Paying bills or shopping online, or via your cellphone with your credit card, is convenient and most of us use it on a regular basis.
“What all these methods of payment have in common is that sooner or later they will make use of cellular technology, either as the primary communications channel for mobile banking, or to receive a one-time PIN (OTP),” says Tjaart van der Walt, CEO of a Pretoria-based mobile network technology company.
He says that it was unfortunate that some security shortcomings on mobile networks have directly contributed to the soaring levels of bank fraud that we see today.
He says that despite the heavy reliance on mobile networks to carry highly sensitive financial information, mobile network operators bear very little legal responsibility or risk for financial transactions that run on their mobile networks – and the banks have no control. “Welcome to the financial security gridlock,” Van der Walt quipped.
He says that back in the early 1980’s when the specifications for GSM mobile communications were laid down, nobody could have anticipated the future success or the plethora of financial transactions that would one day run across these mobile networks, which is one of the contributing factors to growing credit card fraud in the country.
According to a poll by the South African Banking Risk Information Centre (SABRIC), over 16% of respondents have been victims of credit card fraud. Card fraud represents the biggest losses and a more robust method of delivering an OTP will go a long way in reducing this type of fraud.
He says that even though the fraud levels are extraordinarily high, it is not all doom and gloom as there are ways to foil cybercriminals who exploit the weaknesses of mobile networks.
“One of the cellular operators is in trial with a system that tracks every signalling event between every phone and the network, gathering a staggering amount of data that can now be processed with the latest computer hardware,” Van der Walt reveals.
Van der Walt says that the system promises to put a halt to further mobile network originated fraud by scanning realtime mobile signalling information, which allows banks to pick up SIM swaps, porting or remote spoofing as they occur.
He says a similar system in operation for Westpac Pacific banking has put a stop to mobile fraud. “One only has to contrast the huge CNP losses in South Africa to the Pacific where Westpac Pacific’s mobile banking system has had no fraud since start up over a year ago – and it becomes clear that the right technology delivers the goods.”
Van der Walt explaines that each mobile SIM card has a unique serial number called the IMSI (International Mobile Subscriber Identity) associated with your cellphone number. When a subscriber does a SIM swap or ports to another network, the IMSI associated with the cellphone number will change.
Although some South African networks now provide the banks with the IMSI of the user from an internal database, which is supposed to prevent SIM swap or porting fraud, Van der Walt says that while this method has limited success at the moment, it will eventually prove to be totally ineffective against the next generation of mobile fraud.
He says this method doesn’t stop crime committed by insiders or employees acting in concert with the bad guys, or cybercriminals.
“The problem with the mobile networks providing the IMSI to banks is that the information is not realtime and there is sufficient time lag to allow the criminals to keep doing what they are doing”.
He adds that the legality of this is also questionable, as South African privacy laws forbid the disclosure of personal information about a person to a third party, without express consent.
“Simply checking the IMSI is not enough to stop cybercriminals from spoofing your bank or hijacking your mobile phone to commit bank fraud,” he adds. “With very limited resources, it is completely possible for a fraudster to
imitate a phone and to fool the subscriber’s network into thinking you are roaming on another network. Voice calls, data, SMS and USSD allows a new generation of cybercriminals to create new beneficiaries, talk to the bank’s call centre (if required) and receive an OTP via SMS or USSD.”
“With the growth of interconnectivity between cellular networks, many smaller cellular networks around the world are offering hosting services. In essence, this means a crook can pay a few hundred dollars a month for access to a trusted network with a reach to almost any other wireless network in the world. This makes it easy and cheap for the bad guys to reach almost any GSM network.”
And there are many bad guys plying their trade. According to the Cyber Defence Review, groups in Russia, China, Nigeria and Ghana are especially active. Only a big data approach can generate the information to stop them.
TruTeq Wireless is a leading supplier of technology to 11 GSM, CDMA, 3G and LTE networks and is also the technology partner for mobile banking to international banks in 10 countries across Africa and the Pacific. TruTeq Wireless has established itself over the past 14 years as a market leader in the telecommunication and digital messaging space in Africa, with major expansion currently taking place into the Pacific Region with secure banking solutions.