Post by cjm on Jul 27, 2016 16:06:50 GMT
The one bank in South Africa that is safe from SIM-swap fraud
Only one bank in South Africa is not vulnerable to SIM-swap fraud – this is how it does it.
By Jan Vermeulen - March 30, 2016
Capitec states that it offers customers “cellphone banking that’s safe from SIM-swapping.”
Internet banking fraud that utilizes a SIM-swap scam, in addition to stolen login credentials, continues to be a problem for South African banking clients.
Many banks use one-time PINs (OTPs), sent by SMS, as a second factor of authentication to help protect your account.
In the event your online banking login details are compromised, criminals can’t get into your accounts without the OTP.
Fraudsters attack this second layer of authentication through SIM-swap scams, which results in them gaining control of your cellphone number for long enough to log into your bank account.
While some banks have moved away from using SMS for authentication, they still use systems linked to a client’s cellphone number.
Alternatives to SMS
Standard Bank said although it does not have an alternative to SMS, it is working on a solution to authenticate customers without relying on a SIM card.
“However, we are able to detect and validate customers’ SIM age and have built rules around the SIM age validation,” the bank said.
Nedbank and Absa have switched from using SMS-based OTPs to USSD-based transaction approval systems. These systems are still linked to your cellphone number, however.
FNB said it uses a multi-layered security framework, of which an OTP is one component. However, it does not offer an alternative to the systems that rely on your cellphone number.
One-time PIN delivery without a cellphone number
Capitec said it has never used a one-time PIN system that is tied to a mobile number.
If you have a supported smartphone, the Capitec app can be used to authorise online banking transactions. The app is linked to your device, and not your cellphone number.
Those without a smartphone can get a key fob security token to generate OTPs with which to log in and authorise transactions.
The trade-off with these systems is that you have to go into a branch to verify your phone, or carry a security token.
When you upgrade, or your phone is stolen, you will have to visit a branch to have the app re-linked.