Wednesday, July 15, 2009

Another world first in online banking crime

A Vodacom technician has pulled off a cool R7 million on the side by hacking into security SMSes from banks to clients. As a bank client, you have no recourse to the bank when this happens because using your own computer for internet banking is entirely at your own risk.

South African banks typically wait for the shit to hit clients first before acting, and then blame high banking charges on largely preventable crime. eTokens that make use of encryption which can't be hacked into are already in use in first world countries, where banks charge far lower fees than we pay in South Africa and, furthermore, are a lot more proactive when it comes to preventing security threats.

This stinks, along with the pepper sprays at Absa's ATMs.


Johannesburg - A R7m scam, allegedly perpetrated by a Vodacom employee, represented a world first in breaching SMS-based (Short Message Service-based) banking integrity, top security firm Kaspersky Lab has said.

On Monday, a Vodacom technician appeared in the Johannesburg Commercial Crimes Court on charges of fraud and contravening the Electronic Communications Act.

According to The Citizen newspaper, the Vodacom employee, Mbokodana Christopher Khoza, is at the centre of the grift involving R7m. Nedbank, Absa, Capitec, FNB, Standard Bank, and KwaZulu-Natal's Ithala Bank number among banks affected.

"But specialist prosecutor, Richard Chabalala, received another docket during the morning for another R3.3m and successfully requested a seven-day postponement as there are suspicions it might be the tip of the iceberg," said The Citizen newspaper.

It is suspected that Khoza is involved in a syndicate and intercepted security SMS messages issued to banking clients. Syndicate members would receive the messages and use them to conduct fraudulent online banking transactions.

Costin Raiu, chief security expert at Kaspersky Lab, a company headquartered in Moscow with offices worldwide, said the security breach was bound to happen "sooner or later".

How eTokens can help

"This incident is, as far as we know, a world first," he said.

"[It] only enforces my opinion that SMS-based authentication, while providing a bit better security than simple username-password combos, is outdated and no longer sufficient by itself," said Raiu.

The nature of this attack was expected to become a trend in the criminal world as other attempts to intercept security SMSes have been detected, he said.

"The solution to this problem is for banks to begin the deploying of better technologies, such as those based on eTokens, which provide superior security," said Raiu.

"With these (eTokens), the attacks involving a man in the middle working for the GSM operator are no longer possible," he said.

Generally small enough to fit in a wallet or on a key ring, eTokens are physical devices or software used to authenticate users, and they make use of encryption to deliver the codes that identify those users. They receive encrypted codes from banking systems that are used to identify customers.
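To make the difference between the two approaches concrete, here is an added example (not code from the article, Kaspersky Lab or any bank) of how a hardware or software token derives its one-time codes. It implements HOTP as specified in RFC 4226: the token and the bank share a secret, each computes the next code locally from that secret and an event counter, and the code itself never travels through an SMS gateway, so a man in the middle at the GSM operator has nothing to intercept. The bank-side verifier, the look-ahead window of 5 and the example secret are assumptions for illustration; the secret used in the check is the RFC 4226 test vector.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then "dynamic truncation" to a short decimal code."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Bank-side state for one customer's token (hypothetical design).

    The bank never sends a code anywhere; it recomputes what the token
    must have shown and compares. A small look-ahead window tolerates
    codes the customer generated but never submitted."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.window = window

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            expected = hotp(self.secret, c)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.next_counter = c + 1   # burn this and all earlier codes: no replay
                return True
        return False


class Token:
    """Customer-side token: same secret, increments its own counter on each press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def demo_token_login() -> dict:
    """Walk through a login with a token. The 'carrier log' stays empty because
    no code is ever transmitted to the customer over the network."""
    secret = b"12345678901234567890"          # RFC 4226 test secret (constructed demo value)
    token, bank = Token(secret), BankVerifier(secret)
    carrier_log: list = []                    # what an SMS gateway operator could see

    first = token.press()
    accepted = bank.verify(first)
    replayed = bank.verify(first)             # same code again must be refused
    return {"accepted": accepted, "replayed": replayed, "carrier_saw": carrier_log}


if __name__ == "__main__":
    print(demo_token_login())
```

The point the article's expert is making is visible in the last function: with an SMS OTP the bank hands the finished code to the carrier in plaintext, whereas here the only things that cross the network are the customer's username and the six digits they typed in, and those digits are useless a second time.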

"So, in the long term the solution rests with the banks," said Raiu.

"It is unfortunate that a Vodacom staff member was able to commit fraud working with external gangsters," Vodacom chief communications officer Dot Field said in a statement on Tuesday.

"Vodacom has implemented additional security measures to ensure that this type of fraud does not happen again."

2 Opinion(s):

Anonymous said...

Apparently kaffirs just CANNOT keep their hands off the money. They are like alcoholics in a booze shop - the LOT of them. ANY chance they get to abuse their job and steal money, they do.

martha said...

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.