Recent newspaper reports have again highlighted what everybody knows – cybercrime and specifically internet banking crime is increasing at an alarming rate and ordinary people are losing hundreds of thousands of rands. Apart from the cyber criminal the roleplayers in these incidents are the bank, the cellphone company and the customer themselves.
a. Blaming the user for compromising their logon info
In many cases the bank immediately indicates that the customer compromised their logon details by personally responding to some phishing or other form of email attack. This, however, is not necessarily true. Research statistics show that this form of attack is now less frequent: user computers are increasingly infected directly with malware (malicious software) when visiting a perfectly legitimate and legal website which has itself previously been infected.
Such malware, now on the user’s computer, can do many things, but one of the most dangerous is keystroke logging. In this way the criminal gets hold of the user’s logon info without the victim ever knowing about it. Conclusion: Banks can no longer say that the customer was explicitly part of an action to compromise their logon details.
b. Blaming the user for not updating their anti-virus (AV) software
It is generally accepted now that the traditional way of trying to detect malware through AV software has failed. Criminals now use so-called zero day vulnerabilities, i.e. weaknesses in operational software which have not yet been identified by the AV companies. Conclusion: Even if your AV software is 100% up to date, it will still not identify the malware entering your computer.
c. The rich functionality of the Internet banking packages provided by banks
If a criminal has acquired your logon info, the only way they can get your money out is by creating a new beneficiary, by doing a one-time payment or by buying airtime and other goodies. Some customers do not need these functionalities. Conclusion: If banks can allow customers who do not want these functionalities not to include them, internet banking crime will definitely decrease.
d. Separating the cellphone company’s responsibility from the bank’s responsibility
In many cases so-called SIM card swops are done to intercept the one-time password (OTP) sent by the bank to the customer’s cell phone. By intercepting this OTP the criminal can complete the cycle and transfer money out of the account. In a way, banks therefore ‘subcontract’ a cellphone company to complete the banking transaction. The bank ‘forces’ the involvement of the cellphone company as part of the bank’s transaction. Conclusion: There must be grounds to question the bank’s idea that problems arising in the cellphone company do not touch it.
e. Specialised ‘super-safe’ dedicated internet banking software
It is a fact that such super-safe software for internet banking can be developed. Such packages can be developed to be immune to the type of cyber-attacks we see today. At the University of Johannesburg (and other SA universities) several such packages have been developed. Conclusion: It will surely be more expensive, but again customers will be willing to pay for more secure internet-based banking.
The cellphone company
As discussed above, it should be questioned whether the customer should at all be involved with this ‘sub-contracted’ role player.
However, looking more closely at the SIM card swop problem, there can be no doubt that fraud and corruption do exist. SIM swops happen in the middle of the night, when surely the real owner is asleep and the retail shop closed?
At the University of Johannesburg a SIM card swop system based on biometrics, using the real owner’s fingerprints, has been developed and successfully tested. This provides more security.
In the same vein, the RICA registration seems to be of no use as a person can buy a whole batch of SIM cards from a dealer, RICA all of them at once with some fake address and documents, and then sell them as fully RICA’d without the buyer doing anything.
Conclusion: An urgent investigation into the value and success of RICA should be carried out, and the law changed if necessary.
There can be no doubt that customers are suffering by losing money. Although banks claim that the total amount lost is a small percentage of the total amount processed through internet banking, saying to a customer who lost R 250 000.00 that actually he need not be so upset because he is part of only 0.06% (or whatever small percentage) seems criminal – for that customer it is 100% of his loss!
Tips for the customer:
- Do not be naïve or careless. Doing your banking from the same computer used by your kids for surfing all over the internet is dangerous and reckless.
- Have a proper anti-virus package which is regularly (daily) updated.
- If you do not want all the risky and dangerous functionalities in your internet banking package, force the bank to disable them and give you a more ‘closed’ account.
- Consider creating a second internet banking account which has all required functionalities but which you only use for direct payments. Keep home bonds, investment accounts etc. in the ‘closed’ account.
- If you have lost money through some fraudulent internet banking transaction, keep pestering your bank until you get proper answers – even if you send a message every day.
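The ‘closed’ account of section c, the two-account tip above and the SIM card swop problem of section d can be expressed as one authorisation check a bank could run before sending an OTP. This is an added illustration, not code from any bank or from the University of Johannesburg; the action names, the 48-hour cooling-off window and the SIM swop feed from the cellphone company are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The functions the article says are the only ways to move money out once logon
# details are stolen (section c). Action names are assumptions.
RISKY_ACTIONS = {"add_beneficiary", "once_off_payment", "buy_airtime"}
# Assumed cooling-off window after a SIM swop before an OTP may go to that number.
SIM_SWAP_COOLING_OFF = timedelta(hours=48)

@dataclass(frozen=True)
class AccountProfile:
    account_id: str
    msisdn: str   # cellphone number the bank sends OTPs to
    closed: bool  # True: customer asked for the risky functions to be disabled

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def authorise(profile: AccountProfile, action: str, now: datetime,
              sim_swap_log: dict) -> Decision:
    """Decide whether an action may proceed to the OTP step.
    sim_swap_log maps msisdn -> time of the most recent SIM swop; in practice
    this would be a feed from the cellphone company (assumption)."""
    if action not in RISKY_ACTIONS:
        return Decision(True, "low-risk action, no OTP required")
    if profile.closed:
        return Decision(False, f"{action} disabled on closed profile {profile.account_id}")
    last_swap = sim_swap_log.get(profile.msisdn)
    if last_swap is not None and now - last_swap < SIM_SWAP_COOLING_OFF:
        return Decision(False, f"OTP withheld: SIM swopped {now - last_swap} ago, "
                               "verify the customer out of band")
    return Decision(True, "send OTP to registered cellphone")

# Constructed sample data: a 'closed' account for bonds and investments, and a
# full-function payments account whose SIM was swopped at 02:13 the same night.
NOW = datetime(2014, 3, 10, 9, 30)
SWAP_LOG = {"+27820000002": datetime(2014, 3, 10, 2, 13)}
CLOSED = AccountProfile("bond-and-investments", "+27820000001", closed=True)
FULL = AccountProfile("daily-payments", "+27820000002", closed=False)

def run_examples() -> dict:
    return {
        "closed_add_beneficiary": authorise(CLOSED, "add_beneficiary", NOW, SWAP_LOG),
        "closed_view_balance": authorise(CLOSED, "view_balance", NOW, SWAP_LOG),
        "full_once_off_after_swop": authorise(FULL, "once_off_payment", NOW, SWAP_LOG),
        "full_once_off_next_week": authorise(FULL, "once_off_payment",
                                             NOW + timedelta(days=7), SWAP_LOG),
    }
```

The closed profile rejects the risky action outright, while the full profile is held back only while the recent swop makes the OTP channel untrustworthy.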
* Professor Von Solms is Director at the Centre for Cyber Security at the University of Johannesburg