Despite the prevalent nature of SIM swap fraud and the resultant Internet banking breaches taking place in SA, consumers have little to no recourse, as neither mobile operators nor banks can be held liable.
The recently highlighted scourge of SIM swap fraud has been the bane of consumers, operators and banks alike for years. However, there is still no solution when it comes to a failsafe system to thwart criminals and track movements to verify where responsibility lies - and the main victims, consumers, are crying foul.
Nicholas Hall, an attorney with Michalsons Attorneys, underpins operators' claims that they cannot be held responsible if fraud is committed on a banked consumer's account. "As far as the networks are concerned, the SIM is used to access networks it has verified and, providing it is not due to negligence on their part, they cannot be held liable - even by the Consumer Protection Act. [Furthermore,] if someone commits fraud on your account, the banks are not liable, as they put up security measures."
No simple solution
Hall says there are instances in which a consumer could seek recourse, but there are variables and formalities that can muddy respective cases.
"On the face of it, the providers cannot be held liable due to fraud happening on their systems if it was a result of customer negligence (ie, falling victim to a phishing scam) that their details have been compromised. However, that being said, if it can be proven that an employee of the operator committed the fraud, then there may be a possibility of holding the provider liable."
He says typically, if employees act fraudulently, it would fall out of the scope of their employment and so the employer could not be held to be vicariously liable. "However, if one can show a sufficiently close link between the employee's conduct and what the employer authorises, the employer is vicariously liable.
"The other problem a consumer will face is that the causal connection between the fraudulent SIM swap, and the unlawful accessing of the consumer's account, may be too far. As has been indicated, just having a cloned or SIM swapped card isn't enough to get into a consumer's bank account; the bank login details are also required, and presumably the employees of the operators aren't involved in this process."
Hall says the only other option open to consumers would be to show that the operators - or their employees - acted with gross negligence, and that the negligent act led to the loss suffered by the consumer. "However, given the large amount of verification that is required, I don't see how this could be successful."
Circumstantial payback
Dione Sankar, head of cellphone banking and messaging at big four bank First National Bank (FNB), says each case of fraud - such as a SIM swap - is handled and evaluated individually, based on circumstances.
"FNB is aware of the risk of a SIM swap to clients and we are, therefore, constantly informing customers on how to protect themselves from falling victim to this type of fraud. FNB works closely with the mobile network operators to combat SIM swap fraud and good progress has been made thus far."
In most of these fraud cases, says Sankar, customers are phished for other personal bank information in addition to the SIM swap taking place. "The result is that the client may be defrauded." He says FNB is continuously implementing solutions and additional security measures to protect customers from this type of fraud.
Sankar notes that, in terms of recourse, each case is investigated by the bank and - depending on the facts and circumstances of the case - a refund is processed or the client is advised that no refund will be made. "Should the customer want to dispute the outcome, they have the option of contacting the ombudsman to review their case."
SA's biggest bank by customer numbers, Absa, declined to comment on what it regards as an industry-wide issue.
Ombudsman authority
Banking ombudsman Clive Pillay confirms the regulator has been approached on the issue of SIM swap fraud, but notes its mandate is to adjudicate disputes between banks and their customers - and SIM swaps are the "second stage" of Internet banking fraud.
"The first stage is when the customer discloses his personal logon details to the fraudster. The fraudster then does a SIM swap so that he can intercept the passwords generated by the customer's bank."
Pillay notes that banks have no control over SIM swaps. "This process happens at the cellular phone network provider. The cellular phone network provider is legally obliged in terms of section 40 of the Regulation of Interception of Communications Act, no 70 of 2002 (RICA), to satisfy himself of the identity of the person requesting the SIM swap."
Because SIM swaps do not involve banks, says Pillay, his office is not in a position to investigate the circumstances under which the SIM card replacement was approved.
Pillay says the banking regulator was always under the impression that the Independent Communications Authority of SA's (ICASA's) mandate was to ensure mobile operators comply with RICA.
However, he says, ICASA has said it has no jurisdiction over mobile operators that are not compliant with RICA. "[ICASA] has referred us to the Department of Justice and Constitutional Development."
Pillay says, in the past year, his office has closed 810 Internet banking fraud cases, 104 of which related to SIM card swaps - third in line after phishing (380) and cellphone phishing (266).
Learn more
You can uncover more on cellular and cyber law at ITWeb Security Summit 2013, on at the Sandton Convention Centre from 7 to 9 May.
These top-level speakers will provide usable, practical information:
* Cyber law attorney Doug Depeppe will deliver a cyber law update.
* Professor Basie von Solms, research professor at the Academy for Computer Science and Software Engineering at the University of Johannesburg, will provide an overview of the legal and regulatory landscape.
* Adam Ely, founder and COO of Bluebox, will discuss the bring your own device tidal wave, and the resultant risks, rewards and challenges.
The Security Summit will be held from 7 to 9 May, at the Sandton Convention Centre. For more information about this event and to book your seat, click here.
Share