November 2013 Issue

The 'Newsletter on Financial Fraud' from CustomerXPs is your monthly insight into the various new fraud types and methods used by fraudsters globally in the banking space. 

This will help you stay abreast of all the latest happenings in the banking fraud space.

Card-not-present seen as fastest growing type of credit card fraud

The U.S. credit card fraud incident rate rose by 17% between January 2011 and September 2012. The fraud dollar-to-nonfraud dollar ratio remained stable during the same period, however.

The card-not-present (CNP) fraud incident rate grew by 25% during the time period, far outpacing the counterfeit fraud incident rate, which grew by 14%. CNP fraud, which refers to purchases made without physically presenting a credit or debit card, such as online purchases, accounted for almost half (47%) of all credit card fraud.

While the rate of card fraud attempts rose, the average loss per compromised account fell 10% during the time period.

In contrast to credit card fraud, the debit card fraud incident rate was unchanged, and average fraud losses per account dropped by 3%. Most debit card fraud occurs at ATMs, grocery stores, and gas stations.

Courtesy: ABA Banking Journal

Industry insider reveals truth about Internet banking, SIM swap fraud

An industry insider with extensive knowledge of Internet banking fraud involving SIM swaps has revealed how fraudsters steal millions of rand from South African online banking clients.

Internet banking fraud involving SIM swaps made headlines in April and May 2013, after numerous ABSA and MTN clients had fallen victim to criminals.

An anonymous industry player said that the process followed by fraudsters to steal money from online banking users in South Africa is nearly always the same:

1. Getting the person’s Internet banking details

According to the industry insider, the Internet banking login details (account number, username, and password) of a victim are typically stolen through a phishing attack.

Other ways in which the login details can be obtained include computers in public areas (such as Internet cafés) which record sensitive information, keystroke logging software, or malware which provides criminals access to a victim’s computer.

However, phishing remains the most popular way in which personal banking details are stolen.

There are mainly two groups of criminals which gather personal information to be used in online banking fraud:

The fraudsters, who use phishing or other methods to steal personal details which they will use to steal money later; and

“Farming” syndicates, who gather personal banking details which are sold to fraudsters who will then use the info to steal money.

While the farming and phishing syndicates operate in countries across the world, the people who finally steal the money are always based in South Africa.

The farming syndicates often sell the stolen personal banking details to fraudsters based on the bank account balance of the victim.

2. Obtaining bank accounts to get the money out 

To withdraw the money which was transferred, the fraudsters need active bank accounts. This is usually achieved in one of two ways:

Create a bank account using fraudulent personal details, including fake ID books and fake utility bills;

Use the existing bank account of an unsuspecting person, to transfer and withdraw the money.

The industry insider explained that the fraudsters often use legitimate existing accounts, to which they transfer money, by purchasing the account from the person to whom it belongs.

The person may only have R50 in the account, and he is then offered a few hundred rand for his account details and his bank card.

For larger fraud transactions, multiple accounts are prepared to be used for the money transfer. This preparation takes place before a SIM swap occurs.

3. SIM swap time

Armed with a victim’s online banking login details and bank accounts into which the stolen money can be transferred, a SIM swap is needed to receive the one-time-passwords sent to the banking client via SMS.

A SIM swap typically happens using the following methods:

Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and

Stealing passwords from employees at the mobile operators or mobile dealers.

Post-paid cellular users’ SIM cards can be cloned through a helpdesk by answering personal verification questions such as a home address or work number.

The situation is more complex for pre-paid customers where the personal verification questions focus on the latest recharges or last numbers called.

By using a fake ID book and other fake documents a person can also do a SIM swap at a mobile dealer.

If a fraudster gains access (through a stolen password) to a support agent’s account, or that of a mobile dealer assistant, the SIM swap process becomes easy.

The SIM swap is typically performed late at night to avoid detection by the victim.

Some fraudsters are also encouraging the victim to switch off their cell phone by harassing them with multiple calls. After the phone is switched off, they do the SIM swap without fear of detection.

Some mobile operators send an SMS notification that a SIM swap has been requested. To avoid the SIM swap being stopped, the fraudsters either use the above method or call the victim masquerading as a mobile operator employee to tell them the SMS was sent by mistake (and should be ignored).

4. Creating beneficiaries, transferring the money

After the SIM swap has taken place and the fraudster has access to the number used by the Internet banking victim, beneficiaries are created, and the money transferred to these beneficiaries.

5. Withdrawing the money

In the case of ATM withdrawals, the money is often transferred shortly before midnight. The maximum daily amount is withdrawn before 00:00 and the same amount just after midnight. The card is then destroyed.

It is also understood that large amounts have been withdrawn by people inside banks, but the exact details about these incidents remain sketchy.


Summary of Internet banking fraud involving SIM swaps

Internet banking fraud involving a SIM swap typically happens in a few basic steps: getting the personal banking details of a victim; getting bank accounts to transfer the money to; doing a SIM swap; creating beneficiaries and transferring the money to them; and then withdrawing the money.

Phishing is typically the first step of this process, and the SIM swap the last step before the money can be stolen.


What can be done to stop it?

The industry insider suggested a few ways to assist the fight against online banking fraud involving SIM swaps: 

  • Implement a delay (around two days) on all transfers to newly created beneficiaries;
  • Use additional information, most of which is supplied by the mobile operators, to detect potentially fraudulent activities. This includes the age of a SIM, calls made from the SIM, and the device linked to the SIM; and
  • Link physical devices (like mobile devices or laptops) with online banking profiles to add an additional layer of security.
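
The three controls listed above, combined into one transfer-screening rule. This is an added example, not code from the newsletter or from any bank's system; the field names, the three-day SIM-age threshold and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

BENEFICIARY_HOLD = timedelta(days=2)  # "around two days", from the list above
MIN_SIM_AGE = timedelta(days=3)       # assumed threshold, not from the article

@dataclass
class Transfer:                       # all field names are hypothetical
    when: datetime
    beneficiary_created: datetime
    sim_activated: datetime           # operator data: when the current SIM went live
    sim_device: str                   # operator data: handset now linked to the SIM
    usual_sim_device: str             # handset previously seen for this customer
    session_device: str               # device used for this banking session
    enrolled_devices: frozenset       # devices linked to the banking profile

def screen(t: Transfer):
    """Return (decision, reasons); decision is RELEASE, HOLD or REVIEW."""
    reasons = []
    if t.when - t.sim_activated < MIN_SIM_AGE:
        reasons.append("sim_recently_activated")
    if t.sim_device != t.usual_sim_device:
        reasons.append("sim_in_new_handset")
    if t.session_device not in t.enrolled_devices:
        reasons.append("unenrolled_session_device")
    risky = bool(reasons)
    if t.when - t.beneficiary_created < BENEFICIARY_HOLD:
        reasons.append("beneficiary_in_hold_window")
    if risky:
        return "REVIEW", reasons      # SIM or device anomaly: manual review
    if reasons:
        return "HOLD", reasons        # new beneficiary only: delay the payout
    return "RELEASE", reasons

# Constructed sample records (not real data).
NOW = datetime(2013, 11, 5, 23, 40)
ENROLLED = frozenset({"laptop-A"})
OLD = NOW - timedelta(days=400)
established = Transfer(NOW, NOW - timedelta(days=90), OLD, "imei-1", "imei-1", "laptop-A", ENROLLED)
first_payment = Transfer(NOW, NOW - timedelta(hours=1), OLD, "imei-1", "imei-1", "laptop-A", ENROLLED)
after_swap = Transfer(NOW, NOW - timedelta(minutes=10), NOW - timedelta(minutes=45),
                      "imei-9", "imei-1", "pc-X", ENROLLED)

if __name__ == "__main__":
    for name, t in [("established", established), ("first_payment", first_payment),
                    ("after_swap", after_swap)]:
        print(name, *screen(t))
```

The hold alone only delays a payout, so the SIM and device signals are what route a transfer to manual review rather than letting the delay expire unnoticed.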


The industry player said that while FNB has been quick to implement the additional security features, other banks are not using all the resources available to them to fight Internet banking fraud involving SIM swaps.

Courtesy: MyBroadBand

Teenager develops app that thwarts ATM thefts

Why rob a bank when you could do just as well — with a quarter of the risk — at an automated teller machine kiosk (ATM), is a feeling that appears to be running high among thieves given the spate of ATM heists. But these robberies could be nipped if an 18-year-old student has his way.

Sudhanshu Nath Mishra, who has just passed out of Std XII from AECS Magnolia Maaruti Public School, has developed an Android application that will not only alert bank authorities and the police the moment an ATM is being broken into, but will also pinpoint the exact location of the machine in case the robbers manage to flee with it.

Sudhanshu said he thought of the idea of an app after reading about an ATM theft in the city. He visited several banks, ATM kiosks and even an ATM development centre to find out why carting away an ATM was ludicrously easy.

Sudhanshu found that the modus operandi of the thieves follows almost a ritualistic pattern: Disable the surveillance camera, disconnect the power and the centralised battery, uproot the machine and cart it away.

"Most ATMs are connected to a national network managed by National Payment Corporation of India (NPCI)," says Sudhanshu. While the NPCI can detect fraud, it isn't equipped to deal with a physical heist of the machine. That needs local intervention.

Sudhanshu's security solution involves two smartphones that run the Android application he had developed. The app has inbuilt sensors (like accelerometer to measure vibration, temperature, a USB connection to measure power and a mike to detect noise levels).

"When the sensors detect the slightest change in any of these parameters, an SMS alert is automatically sent to the police control room. Another app then tracks the location of the ATM on a Google map and even gives GPS coordinates. These smartphones can be easily hidden in the top (electronic) and bottom (cash dispenser) compartments of the ATM. The phones communicate with a back-end monitoring system and the local authorities that receive the alert. The phone will work even if the ATM is carried away."

Sudhanshu said the phones can be installed in less than 30 minutes. "As it is independent of the ATM power and communication network, it is tamper proof. The app can also send alerts to other controlling devices like creating an audio alarm, locking doors etc during attack."

Courtesy: Bangalore Mirror

Banks still struggling to keep off ATM fraudsters

In Kenya, ATM thieves have reportedly made off with millions in cash and personal data. But most banks are now coming up with innovations to contain the upsurge in high-tech fraud.

According to the Bureau of Economics Federal Trade Commission, ATM fraud is much more common than crimes directed at ATM customers as they withdraw cash.

The frauds include inserting a ‘skimmer’ into an ATM card reader to steal customers’ PIN numbers and remotely “hacking” into the software system running the ATMs in order to electronically divert funds into another account.

Skimmers are impossible to detect because the manufacturers of the devices have matched everything from colours of the particular banking branch to the brand of machine they perfectly work with.

If you get hit by one of these fraudsters, they could easily and slowly drain your account without your knowledge.

Courtesy: Standard Media


©2018. CustomerXPs® Software