Millions Stolen as Scam Put's Banks in One Helluva SMS

By Lavern de Vries



Gauteng police are working with Vodacom to trace the victims of a
multimillion-rand SMS banking authentication scam, described by a top
security firm as the first of its kind.



Police spokesperson Superintendent Lungelo Dlamini said on Thursday
that members of the Joburg Commercial Crimes Unit were liaising with
commercial crime units across the country to determine how many people
had been affected by the rip-off.



Security experts have billed the scam as a world first.

"This incident is, as far as we know, a world first, which only enforces our opinion that SMS-based authentication, while, slightly more secure than the simple username-password combos, is, outdated, and in our fast-paced and highly evolving cyberworld no longer sufficient by itself."

Costin Raiu, chief security expert at
Kaspersky Lab, suggested that banks deploy better and more advanced
technology to stay ahead of criminals.



"This incident is, as far as we know, a world first, which only
enforces our opinion that SMS-based authentication, while, slightly
more secure than the simple username-password combos, is, outdated, and
in our fast-paced and highly evolving cyberworld no longer sufficient
by itself."



He advised readers to check their online accounts often and notify the bank immediately if suspicious transactions are found.



Banks should be able to recover clients' money if they were notified promptly, Raiu said.



It is not known which banks were involved in the scam.



Dlamini would not be drawn on how much money was allegedly siphoned by
a Vodacom engineer and his accomplice through an elaborate scam
involving the blocking and delaying of SMS banking alerts to Vodacom
clients.



A Gauteng newspaper had reported that the Vodacom engineer and his
partner allegedly stole R2,4-million. Other media reports said that
when the pair appeared in the Johannesburg Commercial Crimes Court on
Monday, the State prosecutor received another docket for another R3,3m.



Dlamini said the docket was with the court and police would not comment on the issue.



On Tuesday Vodacom released an internal letter informing employees of
the scam and asking them to "convey the facts to our families, friends
and customers".



Signed and sent out by Vodacom chief communications manager Dot Field,
it explained that the alleged fraud was committed with the help of
fraudulently created temporary dual SIMs.



A customer's internet bank account would be logged into, and the
one-time password from the bank would be sent to the temporary dual
SIM, which enabled the transfer of money out of the customer's internet
bank account to their own account. When the transaction was successful,
the temporary dual SIM would be deleted.



The email also implied that customers would have to compromise their
PIN and password via phishing (when fraudsters get hold of sensitive
information such as usernames, password and credit card details by
masquerading as a trustworthy entity) for this type of fraud to occur.



Dlamini said police suspected a syndicate was behind the scam, and more arrests were expected.

• This article was originally published on page 1 of The Star on July 17, 2009

Related articles by Zemanta

• Torpig: "One of the Most Advanced Pieces of Crimeware ever Created".' (pindebit.blogspot.com)


• BofA Targeted by Malicious Code Phishing Attack (pindebit.blogspot.com)


• 30% Chance IT WON"T get Hacked? (pindebit.blogspot.com)


• Nothing Phishy About PCI 2.0 Certified "Card Present 2FA" (pindebit.blogspot.com)