Internet in SA: A playground for faceless criminals
In January 2013, in the flurry of resolution that accompanies the new year, Dino Maloko (40, not his real name) decided to bite the bullet and pay off his credit card. He was over R40,000 in the red, and he wanted to start the year off right. So he made a large payment into his bank credit card account and got his card debt back down to zero.
It should have been a good feeling. But shortly after making the payment, Maloko received his statement. He noticed that payments were still going off his account, even though he hadn’t been using the card. “I thought, ‘hey, what’s happening here?’” said Maloko. As he started to go through his statement in detail, he realised that it was littered with payments for things that he had not actually bought.
In time, credit began racking up again on his account. Eventually, there was R8,600 outstanding. Maloko called the fraud division at his bank.
“They looked into it and said there was something wrong with my credit card,” he said. “They cancelled the card. Last week they told me that my credit rating had been affected by my non-payment and that my credit limit had been reduced,” he said. “I could not pay for something I did not owe!”
Eventually, he paid the R8,600 “just to avoid crap”, he said. He was in Angola at the time and had intended to remain there for several months. But now he plans to fly back to South Africa to visit one of the branches of his bank to get to the bottom of the problem. “How did the [fraudster] get the one-time PIN required to authorise those payments when I had the cellphone [that receives the PINs] with me?” he said.
Victims to cybercrime
Maloko is one of about 1.5-million people around the globe who fall victim to cybercrime every day. Cybercrime is broadly defined by tech company Symantec as any offence that is committed using a computer, network or hardware device. It is not a new phenomenon, but its scope is constantly changing.
According to Verine Etsebeth, a senior lecturer at the University of the Witwatersrand who specialises in information security and data protection, it is also constantly growing.
The global profit gleaned from cybercrime is about $388-billion a year, said Etsebeth, citing research by Symantec and computer protection company Norton.
“That is bigger than the global black market in marijuana, cocaine and heroin combined, which is $110-billion,” she said. “There are twice as many cybercrime victims as newborn babies in the world.”
And emerging markets such as South Africa are most often targeted. About 80% of adults in emerging markets have been victims, compared with 64% of adults in developed markets, the report said.
But although South Africa is definitely feeling the effects of cybercrime, it is hard to say exactly how much. According to the South African Cyber Threat Barometer 2012-2013, a public-private partnership researched by Wolfpack Information Risk and commissioned by the British High Commission, the total loss in the country cannot be accurately pinpointed. But their estimate, based on interviews and known incidences, is that the government lost about R1.5-billion to cybercrime between January 2011 and August 2012. Based on annualised figures, that amounts to about R900-million last year.
Figure likely to be higher
According to Craig Rosewarne, managing director of Wolfpack, this only reflects direct losses incurred through fraud using computers and the internet. The figure was a conservative one, and is likely to be higher in reality.
The telecommunications sector, including fixed and mobile providers, lost R1-billion last year, according to the barometer’s conservative estimate. This was mainly caused by SIM card fraud and classic subscription fraud.
And according to the South African Banking Risk Information Centre, South African consumers lost R90-million last year in internet banking fraud. It constitutes the second largest number of complaints to the banking ombud in South Africa, and made up 20% of all complaints last year. The number of cases logged to the ombud rose from 591 in 2011 to 810 in 2012, an increase of 37%.
“The numbers have definitely gone up,” South Africa’s banking ombud, Clive Pillay, told the Mail & Guardian.
Nevertheless, the amount of money being bled by cybercriminals in South Africa is comparatively small. Rosewarne said 75% of money stolen is eventually recovered through banks freezing accounts and refunding cash, or through the apprehension of perpetrators by the police. Taking that into account, the real loss incurred by the whole economy in fraud last year was about R663-million, he said.
That’s 0.0002% of last year’s gross domestic product — a comparatively small amount. But, for individuals who fall victim to the crime, the inconvenience and cost is very real.
Cybercrime and the law
According to the barometer, less than 5% of cyber-related incidents are reported to the police. According to Etsebeth, there are several reasons for why the rate is so low. First, like Maloko, individuals often don’t even realise they have fallen victim to a crime.
Second, companies and banks that fall victim try to keep it quiet for fear of damage to their reputation. TheM&G asked the four major banks how much they had lost to cybercrime in the past year. All of them refused to divulge the information, on the basis that it would potentially damage their brands.
The National Prosecuting Authority (NPA) successfully prosecuted 133 cases of cybercrime in the year ending March 2013, Business Day reported. According to NPA spokesperson Bulelwa Makeke, that represented a 98% success rate. But the NPA only sees the cases that are handed over by the South African Police Service. “The NPA is called unofficially for advice, but doesn’t receive that many cases for prosecution,” the report said.
After trying repeatedly through her bank to stop a fraudster from making debits on her account, Thobeka Magcai (29) became one of the few to log her case with the police. She opened a docket at the Fish Hoek Police Station in Cape Town.
“At first the police seemed a bit confused,” she said. “They did not know where to investigate it and where to put the scene of the crime. It happened in cyberspace. Where do you say the crime happened? The crime documents need to be changed possibly to accommodate that.”
Magcai also tweeted the South African Police Service about the incident. “They responded immediately, advising the specific department to forward my details to,” she said.
The investigation is pending. According to South African Banking Risk Information Centre (Sabric) spokesperson Bongani Diako, of the 35 arrests related to cybercrime made since 2011, all are still pending.
And complexities in the system mean the conviction rate is likely to stay low, said Etsebeth. Lawyers, magistrates and judges often lack the technical understanding to deal with cases of cybercrime, she said. And they face other unique difficulties.
“When the cyber perpetrator is from another country, it raises questions such as in which country will the case be heard? Which country’s laws will apply? How will you ensure that the defendant is present at the hearing? If sentenced, how will you ensure he complies?’” she said.
The Electronic Communications and Transactions Act – a law governing cybercrime – was put into place in 2002. But it has been criticised for carrying sanctions that are too light. “Depending on the offence, imprisonment cannot exceed five years,” said Etsebeth. “It is not going to act as a deterrent.”
Government is taking steps to address the problem. South Africa has signed – but not ratified – the Budapest Convention of Cybercrime, an international best practice framework for dealing with the problem. And on Tuesday, Sabric launched an interbank e-crime awareness campaign.
“Ultimately, for cybercrime, I don’t believe the sky is falling,” said Haroon Meer, founder of tech research company Thinkst Applied Research. “Billions of dollars are successfully transacted online daily. We have work to do for sure, but I’m fairly convinced we will get there.”
Gone phishing: Cybercrime trends in SA
According to the South African Cyber Threat Barometer, three kinds of cybercrime are prevalent in South Africa. Phishing is the most popular form of attack.
“Phishing attacks use spam emails to coerce or trick users to go to fake sites and enter their online credentials,” said the report. The aim is usually to gain access to a person’s internet banking profile.
Abuse of system privileges is the second most common cybercrime. Unsurprisingly, the report found it took place predominantly in the finance and government sectors.
“The abuse of privileged access by external service providers, third parties and contractors was seen as a factor in these types of attacks,” said the barometer.
Malware – malicious software – is the third most common form of cybercrime. “These are, for example, viruses and worms that affect the integrity of the computer,” said Verine Etsebeth from the University of the Witwatersrand.
“It’s really not about gaining financial benefit. It could be perpetrated by anyone from a bored teenager to a disgruntled former employee.”
A surge in SIM card swapping
The South African Banking Risk Information Centre recently flagged a surge in SIM card swapping. Susan Potgieter, general manager at the centre’s commercial crime office, told Moneyweb that the number of such incidents jumped from less than 100 in 2011 to more than 1 000 in 2012.
SIM card swap fraud occurs when criminals impersonate the victim and apply to the victim’s cellphone service provider for a new SIM card to be activated. Once in possession of a new activated SIM card, they will receive the “one-time password” messages needed to carry out a transaction on the victim’s internet banking profile. Haroon Meer, founder of tech research company Thinkst Applied Research said end users will remain the soft targets.
“Targeting end users is always going to be easier than targeting banks,” he said. “One group invests millions in security and have staff dedicated to spotting badness, while the other group is only just figuring out this online thing and will happily trade their username and password for the opportunity to see cute kittens.”
Head of financial crime control at Standard Bank Retail, Selvan Naidu, said that banks put much time and effort into spotting and combating trends in cybercrime, but the overall level is unlikely to abate.
“If you close the doors on ATM crime, it will migrate to cellphone crime. If you close the doors on that, it will migrate elsewhere. They keep us on our toes,” he said.