As more and more banks migrate banking services to mobile, enterprising and sophisticated (often globalised) criminal networks have devised ever more ingenious ways to use mobile phones to separate customers from their money.
This is according to Tjaart van der Walt, Truteq Group CEO and international MD. Truteq Group also boasts offices in Pretoria and Brisbane, Australia.
“Our mobile identity has become a natural target for criminals because most banks today use their customers’ mobile phone as another way (or second-factor) to identify and authorise credit card, ATM, point-of-sale or Internet banking transactions. All these types of fraud have one thing in common – they use the mobile phone to authorise the transaction.”
As the problem of banking fraud has been growing, said van der Walt, “so has the media attention it has been receiving. However, the true scale of the mobile and online banking fraud may be underreported because it is in the best interest of the banks not to draw too much attention to these losses.”
There are a number of different ways that criminal syndicates defraud bank customers, and understanding the steps helps us to limit the risk.
In order to increase security, many banks use a two-factor authentication process. This process uses the transaction request and a verification sent via a different channel to complete the transaction. The thinking is that it is much harder to compromise two legs in a transaction than just one. We know this two-factor authentication as the one-time PIN (OTP), usually sent via SMS or sometimes a USSD request to our mobile phone.
Unfortunately, even though it is indeed harder to compromise two-factor authentication, it is still possible and the criminals are getting better and better at what they do. To get to your money, the cyber crooks use a series of steps as old as the first raids on banks.
Banking fraud often starts with the stakeout – this is the most important step as it provides your banking detail to the criminals. There are a number of different ways to get to your information. The main ones are:
* The malware insertion – the target or victim clicked on a link in an email that installed a virus (malware) on his computer. The malware detects when he goes online and quietly installs a key-stroke logger or tracker that sends a recording of keystrokes, mouse clicks and so forth to the criminal HQ. It may also record other information such as Gmail login detail that may be used to get more personal detail needed for the next step.
* The free-app deception – The victim installed a “free” app or game on his mobile phone. Nothing in life is really free, so the app comes with some built-in malware that “skins” or mimics his mobile banking app. Skinning is when an application mimics a real app and passes the information between the user and the app, recording or modifying it in the process. A less sophisticated version looks like the real app, but only records your information. Either way, the criminals end up with the banking login, password and any information contained in the online banking profile.
* Syndicated crime – A bank employee or insider sells the information.
After the stakeout, the fraudsters have the target’s bank login detail and personal information.
They use the personal information to either do a SIM swap or network port, posing as the customer. This usually requires calling the victim’s mobile network provider’s call centre or visiting a mobile network shop where some identification process is followed. This process is usually not very difficult because the criminals now have some important information about the end user obtained during the stakeout.
The mobile network either issues the criminal a new SIM card, identical to the victim’s existing SIM, or ‘ports’ the victim’s SIM to another mobile network. Once this process is complete, the criminals will receive any OTPs on their “mule” SIM.
Getting into the victim’s bank account is now straightforward as they have all the information needed. Working from the victim’s computer or a series of anonymous proxies to hide their trail, they do not leave any tracks.
This is where the criminals actually steal the cash. They are now free to log in, create a new beneficiary (or beneficiaries) and receive the OTP on their mule mobile phone or via the malware on the victim’s phone.
Then they transfer amounts to accounts created either with falsified information or owned by people recruited with promises of quick cash. These accounts are emptied through cash withdrawals at ATMs.
By the time the fraud is discovered, it is too late and there is almost no trace to follow. The porting and SIM swapping in step 2 required a complex set of provisioning and de-provisioning operations to take place within the mobile networks.
In the case of porting, authorities investigating the crime have to initiate investigations in two competing mobile networks and get them to work together.
“It is now up to the victim to prove that he or she is not liable for the loss. Some banks will refund the victims quietly to avoid bad press, but this is not always the case,” says Van der Walt.
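The sequence described above (a SIM swap or port, then an OTP, a new beneficiary and a transfer) can be checked for on the bank's side. The following is an added example, not code from the article or from Truteq; the event names, the 72-hour window and the assumption that the bank is told about SIM changes by the mobile network are all hypothetical.

```python
from datetime import datetime, timedelta

SIM_CHANGE = {"sim_swap", "number_port"}  # assumed to be reported by the mobile network
WINDOW = timedelta(hours=72)              # assumed cooling-off period after a SIM change

# Constructed sample events: (timestamp, account, event, detail)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00", "acct-A", "otp_sent", "login"),
    ("2024-03-01T09:05", "acct-A", "transfer", "ben-known"),
    ("2024-03-02T14:10", "acct-B", "number_port", "to other network"),
    ("2024-03-02T15:02", "acct-B", "otp_sent", "add beneficiary"),
    ("2024-03-02T15:03", "acct-B", "beneficiary_added", "ben-new"),
    ("2024-03-02T15:09", "acct-B", "transfer", "ben-new"),
    ("2024-03-09T10:00", "acct-B", "transfer", "ben-old"),
]

def review_events(events, window=WINDOW):
    """Return (timestamp, account, action, reason) for events needing intervention."""
    last_sim_change = {}      # account -> time of the most recent SIM swap or port
    risky_beneficiaries = {}  # account -> beneficiaries added inside the window
    findings = []
    for ts, account, event, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        if event in SIM_CHANGE:
            last_sim_change[account] = when
            continue
        changed = last_sim_change.get(account)
        recent = changed is not None and when - changed <= window
        risky = risky_beneficiaries.setdefault(account, set())
        if event == "otp_sent" and recent:
            # The SMS channel can no longer be trusted to reach the customer.
            findings.append((ts, account, "step_up", "OTP sent to a recently changed SIM"))
        elif event == "beneficiary_added" and recent:
            risky.add(detail)
            findings.append((ts, account, "hold", "beneficiary added after SIM change"))
        elif event == "transfer" and detail in risky:
            # Stays blocked even after the window, until the beneficiary is reviewed.
            findings.append((ts, account, "block",
                             "transfer to beneficiary added after SIM change"))
    return findings

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```
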