Vusi Mona, spokesperson for SANRAL, participated in a telephonic interview on Radio 702 and Cape Talk last night, addressing concerns from listeners about SANRAL’s billing issues.
One question came from a listener who asked how the public could know that text messages demanding payment for e-Toll fees were not scams. This was in reference to many users being on the receiving end of a phishing scam in December and January, wherein they were notified by SMS of outstanding balances for toll fees – however the messages were not from SANRAL.
Vusi replied with: “Very easy. Raise your IQ”.
Unsurprisingly, the backlash was immediate. Howard Dembovsky of Justice Project South Africa posted a clip of the interview, with Mona’s offensive statement, on Soundcloud – we’ve embedded it below. Dembovsky also condemned Vusi Mona’s statement, saying that Mona has no right to insult a member of the public.
Aside from Mona’s sarcastic insult showing a gross misunderstanding of human intelligence and the IQ scale, it also shows how little he knows about phishing. Really, we have to be thankful that his off-the-cuff quip has highlighted the real problem here, and how little people know about this advanced form of social engineering.
Phishing scams by their very nature are designed to be undetected and fool even the savviest users. The most successful ones do just that – hence them being successful – because if somebody sees something is obviously a scam then they’re unlikely to respond to it.
Phishing is a modern form of social engineering, which itself is a science. Famous hacker Kevin Mitnick made his name in the cyber underworld of the 70s and 80s by doing just this. Why use complex code and risky hacks to get a password when somebody can just give it to you? Mitnick and many others got very far by just asking the right questions and making it look like they were meant to be where they were. Heck, there are companies today that make a living off doing just this.
Security expert Bruce Schneier blogs endlessly on the subject of how the social engineers are always one step ahead, coining beautiful phrases like ‘laser-guided precision spear phishing’. Last year, the official Twitter account of the South African State Security Ministry was hacked, most likely via a simple phishing attack. Does that mean everyone there needs to raise their IQs, Mr. Mona?
Maybe Mona had a point – in a roundabout way. People should know about these things and they should approach with caution. But it’s SANRAL’s job to do the educating and, like any responsible organisation which operates online, do its best to protect users from being scammed in their name. After all, banks have been trying to educate people about phishing scams for years, yet banking fraud continues to rise year-on-year all over the world.
The thing is, no matter how clever or well educated you are, there’s a criminal out there who knows even more about how to get you to click on the wrong button or fill in the wrong form than you do. There’s literally no point blaming the victim in these attacks, they’re at the mercy of confusing systems being exploited by intelligent people all around them.
That doesn’t mean you shouldn’t do your best to educate yourself, of course. The more you learn about phishing attacks out looking for your email passwords, Twitter logins, Facebook account details, banking usernames, and e-Toll profiles, the better you can protect yourself from them.
What totally undermines Mona’s point, besides his own childish use of language, is the fact that even those of us armed with good technical knowledge, ‘common sense’, and relatively high IQs are just as much at risk of being phished through eToll notifications as anyone else – because there’s no information on the SANRAL site that tells you what you should look for to guarantee an SMS is genuine.
SANRAL has had a few years now to sort out all the billing kinks; build a stellar, informative website; and effectively communicate its message. But even now the e-Toll website just has information on how to register and how to pay. There’s no clear, step-by-step informational article telling people how they will be billed if they don’t have an e-Tag. Will it be by SMS? Email? Traditional post?
Are these scam messages SANRAL’s fault? Yes, because it could simply have said, from the beginning, “We will never send you an SMS demanding payment”. The banks learned that lesson back when lots of people still clicked links in phishing mails. Now people know not to click any links in phishing mails, because they were taught about the risks.
The former made the news when a feature on the e-Tag website allowed unregistered users’ bills to be publicly visible. At the time this didn’t seem like a huge security risk – our legal expert Paul Jacobson of webtechlaw pointed out that there was no information in the online bills that personally identified the drivers of those cars – but combined with scam text messages it could be quite dangerous.
Knowledge is power, and in the right (or rather wrong) hands the knowledge of what you owe SANRAL could have been used in a scam SMS to tell you how much you owe. That same SMS could’ve then had a convenient link that takes you to a payment portal, where a ne’er-do-well cyber scumbag is just waiting for you to enter your credit card details before he laughs his way to Russia. Or whichever country has laws that can be exploited to this effect.
With enough personal information a very complex attack can be orchestrated. The more detail a scammer has, the more convincing their phishing attempts. Just ask the guys over at Financial Times – and we’re pretty sure they don’t need to raise their IQs.
Then there is the SANRAL billing system, which was the subject of our research in December. We speculated, with a degree of certainty, that the reason SANRAL wants everybody to have e-Tags is because its ANPR cameras aren’t 100% accurate. The cameras don’t always detect when a non-tagged car drives under a gantry, but an e-Tag will always be detected. The billing controversy continues with reports that people are being billed despite not even entering the Gauteng province. This isn’t a fault with the cameras, but does show up a weakness in the automated billing system – and it’s something that chips away at the very little trust people have in the system.
Ultimately, with the reputation SANRAL has, Vusi Mona should not be belittling people who fall for phishing scams or downplaying the situation. As a growing technology economy, with more people connecting to the internet every day, South Africa has become one of the leading markets for phishing scams. It’s a very real threat that nobody is immune to – regardless of how smart they are – and as a partner of the government it should be working with the people rather than calling them names.