As banking fraud appears to be on the increase, more and more people are asking why it is almost impossible for banks to stop this scourge.
This is according to Tjaart van der Walt, Truteq Group CEO and international MD. Truteq Group also boasts offices in Pretoria and Brisbane, Australia.
Why is it taking so long to fix banking fraud?
“We are often asked this question. This problem has been around for a while and I remember discussing solutions back in 2006. So is this problem really so hard to fix that the criminals are still plying their trade a decade later?”
The simple answer is yes and no. Technically, delivering an OTP to the correct user is a problem that can already be solved, but the real problem lies in the way the financial institutions and mobile networks handle liability and in their divergent interests.
Divergence of interests
In the 1980s, when the GSM standard was being designed, the purpose was to enable users to call one another while moving between different cells. Using mobile technology to secure financial transactions was not part of the specifications or the intended purpose. Three decades later, mobile telephony has turned out to be indispensable to our way of life and there is now a mobile phone in almost every pocket.
In the relationship between a bank and its customer, the customer expects the bank to hold their money safe and to take on all the liability associated with that. For high-risk transactions, banks like to reduce their risk with two-factor authentication. It therefore made perfect sense for financial institutions to use the mobile phone as the second leg of two-factor authentication. And so a problem was born.
In the delivery of a one-time pin, a mobile network operator has very little (in all likelihood no) legal or financial risk. The terms and conditions of use limit their liability and case law exists to reinforce this position. In fact, a mobile network operator will not want to be associated with the authentication of financial transactions at all. The best outcome for them is no additional risk and the worst outcome is significant and unpredictable risk.
The divergence in interest also plays a role in the SIM swap or network porting process. The identification process followed by a mobile network operator’s call centre agent to verify your identity for the purposes of a SIM swap or network port is as simple as possible. Their interest is to keep us talking and if we cannot make a call, then we cannot talk and consume credit. The banks, on the other hand, need the verification process to be as rigorous as possible in order to comply with anti-money laundering and counter-terrorism laws.
The current solution offered by some mobile networks is to give banks access to their provisioning system on a best-effort basis, but this leads to new problems, as we will see.
Old data is dead data
The heart of a mobile network is a database called an HLR (“Home Location Register”). This is the live master database where your profile is stored for use by all the network elements. It includes your phone number, where you are, supplementary services settings and so on. When a subscriber joins the network, they go through a process called provisioning, where their information is captured in a provisioning system. This includes the phone number associated with the physical SIM. From this provisioning system the relevant information is sent to the HLR. Apart from the fact that, in electronic terms, the data in the provisioning system is already old, many network employees have access to this system, and its data should not be used for two-factor authentication.
On average about 1% of mobile phone users will change to another service provider every month. In Australia alone this is a staggering 280,000 subscribers per month. Even if a bank had access to see whether a user has ported or not, blocking a transaction purely on the basis of the user changing networks would drive hundreds of thousands of irate customers to its call centres.
Most privacy laws state that any uniquely identifiable information is private. This means that any information about a person that is either sensitive (e.g. location) or may be used to identify the user is private. The result is that it would be illegal for a mobile network operator to supply such information to a third party. As much as they would like it, the banks may simply not be given this information. The answer is a “black box” depersonalisation approach, where the information given to the bank does not contain details such as the serial number of your SIM card or where you are, but rather derived facts like “the SIM was ported 7 days ago” or “the transaction is being made in a blacklisted country”.
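The “black box” exchange described above, worked through as an added example that is not code from Truteq or from the article: the operator reduces its HLR-style record to two derived signals (days since the last SIM change, and whether the current country is blacklisted) and only those signals reach the bank, which applies its own delivery policy to them. The record shape, the ICCID and phone number values, the blacklist codes (placeholders from the ISO user-assigned range), the seven-day cooldown and the decision labels are all assumptions made for this example. The policy only steps up high-value transactions inside the cooldown window rather than blocking every recently ported user, which is the point made below about irate customers.

```python
from dataclasses import dataclass, fields
from datetime import date, timedelta

# --- Operator side ("black box") ---------------------------------------------

@dataclass(frozen=True)
class OperatorRecord:
    """What the operator knows about a subscriber. Constructed shape for this
    example, not a real HLR or provisioning schema."""
    msisdn: str            # phone number
    iccid: str             # SIM serial number: private, must never leave the operator
    last_sim_change: date  # date of the most recent SIM swap or port-in
    current_country: str   # ISO 3166-1 alpha-2 code of the subscriber's current location


@dataclass(frozen=True)
class Depersonalised:
    """The only thing the bank receives: derived facts, no identifiers."""
    days_since_sim_change: int
    in_blacklisted_country: bool


# Placeholder codes from the ISO user-assigned range (assumption); a real
# operator would maintain its own list.
BLACKLISTED_COUNTRIES = frozenset({"XA", "XB"})


def depersonalise(rec: OperatorRecord, today: date,
                  blacklist=BLACKLISTED_COUNTRIES) -> Depersonalised:
    """Reduce the raw record to two non-identifying signals."""
    return Depersonalised(
        days_since_sim_change=(today - rec.last_sim_change).days,
        in_blacklisted_country=rec.current_country in blacklist,
    )


# --- Bank side ----------------------------------------------------------------

SIM_CHANGE_COOLDOWN_DAYS = 7  # assumed bank policy, matching the article's "7 days ago"


def otp_delivery_decision(signal: Depersonalised, high_value: bool) -> str:
    """Decide how (or whether) to deliver the OTP for one transaction.

    BLOCK    refuse the transaction outright
    STEP_UP  do not trust SMS to this number yet; verify on another channel
             of the bank's choosing (not the same handset)
    SMS_OTP  normal SMS delivery
    """
    if signal.in_blacklisted_country:
        return "BLOCK"
    if high_value and signal.days_since_sim_change < SIM_CHANGE_COOLDOWN_DAYS:
        return "STEP_UP"
    return "SMS_OTP"


def bank_visible_fields() -> set:
    """Field names that cross the operator/bank boundary."""
    return {f.name for f in fields(Depersonalised)}


def run_samples() -> dict:
    """Constructed sample records; returns the bank's decision for each case."""
    today = date(2016, 6, 1)
    recent_swap = OperatorRecord("+61400000001", "89610000000000000001",
                                 today - timedelta(days=3), "AU")
    old_sim_abroad = OperatorRecord("+61400000002", "89610000000000000002",
                                    today - timedelta(days=30), "XA")
    old_sim_home = OperatorRecord("+61400000003", "89610000000000000003",
                                  today - timedelta(days=30), "AU")
    return {
        "recent_swap_high_value": otp_delivery_decision(depersonalise(recent_swap, today), True),
        "recent_swap_low_value": otp_delivery_decision(depersonalise(recent_swap, today), False),
        "old_sim_blacklisted": otp_delivery_decision(depersonalise(old_sim_abroad, today), True),
        "old_sim_normal": otp_delivery_decision(depersonalise(old_sim_home, today), True),
    }


if __name__ == "__main__":
    print(sorted(bank_visible_fields()))
    for case, decision in run_samples().items():
        print(f"{case}: {decision}")
```

The separation is enforced by the types: `otp_delivery_decision` cannot see an `OperatorRecord`, so the bank's code has nowhere to read the ICCID or the country from even if a developer wanted to. A deployment would add the freshness question raised under “Old data is dead data” by timestamping the signal, since a derived fact computed from stale provisioning data is no better than the raw data it came from.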
Don’t click on that link
“The problem is not that the cyber criminals are stealing our information, but rather that we are giving it to them,” says Van der Walt. “We click on the links in the phishing emails and we install the ‘free’ apps on our mobile phones. This mechanism to get your banking information is more about social engineering than hacking in the old sense.”
The proportion of fraud where bank insiders provided the user’s information is not known, so while it is impossible to say how much of our pain is self-inflicted, it is safe to say that we as users are not blameless.
Why don’t the banks just send the OTP to the app or use IP messaging?
Two-factor verification relies on the user making a transaction on one channel and verifying it on another, because it is much harder to compromise two channels. Using the same mobile phone to make a transaction and to verify it wipes out the benefit of the two-factor authentication. Fraudsters then only have to compromise you once in order to break into your bank account and clean it out.
Using a mobile app to receive the OTP, or receiving it via IP messaging, also means that the fraudsters no longer have to go to the trouble of doing a SIM swap or port. In fact, removing this manual step makes it much easier to automate attacks.
Following the money trail
Almost every part of the fraud process is committed remotely: the installation of the malware (with your help, of course), the porting or SIM swap, receiving the OTP and doing the transfer. By using anonymous proxies, the fraudsters can even prevent anyone from knowing which IP addresses they used to log into your account.
The only place where the criminals are vulnerable is at the point where they draw the cash out. Typically the money stolen will eventually be transferred to a number of accounts belonging to people who are paid a commission to withdraw the cash and deposit some of it into another account.