Sim card swap: How man lost Sh26m to phone hackers

Farah Bashir is yet to come to terms with how his bank accounts were wiped clean by fraudsters, barely two days after he had landed in Johannesburg for a two-week assignment in February.

He painfully recounted how he watched helplessly as Sh2.6 million was withdrawn by hackers in several transactions from his four different Absa Bank accounts between February 7 and February 9.

Mr Bashir, 58, a medical lab scientist, had landed in Johannesburg on February 5. Soon after, he got calls from his family and friends, who told him that some people were looking for him. The hackers had accessed his contacts and were texting and calling those close to him. Nobody thought much about it. All was well until 5.43pm on February 7 when he got a disturbing message from Safaricom. The text informed him that the company had received a  Sim Card swap request and told him to ignore the message in case he had not initiated it.

An hour later, Mr Bashir had received over 10 such messages. He reached out to Safaricom Customer Care on Twitter but was informed to ignore the message if he had not initiated the requests. He did just that. However, at 11.31pm, Mr Bashir sensed something was wrong when he could not access M-Pesa services as he attempted to buy airtime to call home.

He contacted Safaricom Customer Care on Twitter, who asked for his details, including his ID and phone numbers. By now, his riled spirit could not rest and so he decided to check his bank balance. When he opened the Absa app and used his fingerprint to unlock it as usual, the system rejected. He could not access the account. At 11.51pm, he logged on to his account via the internet using his laptop. What he saw jolted him. A withdrawal of Sh150,000 had already been made from his Kenyan currency account, which had some Sh335,000. Before he could gather his wits, another Sh150,000 was withdrawn as he watched helplessly on his laptop. It was left with Sh35,000.

He immediately sent a message to Absa, informing them about the problem and changed his password. That did not help as another Sh34,000 was withdrawn, emptying his account. But that was just the beginning of his woes. The fraudsters raided his dollar account that had US$17, 451 (about Sh2 million). This was a few minutes past midnight on February 8. The hackers began by withdrawing US$936, which was followed by US$4,680, US$3,650, US$4,680, US$936, US$1,872, US$561, US$121, US$9.36 and finally US$4.68, leaving the account with US$0.12. They wired the entire amount to a Pesa Link account and withdrew it. The fraudsters then went for his Sterling Pound account and withdrew UK£225 before clearing his credit card balance, which had Sh231,000. By the end of their digital adventure, the hackers had made away with Sh2.6 million.

Seeing no help was coming from either the bank or the telco, Mr Farah contacted a friend at Safaricom, who blocked his Sim card but it was too late as the damage had already been done.

For a number of days, he survived on extra yoghurt and snacks from the breakfast provision that was offered by the hotel until his family sent him some money. When he returned home, he never got any updates from the bank. On April 25, he wrote to Absa and asked for a progress report on his matter and demanded for a guarantee that his money was safe at the bank.

“I would like to know how the fraud was conducted, what internal systems the bank has to detect illegal withdrawal of funds from my accounts, and why did the fraudsters access my account on February 8 at 11pm SA time after I had changed my password?” he wrote. The email was answered in 14 minutes and he was assured by an official from the bank that investigations were ongoing. By May 9, he had not received any feedback and wrote to the bank again. Four days later, on May 13, a response came from the bank. It was a full report labelled “complaint resolution”.

In the document, the bank admitted that they had received his complaint via his relationship manager on February 9 and confirmed receipt of his follow-up email. The bank confirmed that Sh2,015,715 from his USD account, (the dollar, currently trading at 116 was by then trading at 106 thus the difference in valuation of figures), some more from the GBP and credit card accounts had been withdrawn.

Their investigations established that the funds were transferred via mobile banking to two other banks and M-Pesa mobile wallets. The bank said that they also established that there was a Sim card swap on his Safaricom mobile number that precipitated the transfers of the funds and that Mr Bashir reported the incident to the bank, which immediately followed up with recipient banks and the telco for reversal.

“We managed to secure only Sh500,000.00 and credited the amount to your account on March 7. The rest of the funds unfortunately were already utilised,” the bank stated.

“From the above sequence of events, we have established that there was no compromise to the security/password integrity in your account on the part of the bank. Kindly note the credentials are only known to the customer. In addition, where a password is compromised, you are under a duty to inform us immediately so that we may take appropriate action to secure your account. Based on this, the bank is not liable for the net loss of Sh1,515,715.00 from your account,” the bank said.

Despite denying any culpability, the bank said it had reported the incident to the Banking Fraud Investigations Department for further investigations. With the help of private investigators, it was established that the Sim swap happened at 11:31pm on February 7 at a Safaricom agent shop in Kasarani and that at least 15 different mobile numbers were used to transfer the money to different bank accounts.

In response to inquiries by the Nation, a representative from Absa acknowledged receipt of the email on May 23 and advised that it be forwarded to the Corporate Communications team.

The Nation contacted the department as directed and on May 24, they requested that they be given a day to file a response. Two days later, no response had been given. Safaricom acknowledged receipt of the Nation’s email and promised to reach out to him. However, the telco did not respond to any of the questions raised, including how long it takes to block Sim swap requests that are flagged by genuine mobile number owners and measures they take to assist fraud victims.

Credit: Source link