One-on-one, we don't stand a chance

Fin24 user KC van den Berg, who was defrauded of R29 000 from his Absa accounts, makes an impassioned plea for properly researched and supported class action. He writes:

In February 2010 I was defrauded of R29 000.00 from my Absa Group [JSE:ASA] cheque and credit card accounts.

I am not sure whether it was due to a SIM swap or due to an Absa employee working on his own or with outside assistance.

1. I reported the fraud at my local South African Police Service (Saps) branch, as I required the Saps case number before reporting it to Absa’s forensic department.

2. I reported the case to the Absa forensic department at my local Absa branch.

3. Following Absa's refusal to accept responsibility for the fraud, I opened a case with the Ombudsman for Financial Services.

They merely agreed with Absa, purely on so-called historical assumptions and without any proof whatsoever, that I was the cause of my own misfortune by having supplied the fraudsters with my internet banking logon details.

4. I sought assistance from the Law Society of the Northern Provinces, who supplied me with the details of a local attorney who works on a pro bono basis for them.

We arranged for a meeting, after which I was advised against a lawsuit against Absa due to the possible financial implications vs the outstanding amount of money I lost.

5. I requested and attended a meeting with the Absa forensic team at the offices in Auckland Park on 2010/10/15.

During the meeting I submitted a report, with very suspicious details on it and contrary to their own explanation of the fields on the report, as received from the ombudsman after having been sent to the ombudsman by Absa during the case, and requested an explanation.

I merely received an email a week later, stating that “Absa is not in a position to divulge any information on the report at this stage” and have never since [received any other communication], even after numerous emails, even including the then executive chairperson of Absa.

6. I personally retrieved the Saps file twice from the archive of my local branch after it was sent back as closed by the Pretoria branch of the Saps Commercial Crime Investigating Unit, without any evidence in it that any real investigation had been done.

It took three years and continuous emails, various visits to the CCU offices personally and pushing them to apply for subpoenas against Absa and Vodacom Group [JSE:VOD] (Vodacom cellphone numbers were used during the fraud), before the subpoenas were eventually requested and executed early this year.

The head of the CCU is currently overseeing the case personally and apparently one out of three suspects has been questioned and a statement taken from him, according to the last communication received from the CCU on 2013/03/05.

The stories I read about SIM swaps and phishing emails and the role they play in the increase of internet banking fraud don’t make sense to me, unless I am totally mistaken with regards to the processes involved with internet banking ……

SIM swaps

If somebody fraudulently performed a SIM swap, he or she would ONLY have access to
a.    the calls and sms's, including the RVNs and OTPs sent by the bank to the registered account holder’s cell number as registered in the bank’s account owner’s profile when the owner of the bank account logs onto the bank’s internet banking website and performs actions like
i.    creating beneficiaries,  
ii.    performing inter-account transfers,
iii.    increasing or decreasing daily limits,
iv.    account payments,
v.    changing personal details like cellphone numbers,
vi.    beneficiary payments.

After having performed an illegal SIM swap, the fraudsters would ONLY receive:
b.    Sms's (including RVNs and OTPs) intended for the legal owner of the cell number and bank account owner,
c.    Calls intended for the legal owner of the cell number.
But they will NOT receive the legal cellphone number and bank account owner’s
a.    Internet banking logon username,
b.    Internet banking logon PIN, or
c.    Internet banking logon password
which is required to fraudulently log on to the account via internet banking and perform beneficiary creations, inter-account transfers, transfers to beneficiaries, CashSend transactions, changes in personal details e.g. cellphone numbers etc.

Surely the legal owner of the cell number will have to perform another SIM swap and replace the old SIM card in his/her phone with the new one in order to restore his/her service and again receive sms's and calls?

Unless the fraudsters personally know the owners of the account/s and have access to the account owner’s cellphone, it would be impossible for them to do the physical SIM replacement in order to restore the rightful cellphone account owner’s service.

Phishing emails

Phishing is, to my knowledge and understanding, an email fraud method in which the perpetrator sends out legitimate-looking email (infected with malware or malicious software, used or programmed by attackers to disrupt computer operation, gather sensitive information, etc) in an attempt to gather personal and financial information from recipients.

I have never reacted to a phishing email and am even too scared to do so, even just to see what information is requested.

The emails normally have a “Read Here”, “Please go to X,Y or Z”, “Login here” or similar link that apparently takes one to a website, looking exactly like one’s financial institution’s internet banking logon webpage.

The method is to gather logon details as one is typing it in on this website.

However, as is the case with a SIM swap and to my understanding, phishing would ONLY supply the fraudsters with one’s internet banking logon username, PIN and password and thereby giving them access to LOG ON and VIEW one’s accounts and personal information ONLY.

Therefore, in order for any fraudster to be able to LOG ON, VIEW and CHANGE PERSONAL INFORMATION like one’s CELLPHONE number in order to receive the RVNs and OTPs required to perform their fraudulent activities, whether done by means of a SIM swap or phishing email, they would require all the following information:
a.    One's internet banking logon username,
b.    One's internet banking logon PIN,
c.    One’s internet banking logon password,
d.    One’s cellphone number as recorded in one’s personal details recorded in the bank’s database.

Without the logon details (which are not available to the fraudsters through a mere SIM swap) or one’s registered cellphone number (which I assume would not be supplied to the fraudsters when reacting on a phishing email), nobody should be able to log on to one’s accounts and perform fraudulent transactions, unless
a.    the bank account owner is trying to defraud the bank by personally performing the actions and transactions and making a case claiming fraud, hoping to extort money from the bank, or
b.    the bank account owner is in cahoots with the fraudsters and has deliberately (verbally, in written form, via email or SMS) supplied them with one’s logon details and deliberately (verbally, in written form, via email or SMS) supplied them with the RVNs and/or OTPs received from the bank in order to extort money from the bank.
c.    bank employee/s are committing these fraudulent actions by themselves or with assistance from telecommunication company employees.

Unless the perpetrators target a person personally, they would need to know his/her email address in order to send him/her a phishing e-mail to retrieve his/her internet banking logon details, should the person fall for the scam AND know his/her cellphone number in order to perform a SIM swap to receive the RVNs/OTPs intended for the legitimate cellphone and account holder in order to have full access to the bank account without the bank account holder being aware of the actions and transactions taking place on his/her account/s, is in my view extremely unlikely and very far-fetched!

Class action

Until proven otherwise, I will maintain my view that the SIM swaps and phishing emails, as being the causes of internet banking fraud, are fabricated by the banks to avoid liability and prosecution.

I am 1 000% for a class action case against the financial institutions as well as the telecommunication companies.

However, we need somebody or an institution with access to the appropriate legal knowledge, know-how and will to represent all of us that have been defrauded.

One-on-one, we do not stand a chance against the financial institutions and telecommunication companies who are in a financial position to drag our individual court cases out for years until we run out of funds to continue with our individual cases.

 - Fin24
