Vodacom scam a 'world first'
Jul 14 2009 19:11
Simon Dingle
Johannesburg - A R7m scam, allegedly perpetrated by a Vodacom employee, represented a world first in breaching the integrity of SMS-based (short message service-based) banking, top security firm Kaspersky Lab has said.
On Monday, a Vodacom technician appeared in the Johannesburg Commercial Crimes Court on charges of fraud and contravening the Electronic Communications Act.
According to The Citizen newspaper, the Vodacom employee, Mbokodana Christopher Khoza, is at the centre of the grift involving R7m. Nedbank, Absa, Capitec, FNB, Standard Bank, and KwaZulu-Natal's Ithala Bank number among banks affected.
"But specialist prosecutor, Richard Chabalala, received another docket during the morning for another R3.3m and successfully requested a seven-day postponement as there are suspicions it might be the tip of the iceberg," said The Citizen newspaper.
It is suspected that Khoza is involved in a syndicate and intercepted security SMS messages issued to banking clients. Syndicate members would receive the messages and use them to conduct fraudulent online banking transactions.
Costin Raiu, chief security expert at Kaspersky Lab, a company headquartered in Moscow and which has offices worldwide, told Fin24.com the security breach was bound to happen "sooner or later".
How eTokens can help
"This incident is, as far as we know, a world first," he said.
"[It] only enforces my opinion that SMS-based authentication, while providing a bit better security than simple username-password combos, is outdated and no longer sufficient by itself," said Raiu.
Attacks of this nature were expected to become a trend in the criminal world, as other attempts to intercept security SMSes had already been detected, he said.
"The solution to this problem is for banks to begin deploying better technologies, such as those based on eTokens, which provide superior security," said Raiu.
"With these (eTokens), the attacks involving a man in the middle working for the GSM operator are no longer possible," he said.
Generally small enough to fit in a wallet or on a key ring, eTokens are physical devices or software used to authenticate users. They use encryption to deliver the codes that identify a user, and receive encrypted codes from banking systems that are used to identify customers.
"So, in the long term the solution rests with the banks," said Raiu.
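For readers who want to see why a code generated on a token is not exposed to a man in the middle at the mobile operator, the following is an added example, not code from the article, from Kaspersky Lab or from any of the banks named. It implements one widely used construction for such tokens, HMAC-based one-time passwords (HOTP, RFC 4226), together with the bank-side verifier; the article does not say which scheme the eTokens it describes actually use, so treating them as HOTP is an assumption, and the `TokenRecord` class, the `verify_hotp` function and the look-ahead window of 5 are illustrative choices. The shared secret is the RFC 4226 test secret, embedded here as a constructed sample.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password as specified in RFC 4226.

    The code is derived on the token from a secret shared with the bank and
    a counter; nothing is sent to the device over the GSM network, so there
    is no message for an operator insider to intercept.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Bank-side state kept per enrolled token (assumed design, not any bank's)."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next counter value the bank expects


def verify_hotp(record: TokenRecord, candidate: str, look_ahead: int = 5) -> bool:
    """Accept `candidate` if it matches one of the next `look_ahead` counters.

    A token may have been pressed a few times without a login, so the bank
    tolerates a small window.  On success the counter is advanced past the
    value used, so a code that was observed once cannot be replayed.
    """
    for c in range(record.counter, record.counter + look_ahead):
        if hmac.compare_digest(hotp(record.secret, c), candidate):
            record.counter = c + 1
            return True
    return False


def demo() -> dict:
    """Walk through enrolment, a normal login, a replay and a resync."""
    # Constructed sample: the RFC 4226 test-vector secret.
    secret = b"12345678901234567890"
    bank = TokenRecord(secret)          # bank stores the secret at enrolment
    token = TokenRecord(secret)         # device holds an identical copy

    def press_token() -> str:
        code = hotp(token.secret, token.counter)
        token.counter += 1
        return code

    first = press_token()
    results = {
        "first_login": verify_hotp(bank, first),        # fresh code: accepted
        "replay": verify_hotp(bank, first),             # same code again: rejected
    }
    press_token()                                       # two presses without logging in
    press_token()
    results["after_skipped_presses"] = verify_hotp(bank, press_token())  # inside window
    results["bank_counter"] = bank.counter
    return results


if __name__ == "__main__":
    print(demo())
```

The property the example shows is the one Raiu is pointing at: the secret never leaves the token or the bank, and the code is computed locally, so an interception point inside the mobile operator sees nothing it can use, and a code that was used once is dead on the bank's side.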
"It is unfortunate that a Vodacom staff member was able to commit fraud working with external gangsters," Vodacom chief communications officer Dot Field said in a statement on Tuesday.
"Vodacom has implemented additional security measures to ensure that this type of fraud does not happen again."
- Fin24.com
