Confusing case of liability for sim-card fraud
This crime is on the rise, but networks blame clients for disclosing bank details
Internet banking fraud involving cellphone-sim swaps - and aided and abetted by agents of the big cellphone networks - appears to be on the rise.
But the networks deny liability, arguing that it takes more than a fraudulent sim swap for criminals to access someone's internet banking profile.
To be able to run this complicated scam, fraudsters first need a consumer's bank-account number and passwords, obtained by conning the consumer out of them (phishing), or from an agent at the bank - although this has never been proved.
The criminals also need the victim's cellphone number, which they get from phishing or from accomplices in the banks who are easily able to access clients' personal details on their systems.
With their confederates at the communications companies, fraudsters get a new sim card for the victim's cellphone and the old card is deleted from the network.
And here timing is crucial: an automatic SMS is sent to the real owner about the swap. If the victim is asleep or flying or the phone is constantly busy, they won't get the message.
Armed with all this information, the criminals log into their prey's bank account and create "beneficiaries" - in fact, the accounts to which the stolen money will be moved.
For security, the bank sends the victim a one-time password to confirm the new beneficiary. But because of the sim swap, the password (and alerts that funds are being transferred) goes only to the fraudster.
Agent on the inside
According to a recent report, Vodacom investigators discovered that one of its agents was fraudulently replacing sim cards for a crime syndicate operating from a Johannesburg prison. Despite this, the networks continue to argue that fraudulent electronic fund transfers can only happen if the criminal has your banking details and passwords.
And they point to a court precedent to support their stance.
Too remote from the loss
In a 2010 case involving Nashua Mobile, the judge held that a sim swap did not in itself enable a fraudster to get into another person's bank account: the cellphone service provider's "negligent omission" was "too remote" from the consumer's loss.
The cellphone networks say they are doing all they can to curb fraudulent sim swaps by their staff, and point out that they need to provide a user-friendly sim-swap service for their subscribers - the vast majority of whom don't have any criminal intent.
Recently, Vodacom's convenient late-night sim-swap service allowed a fraudster to raid the FNB bank account of Fameeda Hoosen while she slept.
Hoosen, of KwaDukuza on the KwaZulu-Natal North Coast, insists that she never disclosed her banking details on a fake internet banking site. However, the bank claims she had in fact compromised those details.
Vodacom sent the preschool teacher an SMS at 9.43pm on February 1, alerting her to the fact that a replacement sim card had been requested on her number, and suggesting that she call the network's customer-care line immediately if she suspected fraud.
But Hoosen was asleep, so did not respond and the sim swap went ahead.
When a new beneficiary was set up on her account, the fraudsters received the one-time password and siphoned R17,000 from her account.
So how much time do Vodacom subscribers have in which to respond to a sim-swap alert before the company goes ahead without the customer's feedback?
According to Vodacom, "there is a two-hour delay with all sim-swap requests, but those received after 10pm are placed in 'pend' status until 6am, and if the customer does not call in to cancel, the request is actioned by 8am".
In Hoosen's case, the fraudster timed the swap perfectly - late enough for her to be asleep, but not so late that it would be placed on hold until early the next morning, when she could have alerted the network that she had not asked for a new sim card.
When asked what percentage of fraudulent sim swaps happened between 8pm and 10pm, Vodacom said the statistics on the specific time at which requests were received were "minimal".
Going in person
Asked how the network justified swapping sim cards without confirmation from the subscriber, given that there are many reasons why they could be unable to respond - such as being on a flight - Vodacom said the vast majority of requests to get a new sim card were legitimate.
"Only an estimated 0.004% are potentially involved in fraudulent banking activities," the network said.
By contrast, MTN said contract subscribers could only replace their sim cards by visiting an MTN outlet. Prepaid subscribers had the option of using the 24-hour call centre, but sim swaps were only allowed between 7am and 7pm. Clients had 24 hours to approve or reject an SMS request for the sim swap, but if they did not respond, the new sim card was not activated.
Telkom only allows sim cards to be swapped if the client goes into a shop in person, bearing some proof of identification.
At Cell C, sim cards may be replaced by contacting the call centre between 7am and 8pm, where callers are required to answer a series of security questions. Sim cards can also be replaced in a Cell C outlet, on presentation of a valid ID.
But the network would not reveal how long customers had to respond to an SMS notification "for security reasons" - although if you failed to respond during the allotted time, the card would be changed anyway.