not just banking but also e-commerce. Entersekt encourages clients, not just banks but also commercial websites, to move away from the use of SMS one-time pins [OTPs] as a means of verifying a transaction. An out-of-band solution is preferable because you don’t have to type any information back into the channel… Typically, an OTP has to be typed back into the site you are transacting on or, if you opt to do an instant EFT, you have to type in your online banking details,” he says.

Banks seem to have recognised this threat and are moving away from the use of one-time pins. Both Absa and Standard Bank downplayed the threat of SIM-swap fraud, with Absa saying that bank fraud relating to SIM swap fraud in the past financial year was less than 3%. Carolina Reddy, head of fraud risk management at Standard Bank, said less than 1% of fraud losses in the past year were related to SIM-swap fraud.

Yet the South African Banking Risk Information Centre (Sabric) 2019 annual report, the most recently published report, shows that bank fraud related to SIM swaps increased from 1.9% in 2018 to 9.1% in 2019. And, given that online commerce has grown significantly in the past year, it would make sense that SIM-swap fraud would also have continued its upward trajectory.

Trish Ramdhani, First National Bank’s head of fraud, says data breaches can pose a significant threat – particularly when it comes to emails. Cybercriminals can take control of your email and intercept financial information, such as bank statements and OTPs. “SIM-swap [attacks] are another reason we have chosen to migrate to secure [communications] on our platform,” she says.

FNB recently moved from using SMS one-time pins to verify transactions to requesting verification via the client’s banking app. The FNB app, Ramdhani says, is not susceptible to SIM swaps or vulnerability from the data breaches on third-party email providers.

“Our multilayered security approach on the FNB app makes it a safer and a more secure option than both email or SMS communication. Online Secure is a unique service FNB offers to protect cardholders against unauthorised use of their FNB card for online purchases and it was released to add an extra level of protection. Online Secure allows you to verify your purchase by approving it on your FNB banking app, instead of using a four-digit OTP sent to your phone.”

Ramdhani says the bank has seen a reduction in fraud losses since implementing the online secure authentication method.

“This, paired with our recently launched virtual card, which has dynamic CVV, means our clients’ security when shopping online has been significantly enhanced,” she says.

Ulrich Janse van Rensburg, head of fraud strategy at Absa Retail and Business Bank, says when you transact online the bank initiates a two-factor authorisation control driven through either the Absa banking app or via unstructured supplementary service data (USSD).

“Customers who adopt the Absa mobile banking app have free access to our digital fraud warranty, signalling our confidence in the security of our app as the safest way to bank,” he says.

Standard Bank customers still use OTPs to verify transactions, but Reddy says the bank is “on the journey” of adopting two-factor authentication, such as biometrics, and is migrating away from OTPs.

Nedbank was not able to respond before DM168 went to press.

What to do

When you realise you are no longer connected to your network, you may be a victim of a SIM swap attack. If so, De Swardt says it is vital that you contact your bank and your mobile operator immediately.

FNB recommends cancelling your bank cards because your card details will have been compromised.

Clients can also temporarily block cards and/or their banking profile on the banking app when their cards have been misplaced. “But we advise that this be used only as a temporary measure that can be corrected once the client has found the card or determined if it relates to fraud, in which case it must be cancelled,” Ramdhani says.

Protect yourself

Sabric says you can protect yourself from SIM-swap fraud by:

• Informing your bank if your cellphone number changes so that your notification contact number can be updated;
• Registering for your bank’s notification service so that you are alerted to activity or transactions on your accounts; and
• Regularly crosschecking your cellphone transaction notifications with activity on your account. DM168

This story first appeared in our weekly Daily Maverick 168 newspaper which is available for free to Pick n Pay Smart Shoppers at these Pick n Pay stores.