Robbers Have Ditched Their Guns in Favour of Phones
Insurance is by far the world's most popular grudge purchase. However, its undisputed new rival, cybersecurity, is getting a lot more attention in recent times, especially amid convergence between traditional banks and mobile connectivity.
An ongoing court battle recently highlighted just how badly things can go wrong when a bank's security system relies on a mobile network's efficacy, which at the best of times can quite easily be intercepted by criminals masquerading as employees.
A bank's traditional architecture of large pillars and thick walls typically projects strength. It is designed to communicate might and impenetrability.
Even in instances where a robbery does take place, the looting is limited to branch tills where only a few hundreds of thousands could be taken at a time - and that's in the unlikely event you get away with the money. Most criminals would hardly attempt a bank robbery nowadays because it is just too risky to pull off. Unless, of course, you could do it all electronically.
The invention of electronic financial transactions has meant that many criminals do not even have to carry a weapon for the heist. As we have learnt from Petrus and Hendrina Malan's court battle with Absa and Vodacom, these criminals simply exploit the weaknesses in the system, and especially the authentication systems that rely on connectivity and trust.
Back in January 2016, the Malan family trust's banking account was swindled by a Durban criminal out of R249,000 in a matter of hours, as a result of a SIM-swap fraud.
With this crime, crooks identify someone with significant cash in their bank account and swap their SIM card so that the one-time PIN (OTP) the bank normally sends to a customer to access internet banking or validate transactions goes to a different phone. They then hack your account using the OTP and make off with your money.
But who is responsible for this crime? The bank or the mobile network? How do the criminals know which customer has enough money in their account? The easy target is the bank and its staff. However, the bank will say their systems leave a digital stamp when employees access customer accounts, so they would be able to pinpoint the culprit, especially if that staff member had no reason to look at a customer's information.
The fact that the Malan family is also suing Vodacom is rather interesting, though. I would assume that if a customer has a cellphone contract the mobile operator would have the customer's full banking details in order for the debit order to be processed. Additionally, the mobile operator would also be able to see balance notifications sent through SMS, so if the syndicate has an insider, they have access to the bulk of the information they need to execute the hack.
But the elephant in the room in this entire saga is: "How in the world did Vodacom allow someone else, other than an authorised member of the Malan family trust, to get a SIM swap of its cellphone number?" As far as I know, the law requires an ID and proof of address for this to happen. Clearly, this process was intercepted, and that started a domino of events that allowed the robbery.
While the responsibility of the bank is clearer and perhaps easier to articulate in a SIM-swap fraud, the culpability and duty expected of the mobile network is less recognised. In a world of increased connectivity and online transacting, our banks and mobile operators must expect more cybercrimes and must therefore budget for more grudge purchases.
This article first appeared in The Sunday Times on 23 June 2019