printer friendly version

Banking scam exposes SMS danger

SMS one-time passwords are not secure. This has come to light following the arrest of two members of an SMS banking fraud syndicate – a Vodacom technician and his co-accused – who have been charged with fraud involving more than R7 million and contravening the Electronic Communications Act. Their alleged victims held accounts at Nedbank, Absa, Capitec, FNB, Standard Bank, and KwaZulu-Natal’s Ithala Bank.

All were reportedly Vodacom subscribers.

“This is believed to be South Africa’s biggest online banking scam to date and raises some important questions about the security chain between banks and their online customers,” says Jenny Dugmore, CEO of FireID, a Cape-based company providing strong authentication for online applications.

Most banking customers are familiar with the process of receiving a confirmation SMS once they have done an online transaction. In this case, the syndicate was able to intercept this SMS notification with a dual SIM and use it to access a subscriber’s bank account.

Dugmore says the scam highlights the insecurity of SMS one-time passwords (OTPs). “One-time passwords are an excellent solution for strong authentication. However, these should not be sent over the air due to the ease of interception and potential for attack by hackers. It is clear from this incident that the SMSs were either in clear text, or were easy to decrypt in order for the criminals to be in a position to read them.

“Together with recent cases of SIM card swaping, whereby fraudsters were able to obtain new SIM cards for targeted bank customers and thereby divert the SMS to their own phones, this case definitively shows online bankers are at risk,” Dugmore says. “But this type of crime can easily be prevented by using out-of-band one-time password generators which do not require network connectivity. The one-time password is generated on the device, or on the end-user’s mobile phone and once used, it expires immediately.”

FireID has developed a highly secure, universal personal authentication system that makes this type of Internet transaction significantly safer. “The application enables a mobile phone to randomly generate a one-time password which is sent to the user out-of-band. This means they cannot be intercepted as they do not travel over any of the mobile phone networks.”

The application uses an OATH-compliant incremental one-way-hash mathematical algorithm to generate the passwords. “FireID’s token application turns mobile phones into self-contained password generators,” says Dugmore. “By downloading the token onto their mobile phones, users are able to generate their own passwords for online applications like banking, e-commerce, or securely accessing the company VPN.

“This latest scam proves that the time has come for financial institutions to look at new ways of securing customer information and assets,” Dugmore stresses.

Share this article:

Further reading: