The inconvenient truth is that the processes companies have developed to spare us from hassle and inconvenience can be exploited by criminals to get their hands on our money.
SIM — subscriber identity module — swaps are a prime example. That SIM is your link to your cellphone number, no matter what device you put it into, and it enables you to not only communicate but to access and transfer funds out of your bank accounts by means of one-time passwords (OTPs) sent by your bank.
If you lose your phone or your SIM becomes damaged, you don’t have to schlep into a branch to get a new one. All Vodacom subscribers need do, for example, is buy a new prepaid starter pack and dial 136 from the new SIM. A call centre agent will apply their old number to that SIM and “between two and 24 hours” later, they’ll be A for away.
What’s to stop a criminal from doing that? Getting into their potential victim’s bank account is not enough: they need that OTP to set themselves up as a new beneficiary and transfer money into their account.
Vodacom has told me: “Customers who are approved for services have the right to access services almost immediately. Unfortunately, this also happens when a service is activated fraudulently. But we have mechanisms in place to detect fraudulent activities.”
One such mechanism is that Vodacom allows banks to check when last the customer requested a SIM swap on a specific mobile number before they send an OTP to that number.
“This measure has already been implemented by some banks, allowing them, for example, to prevent flagged customers from adding a beneficiary during a certain window period while still allowing customers to conduct other banking affairs.”
That’s helpful, but not allowing the SIM swap to happen at all without the explicit go-ahead from the legitimate owner of that SIM would clearly be even better.
But that’s not what happens. If the legitimate subscriber doesn’t respond to that SMS from Vodacom, asking if they have applied for a SIM swap, it gets processed. In other words, the lack of response is taken as a yes.
The mobile networks are at pains to point out that a SIM swap alone doesn’t enable a fraudster to commit fraud on a customer's bank account, and the courts have confirmed this, allowing them to evade liability for those losses. But the fact remains that without a successful SIM swap, criminals can’t raid their victim’s bank account.
It happened to Hazel Lumsden four months ago: at exactly 8.44am on a Friday, she got an SMS notifying her of a SIM swap application on her number and, within minutes, she called Vodacom’s helpline to say she hadn’t authorised it. Within hours, she was unable to make or receive calls and two days later she discovered that R50,000 had disappeared out of her business account and R137,000 out of her personal account, which included R25,000 which had been transferred from her credit card account.
Some of the funds were recalled, and her bank gave her a R20,000 “ex gratia” payment as a long-standing client, bringing her loss to R80,000.
She feels let down by both her bank and Vodacom, neither of which accept any liability.
“I hold Vodacom responsible for enabling the swap in the first place,” she told me. “Vodacom should ask a subscriber to confirm that everything is in order for them to proceed with the SIM swap request, and then wait for a response before proceeding. They should not proceed without confirmation from the client and if they do not receive any confirmation, they should not proceed!”
Chris Richards feels the same. He was unable to prevent fraudsters from completing a swap on his SIM at 8am on New Year's Day, and thereby helping themselves to R150,000 from his bank account. Vodacom had notified him via SMS of the SIM swap request at 8am on Sunday January 1, giving him two hours to respond.
“I was in church at the time and, in any case, I don’t look at SMS messages every hour to ensure that I don’t miss bank and other service providers’ questions which carry such dire consequences,” he said.
I put it to Vodacom: “Given the role which SIM swaps play in bank fraud, shouldn’t all SIM swap requests only be approved when the rightful owner of the SIM responds to say that it’s legit? What is stopping Vodacom from implementing this?”
Vodacom’s response: “This is a business rule, which if changed would have a significantly negative impact on customer service, given that the vast majority of SIM swap requests processed are valid.”
Fraudulent SIM swaps account for less than 0.02% of all SIM swaps requested on its network, Vodacom said.
“A two-hour waiting period is strictly applied during business hours to mitigate risk for our customers, and SIM swaps processed after hours will remain pended until 8am the following day.”
So, the burning question in Lumsden’s case is this: why, given that she responded within minutes to Vodacom’s SIM swap notification to say it was not legitimate, did it go ahead?
“Your call centre agents must surely know by now that when someone makes contact to say they have not authorised a SIM swap, they must act with extreme urgency, given that if the swap goes ahead, the client’s bank account will be raided,” I said.
Vodacom responded: “We are in the process of finalising our investigation into the matter. That is what is expected of call centre agents who deal with these types of queries. This is part of the investigation into this particular case.”
Vodacom said there was no evidence to suggest that its employees were involved in SIM swap fraud. “An agent’s login details were compromised, and we are fully committed to taking appropriate action once the investigation runs its course.”
A Vodacom forensic services person gave Lumsden more detail: “The unique username and password of the relevant employee was fraudulently used to unlawfully manipulate the system and circumvent security processes to SIM swap your cellphone number.”
So, what liability does Vodacom bear for the results of the “compromise” of their agent’s log-in details, or is it only the client who pays the price, and mostly a hefty one?
“Vodacom treats each matter on its merits, case by case, and will make a final decision with regard to any liability once an investigation is finalised,” I was told.
To be continued ... Meanwhile, don’t forget to check your SMSes regularly. A SIM swap notification is not one you want to miss.
• Contact Knowler for advice with your consumer issues via e-mail consumer@knowler.co.za or on X (Twitter) @wendyknowler





