Cellphone banking scam – what about the banks?

It makes you wonder why Vodacom is all over the press for the recent R7m SMS banking fraud. More interesting to me is why there has been no response yet from the banks (remember that all the major banks, such as ABSA, SBSA, FNB and Nedbank, have been targeted).

Let's look at this:

  • How did the scamsters know which customers and bank accounts to target?
  • Why are the banks not mentioned in the media, and why do they not take accountability?
  • How did the scamsters get access to the card number, PIN and password? Social engineering might be one aspect, but I think corrupt bank staff is more plausible.
  • How did the scamsters manage to open bank accounts (in order to transfer the funds and then withdraw them)?
  • Why did the banks not notice the unusual transactional behaviour? Money laundering legislation has been in place for years, which makes you wonder how poorly it is working.
  • FICA, then, is an epic fail. If I can notice strange transactions, it should have been relatively easy to trace the recipient.

While Vodacom reacted very quickly and made information available to the press, there is still no word from the banks on this matter.

In my opinion the banks are at fault through their lack of security. Over 5 years ago I implemented a two-factor authentication mechanism for a large insurance company in Germany, based on a soft token that is generated at fixed intervals (in our case every 30 seconds) from a built-in clock and the card's factory-encoded random key. We eventually went as far as generating the e-tokens without the need for an actual device.
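The scheme described above is, in standard form, the time-based one-time password (TOTP, RFC 6238) built on HOTP (RFC 4226): a shared secret plus a clock divided into 30-second steps. The following is an added example, not code from the original post or from the author's German implementation. The verifier class, its skew window and its replay check are my assumptions about how a bank-side check would be structured; the secret and timestamps are the RFCs' published test vectors, not data from this incident.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226), with a minimal server-side verifier.

Added example; the verifier design (skew window, replay check) is an assumption
about how a bank would structure the check, not the original author's code.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the fixed interval mentioned in the post

# Shared secret from RFC 4226 / RFC 6238 Appendix B (SHA-1 vectors), used here as
# a known-answer test, not as a real key. A production key is random and per-user.
RFC6238_SHA1_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(key, (unix_time - t0) // step, digits)


def rfc6238_vectors() -> dict:
    """8-digit SHA-1 codes at the timestamps listed in RFC 6238 Appendix B."""
    return {t: totp(RFC6238_SHA1_KEY, t, digits=8)
            for t in (59, 1111111109, 1234567890, 2000000000, 20000000000)}


class TotpVerifier:
    """Server side: constant-time compare, bounded clock skew, no replay of a step.

    Replay protection is the edge case: a code is valid for a whole step, so an
    attacker who intercepts it could otherwise resubmit it within the window.
    """

    def __init__(self, key: bytes, step: int = STEP_SECONDS,
                 skew_steps: int = 1, digits: int = 6):
        self.key = key
        self.step = step
        self.skew_steps = skew_steps      # accept +/- this many steps of drift
        self.digits = digits
        self.last_accepted_step = -1      # highest step already used; persist per user

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for offset in range(-self.skew_steps, self.skew_steps + 1):
            step = current + offset
            if step <= self.last_accepted_step:
                continue                  # already consumed (or older): reject replay
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SHA1_KEY, now)
    print("current 6-digit code:", code)
    verifier = TotpVerifier(RFC6238_SHA1_KEY)
    print("first use accepted:", verifier.verify(code, now))
    print("replay accepted:", verifier.verify(code, now))
```

The counter is derived from time, so the client needs nothing but the secret and a clock; that is exactly what lets the token be generated "without an actual device". The server should persist `last_accepted_step` per user and rate-limit attempts, since a 6-digit code offers only one million possibilities per step.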

TO ALL THE BANKS AND THEIR SECURITY SPECIALISTS & ARCHITECTS: do a bit of research; even 5-year-old technology would have prevented this. Check Wikipedia here.

It is equally puzzling that cellular service providers such as Vodacom, MTN and CellC continue to offer insecure and untrusted SMS messaging to banks and consumers as a mechanism to authenticate a user. SMS was never designed as a secure channel: messages are not encrypted end to end, and they are delivered to whichever SIM the network currently associates with the number, not to a person. It was never intended to transmit authentication tokens, and an SMS on its own will never authenticate a user.

