advertisement
Facebook
X
LinkedIn
WhatsApp
Reddit

Social engineering could be responsible for FNB and MTN SIM Swap scam say experts

Toss ‘FNB’ and “MTN’ into a search engine, and you’re likely to see that today has become a PR nightmare for both entities.

The local press is a-whirl with reports that numerous First National Bank customers have claimed that they’ve been the victims of a scam involving SIM swapping that has cost them hundreds of thousands of rands.

Worse still, there have been allegations levelled at both FNB and MTN that the scam could have been an inside job, involving employees at one or both institutions.

News about the scam first surfaced in a report by IOL in February, which reveals that Cape Town Audiologist, Gail Jacklin lost R200 000 after an illegal SIM swap occurred and an unknown person used her number to access one-time-PINs (OTP) sent to her smartphone number to authorise payments.

The report suggests that the MTN call centre did not pick up on the fact that a SIM swap had been carried out on Ms Jacklin’s cell number.

The story grabbed the nation’s full attention last night after a forensic investigator, who is representing some of the victims, alleged that the scam was an inside job at FNB and MTN.

“The evidence seems to show that there is somebody within the bank and within MTN who has access to your details,” Dr David Klatzow told Fin24.

FNB responded to Klatzow’s allegations in a statement blaming the scam on phishing.

“We continually warn and educate our customers to never release their confidential banking information, or to respond to unsolicited e-mail including threats to close their accounts if they do not ‘update’ their information via a link provided or offers of prizes/refunds via a link in an e-mail,” FNB said.

MTN, for its part, has confirmed that a SIM swap did in fact, occur but this wouldn’t have been carried out without an external request from a customer (or someone claiming to be a customer).

“As far as we are aware, nobody in MTN performed a SIM swap without being requested to do so, however, the matter is currently being investigated,” Senior Manager of PR and Communications at MTN SA, Bridget Bhengu told htxt.africa.

Klatzow, however, has voiced doubts about these responses.

“The two companies involved would love you to believe that this is phishing and that people are inadvertently giving out their banking details. That is not so,” Dr Klatzow told Fin24. “Now, there is no way that somebody on a phishing scam could put your phone on the blink.”

So how then did somebody get a hold of Ms Jacklin’s details to perform a SIM swap?

Quite simply, phishing. Or rather, social engineering.

With a bit of social engineering it’s possible to obtain a ton of personal data. Don’t believe us? Watch the video below and see how with a phone, the sound of a crying baby and a friendly tone a hacker gets unfettered access to a cellular account. Then sit in the corner and shiver a bit.


Of course, a video on YouTube can be staged but given Klatzow’s allegations, we decided to do a bit of digging.

So we called up information risk assessment firm Wolfpack Information Risk, to find out whether what we saw in the video is actually possible and whether through social engineering it was possible to break into someone’s cellphone account.

“Yes it is possible to do this in South Africa especially if  it is a targeted attack where the criminal has gathered enough information on you to be able to profile you in that way,” Manuel Corregedor from Wolfpack tells us.

You might wonder how these hackers get hold of cell numbers or ID numbers in order to execute these attacks. Disturbingly, the simple explanation is that people are too open with their personal information.

Just last week we spoke to a hacker who told us that South Africans need to take privacy more seriously.With nothing more than your phone number a criminal could find you on Facebook, learn where you work, where you live and even discover your email address. Having an email address means an attacker could launch a phishing attack on you in which malware is secretly downloaded to your PC.

So have MTN and FNB been internally compromised? Were employees involved in this scam? We honestly cannot say because an investigation is pending.

What we can say is that telling people that hackers cannot get access to the kind of information necessary to execute this scam externally through phishing or social engineering is irresponsible.

 

We know that cyber criminals are always improving their craft and evolving their playbook, and that means we all need to be more aware of what we share – and what the internet at large can find out about us. You never know, it could be you losing money in the future.

[Image – CC BY/2.0 frankieleon]

advertisement

About Author

advertisement

Related News

advertisement