Abney Associates Tech Blog, Cellphone banking fraud at record high

JOHANNESBURG – Internet banking fraud perpetrated via cellphones was at its highest to-date level in 2013, a report out Wednesday from the banking ombudsman revealed.

Cellphone phishing accounted for 46% of the total internet banking-related complaints received by the ombudsman in 2013, a 27% increase on 2012.

Cellphone phishing involves fraudulent e-mails and text messages being sent to unsuspecting bank customers in an effort to extract confidential internet banking credentials.

According to Nicky Lala-Mohan, a board member of the Ombudsman for Banking Services (OBS), SIM swaps will become a bigger problem going forward. “The fact that cellphone companies are also implicated creates additional liability,” he said at a media discussion following the release of the OBS’s 2013 annual report.

SIM swapping is where an individual (in this case the fraudster) replaces a SIM card on a particular cellphone number so that all bank communication is directed to the replacement SIM card, such as once-off passwords used to transact via internet banking.

Johan Conradie, investigations manager at the OBS, said that no sooner had banks advanced security to combat SIM swaps, were fraudsters teleporting numbers from one cellphone service provider to another.

Where there was negligence on the part of cellphone companies, the ombud referred cases to the Independent Communications Authority of South Africa (ICASA).

ATM fraud climbs

Of the 4 613 cases opened by the ombudsman in 2013 (2012: 4 450), 37% were related to fraudulent ATM transactions – a 6% year-on-year increase.

Internet banking accounted for the second highest number of cases opened per category, at 17%. This was followed by mortgage finance at 12% (a 5% drop since 2011) and credit cards and personal loans, which each held 7% of cases opened.

Fraudulent ATM transactions accounted for 23% of all the complaints received by the ombudsman’s office, but only a third of these cases found in favour of complainants, as they were most often the fault of bank customers.

For instance, cases where a customer unwittingly allowed someone to assist them at an ATM or peer over their shoulder and view their personal identification number (PIN), as well as where ATM machines were tampered with so that customers left their cards in the machines in the belief that they had been swallowed.

Lala-Mahon said that the increase in ATM-related fraud was opportunistic, “like cash-in-transit heists were a few years ago”, before police and vehicle intelligence curbed it.

He noted that banks were increasing physical security measures and controls around ATMs and said that new-generation ATMs were more sophisticated and could determine, for example, whether notes inserted into them were counterfeits.

Complaints against Capitec jump

“The internet banking onslaught against Capitec continued well into 2013, increasing the number of complaints against the bank,” commented Edrich Buytendorp, case processing and assessments manager at the OBS.

Capitec had 867 files opened against it in 2013, an increase of 615 from 2012, when it had just 252 cases. Buytendorp said this was also on account of its growing customer base and that in many cases Capitec accounts were the beneficiaries of fraud perpetrated at other banks.

Conradie explained that fraudsters often opened accounts for the sole purpose of facilitating fraud. “Where banks fail to act in line with their duty of care when opening accounts, or don’t stop accounts timeously after fraud has been reported, they could be held partly or fully liable for damages suffered by the customer,” he noted.

In one case, the bank partially compensated a customer where it had failed to stop a card immediately after it was notified of ATM fraud. The delay on the part of the bank allowed a third transaction to go through, which the bank refunded to the affected customer.

Cases opened against Standard Bank, which increased to 980 in 2013 (2012: 845), were largely ATM-related. Buytendorp noted that this was not an indication that there was something wrong with Standard Bank’s ATMs.

“Fraudsters target different banks at different times and in different ways. So when one bank improves security in one area, they will target another bank in that area,” Conradie explained.

Cases opened against Absa were down from 1 335 in 2012 to 970 in 2013. FNB also saw complaints fall, to 927 (2012: 1 260), while complaints against Nedbank climbed by 40 to 688.

Forty per cent of cases closed in favour of complainants, down 2% from 2012.

“This is attributable, in large, to the fact that many complainants were simply debt-stressed and others were victims of fraud. In these instances, there was no maladministration on the part of the bank,” the OBS report notes.

The ombud closed 5 134 cases in 2013, a considerable amount more than the 4 450 cases it closed in 2012. Forty-six per cent of the cases were closed within two months (2012: 44%).

The office awarded R23 million to complainants, an increase of R6.6 million on 2012. This was due to the larger number of cases closed in 2013, as well as bigger awards being made in ATM (R3 million), internet banking (R10 million) and mortgage finance (R4.5 million) cases.

Banking ombudsman Clive Pillay said that the OBS’s turnaround times were largely unmatched by global banking ombuds. The only ombud with a better record is in Canada, where fewer than 300 complaints were handled in 2013.