Banking fraud against one-time SMS passwords


One method being used to protect online bank transactions is to use out-of-band authentication. Here a message is sent to a pre-registered cell phone number seeking confirmation of a transaction. The legitimate account owner is supposed to receive the text message and enter the authorization code into the bank website. But what if the bad guys have taken over the cell phone number of the legitimate bank customer, so they receive the authentication request instead? Apparently, this is being done using phishing attacks and a SIM card swop.

Victim’s SIM swop fraud nightmare

Derick Lindsay was playing golf in George in the Western Cape when his cellphone number was hijacked almost 1 200km away in Soweto.

Four days later, on Christmas Day, he went online to check his email and discovered a shocking message from his bank confirming a R80 000 payment to an unknown property company.

The transaction had taken place on the day his SIM card was swopped, but, because he was on holiday, Lindsay hadn’t switched on his laptop in days.

The transfer was possible as the crooks had received an SMS once-off password from his bank, via Lindsay’s hijacked cellphone number – a security measure used by banks to authorise payments to new beneficiaries.
