In the space of a few days, Johan and Maatje du Plessis went from having retirement savings of R570,000 in the bank, to owing Absa R171,000.
Two years ago, the couple went out of town for a weekend and the husband’s cellphone lost signal.
Du Plessis went to an MTN store, where he was informed his phone needed to be sent for repairs, which he said he would do when he got home.
Back home, another MTN store told him a different story – an unauthorised SIM swap had been carried out on his account.
A visit to their local Absa branch when they couldn’t buy electricity confirmed that the nightmare was real.
Not only had their accounts been cleaned out, several hundred thousand rand of debt had been taken out in their name.
Within three weeks, Absa wrote to Du Plessis to say it had investigated the fraud and found that the transactions were made using his PIN and password.
As it was his responsibility to keep his online banking credentials safe, Absa concluded it was not responsible for the fraud.
Absa offered Du Plessis a goodwill settlement, without admitting guilt, of 50% of the stolen money that was not recovered or written off.
The payment totaled R345,000.
Du Plessis told the Sunday Times that a month after he accepted the payment, he received a call from the forensic auditors asking for the password to his devices.
This led him to believe that Absa had not conducted a proper investigation before offering the payment.
He began fighting his case and Absa started bullying them, said du Plessis.
Before the fraud, they owed R39,000 on their house. The fraudsters stole R53,000 from their access bond, and the couple continued to pay the instalments they were paying before the fraud.
Absa demanded that the repayment be increased, which du Plessis refused to do.
Absa reportedly then cancelled the debit order, but he continued to pay the monthly instalment manually while disputing the case.
The couple were then handed over to debt collectors for R75,000 outstanding on their home loan, and the attorneys on the case attempted to attach their home by applying for a summary judgement in the high court.
Following the Sunday Times’ enquiries about the case, Absa instructed the attorneys to halt further legal action.
The bank said it called off the lawyers in an effort to resolve the dispute amicably.
Absa told MyBroadband that prior to offering the settlement payment, it conducted an investigation and found that a SIM swap was performed.
However, the fraudster could not have logged into du Plessis’s online banking profile without the account number, PIN, and password.
Absa said the credentials were not compromised by its staff, which means du Plessis was liable for the breach.
“Bank staff, including IT support staff, do not have access to customer passwords as these are held in an inaccessible, encrypted database,” said Absa.
Regarding the call from the forensic auditor a month later, Absa said the investigation continued even though the matter was resolved.
“Each case presents us with an opportunity to potentially find a solution for cyber fraud and related criminal conduct, an industry-wide problem.”
Absa’s investigation established the following:
- The client’s phone lost connectivity on 14 June 2016.
- After swapping the SIM back, he visited the Absa branch on 20 June to ask why he received an insufficient funds message when he tried to buy electricity.
- Du Plessis received a phishing email on 5 June 2016 requesting that he update his FICA credentials.
While the report did not determine whether du Plessis was scammed by this email, Absa concluded he must have been for the banking login to take place.
Despite banks and mobile operators installing significant protections to prevent SIM-swap fraud, the criminals managed to extract funds.
MTN confirmed that du Plessis did not authorise the SIM swap, which means MTN Verified did not request authorisation for the swap.
“Like any other system, there is always room for improvement. We will continue to tighten our internal controls in a bid to safeguard our customers against incidents of fraud,” said MTN.
MTN said this does not make it liable for the fraud, however, as the thieves still needed his online banking credentials.
SIM swap API
MTN and other network operators also put systems in place during a spate of SIM-swap fraud reports several years ago.
They allow banks to check whether a SIM had been recently swapped.
Absa confirmed it used this system in June 2016.
“As soon as we detect that a SIM swap has taken place, the bank places a hold on the online banking service to allow the customer to remedy the situation with his service provider,” said Absa.
“At the time this specific case took place, the hold we placed was 36 hours. The current hold period is 72 hours.”
When the fraudsters got into the du Plessis bank account, they stole the R570,000 the couple had saved for their retirement. and incurred debt.
- R152,500 personal loan.
- ±R75,000 credit card debt.
- ±R53,000 transferred from Flexi-Reserve access bond.
- ±R43,000 overdraft.
The fraudsters maxed unused pre-authorised limits that Absa made available to du Plessis in his online banking profile.
The money was transferred to a Capitec account in two transactions: one for R731,000, and another of R153,000.
Absa wrote off the personal loan and recovered R41,045 from Capitec, making the total loss just over R690,000.
The bank offered du Plessis an ex-gratia payment of 50% of that amount, which would leave the couple with R174,000 if they paid off the additional debt.
The extent of reimbursement was determined after investigation into the loss, said Absa.
It also considered that the customer was the victim of crime.
Absa disputed the suggestion that it bullied du Plessis and sought to attach his property, however.
“The fraudulent activity does not diminish the payment obligation Mr du Plessis has in terms of his home loan account, especially taking into consideration the ex-gratia payment,” said Absa.
It said that due to the fraudsters stealing the Flexi-Reserve amount from his home loan, the monthly repayment increased from R1,309 to R2,916.
Absa said it cancelled du Plessis’s fixed debit order of R1,500 on 28 July 2017, as it was six cycles in arrears, and referred it to its legal department.
Absa’s legal department handed over the account to GDLK Attorneys, and confirmed it instructed the attorneys to proceed on the matter.
Du Plessis was summonsed and GDLK made an application in the high court for a summary judgement to attach his house to settle the outstanding R75,000 debt.
Absa has since called off the lawyers.
This article, written by Jan Vermeulen, was originally published on MyBroadband. Click here to read the original article.