How SIM swap led to couple losing R280 000

Illustration: Colin Daniel

Illustration: Colin Daniel

Published Apr 30, 2013

Share

If you are defrauded as a result of a phishing attack coupled with a fraudulent SIM-card swap, don’t expect any compensation from your mobile operator – even if it failed to comply with the law when processing the SIM swap.

What happened to Dave and Sheila Smith of Durban (not their real names) must be every consumer’s worst nightmare.

Imagine you’re due for an upgrade on your cellphone. You get the new phone, but your old SIM card doesn’t fit inside it. So you buy a new SIM card. All goes swimmingly for a few days, until a message appears on our phone. It reads “SIM registration failed” and the phone stops working.

You go back to your mobile operator and are told you need a new SIM card, but since yours is a company contract, you need authorisation from your company. This turns out to be a ruse and a few days later you go back to the mobile operator and it is confirmed that you were misinformed; you are promptly issued with another new SIM card and you leave the store relieved to have a working phone again.

You suspect nothing untoward until you discover that during the time that you had no use of your phone, your bank accounts were cleaned out – including all the credit in your paid-up home loan.

For the Smiths, that was a loss of R280 000. The couple are of retirement age, but both still work. They finished paying off their home loan in March last year. They had left it open purely for the sake of homeowners’ insurance, which is debited from their home loan account.

The Smiths were victims of a fraudulent SIM swap that took place at Microzone Trading, an MTN franchise in Gauteng. They live in Kloof in KwaZulu-Natal.

MTN appears to have processed the SIM swap without Sheila Smith’s ID number, as required by the Regulation of Interception of Communications and Provision of Communication-Related Information Act, better known as “Rica”.

Personal Finance has in its possession a document from MTN which appears to record the SIM swap but reflects a seven-digit ID number as Sheila’s ID number. Not only is the number six digits short, it also bears no resemblance to her actual ID number.

MTN chose to ignore questions about the document.

Eddie Moyce, a customer relations executive at MTN, told Personal Finance “the correct information was supplied” to enable MTN to provide the SIM swap service. And that since the customer is Rica-registered, MTN was not required to “Rica” her again.

“MTN does not believe that section 40 of Rica finds application in circumstances of a SIM swap if the Rica information had already been recorded, verified and stored as it relates to this customer. The MTN customer in question is Rica-registered and is not required to register again. In executing the SIM swap, the correct information was supplied to the MTN SP and this enabled MTN to provide the SIM swap service.”

He says: “... any access to a customer’s bank account is as a result of the compromise of the customer’s security information as it relates to the bank account.”

But, in order for the fraud to succeed, the fraudsters need to receive the one-time passwords or random verification numbers that the bank sends to its customers – usually via SMS – to enable them to add new beneficiaries, increase the electronic account payment limit, and to pay beneficiaries.

Had MTN prevented the SIM swap, the fraud would not have been successful.

“Incorrect,” says Moyce: “Our courts have already held that a SIM swap does not in itself enable a fraudster to commit fraud on a customer's bank account.”

The Smiths’ home loan is with Absa. Since it has an access facility, the home loan account is linked to an Absa current account. The home loan is in Dave’s name, but both Dave and Sheila have signing power on the current account. Sheila handles the couple’s banking and is the nominated person to do the internet banking on the account.

A few days after Sheila was issued with her second new SIM card, she happened to go online to do some banking. It was then that she discovered, to her horror, a balance of minus R19 000 on the Absa current account – and later learned that their bond account had been plundered too.

Two beneficiaries had been added to the Smiths’ current account and the payment limit on the account had been increased from R2 000 a day to R500 000, and from R20 000 a month to R500 000. In one day, amounts of R40 000, R90 000, R120 000 and R10 700 were transferred from their home loan into their Absa current account, and then 32 payments of between R7 000 and R9 700 were made to the two new beneficiary accounts, which were both held at Capitec.

The Smiths duly reported all that they had uncovered to Absa, MTN and to the police.

As part of its investigation, Absa’s forensics department commissioned an outside company to carry out a forensic audit on the computer used by Sheila when doing internet banking. When the contractor found no evidence of negligence on Sheila’s part, Absa commissioned another contractor. The second contractor examined Sheila’s hard drive, as well as the computer used by Dave.

Although Dave’s computer was found to be “clean”, the second contractor found what the bank regards as hard evidence that Sheila’s computer was used to access a phishing website. The forensic audit also showed that “at the time, data was entered by the user of the computer” – suggesting that she divulged confidential information. This – the phishing attack – allegedly happened one month before their accounts were raided by fraudsters.

The bank says the phishing website was probably accessed via an email purporting to be from Absa and entitled “Absa Rewards”. The email would have induced Sheila to click on a link embedded in the email, ostensibly to redeem rewards.

Sheila is adamant she wouldn’t have fallen for such a ploy, but Absa reckons it has proved that she did. However, because the bank’s system failed to detect such suspicious activity on an otherwise “dormant” current account, Absa has agreed to absorb half of the Smiths’ loss.

The Smiths have accepted Absa’s offer but lodged a complaint with the Ombudsman for Banking Services, because they believe that the bank has not proved conclusively that she was phished.

The couple suspect they are the victims of an intricate scam – an “inside job” – involving bank employees who pass on information to syndicates with contacts inside mobile operators, in their case MTN.

“How else would the fraudsters have known that our home loan was paid off? How did they get my cellphone number, which is known only to my family and the bank? No other explanation makes sense to us,” Sheila Smith says.

Colonel Vincent Mdunge, of the Corporate Communications division at the South African Police Services (SAPS), says a case has been opened with the Durban Commercial Crime Unit of the SAPS.

The Smiths are hoping that charges will be brought against MTN for its failure to comply with Rica and against Capitec, if it failed in its duty of care – as required by the Financial Intelligence Centre Act – when opening the bank accounts used by the fraudsters.

Moneyweb recently reported on the case of MTN client Eugene Malan, who lost R97 000 after an illegal SIM swap following an upgrade. Malan is also an Absa client and he too had his bond, cheque accounts and credit card accounts raided, the proceeds of which were also paid into Capitec accounts. Malan claims MTN carried out the SIM swap without his ID and MTN claims it is not liable.

WHAT YOU CAN DO TO BEAT THE SCAMMERS

Be on your guard when you receive phone calls from people claiming to be from your bank, mobile operator or from computer software companies.

Fraudsters pose as bank employees in order to glean confidential information from you or pose as representatives of cellphone companies to get you to do things you wouldn’t normally do – like switch off your cellphone for an extended period. They may also pretend to be from reputable software companies so that they can talk you into unwittingly installing or accepting malware on your computer.

In a bid to stop fraudulent SIM swaps, Vodacom notifies its customers via SMS whenever a SIM swap attempt is made. If you receive the SMS but have not requested a SIM swap, you can then alert Vodacom that the SIM swap request is not from you.

But fraudsters have resorted to calling customers to try to convince them to either ignore the SMS or to switch off their phones for an extended period of time.

Johan van Graan, chief risk officer at Vodacom, says Vodacom will never call you and ask you to switch off your cellphone unless you have requested assistance with a handset-related issue that requires your cellphone to be switched off.

If you receive an SMS notification indicating that you have requested a SIM swap – when in fact you have not – you should ignore any further communication and immediately contact your cellphone operator and insist that they take the necessary steps to protect you.

Related Topics: