The recent scandal involving a Vodacom employee working with a syndicate to intercept SMS notifications from banks to customers has raised serious questions about the security of online banking. The main conclusion experts are drawing is that SMS one-time passwords are not secure.
Two alleged members of an SMS banking fraud syndicate, a Vodacom technician and his co-accused, have been charged with fraud involving more than R7-million and with contravening the Electronic Communications Act.
The alleged victims held accounts at Nedbank, Absa, Capitec, FNB, Standard Bank, and KwaZulu-Natal’s Ithala Bank. All were reportedly Vodacom subscribers.
Costin Raiu, chief security expert at Kaspersky Lab, comments: "This incident is, as far as we know, a world-first, which only enforces our opinion that SMS-based authentication, while slightly more secure than the simple username-password combos, is clearly outdated and in our fast-paced and highly evolving cyberworld is no longer sufficient by itself."
According to Raiu, security experts around the world are aware of previous incidents in which cybercriminals found other creative ways to intercept the SMSs sent by banks, so this should not be seen as an isolated incident but as part of a trend that is rapidly growing in the cybercriminal world.
Jenny Dugmore, CEO of FireID, a Cape-based company providing strong authentication for online applications, adds: “This is believed to be South Africa’s biggest online SMS banking scam to date and raises some important questions about the security chain between banks and their online customers."
She says most banking customers are familiar with the process of receiving a confirmation SMS once they have done an online transaction. In this case, the syndicate was able to intercept this SMS notification with a dual SIM and use it to access a subscriber's bank account.
However, says Dugmore, the scam highlights the insecurity of SMS one-time passwords (OTPs).
“One-time passwords are an excellent solution for strong authentication. However, these should not be sent over the air due to the ease of interception and potential for attack by hackers. It is clear from this incident that the SMSs were either in clear text, or were easy to decrypt in order for the criminals to be in a position to read them.
“Together with recent cases of SIM card swops, whereby fraudsters were able to obtain new SIM cards for targeted bank customers and thereby divert the SMS to their own phones, this case definitively shows online bankers are at risk,” Dugmore says.
“But this type of crime can easily be prevented by using out-of-band one-time password generators which do not require network connectivity. The one-time password is generated on the device, or in the instance of FireID, on the end user’s mobile phone and once used, it expires immediately.”
Kaspersky believes the solution is for banks to begin deploying better and more advanced technologies, such as those based on eTokens, which provide superior security, Raiu says. With this technology in place, an attack of this kind on Vodacom customers would no longer be possible.
In the short term, Raiu advises customers to run up-to-date operating systems, supplemented by a full security solution such as Kaspersky Internet Security, which contains specific, online banking-related protection modules.
He adds: "It is also very important to check your online account often and to immediately notify the bank if any suspicious transactions are found. Generally, the banks should be able to recover your money if the bank is notified promptly. In other cases, the banks will totally refund the losses, as they occurred through the use of the authentication system designed and deployed by the bank.
"An incident of this type can potentially cause marketplace uncertainty about the bank’s ability to keep their customer’s information and money safe and ultimately lead to reputational damage for the bank.”